Depending on what features you have with ServiceNow, Carbon Black offers two main Integration apps.

  • ITSM App: When an alert occurs in Carbon Black Cloud, create a ticket in ServiceNow. The Carbon Black Cloud integration with the ServiceNow IT service management (ITSM) module provides endpoint device context and metadata within tickets to streamline IT workflows and reduce manual data collection.
  • SecOps App: When an alert occurs in Carbon Black Cloud, create an incident in ServiceNow. The Carbon Black Cloud integration with the ServiceNow SecOps module provides access to additional endpoint response actions, threat intelligence, and metadata to contextualize and accelerate security investigations.

Both apps have a reliance on the Base App, which is used to manage the connection between Carbon Black Cloud and ServiceNow and to integrate relevant endpoint alerts and context directly into ServiceNow ticketing and incident workflows. The Base app is automatically installed when installing the ITSM app or SecOps app. See Setting up ServiceNow Apps and Users.

Roles and Permissions

For all actions described in this section, the VMware CBC Analyst (x_vmw_cb_connector.analyst) role is required.

Configuration of the application, including of profiles, requires VMware CBC Admin (x_vmw_cb_connector.admin). For details on Roles and Users, see Configuring ServiceNow Roles and Users.

Domain Separation (Multi-tenancy)

  • Use the Domain Separation feature to isolate Carbon Black Cloud data from different organizations and manage access controls.
  • You must activate the Domain Support - Domain Extensions Installer plugin to use this feature. See Activate Domain Support - Domain Extensions Installer for ServiceNow.
  • Use the Domain Separation feature to create child domains and assign users to a specific domain.
  • Users can have multiple child domains assigned to a Parent domain.
  • Each child domain can have a separate Configuration Profile with different alert records.

Alert Ingestion

You must configure a profile to ingest Alerts from Carbon Black Cloud into ServiceNow. See Configuring a ServiceNow Configuration Profile.

Three types of alerts are supported for ingestion into ServiceNow, depending on the Carbon Black Cloud subscription that you have purchased:

  • CB Analytics Alerts
  • Device Control Alerts
  • Watchlist Alerts

After you configure the Profile and activate data collection for the REST API approach, the connector app fetches the alerts from Carbon Black Cloud and populates them in the Alerts table in ServiceNow.

To view an alert in ServiceNow, go to VMware Carbon Black Cloud > Alerts and open any Alert record.