Available Data OT Security

OT Security Asset Import Data Map

Logic for mapping OT Security Assets to ServiceNow Configuration Items.

Asset import sequence:

  1. ServiceNow queries OT Security for assets.
  2. Data is attached to a ServiceNow Job Chunk.
  3. Data is transformed into a format usable by the ServiceNow Identification and Reconciliation Engine (IRE).
  4. Data is submitted to IRE, which creates CIs in the CMDB.
  5. OT Assets are created for certain CIs.

Data Transformation in ServiceNow

For each Asset imported from OT Security into ServiceNow, multiple records are created.

Main CI

A main CI record (cmdb_ci_incomplete_ip, cmdb_ci_unclassed_hardware, or cmdb_ci_computer) is created for every OT Security Asset imported into ServiceNow.

| ServiceNow Field | Details (OT Security fields in bold) | CMDB Class |
|---|---|---|
| Class | 1. “Operational Technology (OT)”; 2. Specific OT Class, if there is a known ServiceNow CI class map for that OT Security type | All classes |
| Name | details.name | All classes |
| Serial Number | details.serial | All classes |
| Description | details.description | All classes |
| Operating System | details.os | All classes |
| Backplane ID | details.backplane.id | All classes |
| Backplane Name | details.backplane.name | All classes |
| Firmware version | details.firmwareVersion | All classes |
| Model number | details.modelName | All classes |
| Discovery Source | “SG-TenableForAssets” | All classes |
| IP Address | details.ips[0] | All classes |
| Most recent discovery | details.lastSeen | All classes |
| First discovered | details.firstSeen | All classes |
| Vendor | details.vendor | All classes |
| Manufacturer | details.vendor | All classes |
| Tenable Asset Attributes | Reference to Tio CMDB Asset Attributes table with OT Security specific fields | All classes |

Child Network Adapter CIs

Related Network Adapter CI records (cmdb_ci_network_adapter) are created for OT Security Assets since there is no network interface information pulled from Tenable.

| ServiceNow field | Details (OT Security fields in bold) |
|---|---|
| Class | “Network Adapter” |
| Name | details.macs |
| MAC Address | details.macs |
| Configuration Item | Reference to Main CI |
| Discovery Source | “SG-TenableForAssets” |

Child IP Address CIs

Related IP Address CI records (cmdb_ci_ip_address) are created for each IP address associated with a Main CI.

| ServiceNow field | Details (OT Security fields in bold) |
|---|---|
| Class | “IP Address” |
| Name | details.ips |
| IP Address | details.ips |
| IP Version | “4” |
| Network Partition Identifier | details.extendedSegments.nodes[0].id |
| Discovery Source | “SG-TenableForAssets” |

Tenable Asset Attributes Records

A Tenable Asset Attributes record (x_tsirm_tio_cmdb_asset_attributes) is created for every Main CI.

| ServiceNow field | Details (OT Security fields in bold) |
|---|---|
| Hostname | Main CI name |
| Connector | Reference to connector record |
| Tenable Uniqueness | id |
| Asset UUID | id |
| Raw Data | Raw JSON Data |
| Sources | “OT for” + Tenable App Name |
| Source Native Key | id |
| Attributes | Raw JSON Data in ServiceNow format |
| Name | Connector.Name + ". " + id |
| Related CI | Reference to Main CI |

OT Asset Records

An OT Asset record (cmdb_ot_entity) is created for every Main CI.

| ServiceNow field | Details (OT Security fields in bold) |
|---|---|
| OT asset | Reference to Main CI |
| OT asset type | Specific asset type, if there is a known ServiceNow OT asset type map for that OT Security type |
| OT discovery source ID | id |
| Purdue level | details.purdueLevel |
| Asset criticality | details.criticality |
| OT discovery source name | “SG-TenableForAssets” |

CMDB Relationship Records

A CMDB Relationship record (cmdb_rel_ci) is created for every parent/child relationship between the Main CI and a Network Adapter CI or an IP Address CI.

| ServiceNow field | Details |
|---|---|
| Parent | Reference to Main CI |
| Child | Reference to Network Adapter or IP Address CI |
| Type | “Owns::Owned by” |
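
The Main CI, child CI and relationship mappings above, as an added example (not the integration's own code): one asset becomes a Main CI plus adapter and IP items linked by "Owns::Owned by" relations, in the items/relations layout that IRE payloads use. Assumptions: `toIrePayload` and the sample asset are hypothetical, values are keyed by the table labels rather than ServiceNow column names, and one adapter is emitted per entry in details.macs.

```javascript
// Added example, not the integration's own code. Keys under `values` are the
// field labels from the tables above, not ServiceNow column names.
const SOURCE = 'SG-TenableForAssets';

// Map one OT Security asset to an items/relations payload: the Main CI at
// index 0, then one child per MAC and per IP, each owned by the Main CI.
function toIrePayload(asset, mainClass) {
  const d = asset.details || {};
  const list = (v) => (Array.isArray(v) ? v.filter(Boolean) : []);
  const ips = list(d.ips);
  const macs = list(d.macs);
  const segments = list(d.extendedSegments && d.extendedSegments.nodes);
  const backplane = d.backplane || {};
  const items = [{
    className: mainClass,
    values: {
      'Name': d.name, 'Serial Number': d.serial, 'Description': d.description,
      'Operating System': d.os, 'Backplane ID': backplane.id,
      'Backplane Name': backplane.name, 'Firmware version': d.firmwareVersion,
      'Model number': d.modelName, 'Discovery Source': SOURCE,
      'IP Address': ips[0], // undefined when the asset reports no IP
      'Most recent discovery': d.lastSeen, 'First discovered': d.firstSeen,
      'Vendor': d.vendor, 'Manufacturer': d.vendor,
    },
  }];
  const relations = [];
  const addChild = (className, values) => {
    relations.push({ parent: 0, child: items.length, type: 'Owns::Owned by' });
    items.push({ className, values: { ...values, 'Discovery Source': SOURCE } });
  };
  macs.forEach((mac) => addChild('cmdb_ci_network_adapter',
    { 'Name': mac, 'MAC Address': mac }));
  ips.forEach((ip) => addChild('cmdb_ci_ip_address', {
    'Name': ip, 'IP Address': ip, 'IP Version': '4',
    'Network Partition Identifier': segments.length ? segments[0].id : undefined,
  }));
  return { items, relations };
}

// Constructed sample asset (documentation-range addresses, made-up values).
const SAMPLE_ASSET = {
  id: '00000000-0000-0000-0000-000000000001',
  details: {
    name: 'PLC-7', serial: 'SN123', vendor: 'ExampleVendor',
    ips: ['192.0.2.10', '192.0.2.11'], macs: ['00:00:5E:00:53:01'],
    extendedSegments: { nodes: [{ id: 'seg-1' }] },
  },
};
```

An asset with no IPs or MACs yields only the Main CI and no relations, so a downstream check for an empty IP Address on the Main CI is worth having.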

Discovery Source Records

A Discovery Source record (sys_object_source) is created for every new CI created in ServiceNow with information about the source and the unique identifier of the CI.

| ServiceNow field | Details |
|---|---|
| ID | id |
| Last Scan | Date/time of last OT Security import |
| Target Sys ID | Reference to Main CI |
| Target Table | Table of Main CI |
| Name | “SG-TenableForAssets” |
| Source Feed | “Tenable” |

Importing Backplane Information

PLC CIs display ownership information, as shown in the following image:

Backplane CIs display information about the asset that owns them, as shown in the following image:

Note: If importing a Tenable asset with backplane information, but no parent is found on that same backplane, create a fake OT Control System CI using the backplane ID as the unique identifier. The name should be based on the backplane. The generic parent is created so the integration can create the OT Control Module children successfully.

Note: If importing a Communication Module asset and there is no backplane information, create it as a Network Gear CI. If importing an I/O Module asset and there is no backplane information, create it as an Industrial Sensor CI.

API Calls to OT Security

Query Assets

Input: first, after

  • Example:

    {
      "operationName": "getAssets",
      "variables": {
        "first": chunkSize,
        "after": afterCursor,
        "sort": [ { "direction": "AscNullFirst", "field": "lastSeen" } ]
      },
      "query": "query getAssets($filter: AssetExpressionsParams, $search: String, $sort: [AssetSortParams!], $slowCount: Boolean, $after: String, $first: Int) { assets(filter: $filter sort: $sort search: $search slowCount: $slowCount after: $after first: $first) { pageInfo { ...pageInfo __typename } nodes { ...inventoryAsset __typename } count: totalCount __typename } } fragment pageInfo on PageInfo { startCursor endCursor hasNextPage hasPreviousPage __typename } fragment inventoryAsset on Asset { id superType type details segments { nodes { ...segmentName __typename } __typename } __typename } fragment segmentName on SegmentGroup { id name type assetType subnet systemName system isPredefinedName __typename}"
    }

Output: Use GraphiQL Playground or review Asset object documentation for possible asset values.
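
Paging through getAssets with the first/after variables, as an added example that is not the integration's own code. `post` is a hypothetical synchronous transport, `QUERY` is a trimmed form of the query above, and the two response pages are constructed.

```javascript
// Added example, not the integration's code. QUERY is a trimmed form of the
// getAssets query above; `post` is a hypothetical synchronous transport.
const QUERY = 'query getAssets($sort: [AssetSortParams!], $after: String, $first: Int) ' +
  '{ assets(sort: $sort after: $after first: $first) ' +
  '{ pageInfo { endCursor hasNextPage } nodes { id superType type details } } }';

function buildRequest(chunkSize, afterCursor) {
  return {
    operationName: 'getAssets',
    variables: {
      first: chunkSize,
      after: afterCursor, // assumed: null starts from the first page
      sort: [{ direction: 'AscNullFirst', field: 'lastSeen' }],
    },
    query: QUERY,
  };
}

// Walk every page and collect each page's nodes as one chunk.
function fetchAllAssets(post, chunkSize, maxPages = 1000) {
  const chunks = [];
  let cursor = null;
  for (let page = 0; page < maxPages; page++) {
    const res = post(buildRequest(chunkSize, cursor));
    if (res.errors && res.errors.length) {
      throw new Error('GraphQL error: ' + res.errors[0].message);
    }
    const { pageInfo, nodes } = res.data.assets;
    chunks.push(nodes);
    if (!pageInfo.hasNextPage) return chunks;
    if (!pageInfo.endCursor || pageInfo.endCursor === cursor) {
      throw new Error('cursor did not advance; aborting to avoid a loop');
    }
    cursor = pageInfo.endCursor;
  }
  throw new Error('page limit reached');
}

// Constructed two-page response for an offline run.
const PAGES = {
  null: { pageInfo: { endCursor: 'c1', hasNextPage: true }, nodes: [{ id: 'a1' }, { id: 'a2' }] },
  c1: { pageInfo: { endCursor: 'c2', hasNextPage: false }, nodes: [{ id: 'a3' }] },
};
const fakePost = (body) => ({ data: { assets: PAGES[String(body.variables.after)] } });
```

The stalled-cursor and page-limit checks keep a misbehaving endpoint from holding the import job in an endless loop.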