Proactively Monitoring the Security and Compliance Issues using ServiceNow and PagerDuty Incidents

Pradeep Gopalgowda
7 min read · Jan 28, 2023

As cloud security adoption has increased, compliance standards have had to evolve, as cloud platforms and services are expected to remain compliant with various international, federal, state, and local security standards, regulations, and laws. A lack of compliance to these rigid rules can lead to legal challenges, penalties, fines, and other negative ramifications.

Cloud compliance and security are more important than ever as the threat landscape becomes more sophisticated. They can’t be overlooked, ignored, or pushed to the proverbial back burner. This is a topic that must be proactively monitored and addressed. But it’s undeniably challenging, which makes it an unattractive endeavour for organizations that already have enough technically complex tasks on their organizational to-do lists.

Solution: IBM Cloud Security and Compliance Center helps ensure that your organisation is adhering to the external and internal standards for your industry. By using the Security and Compliance Center to validate the resource configurations in your account against a profile, you can identify potential issues as they arise.

What is IBM Cloud Event Notifications?

IBM Cloud® Event Notifications is an event notification routing service that notifies you of critical events that occur in your IBM Cloud account, or triggers automated actions by using webhooks. You can filter and route event notifications from IBM Cloud services, such as Availability Monitoring, to email, SMS, push notifications and webhooks.

How are events collected and sent by Security and Compliance Center?

When an event of interest takes place in the Security and Compliance Center, the service communicates with a connected Event Notifications instance to forward a notification to a supported destination.

Security and Compliance Center aggregates a list of your pending notifications by event type. The service checks for and dispatches any pending notifications to the connected Event Notifications service as they occur in the system. For example, you might receive notifications that are similar to the following messages:

· A validation scan of your resources was completed.

· A new resource was found in your inventory.

· Control failures exceeded the threshold limit.

· A Security Insights finding was reported for your account.

Step 1: Create an IBM Cloud Event Notifications service instance

1. Log in to your IBM Cloud account.

2. In the IBM Cloud catalog, search Event Notifications > Event Notifications.

3. Select a Region from the list of supported regions and select a pricing plan.

4. Provide a Service name.

5. Select a resource group.

6. Click Create.

Step 2: Connecting to Event Notifications in the Security and Compliance Center

After signing into IBM Cloud, you can access the Security and Compliance Center:

1. By clicking the Menu icon > Security and Compliance in the navigation.

2. In the Security and Compliance Center navigation, click Settings.

3. In the Event Notifications section, click Connect.

4. In the side panel, review the source details for the connection. Optionally, provide a description.

5. Select the resource group and Event Notifications service instance that you want to connect.

If an IAM authorization between Security and Compliance Center and Event Notifications doesn’t exist in your account, a dialog is displayed. Follow the prompts to grant access between the services.

To grant access between Security and Compliance Center and Event Notifications, click Authorize.

In the side panel, select Event Notifications as the target service.

From the list of instances, select the Event Notifications service instance that you want to authorize.

Select the Event Source Manager role.

Click Review.

Click Assign.

6. To confirm the connection, click Connect.

A success message is displayed to indicate that Security and Compliance Center is now connected to Event Notifications. If you need to disconnect from Event Notifications later, you can use the options menu > Disconnect to remove the Security and Compliance Center as a source service in the Event Notifications instance.

Step 3: Verify the Security and Compliance Center source in IBM Cloud Event Notifications

1. Click the menu icon > Resource list.

2. Open Services and software.

3. Open the IBM Cloud Event Notifications instance you created.

4. Click Sources.

When you connect to Event Notifications in the Security and Compliance Center UI, a source is automatically added to your IBM Cloud Event Notifications Sources list.

Step 4: Create an IBM Cloud Event Notifications Destination

Configuring a ServiceNow destination

To configure a ServiceNow destination, do the following steps:

  1. From your Event Notifications instance dashboard, click Destinations.
  2. Click Add + to add a new destination.
  3. In the Add a destination side panel, provide the following details.
  • Name — Enter a name for your destination.
  • Description — Optionally, enter a description for your destination.
  • Type — Under Destination, select ServiceNow from the drop-down as your destination type.
  • Instance Name — Enter the name of your ServiceNow instance.
  • Username — Enter the username to be used for connecting to the ServiceNow instance.
  • Password — Enter the password used to authenticate the username entered above against the ServiceNow instance.
  • Namespace — Defaults to now and cannot be changed.
  • Table — Event Notifications currently allows creation of entries on the “Incident” table only; this cannot be changed.
  • URL — Populated automatically from the values provided above.
  • Client ID — Enter the client ID needed to retrieve the OAuth access token.
  • Client secret — Enter the client secret required for authenticating the Client ID provided earlier.

Note: Client ID and Client secret can be fetched from System OAuth -> Application Registries. This is inside your Event Notifications instance console (you can search by clicking on “All”). Make sure it is in the active state and applicable for connecting to external clients.

  4. Click Add.

Configuring a PagerDuty destination

You can configure a PagerDuty destination in the Destinations tab.

To configure a PagerDuty destination, do the following steps:

1. From your Event Notifications instance dashboard, click Destinations.

2. Click Add + to add a new destination.

3. In the Add a destination side panel, provide the following details.

  • Name — Enter a name for your destination.
  • Description — Optionally, enter a description for your destination.
  • Type — Under Destination, select Pagerduty from the drop-down as your destination type.
  • API key — Enter the API key that you have generated earlier.
  • Routing key — Enter the routing key generated earlier.

4. Click Add.

Step 5: Create an IBM Cloud Event Notifications topic

Next, you will define an IBM Cloud Event Notifications topic that will receive events from the Security and Compliance Dashboard.

1. Click Topics.

2. Click Create. The Topic details panel opens.

3. In the Topic details enter the following:

· Enter the Name for your topic. For example, SecurityThreat.

· For Source select the IBM Cloud Event Notifications source, which is named the same as your Security and Compliance Dashboard.

· Select an Event Type.

· Select an Event subtype.

· Select a Severity.

4. Click Add a condition. (If you do not click Add a condition before you click Create, the topic will be created with no conditions associated with it.)

5. Click Create. Your topic will be displayed in the Topics list.

Note: To receive the test event from the Security and Compliance Dashboard, click Add a condition without selecting any Event Type.

Step 6: Create an IBM Cloud Event Notifications ServiceNow Subscription

1. Click Subscriptions.

2. Click Create. The Create a subscription panel opens.

3. In the Create a subscription panel enter the following:

· Enter the Name for your subscription. For example, ServiceNowSubscription/PagerDutySubscription.

· For Topic select the topic you created. For example, SecurityThreat.

· For Destination select ServiceNow/PagerDuty.

Step 7: Sending a test event to Event Notifications from the SCC Dashboard

After you enable notifications for Security and Compliance Center, test your connection to ensure that the events that are generated by Security and Compliance Center are being forwarded to Event Notifications.

1. In the Security and Compliance Center UI, click Settings.

2. In the Event Notifications section, click Send test event.

A success message is displayed to indicate that the test event was forwarded successfully to Event Notifications.

You should start receiving incidents in the ServiceNow and PagerDuty destinations you configured whenever the criteria defined in both Security and Compliance Center and IBM Cloud Event Notifications match.
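To see what the topic condition from Step 5 and the two destinations from Step 4 do with an event, here is an added Python sketch of the same routing done on the webhook side, so you can test your condition logic before wiring up the live destinations. This is example code, not part of the original post or of IBM Cloud; the field names of the notification (event_type, event_subtype, severity, summary, account_id) are an assumption, while the PagerDuty Events API v2 fields and the ServiceNow incident table fields are the real ones.

```python
import hashlib
import json

# Constructed sample notification. The field names are an assumption for this
# example, not the documented Security and Compliance Center payload schema.
SAMPLE_EVENT = {
    "event_type": "control_failure",
    "event_subtype": "threshold_exceeded",
    "severity": "high",
    "summary": "Control failures exceeded the threshold limit.",
    "account_id": "ACCOUNT-ID-PLACEHOLDER",
}

def topic_matches(event, condition):
    """Mirror the Event Type / Event subtype / Severity selections of Step 5.
    An empty condition (no Add a condition click) matches every event."""
    return all(event.get(key) == value for key, value in condition.items())

# PagerDuty Events API v2 accepts only these four severities.
PD_SEVERITY = {"critical": "critical", "high": "error",
               "medium": "warning", "low": "info"}

def pagerduty_payload(event, routing_key):
    """Build a trigger event for POST https://events.pagerduty.com/v2/enqueue.
    A stable dedup_key makes repeat deliveries of the same control failure
    update one incident instead of paging on-call again."""
    key_src = "|".join([event["account_id"], event["event_type"], event["event_subtype"]])
    dedup = hashlib.sha256(key_src.encode()).hexdigest()[:32]
    return {
        "routing_key": routing_key,          # the Routing key entered in Step 4
        "event_action": "trigger",
        "dedup_key": dedup,
        "payload": {
            "summary": event["summary"],
            "source": "ibm-cloud-scc",
            "severity": PD_SEVERITY.get(event["severity"].lower(), "warning"),
            "custom_details": {"event_type": event["event_type"],
                               "event_subtype": event["event_subtype"]},
        },
    }

# ServiceNow urgency scale: 1 = high, 2 = medium, 3 = low.
SN_URGENCY = {"critical": 1, "high": 1, "medium": 2, "low": 3}

def servicenow_incident(event):
    """Body for POST /api/now/table/incident, the only table Event Notifications
    writes to; the full event is kept in the description for the analyst."""
    return {
        "short_description": event["summary"],
        "description": json.dumps(event, sort_keys=True),
        "urgency": SN_URGENCY.get(event["severity"].lower(), 2),
        "category": "security",
    }
```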

Cheers! Check out my profile for more such similar tutorials :)
