Configure SecOps Roles for ServiceNow

To configure SecOps roles, perform the following procedure.

Procedure

Log in to your ServiceNow instance.
Go to the Roles page using the ServiceNow Search menu on the left side of the page.
Find and open the role.
Scroll down and click the Edit button.

Note: If the Edit button is not visible, add the scope of the application.
To x_vmw_cb_connector.admin, add the following roles:
- sn_si_admin
- export_set_scheduler
- mid_server - to configure Data Forwarder Alert ingest
- n_ti.malicious_attachment_access - to download and view secured attachments
- sn_ti.observable.write - to view and edit observable records
Users who have this role will have the following permissions:
- Install the integration application plugins
- Create Users
- Configure the application for REST API approach or Data Forwarder with AWS S3 Bucket approach
- View Application Logs
- Manually create an Incident from Alerts
- Configure automatic creation of an Incident from Alerts
- Manually close an Alert
- Close Incidents
- Perform SOAR actions
- Apply MITRE classification
- Access Support Contact
Repeat steps 3-4 to add the following roles to Carbon Black Cloud Analysts (x_vmw_cb_connector.analyst1, x_vmw_cb_connector.analyst2, x_vmw_cb_connector.analyst3):
- sn_si_analyst
- export_set_scheduler
- n_ti.malicious_attachment_access - to download and view secured attachments
- sn_ti.observable.write - to view and edit observable records
Users who have this role will have the following permissions:
- Access the Application
- Manually create an Incident from Alerts
- Manually close an Alert
- Close Incidents
- Perform SOAR actions
- Apply MITRE classification
- Access Support Contact
Repeat steps 3-4 to add the following roles to Carbon Black Cloud View All (x_vmw_cb_connector.view_all):
- sn_si_read
- sn_incident read - to view CMDB data
Users who have this role can read all the records, but cannot write or delete records.