Service Now and Cloud App Security (MCAS)

I was recently in a scenario where we needed to do some testing to integrate Service Now into Cloud App Security (MCAS) which I now know as Microsoft Defender for Cloud Apps. But anyway… MCAS uses API integration to collect logs, user activity from supported SaaS services, such as Service Now which is one of these supported applications.

Connecting ServiceNow to Cloud App Security gives us insights into users’ activities, provides threat detection using machine learning-based anomaly detections, and information protection detections such as identifying when sensitive customer information is uploaded to the ServiceNow cloud.

You can use the following built-in policy templates to detect and notify you about potential threats:

Type Name
Built-in anomaly detection policy Activity from anonymous IP addresses
Activity from infrequent country
Activity from suspicious IP addresses
Impossible travel
Activity performed by terminated user (requires AAD as IdP)
Multiple failed login attempts
Ransomware detection
Unusual multiple file download activities
Activity policy template Logon from a risky IP address
Mass download by a single user
Potential ransomware activity
File policy template Detect a file shared with an unauthorized domain
Detect a file shared with personal email addresses
Detect files with PII/PCI/PHI

In addition to monitoring for potential threats, you can apply and automate the following ServiceNow governance actions to remediate detected threats:

User governance – Notify user on alert (via Azure AD)
– Require user to sign in again (via Azure AD)
– Suspend user (via Azure AD)

To set up this integration you will need the following.

  •  Service Now supported version: Eureka, Fiji, Geneva, Helsinki, Istanbul, Jakarta, Kingston, London, Madrid, New York, Orlando, Paris and Quebec.
  • Must have the role Admin and make sure the ServiceNow instance supports API access.

You can use either an OAuth application registration or a username or password

ServiceNow new OAuth profile.

If you use the username and password approach the credentials are only used for API token generation and are not saved after the initial connection process. Then go into Cloud App Security Portal –> Investigate –> Connected Apps and select Connect an App

Then define the credentials

Then click Connect. If the connection is successful, it will take some time before the activities and user information gets populated into Cloud App Security. (Up towards 30 – 40 minutes)

If you go into the application overview it will see user activity for the users

NB: For some reason, the connector also gets all system-based activity which might flood your activity log within Cloud App Security.

Let’s go investigating!

When going into Investigate –> Users and Accounts you can after a while see users get listed within the portal. Users from Service Now will be marked with the logo behind them.

Marking a user, you can show all user-related activity.

So, what can we do with this? One example is suspending a user when someone is trying to logon to Service Now multiple attempts. Here we define an activity policy and scope it to the App Service Now.

Then we can define an action such as suspending a user. It should be noted that this would require that the service now instance is federated with Azure Active Directory to have any effect.

Another cool feature with MCAS now is that we can send alerts to Power Automate as well. This opens another complete set of features as well and shows how we can use Service Now in combination with MCAS.

You can also use MCAS in combination with File Policies as well. For instance, we can define a file policy where we match files or data in Service Now according to defined sensitivity labels in Microsoft 365 and integrate that with ServiceNow.

and with it we can also do custom governance actions such as send a summary of the file info to the file owner




Leave a Reply

Scroll to Top