Configure the RiskSense Web Service Connector to Import RBVM Events

Security Operations Management 2023.3 updated the way ITSM communicates with Neurons for RBVM.

If you have Security Operations Management 2023.1 already installed, Security Operations Management 2023.3 will not make changes to your existing integration.

Security Operations Management 2023.3 includes two new Web Service Connections:

  • RiskSense - Create Security Events: Calls the Neurons for RBVM API and creates new Security Events or updates existing Security Events by SourceID. If a Security Event is set to Closed in ITSM but not in Neurons for RBVM, a new Security Event will be created with the same SourceID the next time the Schedule Entry job runs. If the Security Incident record is set to Resolved.

  • RiskSense - Security Event Details: Updates the Security Event record by filling in the Description, Event Severity and Risk Score fields with details from Neurons for RBVM via the Neurons for RBVM API.

  • RiskSense - CIs by Security Event: Either finds CIs within ITSM that are associated with the SourceID in RiskSense and updates the CI record, or creates a new CI record. If the Risk Score and Event Severity are above 9, a Security Incident record is automatically created. You can edit those thresholds in the Triggered Actions of the Security Event business object. When the Security Event record is created, the system associates the affected CIs in the record's CI tab.

  • RBVM Integration Using Export API: New for Security Operations Management 2023.3, this API offers better mapping of imported data into fields in Security Event forms. This also allows for better reporting and more detailed dashboards.

If you installed Security Operations Management 2023.3 over a previous version, you will have to update the Schedule Entry to use the new Web Service Connections. You can also leave the Web Service Connections from older versions in place if you prefer.

When a Security Event is created, two Business Rule Triggered Actions are initiated:

  • RiskSense - Update Start Date: Updates the record, filling in the Event Start Date field with the current date/time.

  • RiskSense - Create/Update CIs: Calls the ‘RiskSense - CIs by Security Event’ Workflow and either finds CIs within ITSM that are associated with the SourceID in RiskSense and updates the record, or creates a new CI record.

To import RiskSense events:

1. Open the Integration Tools workspace and select Web Service Connections.

See About Configuring Data Integration and Working with Incoming Web Service Connections for more information.

Three connections were installed with Security Operations Management 2023.1: RiskSense - CIs by Security Event, RiskSense - Create Security Events, and RiskSense - Security Event Details.

Edit the RiskSense Integration.

On the Integration Details page, select Next.

On the Integration Script page, edit the API Call Settings to add the RiskSense API URL and the API Key.

RiskSense API Settings

Select Next.

In the Schedule Settings window, select Next.

Create a schedule to import these events on a regular basis. See Creating a Schedule in About the Schedule Entry and Scheduled Jobs Workspaces.

If you installed Security Operations Management 2023.1 over Security Operations Management 2022.2, you will have to update the Integration tab.

Select Yes in the Confirmation window.

On the Review and Publish page, select Publish.

Select OK on the Data Import confirmation window.

2. Open the Integration Queue workspace.

See Viewing the Integration Status and History.

Select Refresh to see the running RiskSense Integration. You may need to do this several times.

You can also open the Integration History workspace to verify the Integration has finished running.

If the import fails, open the Integration Log workspace to check for Error Stats.

If the import fails, try changing the date format to MM/DD/YYYY on the Integration Script page.

RiskSense Date Format

3. To view the imported events, open the Events workspace.

When a Security Event is imported from RiskSense, an Incident is automatically created.

4. Set the RiskSense Integration Schedule:

Search for RiskSense in the Schedule Entry workspace and open the RiskSense Integration job.

In the Integration tab, link the RiskSense - Create Security Events_job.

Set the recurring schedule as desired.

See Creating a Schedule in About the Schedule Entry and Scheduled Jobs Workspaces.

If you installed Security Operations Management 2023.1 over Security Operations Management 2022.2, you will have to update the Integration tab to link RiskSense - Create Security Events_job.