Integration with Remedy for Incident and Change creation


Version Details

The integration has been tested with the product versions below.

| Service Product | Content Version |
|---|---|
| ITSM/Remedy | 9.1 sp5 (9.1.05), 19.08.01, 20.02 |
| TSO | 8.1.00 |
| TSO Content | 20.18.01.00 |

Pre-requisites for Incident

Port number 28080 must be open on the host where the TSO connector is running. This port is used by TrueSight Orchestration to communicate with the connector.

BMC Helix Cloud Security provides a sample run book for creating incidents, which requires the modules and adapters listed below.

The following out-of-the-box modules available in TSO content installer are necessary to use the sample run book:

| OOTB Module | Content Version | Installer Screen |
|---|---|---|
| AMP-AD-BMC-Remedy-ARS | 20.18.01.00 | [screenshot: image2019-8-15_2-16-2.png] |
| AutoPilot-OA-Common_Utilities | 20.18.01.00 | |
| AutoPilot-OA-Incident_Management | 20.18.01.00 | |
| AutoPilot-AD-Utilities | 20.18.01.00 | |

Pre-requisites for Change

Port number 28080 must be open on the host where the TSO connector is running. This port is used by TrueSight Orchestration to communicate with the connector.

BMC Helix Cloud Security provides a sample run book for creating Change, which requires the modules and adapters listed below.

The following out-of-the-box modules available in TSO content installer are necessary to use the sample run book:


| OOTB Module | Content Version | Installer Screen |
|---|---|---|
| AutoPilot-OA-Change_Management | 20.18.01.00 2 | [screenshot: image2019-8-15_2-17-29.png] |
| AutoPilot-OA-Task_Management | 20.18.01.00 2 | |



The adapters required for Change and Incident Management, available in the TSO content installer, are as follows:


| Module | Adapter | Content Version | Installer Screen |
|---|---|---|---|
| HTTP Adapter | ro-adapter-http | 20.18.01.00 | [screenshot: image2019-8-15_2-18-3.png] |
| ARS Adapter | ro-adapter-remedy-actor | 20.18.01.00 | |
| Remedy Monitor | ro-adapter-remedy-monitor | 20.18.01.00 | |

ITSM Template for Incident

The TSCS template must be present on ITSM. Users must import this Incident Template directly into ITSM using the Data Management Module. The user must also update the data in the attached Excel sheet and import the sheet using the Job Console in the Data Management Module. Alternatively, the user can create the template manually in ITSM instead of using the Data Management Module.

To download the Excel sheet that must be imported into ITSM, click here.

Configuring the sample workflow for Remedy integration

TSCS provides a sample workflow to showcase how incidents are created from the cloud security portal for single or multiple violations. The workflow uses the following request parameters to create incidents.

| Parameter Name | Type | Value | Remarks |
|---|---|---|---|
| group_by_criteria | String | resource_type | This is actually an enumeration, which allows incidents to be created grouped by one of the following: violation, resource, policy, resourceType |
| additional_info | object | Array of Rule Violations in json/xml object. | |

Click here to download the sample workflow for incident management.

Workflows should be constructed so that their business logic can receive the input XML with data on violations and, after incident creation, send a call-back XML with the ITSM incidents to the ITIL service.

XML for creating Incident

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<additionalInfoPayload>

    <header>

        <connectorId>uLmh2QXvZwmHtcfJEUkI</connectorId>

        <source>itil-service</source>

        <requestId>cc01dcbb-a9c2-43b6-b385-e5938b4cda2e</requestId>

        <callbackurl>/tickets/requests/cc01dcbb-a9c2-43b6-b385-e5938b4cda2e/callback</callbackurl>

        <connectorcallbackurl>http://10.133.146.79:48080/workflow/callback</connectorcallbackurl>

        <requestType>create_incident</requestType>

        <requestTime>0</requestTime>

        <responseTime>0</responseTime>

        <errorOccured>false</errorOccured>

    </header>

    <body>

        <ruleResults>

            <ruleResult>

                <orgId>65157176315077369399</orgId>

                <complianceStatus>NonCompliant</complianceStatus>

                <policyId>AWS CIS IAM Credentials</policyId>

                <resourceId>GOV AWS Cloud:896852662668:arn:aws-us-gov:iam::896852662668:user/awagh</resourceId>

                <resourceName>arn:aws-us-gov:iam::896852662668:user/awagh</resourceName>

                <ruleGroupId>1</ruleGroupId>

                <ruleGroupName>1 Identity and Access Management</ruleGroupName>

                <ruleId>6</ruleId>

                <ruleName>1.16 Ensure IAM policies are attached only to groups or roles</ruleName>

                <userGroupId>collector</userGroupId>

                <userId>U9Dw7r7rhKKs8ehbExGm</userId>

                <origin>GOV AWS Cloud:896852662668</origin>

                <resourceType>IAM Credentials</resourceType>

                <severity>9</severity>

                <connectorName>GOV AWS Cloud</connectorName>

                <ruleReferenceId>CCE-78912-3</ruleReferenceId>

                <tags>

                    <tag>

                        <tagDefinition>default-tag-definition</tagDefinition>

                        <value>896852662668</value>

                    </tag>

                </tags>

                <id>ABCXYZ</id>

                <additionalProperties />

            </ruleResult>

        </ruleResults>

    </body>

</additionalInfoPayload>

Callback XML after Incident is created

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<additionalInfoPayload>

    <header>

        <connectorId>uLmh2QXvZwmHtcfJEUkI</connectorId>

        <source>itil-service</source>

        <requestId>cc01dcbb-a9c2-43b6-b385-e5938b4cda2e</requestId>

        <callbackurl>/tickets/requests/cc01dcbb-a9c2-43b6-b385-e5938b4cda2e/callback</callbackurl>

        <connectorcallbackurl>http://10.133.146.79:48080/workflow/callback</connectorcallbackurl>

        <requestType>create_incident</requestType>

        <requestTime>0</requestTime>

        <responseTime>0</responseTime>

        <errorOccured>false</errorOccured>

    </header>

    <body>

        <ruleResults>

            <ruleResult>

                <orgId>65157176315077369399</orgId>

                <complianceStatus>NonCompliant</complianceStatus>

                <policyId>AWS CIS IAM Credentials</policyId>

                <resourceId>GOV AWS Cloud:896852662668:arn:aws-us-gov:iam::896852662668:user/awagh</resourceId>

                <resourceName>arn:aws-us-gov:iam::896852662668:user/awagh</resourceName>

                <ruleGroupId>1</ruleGroupId>

                <ruleGroupName>1 Identity and Access Management</ruleGroupName>

                <ruleId>6</ruleId>

                <ruleName>1.16 Ensure IAM policies are attached only to groups or roles</ruleName>

                <userGroupId>collector</userGroupId>

                <userId>U9Dw7r7rhKKs8ehbExGm</userId>

                <origin>GOV AWS Cloud:896852662668</origin>

                <resourceType>IAM Credentials</resourceType>

                <severity>9</severity>

                <connectorName>GOV AWS Cloud</connectorName>

                <ruleReferenceId>CCE-78912-3</ruleReferenceId>

                <tags>

                    <tag>

                        <tagDefinition>default-tag-definition</tagDefinition>

                        <value>896852662668</value>

                    </tag>

                </tags>

                <id>ABCXYZ</id>

                <additionalProperties />

            </ruleResult>

        </ruleResults>

    </body>

</additionalInfoPayload>

The workflow needs to be uploaded and activated on the grid in TSO. Workflows must ensure that the XML formats are strictly adhered to.
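One way to check an incoming create-incident payload before acting on it, shown as an added example in Python (not BMC's workflow code): it rejects DTD and entity declarations, verifies the header fields seen in the sample XML, confirms that the callback path references the requestId, and groups violations by group_by_criteria. The mapping of criteria to ruleResult elements, the function names, and the sample values are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumed mapping of group_by_criteria values to ruleResult child elements.
GROUP_KEYS = {"violation": "id", "resource": "resourceId",
              "policy": "policyId", "resourceType": "resourceType"}
REQUIRED = ("connectorId", "source", "requestId", "callbackurl",
            "connectorcallbackurl", "requestType")
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed sample in the shape of the page's create-incident XML.
SAMPLE = """<additionalInfoPayload><header>
<connectorId>CONNECTOR-ID</connectorId><source>itil-service</source>
<requestId>cc01dcbb-a9c2-43b6-b385-e5938b4cda2e</requestId>
<callbackurl>/tickets/requests/cc01dcbb-a9c2-43b6-b385-e5938b4cda2e/callback</callbackurl>
<connectorcallbackurl>http://connector.example:28080/workflow/callback</connectorcallbackurl>
<requestType>create_incident</requestType></header><body><ruleResults>
<ruleResult><policyId>P1</policyId><resourceId>r-1</resourceId><id>V1</id></ruleResult>
<ruleResult><policyId>P1</policyId><resourceId>r-2</resourceId><id>V2</id></ruleResult>
</ruleResults></body></additionalInfoPayload>"""

def parse_request(xml_text):
    """Validate the header; return (header dict, list of ruleResult elements)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not accepted")
    root = ET.fromstring(xml_text)  # raises ParseError on malformed XML
    if root.tag != "additionalInfoPayload":
        raise ValueError("unexpected root element: " + root.tag)
    header = {f: (root.findtext("header/" + f) or "").strip() for f in REQUIRED}
    missing = [f for f, v in header.items() if not v]
    if missing:
        raise ValueError("missing header fields: " + ", ".join(missing))
    if not UUID_RE.fullmatch(header["requestId"]):
        raise ValueError("requestId is not a UUID")
    # In the page's samples the callback path embeds the requestId.
    if header["requestId"] not in header["callbackurl"].split("/"):
        raise ValueError("callbackurl does not reference requestId")
    return header, root.findall("body/ruleResults/ruleResult")

def group_violations(rule_results, group_by):
    """Group violation ids by criterion; each key would become one incident."""
    if group_by not in GROUP_KEYS:
        raise ValueError("unsupported group_by_criteria: " + group_by)
    groups = defaultdict(list)
    for rr in rule_results:
        groups[rr.findtext(GROUP_KEYS[group_by])].append(rr.findtext("id"))
    return dict(groups)
```

An unclosed element, such as a connectorcallbackurl without its closing tag, fails at the parse step, so a malformed payload never reaches the incident-creation logic.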

ITSM Templates for Change Management

ITSM Task Template

The TSCS template must be present on ITSM. Users must import this Task Template directly into ITSM using the Data Management Module. The user must also update the data in the attached Excel sheet and import the sheet using the Job Console in the Data Management Module. Alternatively, the user can create the template manually in ITSM instead of using the Data Management Module.

To download the Excel sheet that must be imported into ITSM, click here.

ITSM Change Template

The TSCS template must be present on ITSM. Users must import this Change Template directly into ITSM using the Data Management Module. The user must also update the data in the attached Excel sheet and import the sheet using the Job Console in the Data Management Module. Alternatively, the user can create the template manually in ITSM instead of using the Data Management Module.

To download the Excel sheet that must be imported into ITSM, click here.

Once the Change Template and Task Template are created in ITSM, assign the Task Template to the Change Template.

ITSM Filter

The filter needs to be added in ITSM. Install the D2P package to import the filter.

To download the D2P package, click here.

For the steps to install the D2P package, click here.

The D2P package creates a user "cloudopsuser", which is added to the filter by default. The D2P package also creates the form CloudOps:Configuration. To use an ITSM user other than cloudopsuser, first disable cloudopsuser, then add and enable the required ITSM user in the CloudOps:Configuration form.

Enabling Alerts on ITSM

Alerts are enabled on ITSM by default. If alerts are disabled on your Remedy system, enable them on the AR System.

The documentation for enabling alerts on the AR System is available at:

https://docs.bmc.com/docs/ars91/en/configuring-a-server-for-alerts-609073786.html

Click here to download the sample workflow for Change management.

The workflow supports the out-of-the-box process flow for change management. Workflows should be constructed so that their business logic can receive the input XML with data on the change and, after change creation, send a call-back XML with the ITSM change to the ITIL service.

XML for Creating change

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<additionalInfoPayload>
<header>
<connectorId>qeCEcEvBXfUkQ0m2zpEI</connectorId>
<source>itil-service</source>
<requestId>c42460b6-e6c6-4606-8ae0-0b4cb7647f02</requestId>
<callbackurl>/itil_service/requests/c42460b6-e6c6-4606-8ae0-0b4cb7647f02/callback</callbackurl>
<connectorcallbackurl>https://172.29.156.116:28080/workflow/callback</connectorcallbackurl>
<requestType>create_incident</requestType>
<requestTime>1540887889207</requestTime>
<responseTime>0</responseTime>
<errorOccured>false</errorOccured>
</header>
<body>
<actions>
<action>
<context>
<connectorId>KGbRjtf7JLVgePztEgtM</connectorId>
<policyId>CIS Google Cloud Platform Foundation Benchmark - Storage</policyId>
<resourceId>GCP Connector-1013536615:neat-element-200309:sdkautobucket</resourceId>
<result>
<orgId>70359032252833983412</orgId>
<complianceStatus>NonCompliant</complianceStatus>
<policyId>CIS Google Cloud Platform Foundation Benchmark - Storage</policyId>
<resourceId>GCP Connector-1013536615:neat-element-200309:sdkautobucket</resourceId>
<resourceName>sdkautobucket</resourceName>
<resultTimeStamp>1540791531847</resultTimeStamp>
<ruleGroupId>2</ruleGroupId>
<ruleGroupName>5 - Storage</ruleGroupName>
<ruleId>2</ruleId>
<ruleName>5.2 Ensure that Cloud Storage bucket is not anonymously and/or publicly accessible</ruleName>
<userGroupId>collector</userGroupId>
<userId>KGbRjtf7JLVgePztEgtM</userId>
<origin>GCP Connector-1013536615:neat-element-200309</origin>
<resourceType>GCP Buckets</resourceType>
<severity>1</severity>
<connectorName>GCP Connector-1013536615</connectorName>
<lastStatusChangeTime>1540791531847</lastStatusChangeTime>
<tags>
<tag>
<key>projectNumber</key>
<tagDefinition>default-tag-definition</tagDefinition>
<value>17604022803</value>
</tag>
<tag>
<key>projectName</key>
<tagDefinition>default-tag-definition</tagDefinition>
<value>My First Project</value>
</tag>
</tags>
<id>70359032252833983412_CIS_Google_Cloud_Platform_Foundation_Benchmark_-_Storage_GCP_Connector-1013536615:neat-element-200309:sdkautobucket_2</id>
<additionalProperties />
</result>
<ruleId>2</ruleId>
<ruleName>5.2 Ensure that Cloud Storage bucket is not anonymously and/or publicly accessible</ruleName>
</context>
<content>
<action>disablePubliclyAccessibleBucket</action>
<actionContent>GCP Connector-1013536615:Google Cloud CIS Storage Remediation_1.0.0</actionContent>
<actionDefinition>disablePubliclyAccessibleBucket</actionDefinition>
</content>
<invocations>
<invocation>
<property>
<key>actionName</key>
<value>disablePubliclyAccessibleBucket</value>
</property>
<property>
<key>actionDefinition</key>
<value>disablePubliclyAccessibleBucket</value>
</property>
<property>
<key>actionDisplayName</key>
<value>disablePubliclyAccessibleBucket</value>
</property>
<property>
<key>invocationId</key>
<value>UniqueinvocationId</value>
</property>
<property>
<key>incidentId</key>
<value>123</value>
</property>
<property>
<key>module</key>
<value>SINKS</value>
</property>
<property>
<key>function</key>
<value>disablePubliclyAccessibleBucket</value>
</property>
<property>
<key>Bucket</key>
<value>sdkautobucket</value>
</property>
</invocation>
</invocations>
</action>
</actions>
</body>
</additionalInfoPayload>


Callback XML after Change is created

<CallBackPayload>
 <header>
 <connectorId>fyFcsLmz5pmuqh2Hg3zD</connectorId>
 <source>itil-service</source>
 <requestId>c339b721-7fe0-4671-903f-ab70896cdd01</requestId>
 <callbackurl>/tickets/requests/c339b721-7fe0-4671-903f-ab70896cdd01/callback</callbackurl>
 <connectorcallbackurl>https://172.25.159.47:28080/workflow/callback</connectorcallbackurl>
 <requestType>CHANGE</requestType>
 <requestTime>0</requestTime>
 <responseTime>1546928851918</responseTime>
 <errorOccured>false</errorOccured>
 <message />
 </header>
 <body>
 <records>
 <record>
 <status>Scheduled For Approval</status>
 <urgency>3-Medium</urgency>
 <external_id>CRQ000000000910</external_id>
 <impact>3-Moderate/Limited</impact>
 <organization>Calbro Services</organization>
 <created_date>1546928839</created_date>
 <type>Change</type>
 <callback_identifiers>5246d91b-6ec0-4d06-8753-de087df9bc4b</callback_identifiers>
 </record>
 </records>
 </body>
 </CallBackPayload>


XML for Closing Change

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<additionalInfoPayload>
 <header>
 <connectorId>qeCEcEvBXfUkQ0m2zpEI</connectorId>
 <source>itil-service</source>
 <requestId>c42460b6-e6c6-4606-8ae0-0b4cb7647f02</requestId>
 <callbackurl>/itil_service/requests/c42460b6-e6c6-4606-8ae0-0b4cb7647f02/callback</callbackurl>
 <connectorcallbackurl>http://10.133.76.150:28080/workflow/callback</connectorcallbackurl>
 <requestType>close_change</requestType>
 <requestTime>1540887889207</requestTime>
 <responseTime>0</responseTime>
 <errorOccured>false</errorOccured>
 </header>
 <body>
 <records>
 <record>
 <external_id>external_id</external_id>
 <status>Success/Failure</status>
 <status_reason>Failure reason if any</status_reason>
 <callback_identifiers>invocationid</callback_identifiers>
 </record>
 </records>
 </body>
</additionalInfoPayload>

Performing next steps

To on-board an Orchestration connector, see Orchestration connector.

To create incidents for violations, see Managing notifications.

 
