Version Details
The integration has been tested with the product versions below.
9.1 sp5 (9.1.05), 19.08.01, 20.02
Pre-requisites for Incident
Port number 28080 must be open on the host where the TSO connector is running. This port is used by TrueSight Orchestration to communicate with the connector.
BMC Helix Cloud Security provides a sample run book for creating incidents, which requires the modules and adapters listed below.
The following out-of-the-box modules, available in the TSO content installer, are necessary to use the sample run book:
AutoPilot-OA-Common_Utilities
AutoPilot-OA-Incident_Management
Pre-requisites for Change
Port number 28080 must be open on the host where the TSO connector is running. This port is used by TrueSight Orchestration to communicate with the connector.
BMC Helix Cloud Security provides a sample run book for creating a change, which requires the modules and adapters listed below.
The following out-of-the-box modules, available in the TSO content installer, are necessary to use the sample run book:
AutoPilot-OA-Change_Management
AutoPilot-OA-Task_Management
The adapters required for Change and Incident Management, available in the TSO content installer, are as follows:
HTTP Adapter (ro-adapter-http)
ARS Adapter (ro-adapter-remedy-actor)
Remedy Monitor (ro-adapter-remedy-monitor)
ITSM Template for Incident
The TSCS template must be present on ITSM. Users must import this Incident Template directly into ITSM using the Data Management Module. The user also needs to update the data in the attached Excel sheet and import it using the Job Console in the Data Management Module. Alternatively, the user can create the template manually in ITSM instead of using the Data Management Module.
To download the Excel sheet that the user must import into ITSM, click here.
Configuring the sample workflow for Remedy integration
TSCS provides a sample workflow to showcase how incidents are created from the cloud security portal for single or multiple violations. The workflow uses the following request parameters to create incidents.
An enumeration that allows incidents to be created grouped by the following list: violation, resource, policy, resourceType.
An array of rule violations, as a JSON/XML object.
Click here to download the sample workflow for incident management.
Construct workflows so that their business logic can receive the input XML with data on violations and, after incident creation, send a callback XML with the ITSM incidents to the ITIL service.
XML for creating Incident
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<additionalInfoPayload>
<header>
<connectorId>uLmh2QXvZwmHtcfJEUkI</connectorId>
<source>itil-service</source>
<requestId>cc01dcbb-a9c2-43b6-b385-e5938b4cda2e</requestId>
<callbackurl>/tickets/requests/cc01dcbb-a9c2-43b6-b385-e5938b4cda2e/callback</callbackurl>
<connectorcallbackurl>http://10.133.146.79:48080/workflow/callback</connectorcallbackurl>
<requestType>create_incident</requestType>
<requestTime>0</requestTime>
<responseTime>0</responseTime>
<errorOccured>false</errorOccured>
</header>
<body>
<ruleResults>
<ruleResult>
<orgId>65157176315077369399</orgId>
<complianceStatus>NonCompliant</complianceStatus>
<policyId>AWS CIS IAM Credentials</policyId>
<resourceId>GOV AWS Cloud:896852662668:arn:aws-us-gov:iam::896852662668:user/awagh</resourceId>
<resourceName>arn:aws-us-gov:iam::896852662668:user/awagh</resourceName>
<ruleGroupId>1</ruleGroupId>
<ruleGroupName>1 Identity and Access Management</ruleGroupName>
<ruleId>6</ruleId>
<ruleName>1.16 Ensure IAM policies are attached only to groups or roles</ruleName>
<userGroupId>collector</userGroupId>
<userId>U9Dw7r7rhKKs8ehbExGm</userId>
<origin>GOV AWS Cloud:896852662668</origin>
<resourceType>IAM Credentials</resourceType>
<severity>9</severity>
<connectorName>GOV AWS Cloud</connectorName>
<ruleReferenceId>CCE-78912-3</ruleReferenceId>
<tags>
<tag>
<tagDefinition>default-tag-definition</tagDefinition>
<value>896852662668</value>
</tag>
</tags>
<id>ABCXYZ</id>
<additionalProperties />
</ruleResult>
</ruleResults>
</body>
</additionalInfoPayload>
Callback XML after Incident is created
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<additionalInfoPayload>
<header>
<connectorId>uLmh2QXvZwmHtcfJEUkI</connectorId>
<source>itil-service</source>
<requestId>cc01dcbb-a9c2-43b6-b385-e5938b4cda2e</requestId>
<callbackurl>/tickets/requests/cc01dcbb-a9c2-43b6-b385-e5938b4cda2e/callback</callbackurl>
<connectorcallbackurl>http://10.133.146.79:48080/workflow/callback</connectorcallbackurl>
<requestType>create_incident</requestType>
<requestTime>0</requestTime>
<responseTime>0</responseTime>
<errorOccured>false</errorOccured>
</header>
<body>
<ruleResults>
<ruleResult>
<orgId>65157176315077369399</orgId>
<complianceStatus>NonCompliant</complianceStatus>
<policyId>AWS CIS IAM Credentials</policyId>
<resourceId>GOV AWS Cloud:896852662668:arn:aws-us-gov:iam::896852662668:user/awagh</resourceId>
<resourceName>arn:aws-us-gov:iam::896852662668:user/awagh</resourceName>
<ruleGroupId>1</ruleGroupId>
<ruleGroupName>1 Identity and Access Management</ruleGroupName>
<ruleId>6</ruleId>
<ruleName>1.16 Ensure IAM policies are attached only to groups or roles</ruleName>
<userGroupId>collector</userGroupId>
<userId>U9Dw7r7rhKKs8ehbExGm</userId>
<origin>GOV AWS Cloud:896852662668</origin>
<resourceType>IAM Credentials</resourceType>
<severity>9</severity>
<connectorName>GOV AWS Cloud</connectorName>
<ruleReferenceId>CCE-78912-3</ruleReferenceId>
<tags>
<tag>
<tagDefinition>default-tag-definition</tagDefinition>
<value>896852662668</value>
</tag>
</tags>
<id>ABCXYZ</id>
<additionalProperties />
</ruleResult>
</ruleResults>
</body>
</additionalInfoPayload>
The workflow needs to be uploaded and activated on the grid in TSO. Workflows must adhere strictly to the XML formats.
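The following added example (not BMC's workflow code) shows how the receiving side of a workflow can check an incoming incident payload before acting on it: it refuses DTD and entity declarations, rejects malformed XML, validates the header, and groups violations by the four grouping options. The function names, the mapping from grouping option to element, and the rule that `callbackurl` must end with the same `requestId` are assumptions drawn from the samples above.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Request types seen in this page's samples; the grouping-to-element mapping is assumed.
KNOWN_REQUEST_TYPES = {"create_incident", "close_change", "CHANGE"}
GROUP_KEYS = {"violation": "id", "resource": "resourceId", "policy": "policyId", "resourceType": "resourceType"}

# Constructed sample, trimmed from the incident request format shown above.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<additionalInfoPayload><header><requestType>create_incident</requestType>
<requestId>cc01dcbb-a9c2-43b6-b385-e5938b4cda2e</requestId>
<callbackurl>/tickets/requests/cc01dcbb-a9c2-43b6-b385-e5938b4cda2e/callback</callbackurl></header><body><ruleResults>
<ruleResult><policyId>Policy A</policyId><resourceType>IAM Credentials</resourceType><id>V1</id></ruleResult>
<ruleResult><policyId>Policy A</policyId><resourceType>GCP Buckets</resourceType><id>V2</id></ruleResult>
</ruleResults></body></additionalInfoPayload>"""

def parse_payload(raw: bytes) -> ET.Element:
    """Decode as UTF-8, refuse DTD/entity declarations, parse, check the root."""
    text = raw.decode("utf-8")  # UnicodeDecodeError is itself a ValueError
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.IGNORECASE):
        raise ValueError("DTD or entity declaration not allowed")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag != "additionalInfoPayload":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return root

def check_header(root: ET.Element) -> dict:
    """Validate the header fields a workflow acts on; return them as a dict."""
    fields = {el.tag: (el.text or "").strip() for el in root.iterfind("header/*")}
    request_id = fields.get("requestId", "")
    if not re.fullmatch(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", request_id):
        raise ValueError("requestId is not a UUID")
    if fields.get("requestType") not in KNOWN_REQUEST_TYPES:
        raise ValueError("unknown requestType")
    # Assumption from the samples: callbackurl ends with the same requestId.
    if not fields.get("callbackurl", "").endswith(f"/requests/{request_id}/callback"):
        raise ValueError("callbackurl does not match requestId")
    return fields

def group_violations(root: ET.Element, group_by: str) -> dict:
    """Group ruleResult ids by violation, resource, policy or resourceType."""
    groups = defaultdict(list)
    for rr in root.iterfind("body/ruleResults/ruleResult"):
        groups[rr.findtext(GROUP_KEYS[group_by], "")].append(rr.findtext("id", ""))
    return dict(groups)
```

A payload with an unclosed element, such as a `connectorcallbackurl` without its closing tag, fails in `parse_payload` with "malformed XML" rather than reaching the incident-creation step.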
ITSM Templates for Change Management
ITSM Task Template
The TSCS template must be present on ITSM. Users must import this Task Template directly into ITSM using the Data Management Module. The user also needs to update the data in the attached Excel sheet and import it using the Job Console in the Data Management Module. Alternatively, the user can create the template manually in ITSM instead of using the Data Management Module.
To download the Excel sheet that the user must import into ITSM, click here.
ITSM Change Template
The TSCS template must be present on ITSM. Users must import this Change Template directly into ITSM using the Data Management Module. The user also needs to update the data in the attached Excel sheet and import it using the Job Console in the Data Management Module. Alternatively, the user can create the template manually in ITSM instead of using the Data Management Module.
To download the Excel sheet that the user must import into ITSM, click here.
Once the Change Template and Task Template are created in ITSM, assign the Task Template to the Change Template.
ITSM Filter
The filter needs to be added in ITSM. Install the D2P package to import the filter.
To download the D2P package, click here.
For the steps to install the D2P package, click here.
The D2P package creates a user "cloudopsuser", which is added to the filter by default. The D2P package also creates a form, CloudOps:Configuration. To configure a user other than cloudopsuser, first disable cloudopsuser. After disabling it, add and enable the ITSM user in the CloudOps:Configuration form.
Enabling Alerts on ITSM
Alerts are enabled on ITSM by default. If alerts are disabled on your Remedy system, enable them on the AR system.
The documentation for enabling alerts on the AR system is available at:
https://docs.bmc.com/docs/ars91/en/configuring-a-server-for-alerts-609073786.html
Click here to download the sample workflow for Change management.
The workflow supports the out-of-the-box process flow for change management. Construct workflows so that their business logic can receive the input XML with data on the change and, after change creation, send a callback XML with the ITSM change to the ITIL service.
XML for Creating change
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<additionalInfoPayload>
<header>
<connectorId>qeCEcEvBXfUkQ0m2zpEI</connectorId>
<source>itil-service</source>
<requestId>c42460b6-e6c6-4606-8ae0-0b4cb7647f02</requestId>
<callbackurl>/itil_service/requests/c42460b6-e6c6-4606-8ae0-0b4cb7647f02/callback</callbackurl>
<connectorcallbackurl>https://172.29.156.116:28080/workflow/callback</connectorcallbackurl>
<requestType>create_incident</requestType>
<requestTime>1540887889207</requestTime>
<responseTime>0</responseTime>
<errorOccured>false</errorOccured>
</header>
<body>
<actions>
<action>
<context>
<connectorId>KGbRjtf7JLVgePztEgtM</connectorId>
<policyId>CIS Google Cloud Platform Foundation Benchmark - Storage</policyId>
<resourceId>GCP Connector-1013536615:neat-element-200309:sdkautobucket</resourceId>
<result>
<orgId>70359032252833983412</orgId>
<complianceStatus>NonCompliant</complianceStatus>
<policyId>CIS Google Cloud Platform Foundation Benchmark - Storage</policyId>
<resourceId>GCP Connector-1013536615:neat-element-200309:sdkautobucket</resourceId>
<resourceName>sdkautobucket</resourceName>
<resultTimeStamp>1540791531847</resultTimeStamp>
<ruleGroupId>2</ruleGroupId>
<ruleGroupName>5 - Storage</ruleGroupName>
<ruleId>2</ruleId>
<ruleName>5.2 Ensure that Cloud Storage bucket is not anonymously and/or publicly accessible</ruleName>
<userGroupId>collector</userGroupId>
<userId>KGbRjtf7JLVgePztEgtM</userId>
<origin>GCP Connector-1013536615:neat-element-200309</origin>
<resourceType>GCP Buckets</resourceType>
<severity>1</severity>
<connectorName>GCP Connector-1013536615</connectorName>
<lastStatusChangeTime>1540791531847</lastStatusChangeTime>
<tags>
<tag>
<key>projectNumber</key>
<tagDefinition>default-tag-definition</tagDefinition>
<value>17604022803</value>
</tag>
<tag>
<key>projectName</key>
<tagDefinition>default-tag-definition</tagDefinition>
<value>My First Project</value>
</tag>
</tags>
<id>70359032252833983412_CIS_Google_Cloud_Platform_Foundation_Benchmark_-_Storage_GCP_Connector-1013536615:neat-element-200309:sdkautobucket_2</id>
<additionalProperties />
</result>
<ruleId>2</ruleId>
<ruleName>5.2 Ensure that Cloud Storage bucket is not anonymously and/or publicly accessible</ruleName>
</context>
<content>
<action>disablePubliclyAccessibleBucket</action>
<actionContent>GCP Connector-1013536615:Google Cloud CIS Storage Remediation_1.0.0</actionContent>
<actionDefinition>disablePubliclyAccessibleBucket</actionDefinition>
</content>
<invocations>
<invocation>
<property>
<key>actionName</key>
<value>disablePubliclyAccessibleBucket</value>
</property>
<property>
<key>actionDefinition</key>
<value>disablePubliclyAccessibleBucket</value>
</property>
<property>
<key>actionDisplayName</key>
<value>disablePubliclyAccessibleBucket</value>
</property>
<property>
<key>invocationId</key>
<value>UniqueinvocationId</value>
</property>
<property>
<key>incidentId</key>
<value>123</value>
</property>
<property>
<key>module</key>
<value>SINKS</value>
</property>
<property>
<key>function</key>
<value>disablePubliclyAccessibleBucket</value>
</property>
<property>
<key>Bucket</key>
<value>sdkautobucket</value>
</property>
</invocation>
</invocations>
</action>
</actions>
</body>
</additionalInfoPayload>
Callback XML after Change is created
<CallBackPayload>
<header>
<connectorId>fyFcsLmz5pmuqh2Hg3zD</connectorId>
<source>itil-service</source>
<requestId>c339b721-7fe0-4671-903f-ab70896cdd01</requestId>
<callbackurl>/tickets/requests/c339b721-7fe0-4671-903f-ab70896cdd01/callback</callbackurl>
<connectorcallbackurl>https://172.25.159.47:28080/workflow/callback</connectorcallbackurl>
<requestType>CHANGE</requestType>
<requestTime>0</requestTime>
<responseTime>1546928851918</responseTime>
<errorOccured>false</errorOccured>
<message />
</header>
<body>
<records>
<record>
<status>Scheduled For Approval</status>
<urgency>3-Medium</urgency>
<external_id>CRQ000000000910</external_id>
<impact>3-Moderate/Limited</impact>
<organization>Calbro Services</organization>
<created_date>1546928839</created_date>
<type>Change</type>
<callback_identifiers>5246d91b-6ec0-4d06-8753-de087df9bc4b</callback_identifiers>
</record>
</records>
</body>
</CallBackPayload>
XML for Closing Change
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<additionalInfoPayload>
<header>
<connectorId>qeCEcEvBXfUkQ0m2zpEI</connectorId>
<source>itil-service</source>
<requestId>c42460b6-e6c6-4606-8ae0-0b4cb7647f02</requestId>
<callbackurl>/itil_service/requests/c42460b6-e6c6-4606-8ae0-0b4cb7647f02/callback</callbackurl>
<connectorcallbackurl>http://10.133.76.150:28080/workflow/callback</connectorcallbackurl>
<requestType>close_change</requestType>
<requestTime>1540887889207</requestTime>
<responseTime>0</responseTime>
<errorOccured>false</errorOccured>
</header>
<body>
<records>
<record>
<external_id>external_id</external_id>
<status>Success/Failure</status>
<status_reason>Failure reason if any</status_reason>
<callback_identifiers>invocationid</callback_identifiers>
</record>
</records>
</body>
</additionalInfoPayload>
To on-board an Orchestration connector, see Orchestration connector.
To create incidents for violations, see Managing notifications.