This script is meant as proof-of-concept code for taking in Stealthwatch Cloud webhook events to create ServiceNow incidents.
In the app.py file you'll need to provide three configuration items for ServiceNow:
- Username (SNOW_USERNAME)
- Password (SNOW_PASSWORD)
- Tenant (SNOW_TENANT)
This script was built using the AWS Chalice micro-framework.
The easiest way to get this off the ground is by doing the following from the base project directory:
    python3 -m venv venv
    source venv/bin/activate
    cd SWC-Webhook
    pip install -r requirements.txt
    chalice deploy
This will deploy the AWS Lambda function and give you a REST API URL like the following:
    https://abc123.execute-api.us-east-1.amazonaws.com/api/
Stealthwatch Cloud will need to be provided with that URL.
In Stealthwatch Cloud, follow the steps below to finish configuration.
- In the SWC web interface, click on the gear/cog icon in the upper right-hand corner, then select Services/Webhooks.
- In the left-hand menu, select Webhooks.
- In the HTTP/HTTPS URL field, enter your Lambda function's REST API URL.
- Make sure the Output Format field is set to JSON.
- Click Add.
This should send a test event to your Lambda function and create an event in ServiceNow.
NOTE: If the webhook fails, you can click on the "Recent Deliveries" entry in the Stealthwatch Cloud UI to see the request and response, and even re-send the webhook. It often takes a few minutes for the Lambda function to fully initialize.
Future events will perform the same task, but will populate the ServiceNow incident with real event data.
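
The webhook-to-incident step described above, as an added sketch that is not the project's app.py. It assumes the three SNOW_* items are supplied as environment variables, that SNOW_TENANT is the instance name in https://<tenant>.service-now.com, and that the webhook body has a "description" field (a hypothetical field name); the incident is created through the ServiceNow Table API.

```python
import base64
import json
import os
import re
import urllib.request

# The SNOW_* names are the README's configuration items; reading them from the
# environment rather than editing app.py is an assumption of this example.
TENANT_RE = re.compile(r"^[A-Za-z0-9-]+$")


def build_incident_request(event, env=os.environ):
    """Turn one webhook JSON body (a dict) into a ServiceNow Table API request."""
    tenant = env["SNOW_TENANT"]
    if not TENANT_RE.match(tenant):
        # The tenant becomes part of the hostname, so anything other than a
        # bare instance name could send the credentials to another host.
        raise ValueError("SNOW_TENANT must be a bare instance name")
    if not isinstance(event, dict):
        raise ValueError("webhook body must be a JSON object")
    # "description" is a hypothetical field name; a test delivery may not carry
    # it, so fall back to fixed text instead of failing.
    summary = str(event.get("description") or "Stealthwatch Cloud webhook event")
    incident = {
        "short_description": summary[:160],  # trimmed; full event goes below
        "description": json.dumps(event, indent=2, sort_keys=True),
    }
    creds = f"{env['SNOW_USERNAME']}:{env['SNOW_PASSWORD']}".encode()
    return urllib.request.Request(
        url=f"https://{tenant}.service-now.com/api/now/table/incident",
        data=json.dumps(incident).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
        },
    )


def create_incident(event):
    """Send the request; urlopen raises HTTPError on a non-2xx reply."""
    with urllib.request.urlopen(build_incident_request(event), timeout=10) as resp:
        return json.load(resp)["result"]["number"]
```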