OT Security Asset Import Data Map
Logic for mapping OT Security Assets to ServiceNow Configuration Items.
Asset import sequence:
- ServiceNow queries OT Security for assets.
- Data is attached to ServiceNow Job Chunk.
- Data is transformed into a format useable for ServiceNow Identification and Reconciliation Engine (IRE).
- Data is submitted to IRE which creates CIs in CMDB.
- OT Assets are created for certain CIs.
Data Transformation in ServiceNow
For each Asset imported from OT Security into ServiceNow, multiple records are created.
Main CI
A main CI record (cmdb_ci_incomplete_ip, cmdb_ci_unclassed_hardware, or cmdb_ci_computer) is created for every OT Security Asset imported into ServiceNow.
ServiceNow Field | Details (OT Security fields in bold) | CMDB Class |
---|---|---|
Class | | All classes |
Name | details.name | All classes |
Serial Number | details.serial | All classes |
Description | details.description | All classes |
Operating System | details.osNamel | All classes |
Backplane ID | details.backplane | All classes |
Backplane Name | details.backplane | All classes |
Firmware version | details.firmwareVersion | All classes |
Model number | details.modelName | All classes |
Discovery Source | “SG-TenableForAssets” | All classes |
IP Address | details.ips[0] | All classes |
Most recent discovery | details.lastSeen | All classes |
First discovered | details.firstSeen | All classes |
Vendor | details.vendor | All classes |
Manufacturer | details.vendor | All classes |
Tenable Asset Attributes | Reference to Tio CMDB Asset Attributes table with OT Security specific fields | All classes |
Child Network Adapter CIs
Related Network Adapter CI records (cmdb_ci_network_adapter) are created for OT Security Assets since there is no network interface information pulled from Tenable.
ServiceNow field | Details (OT Security fields in bold) |
---|---|
Class | “Network Adapter” |
Name | details.macs |
MAC Address | details.macs |
Configuration Item | Reference to Main CI |
Discovery Source | “SG-TenableForAssets” |
Child IP Address CIs
Related IP Address CI records (cmdb_ci_ip_address) are created for each IP address associated with a Main CI.
ServiceNow field | Details (OT Security fields in bold) |
---|---|
Class | “IP Address” |
Name | details.ips |
IP Address | details.ips |
IP Version | “4” |
Network Partition Identifier | details.extendedSegments.nodes[0].id |
Discovery Source | “SG-TenableForAssets” |
Tenable Asset Attributes Records
A Tenable Asset Attributes record (x_tsirm_tio_cmdb_asset_attributes) is created for every Main CI.
ServiceNow field | Details (OT Security fields in bold) |
---|---|
Hostname | Main CI name |
Connector | Reference to connector record |
Tenable Uniqueness | id |
Asset UUID | id |
Raw Data | Raw JSON Data |
Sources | “OT for” + Tenable App Name |
Source Native Key | id |
Attributes | Raw JSON Data in ServiceNow format |
Name | Connector.Name + ". " + id |
Related CI | Reference to Main CI |
OT Asset Records
An OT Asset record (cmdb_ot_entity) is created for every Main CI.
ServiceNow field | Details (OT Security fields in bold) |
---|---|
OT asset | Reference to Main CI |
OT asset type | Specific asset type |
OT discovery source ID | id |
Purdue level | details.purdueLevel |
Asset criticality | details.criticality |
OT discovery source name | “SG-TenableForAssets” |
CMDB Relationship Records
A CMDB Relationship record (cmdb_rel_ci) is created for every parent/child relationship between the Main CI and a Network Adapter CI or an IP Address CI.
ServiceNow field | Details |
---|---|
Parent | Reference to Main CI |
Child | Reference to Network Adapter or IP Address CI |
Type | “Owns::Owned by” |
Discovery Source Records
A Discovery Source record (sys_object_source) is created for every new CI created in ServiceNow with information about the source and the unique identifier of the CI.
ServiceNow field | Details |
---|---|
ID | id |
Last Scan | Date/time of last OT Security import |
Target Sys ID | Reference to Main CI |
Target Table | Table of Main CI |
Name | “SG-TenableForAssets” |
Source Feed | “Tenable” |
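The fan-out from one OT Security asset to a Main CI, child CIs, relationship rows and an OT Asset record can be sketched as follows. This is an added example in plain JavaScript, not code from the integration; `mapOtAsset`, `mainClass` and the sample asset are hypothetical, and `details.ips` / `details.macs` are assumed to be arrays.

```javascript
// Added example: models the record fan-out described in the tables above.
// Keys are the ServiceNow field labels shown on this page, not column names.
const SOURCE = "SG-TenableForAssets";

// Assumptions: details.ips and details.macs are arrays; mainClass is passed in
// because the page does not state how the main CI class is selected.
function mapOtAsset(asset, mainClass) {
  const d = asset.details || {};
  const ips = Array.isArray(d.ips) ? d.ips : [];
  const macs = Array.isArray(d.macs) ? d.macs : [];
  const segs = (d.extendedSegments && d.extendedSegments.nodes) || [];
  const mainRef = { table: mainClass, sourceId: asset.id };
  const main = {
    table: mainClass, "Name": d.name, "Serial Number": d.serial,
    "Firmware version": d.firmwareVersion, "Vendor": d.vendor,
    "Manufacturer": d.vendor, "Discovery Source": SOURCE,
    "IP Address": ips.length ? ips[0] : null, // details.ips[0]; null when absent
  };
  const adapters = macs.map((mac) => ({
    table: "cmdb_ci_network_adapter", "Name": mac, "MAC Address": mac,
    "Configuration Item": mainRef, "Discovery Source": SOURCE,
  }));
  const ipCis = ips.map((ip) => ({
    table: "cmdb_ci_ip_address", "Name": ip, "IP Address": ip, "IP Version": "4",
    "Network Partition Identifier": segs.length ? segs[0].id : null,
    "Discovery Source": SOURCE,
  }));
  // One cmdb_rel_ci row per child CI, always with the Main CI as parent.
  const relationships = adapters.concat(ipCis).map((child) => ({
    table: "cmdb_rel_ci", "Parent": mainRef,
    "Child": { table: child.table, name: child["Name"] }, "Type": "Owns::Owned by",
  }));
  const otAsset = {
    table: "cmdb_ot_entity", "OT asset": mainRef, "OT discovery source ID": asset.id,
    "Purdue level": d.purdueLevel, "Asset criticality": d.criticality,
    "OT discovery source name": SOURCE,
  };
  return { main, adapters, ipCis, relationships, otAsset };
}
// Constructed sample asset; every value is made up for illustration.
const SAMPLE_ASSET = {
  id: "00000000-0000-0000-0000-000000000001",
  details: {
    name: "PLC-LINE-1", serial: "SN-EXAMPLE", firmwareVersion: "1.0",
    vendor: "ExampleVendor", ips: ["192.0.2.10", "192.0.2.11"],
    macs: ["00:00:5e:00:53:01"], purdueLevel: "Level1", criticality: "High",
    extendedSegments: { nodes: [{ id: "seg-example-1" }] },
  },
};
```

Comparing the counts of child and relationship rows against the asset's `ips` and `macs` is a quick way to spot assets that reached the CMDB without any network identity.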
API Calls to OT Security
Input: first, after
Example:

```
{
  "operationName": "getAssets",
  "variables": {
    "first": chunkSize,
    "after": afterCursor,
    "sort": [ { "direction": "AscNullFirst", "field": "lastSeen" } ]
  },
  "query": "query getAssets($filter: AssetExpressionsParams, $search: String, $sort: [AssetSortParams!], $slowCount: Boolean, $after: String, $first: Int) { assets(filter: $filter sort: $sort search: $search slowCount: $slowCount after: $after first: $first) { pageInfo { ...pageInfo __typename } nodes { ...inventoryAsset __typename } count: totalCount __typename } } fragment pageInfo on PageInfo { startCursor endCursor hasNextPage hasPreviousPage __typename } fragment inventoryAsset on Asset { id superType type details segments { nodes { ...segmentName __typename } __typename } __typename } fragment segmentName on SegmentGroup { id name type assetType subnet systemName system isPredefinedName __typename}"
}
```
Output: Use GraphiQL Playground or review Asset object documentation for possible asset values.
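Chunked retrieval with the `first` and `after` variables follows the `pageInfo` cursor until `hasNextPage` is false. The loop below is an added example in plain JavaScript, not the integration's code; `fetchAllAssets`, `postGraphQL` (a caller-supplied synchronous transport) and `makeFakeApi` are hypothetical, and the endpoint and authentication are not shown on this page.

```javascript
// Added example: cursor pagination using the page's `first` / `after` inputs.
// postGraphQL(body) is a hypothetical transport that returns the parsed response.
function fetchAllAssets(postGraphQL, query, chunkSize, maxPages = 1000) {
  const assets = [];
  const seenCursors = new Set();
  let after = null; // null requests the first chunk
  for (let page = 0; page < maxPages; page++) {
    const res = postGraphQL({
      operationName: "getAssets",
      variables: { first: chunkSize, after: after,
        sort: [{ direction: "AscNullFirst", field: "lastSeen" }] },
      query: query,
    });
    if (res.errors && res.errors.length) {
      throw new Error("GraphQL error: " + res.errors[0].message);
    }
    const conn = res.data && res.data.assets;
    if (!conn || !Array.isArray(conn.nodes)) throw new Error("unexpected response shape");
    assets.push(...conn.nodes);
    const info = conn.pageInfo || {};
    if (!info.hasNextPage) return assets;
    after = info.endCursor;
    // A missing or repeated cursor would re-import the same chunk indefinitely.
    if (!after || seenCursors.has(after)) throw new Error("cursor did not advance");
    seenCursors.add(after);
  }
  throw new Error("maxPages exceeded before the last chunk");
}

// Constructed in-memory stand-in for the API: the cursor is the next index.
function makeFakeApi(total) {
  const calls = [];
  const post = (body) => {
    const v = body.variables;
    calls.push(v.after);
    const start = v.after ? Number(v.after) : 0;
    const end = Math.min(start + v.first, total);
    const nodes = [];
    for (let i = start; i < end; i++) nodes.push({ id: "asset-" + i });
    return { data: { assets: { nodes: nodes, count: total,
      pageInfo: { endCursor: String(end), hasNextPage: end < total } } } };
  };
  return { post: post, calls: calls };
}
```

Failing closed on a stalled cursor or a page limit keeps a misbehaving response from silently producing a partial or duplicated inventory.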