OT Security Asset Import Data Map
Logic for mapping OT Security Assets to ServiceNow Configuration Items.
Asset import sequence:
- ServiceNow queries OT Security for assets.
- Data is attached to ServiceNow Job Chunk.
- Data is transformed into a format usable by the ServiceNow Identification and Reconciliation Engine (IRE).
- Data is submitted to IRE, which creates CIs in CMDB.
- OT Assets are created for certain CIs.
Data Transformation in ServiceNow
For each Asset imported from OT Security into ServiceNow, multiple records are created.
Main CI
A main CI record (cmdb_ci_incomplete_ip, cmdb_ci_unclassed_hardware, or cmdb_ci_computer) is created for every OT Security Asset imported into ServiceNow.
ServiceNow Field | Details (OT Security fields in bold) | CMDB Class |
---|---|---|
Class | | All classes |
Name | details.name | All classes |
Serial Number | details.serial | All classes |
Description | details.description | All classes |
Operating System | details.os | All classes |
Backplane ID | details.backplane.id | All classes |
Backplane Name | details.backplane.name | All classes |
Firmware version | details.firmwareVersion | All classes |
Model number | details.modelName | All classes |
Discovery Source | “SG-TenableForAssets” | All classes |
IP Address | details.ips[0] | All classes |
Most recent discovery | details.lastSeen | All classes |
First discovered | details.firstSeen | All classes |
Vendor | details.vendor | All classes |
Manufacturer | details.vendor | All classes |
Tenable Asset Attributes | Reference to Tio CMDB Asset Attributes table with OT Security specific fields | All classes |
Child Network Adapter CIs
Related Network Adapter CI records (cmdb_ci_network_adapter) are created for OT Security Assets since there is no network interface information pulled from Tenable.
ServiceNow field | Details (OT Security fields in bold) |
---|---|
Class | “Network Adapter” |
Name | details.macs |
MAC Address | details.macs |
Configuration Item | Reference to Main CI |
Discovery Source | “SG-TenableForAssets” |
Child IP Address CIs
Related IP Address CI records (cmdb_ci_ip_address) are created for each IP address associated with a Main CI.
ServiceNow field | Details (OT Security fields in bold) |
---|---|
Class | “IP Address” |
Name | details.ips |
IP Address | details.ips |
IP Version | “4” |
Network Partition Identifier | details.extendedSegments.nodes[0].id |
Discovery Source | “SG-TenableForAssets” |
Tenable Asset Attributes Records
A Tenable Asset Attributes record (x_tsirm_tio_cmdb_asset_attributes) is created for every Main CI.
ServiceNow field | Details (OT Security fields in bold) |
---|---|
Hostname | Main CI name |
Connector | Reference to connector record |
Tenable Uniqueness | id |
Asset UUID | id |
Raw Data | Raw JSON Data |
Sources | “OT for” + Tenable App Name |
Source Native Key | id |
Attributes | Raw JSON Data in ServiceNow format |
Name | Connector.Name + ". " + id |
Related CI | Reference to Main CI |
OT Asset Records
An OT Asset record (cmdb_ot_entity) is created for every Main CI.
ServiceNow field | Details (OT Security fields in bold) |
---|---|
OT asset | Reference to Main CI |
OT asset type | Specific asset type |
OT discovery source ID | id |
Purdue level | details.purdueLevel |
Asset criticality | details.criticality |
OT discovery source name | “SG-TenableForAssets” |
CMDB Relationship Records
A CMDB Relationship record (cmdb_rel_ci) is created for every parent/child relationship between the Main CI and a Network Adapter CI or an IP Address CI.
ServiceNow field | Details |
---|---|
Parent | Reference to Main CI |
Child | Reference to Network Adapter or IP Address CI |
Type | “Owns::Owned by” |
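The following JavaScript is an added example, not code from the Tenable application or ServiceNow. It builds an IRE-style payload (items plus relations) from one constructed OT Security asset, following the Main CI, Network Adapter, IP Address and CMDB Relationship tables above. The function name, the mainClass parameter, the de-duplication step and the ServiceNow column names are assumptions: the page gives only field labels and does not say how the main class is chosen.

```javascript
// Added example; not code from the Tenable application or ServiceNow.
const SOURCE = "SG-TenableForAssets";

// Drop empty values and duplicates so each address yields one child CI (assumed policy).
const uniq = (list) => [...new Set((list || []).filter(Boolean))];

// mainClass is supplied by the caller. Column names are assumed from the field labels.
function buildIrePayload(asset, mainClass) {
  const d = asset.details || {};
  const segmentId = d.extendedSegments?.nodes?.[0]?.id;
  const items = [{
    className: mainClass,
    values: {
      name: d.name,
      serial_number: d.serial,
      ip_address: d.ips?.[0],
      first_discovered: d.firstSeen, last_discovered: d.lastSeen,
      discovery_source: SOURCE,
    },
  }];
  const relations = [];
  // Children refer to the Main CI by its index (0) in items.
  const addChild = (className, values) => {
    items.push({ className, values: { ...values, discovery_source: SOURCE } });
    relations.push({ parent: 0, child: items.length - 1, type: "Owns::Owned by" });
  };
  for (const mac of uniq(d.macs)) {
    addChild("cmdb_ci_network_adapter", { name: mac, mac_address: mac });
  }
  for (const ip of uniq(d.ips)) {
    addChild("cmdb_ci_ip_address", {
      name: ip, ip_address: ip, ip_version: "4",
      network_partition_identifier: segmentId, // assumed column name
    });
  }
  return { items, relations };
}

// Constructed sample asset (documentation address ranges, not real data).
const sampleAsset = {
  id: "constructed-asset-id",
  details: {
    name: "plc-line-1", serial: "SN-0001",
    ips: ["192.0.2.10", "192.0.2.11"],
    macs: ["00:00:5e:00:53:01", "00:00:5e:00:53:01"],
    extendedSegments: { nodes: [{ id: "constructed-segment-id" }] },
  },
};
console.log(JSON.stringify(buildIrePayload(sampleAsset, "cmdb_ci_unclassed_hardware"), null, 2));
```

The duplicated MAC in the sample produces a single Network Adapter item, and every child carries one "Owns::Owned by" relation back to item 0.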
Discovery Source Records
A Discovery Source record (sys_object_source) is created for every new CI created in ServiceNow with information about the source and the unique identifier of the CI.
ServiceNow field | Details |
---|---|
ID | id |
Last Scan | Date/time of last OT Security import |
Target Sys ID | Reference to Main CI |
Target Table | Table of Main CI |
Name | “SG-TenableForAssets” |
Source Feed | “Tenable” |
Importing Backplane Information
PLC CIs display ownership information.
Backplane CIs display information about the asset that owns them.
Note: If a Tenable asset is imported with backplane information but no parent is found on that same backplane, a fake OT Control System CI is created using the backplane ID as the unique identifier. Its name should be based on the backplane. The generic parent is created so the integration can create the OT Control Module children successfully.
Note: If a Communication Module asset is imported with no backplane information, it is created as a Network Gear CI. If an I/O Module asset is imported with no backplane information, it is created as an Industrial Sensor CI.
API Calls to OT Security
Input: first, after
Example:
{
  "operationName": "getAssets",
  "variables": {
    "first": chunkSize,
    "after": afterCursor,
    "sort": [ { "direction": "AscNullFirst", "field": "lastSeen" } ]
  },
  "query": "query getAssets($filter: AssetExpressionsParams, $search: String, $sort: [AssetSortParams!], $slowCount: Boolean, $after: String, $first: Int) { assets(filter: $filter sort: $sort search: $search slowCount: $slowCount after: $after first: $first) { pageInfo { ...pageInfo __typename } nodes { ...inventoryAsset __typename } count: totalCount __typename } } fragment pageInfo on PageInfo { startCursor endCursor hasNextPage hasPreviousPage __typename } fragment inventoryAsset on Asset { id superType type details segments { nodes { ...segmentName __typename } __typename } __typename } fragment segmentName on SegmentGroup { id name type assetType subnet systemName system isPredefinedName __typename}"
}
Output: Use GraphiQL Playground or review Asset object documentation for possible asset values.
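An added example, not code from the Tenable application: a cursor-pagination loop for the getAssets request above, which passes each response's pageInfo.endCursor back as after until hasNextPage is false and aborts if the cursor fails to advance. The send transport, fetchAllAssets, fakeSend, the trimmed query and the use of null for the first page are assumptions; the sample pages are constructed.

```javascript
// Added example; not code from the Tenable application.
// Trimmed form of the page's getAssets query: same variable types, fewer fields.
const ASSETS_QUERY = `query getAssets($sort: [AssetSortParams!], $after: String, $first: Int) {
  assets(sort: $sort, after: $after, first: $first) {
    pageInfo { endCursor hasNextPage }
    nodes { id superType type details }
  }
}`;

// send(body) is a hypothetical synchronous transport: it posts the body to the
// OT Security GraphQL endpoint and returns the parsed JSON response.
function fetchAllAssets(send, chunkSize, maxPages = 10000) {
  const assets = [];
  let after = null; // assumed: null requests the first page
  for (let page = 0; page < maxPages; page++) {
    const res = send({
      operationName: "getAssets",
      variables: { first: chunkSize, after, sort: [{ direction: "AscNullFirst", field: "lastSeen" }] },
      query: ASSETS_QUERY,
    });
    if (res.errors && res.errors.length) throw new Error("GraphQL error: " + res.errors[0].message);
    const { nodes, pageInfo } = res.data.assets;
    assets.push(...nodes);
    if (!pageInfo.hasNextPage) return assets;
    // A missing or repeated cursor would loop forever; fail the import instead.
    if (!pageInfo.endCursor || pageInfo.endCursor === after) throw new Error("cursor did not advance");
    after = pageInfo.endCursor;
  }
  throw new Error("page limit reached before the last page");
}

// Constructed stand-in for the server: serves `all` in pages, cursor = next offset.
function fakeSend(all) {
  return ({ variables: { first, after } }) => {
    const start = after ? Number(after) : 0;
    const end = Math.min(start + first, all.length);
    return { data: { assets: {
      nodes: all.slice(start, end),
      pageInfo: { endCursor: String(end), hasNextPage: end < all.length },
    } } };
  };
}

// Constructed sample inventory of five assets, fetched two per request.
const sampleInventory = ["a1", "a2", "a3", "a4", "a5"].map((id) => ({ id, details: {} }));
console.log(fetchAllAssets(fakeSend(sampleInventory), 2).map((a) => a.id));
```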