Use any ServiceNow table to provide context for cloud governance
Sync your data from ServiceNow into Guardrails to enhance cloud security and FinOps controls.

In a prior post, we announced the integration between ServiceNow and Turbot Guardrails that brings critical business context to your cloud infrastructure. Today, we're excited to introduce two powerful enhancements that further enrich your cloud governance controls with any ServiceNow data:
- Custom Table Discovery - Bring data from any ServiceNow record into Guardrails, extending visibility beyond the pre-configured CMDB Application, Cost Center, and User tables.
- Record Filtering - Control which records sync to Guardrails with ServiceNow query filters for targeted data synchronization.
These enhancements give you greater flexibility and control over how your ServiceNow data enriches your cloud governance policies in Guardrails.
Custom table discovery and configuration
While our initial integration supported three key ServiceNow CMDB tables (Applications, Cost Centers, and Users), organizations often have specialized data in custom or additional standard tables that provides valuable context for managing cloud resources.
With the new Custom Table Discovery feature, you can now discover and manage records from any table in your ServiceNow CMDB, whether they're standard tables like cmdb_ci_service and cmdb_ci_server, other system tables like cmn_department and service_offering, or your own custom tables with prefixes like u_ or x_. The data appears in Guardrails as ServiceNow > Custom > Record resources, with real-time updates as changes occur in ServiceNow.
Enable ServiceNow tables to Guardrails sync
Configuring this feature requires just a couple of policy settings:
Set the ServiceNow > Custom > Table > CMDB policy to "Enforce: Enabled". Then specify which tables to discover in the ServiceNow > Custom > Table > CMDB > Tables policy.
Set real-time table updates
To enable real-time updates when records change in ServiceNow, have Guardrails automatically configure the business rule by setting the ServiceNow > Custom > Table > Business Rule policy to "Enforce: Configured".
Once configured, your ServiceNow data seamlessly integrates into the Guardrails environment, providing a unified view of both your cloud resources and enterprise context that's fully searchable, auditable, and ready to power your governance policies.
Query filters to target specific records
The next enhancement gives you control over which records sync from ServiceNow to Guardrails through query filtering. This feature applies to both standard and custom tables, allowing you to synchronize only the records relevant to your governance needs.
For each table, you can define a filter using ServiceNow's encoded query syntax. For example, when limiting records syncing from the cmdb_ci_service table, you can set the ServiceNow > Custom > Record > CMDB > Query policy with filters such as nameLIKESAP to sync only SAP-related services, or go further with business_criticality=1^used_for=Production to sync only critical production business services.
With the filter policy in place, only Business Services related to SAP are synced to Guardrails.
Customizing Record Display Titles
You can also control how records appear in the Guardrails interface by specifying which fields should be used as display titles in the ServiceNow > Custom > Record > CMDB > Title policy. By default, most ServiceNow tables use the "name" field as the primary display name, but you can adjust this to meet the standards for your table, e.g. "sys_id", "title", etc.
Guardrails supports an ordered list, which is useful when the default field doesn't contain the most recognizable identifier. The policy provides a fallback mechanism: if the first field is empty, it tries the second, and so on. This ensures your ServiceNow records are easily identifiable in Guardrails even when certain fields are missing values.
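Before setting the Query and Title policies described above, it can help to preview which records a filter keeps and which title each one would get. The sketch below is an added example, not Turbot's or ServiceNow's code: it handles only ^-joined (AND) terms with =, !=, LIKE, STARTSWITH and ENDSWITH, assumes case-insensitive matching, and runs over constructed sample records.

```python
import re

# Subset of encoded-query terms handled here (assumption: not the full ServiceNow grammar).
_TERM = re.compile(r"^([a-z0-9_.]+)(STARTSWITH|ENDSWITH|LIKE|!=|=)(.*)$")

# Constructed sample rows shaped like cmdb_ci_service records.
RECORDS = [
    {"sys_id": "a1", "name": "SAP Payroll", "business_criticality": "1", "used_for": "Production"},
    {"sys_id": "b2", "name": "SAP Sandbox", "business_criticality": "3", "used_for": "Development"},
    {"sys_id": "c3", "name": "", "title": "Billing API", "business_criticality": "1", "used_for": "Production"},
    {"sys_id": "d4", "name": "Intranet Wiki", "business_criticality": "4", "used_for": "Production"},
]

def parse_query(query):
    """Split an encoded query into (field, operator, value) terms joined by ^ (AND)."""
    if not query:
        return []  # an empty filter keeps every record
    terms = []
    for part in query.split("^"):
        if part.startswith(("OR", "NQ")):
            raise ValueError("^OR and ^NQ are outside this subset: " + part)
        m = _TERM.match(part)
        if not m:
            raise ValueError("unrecognised term: " + part)
        terms.append(m.groups())
    return terms

def matches(record, terms):
    """True when the record satisfies every term (case-insensitive by assumption)."""
    for field, op, want in terms:
        have = str(record.get(field) or "").lower()
        want = want.lower()
        ok = {"=": have == want, "!=": have != want, "LIKE": want in have,
              "STARTSWITH": have.startswith(want), "ENDSWITH": have.endswith(want)}[op]
        if not ok:
            return False
    return True

def title_for(record, title_fields):
    """Ordered fallback: the first listed field that holds a non-empty value."""
    for field in title_fields:
        if record.get(field):
            return str(record[field])
    return None

def preview_sync(records, query, title_fields):
    """Titles of the records that would pass the filter, in input order."""
    terms = parse_query(query)
    return [title_for(r, title_fields) for r in records if matches(r, terms)]
```

In the constructed data, nameLIKESAP keeps two records but leaves out a criticality-1 service whose name field is empty, which is the kind of gap worth checking before a filter goes live.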
Enriching Guardrails Policies with Business Service Context
Building on the example above of syncing business service information, you can create powerful new automation scenarios that connect your enterprise context to your cloud resources.
Auto-tag resources with business service information
You can automatically tag cloud resources with business service data from ServiceNow using a calculated policy template:
business_service: "{{ $.business_service.name }}"
criticality: "{{ $.business_service.business_criticality }}"
environment: "{{ $.business_service.used_for }}"
business_owner: "{{ $.business_service.owned_by }}"
These tags are applied to cloud resources whenever they're created or updated, or when the related business service information changes in ServiceNow.
Apply data protection controls based on context
You can enforce stricter controls on resources based on context using a calculated policy template. This example, using the AWS > S3 > Bucket > Versioning policy, leverages the context from the tags on the AWS S3 bucket to enforce versioning when the bucket is related to a critical business service. This ensures your most critical applications have the highest level of data protection, while allowing more flexible policies for non-critical services.
{%- if $.resource.tags.criticality == "1 - most critical" -%}
"Enforce: Enabled"
{%- else -%}
"Enforce: Disabled"
{%- endif -%}
Get started with context-aware guardrails
With these enhancements to the ServiceNow integration, you can now bring any enterprise context into your cloud governance strategy, improving security and operational efficiency across your entire infrastructure.
New to Turbot Guardrails? Contact us to get started. Existing customers can follow our guides for Custom Table Discovery and Record Filtering.
Join our Slack community #guardrails channel to share your use cases and feedback.