Notebook
NBLA
17:35
9th of April 2025
Mike Bahr
nebula.sh
#!/bin/bash
export TSUNAMIPATH="$HOME/tsunami"
rm -rf "$TSUNAMIPATH" /tmp/tsunami-output.json 2>/dev/null

# Install Tsunami with the upstream quick-start script
echo "Running Tsunami scanner..."
bash -c "$(curl -sfL https://raw.githubusercontent.com/google/tsunami-security-scanner/master/quick_start.sh)"

# Scan localhost and write the findings as JSON
cd "$TSUNAMIPATH"
java -cp "tsunami-main-0.0.27-SNAPSHOT-cli.jar:$TSUNAMIPATH/plugins/*" \
  -Dtsunami.config.location="$TSUNAMIPATH/tsunami.yaml" \
  com.google.tsunami.main.cli.TsunamiCli \
  --ip-v4-target=127.0.0.1 \
  --scan-results-local-output-format=JSON \
  --scan-results-local-output-filename=/tmp/tsunami-output.json

if [ -f "/tmp/tsunami-output.json" ]; then
  jq -c '.scanFindings[].vulnerability' /tmp/tsunami-output.json | while read -r vuln; do
    title=$(echo "$vuln" | jq -r '.title')
    # Ask the model for a summary, remediation steps and a recommended command
    summary=$(curl -s https://api.openai.com/v1/chat/completions \
      -H "Authorization: Bearer ${OPENAI_API_KEY}" \
      -H "Content-Type: application/json" \
      -d "$(jq -n --arg content "Analyze this vulnerability and provide a summary, remediation steps, and a recommended command:\n$vuln" '{model:"gpt-4o",messages:[{role:"user",content:$content}],temperature:0.5}')")
    desc=$(echo "$summary" | jq -r '.choices[0].message.content')
    # Only the password variable survives on the page; Basic auth normally encodes "user:password"
    auth_header="Basic $(echo -n "${SERVICENOW_PASSWORD}" | base64)"
    # Create one ServiceNow incident per finding
    curl -H "Authorization: ${auth_header}" -H "Content-Type: application/json" \
      -X POST "https://dev205922.service-now.com/api/now/table/incident" \
      -d "$(jq -n --arg short_desc "$title" --arg desc "$desc" '{short_description: $short_desc, description: $desc}')" \
      -s >/dev/null || echo "Failed to create ServiceNow incident for: $title" >&2
  done
fi

# Clean up the scanner install and the raw results
rm -rf "$TSUNAMIPATH" /tmp/tsunami-output.json
echo "Scan and analysis complete."
Mike Bahr: That’s the meat and potatoes of the script. You’ll need to set environment variables for the OPENAI_API_KEY and SERVICENOW_PASSWORD. The one thing that is hardcoded is the ServiceNow instance.
Basically, set the values in the bash profile / windows profile. And then run the shell script, it should take any findings and create incidents for each finding with remediation steps / commands.
Mike Bahr: Lastly, here’s the interface I started working with for demo purposes. Still up in the air if we keep it or not. At least in my mind.
https://leading-strictly-jaybird.ngrok-free.app/
Nebula Security Dashboard | Nebula
Network vulnerability scanner using Tsunami Security Scanner and AI-powered analysis
Nebula Process
🧱 Expanded Process Overview:
✅ 1. Event Ingestion Layer (Existing)
- Ingests alerts from monitoring tools (e.g., Dynatrace, Nagios, Grafana).
- Events are correlated to Configuration Items (CIs) and services using native Event Management in ServiceNow.
✅ 2. AI Agent Analysis Layer (New)
- AI Agent continuously monitors for:
  - CI types (e.g., containers, VMs).
  - Alert trends and health degradation.
- Determines if a vulnerability scan is justified.
✅ 3. Nebula Trigger via MID Server (New)
- If conditions met:
  - Agent writes job to the ECC Queue.
  - MID Server reads queue and triggers scan via Nebula.
✅ 4. Scan Results & Interpretation
- Nebula performs scan.
- Results saved to “Security Findings” table in ServiceNow.
- AI Agent reviews and:
  - Escalates alerts if related to root cause.
  - Triggers mitigation if unrelated but high risk.
  - Suppresses or reclassifies benign alerts.
✅ 5. Feedback & Learning Loop (Optional)
- AI Agent logs decisions and can use supervised feedback to fine-tune logic over time.
🗒️ Diagram Legend
| Color | Purpose |
|---|---|
| 🔵 Blue | External monitoring tools |
| 🟢 Green | ServiceNow native components |
| 🟡 Yellow | AI logic and learning |
| 🔴 Red | Decision points |
| 🟣 Purple | ECC Queue and backend jobs |
| 🟪 Violet | Nebula execution layer |
| 🟠 Orange | Alert actions and response |
Expanded Scenarios from the Brainstorm Session
1️⃣ Event-Based Trigger
Condition:
A group of correlated alerts in ServiceNow Event Management indicates that a service is degraded, and that service is hosted on Docker containers or Kubernetes nodes.
Trigger Logic:
- ServiceNow AI Agent detects:
  - High-severity IT alerts.
  - CI class = Docker container or container host.
  - Historical correlation patterns with prior security incidents.
- Upon threshold breach, the AI Agent automatically instructs Nebula (via ECC Queue → MID Server) to launch a vulnerability scan against the impacted containers.
Purpose:
To determine if security vulnerabilities are contributing to the performance degradation, so DevOps teams can either:
- Escalate the alert if a vulnerability is involved.
- Reclassify it as a pure IT issue if it’s unrelated.
Impact:
- Faster root cause identification.
- Cross-functional visibility (DevOps + SecOps).
- Reduced time-to-resolution (TTR) on critical service disruptions.
2️⃣ New CI Onboarding (Change-Based Trigger)
Condition:
A new CI (Configuration Item), such as a Kubernetes node, is onboarded into ServiceNow’s CMDB through an approved Change Request.
Trigger Logic:
- AI Agent listens to the Change Management flow or SPM lifecycle.
- When a new CI classified as a container runtime environment (e.g., K8s node) is marked as production-ready, a “post-deployment” vulnerability scan is auto-initiated via Nebula.
Purpose:
To validate that new infrastructure meets security standards before going live and that no known CVEs or misconfigurations are present.
Impact:
- Reduces zero-day exposure risk from newly added systems.
- Establishes a “secure-by-default” posture at the onboarding stage.
- Builds trust with compliance teams (especially in regulated environments like gov/cloud).
3️⃣ SPM Lifecycle Trigger
Condition:
A Service Offering tracked in Strategic Portfolio Management (SPM) transitions from Development → Testing → Production stages.
Trigger Logic:
- Lifecycle change detected in the Service Offering or Service Pipeline records.
- AI Agent evaluates readiness criteria:
  - SLA commitments
  - CI compositions (e.g., microservices, containers)
- If met, the agent activates a Nebula scan before the “Go-Live” milestone.
Purpose:
To ensure that the full stack of services being released into production is hardened and validated against the latest vulnerabilities.
Impact:
- Prevents exposure due to overlooked security holes.
- Adds security validation as a mandatory gate in service lifecycle.
- Supports risk scoring during readiness assessments.
4️⃣ Knowledge-Based Trigger (KBA-Driven Pattern Matching)
Condition:
ServiceNow’s AI Agent detects that a set of alert conditions matches historical patterns described in Knowledge Base Articles (KBAs) related to past vulnerability events.
Trigger Logic:
- ServiceNow Knowledge Articles are tagged with meta-data (e.g., CI type, alert signature, prior vulnerabilities).
- AI Agent cross-references live alerts with KBAs.
- If a match is found, and a vulnerability was involved in prior cases, Nebula is instructed to scan.
Purpose:
To enable proactive scanning using tribal knowledge and incident memory embedded in KBAs.
Impact:
- Reduces dependence on human analysts to spot pattern recurrence.
- Enables preventive scanning for high-likelihood vulnerabilities.
- Improves ROI of documentation and knowledge reuse.
🔄 Cross-Scenario Considerations:
- Token Efficiency: Each scenario can include fallback logic to use static test blocks first, invoking full Nebula scan only on failure or anomaly detection.
- Role-Based Data Masking: In each scenario, scan results can be filtered and presented differently based on the consuming role (e.g., DevOps sees priority tags, Security sees full signature).
- Audit Trail & Governance: Every scan invocation, result interpretation, and downstream action is logged for audit and fed back into the learning loop.
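The Event-Based Trigger and the audit-trail consideration above, worked through as an added example that is not part of Nebula or of the original notes: a decision function that starts a scan only when the CI class, alert threshold, a validated allow-listed target and a cooldown all agree, and that logs every outcome. The field names, class labels, severity scale, thresholds and allow-listed range are assumptions, and the alerts and CIs are constructed.

```javascript
// Added example, not Nebula's code. Field names, class labels, the severity
// scale, thresholds and the allow-listed range are assumptions for illustration.
const POLICY = {
  containerClasses: new Set(['docker_container', 'container_host', 'kubernetes_node']),
  maxSeverity: 2,                 // assumed scale: 1 = critical, 2 = major (lower is worse)
  minAlerts: 3,                   // correlated high-severity alerts that count as a breach
  cooldownMs: 60 * 60 * 1000,     // never rescan the same CI within one hour
  allowedCidrs: ['10.20.0.0/16'], // constructed range the scanner is permitted to touch
};

// Strict dotted-quad parser: returns the address as an integer, or null.
function parseIPv4(text) {
  if (typeof text !== 'string') return null;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    if (m[i].length > 1 && m[i][0] === '0') return null; // reject leading zeros
    const octet = Number(m[i]);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// True when the integer address falls inside the CIDR block.
function inCidr(ip, cidr) {
  const [base, bitsText] = cidr.split('/');
  const net = parseIPv4(base);
  const bits = Number(bitsText);
  if (net === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const blockSize = 2 ** (32 - bits);
  return Math.floor(ip / blockSize) === Math.floor(net / blockSize);
}

// Decide for one CI. Every outcome, refusals included, is appended to auditLog.
function evaluateEventTrigger(ci, alerts, lastScanAt, now, auditLog, policy = POLICY) {
  const record = (scan, reason) => {
    const entry = { time: now, ci: ci.name, target: scan ? ci.ip : null, scan, reason };
    auditLog.push(entry);
    return entry;
  };
  if (!policy.containerClasses.has(ci.ciClass)) return record(false, 'ci_class_out_of_scope');

  const relevant = alerts.filter(
    a => a.ci === ci.name && a.severity >= 1 && a.severity <= policy.maxSeverity);
  if (relevant.length < policy.minAlerts) return record(false, 'below_alert_threshold');

  // The target later becomes an argument on the MID Server, so it must be a
  // plain IPv4 address inside a range the scanner is allowed to reach.
  const ip = parseIPv4(ci.ip);
  if (ip === null) return record(false, 'invalid_target_address');
  if (!policy.allowedCidrs.some(c => inCidr(ip, c))) return record(false, 'target_not_allow_listed');

  const previous = lastScanAt.get(ci.name);
  if (previous !== undefined && now - previous < policy.cooldownMs) {
    return record(false, 'cooldown_active');
  }
  lastScanAt.set(ci.name, now);
  return record(true, 'threshold_breached');
}

// Constructed sample data: six evaluations, ten minutes apart.
function runDemo() {
  const auditLog = [];
  const lastScanAt = new Map();
  const t0 = Date.UTC(2025, 3, 11, 9, 0, 0);
  const three = name => [1, 2, 2].map(severity => ({ ci: name, severity }));
  const alerts = [
    ...three('payments-api'), ...three('edge-proxy'), ...three('batch-worker'),
    ...three('legacy-db'), { ci: 'search-api', severity: 1 }, { ci: 'search-api', severity: 4 },
  ];
  const cis = [
    { name: 'payments-api', ciClass: 'docker_container', ip: '10.20.4.17' },
    { name: 'payments-api', ciClass: 'docker_container', ip: '10.20.4.17' }, // re-evaluated
    { name: 'edge-proxy', ciClass: 'kubernetes_node', ip: '192.0.2.10' },
    { name: 'batch-worker', ciClass: 'docker_container', ip: '10.20.4.18 extra' },
    { name: 'legacy-db', ciClass: 'linux_server', ip: '10.20.9.5' },
    { name: 'search-api', ciClass: 'docker_container', ip: '10.20.4.19' },
  ];
  cis.forEach((ci, i) =>
    evaluateEventTrigger(ci, alerts, lastScanAt, t0 + i * 10 * 60 * 1000, auditLog));
  return auditLog;
}

for (const e of runDemo()) console.log(e.ci, e.scan ? 'SCAN' : 'skip', e.reason);
```
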
11 April 2025
Mike Bahr: Soooo. I think I figured out our delivery mechanism for nebula/tsunami. It’s so simple it’s brilliant. A zip file! You may think I’m crazy but hear me out. The tsunami is just a piece of the puzzle. Nebula is the ServiceNow agent. We don’t really care about what they see with Tsunami. Why? Because we are gonna package tsunami and then upload it as a MID server script file. What this does is sync the zip file to ALL MIDs that are connected to the instance. So it’s as easy as spinning up a mid server and you are good to go. User runs a simple command that extracts the scanner to the agent folder and then runs the scan. Since the app is already pre compiled. MID server script files are scoped. So we just package this with the store app. Now at this point do we care about Tsunami code. No. It’s open source. They can try doing this on their own but we’ll be 100 steps ahead that it won’t be worth it to them. And the only way they get this is if they purchase the store app. So we have their money. Whatcha think?
Mark Scott: I seem to remember this somewhere…
Mark Scott: Using the MID Server to deploy AI payloads, that’s just crazy talk
Mike Bahr: I don’t think I’ve ever seen or heard that before. Deploying applications via mid server script files. It’s so simple.
Mark Scott: No, your approach is unique, I was joking (edited)
Mark Scott: I was making reference to my presentation years ago, the MID Server has so much potential (edited)
Chris Jones: the first guy who came up with that MID Server payload deployment was cooking for hot dogs!
Mark Scott: I didn’t do THIS though
Chris Jones: Mike i could kiss you
Chris Jones: this is sweet
Mark Scott: I was deploying a straight up JAR file
Chris Jones: and cutthroat marketing too
Chris Jones: I love the strategy with Tsunami!
Chris Jones: genius !
Chris Jones: When I let @Dal out of the hole we sent him into, he needs to get this in Camilla’s face and align with the UK finance sector and public too.
Chris Jones: you did not see me type Camilla by the way
Chris Jones: She is in SN as you are Mark. And she does not want it out in the open that she is helping us. But she is a massive supporter of Joe and Steve and the stuff we have shown her around Nebula has her eager to get us in with the UK SN customer base.
Mike Bahr: It’s brilliant. Everything is bundled into the scoped app. All in platform.
Chris Jones: THAT’! GOLD!
Friday, 11 April
Mike Bahr: Small change in plan. We can’t ship with the actual zip file attached to the mid server script. Even though I stripped it down from 1GB to 138MB, ServiceNow does not like the payload size it creates and it fails or starts crashing instances. But… this is actually a blessing. The new nebula-slim we’ll call it is just the plugin jar files and the tsunami-cli jar file to run it. Hosting it on huggingface because they let me upload large files easily. This is good because if there are updates, we just update the nebula.zip file in the huggingface repo, user re-downloads, and they are good to go. Whereas if you bundle it in the scoped app, anytime you want to do an update or make a change you have to go through store review. 🙂 Anyways. With a fix script, Setup Nebula, I download the zip file from huggingface, attach it to the mid server script file, and within a couple minutes it should be synced. Same result, still all in platform.
setup_nebula.js
var endpointUrl = 'https://huggingface.co/datasets/miike-ai/pub/resolve/main/nebula.zip';
// This is where we'll save the attachment
var tablename = 'ecc_agent_script_file';
var filename = 'nebula.zip';
var recordSysId = '1e18b34683b02210dd1415a6feaad317';
// Let's download the scanner
var request = new sn_ws.RESTMessageV2();
request.setHttpMethod('get');
request.setEndpoint(endpointUrl);
// Configure the request to save the response as an attachment
request.saveResponseBodyAsAttachment(tablename, recordSysId, filename);
// When we execute the request, the attachment will automatically be
// saved to the record we specified
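var response = request.execute();
var httpResponseStatus = response.getStatusCode();
var httpResponseContentType = response.getHeader('Content-Type');
gs.debug("http response status_code: " + httpResponseStatus);
gs.debug("http response content-type: " + httpResponseContentType);
// Enable the attachment only when the download succeeded and the script file record exists.
// Nothing here checks the archive's hash or signature before it syncs to the MID Servers.
var file = new GlideRecord(tablename);
if (httpResponseStatus == 200 && file.get(recordSysId)) {
    file.use_attachment = true;
    file.update();
} else {
    gs.error("nebula.zip download failed or script file record not found; use_attachment left unchanged");
}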
/**
* Use in a background script to run a scan on a mid server
*
var runScan = new GlideRecord('ecc_queue');
runScan.agent = 'mid.server.YOUR_MID_SERVER_NAME_HERE';
runScan.topic = 'Command';
runScan.name = "unzip -o scripts/nebula.zip && java -cp 'Nebula/tsunami-main-0.0.27-SNAPSHOT-cli.jar:Nebula/plugins/*' -Dtsunami.config.location=Nebula/tsunami.yaml com.google.tsunami.main.cli.TsunamiCli --ip-v4-target=127.0.0.1 --scan-results-local-output-format=JSON --scan-results-local-output-filename=Nebula/tsunami-output.json";
runScan.queue = 'output';
runScan.insert();
*/
Oh and fix scripts run on install / upgrade so it should be hands off for the user.
Mark Scott: Nice, so it just points to the repo and runs the download, smart
Mark Scott: That keeps us abstract - If there’s a critical bug fix 🤷
Mark Scott: We might want to think about an internal git repo at some point (edited)
Mike Bahr: Yup. You’re exactly right. 😀
[image: Screenshot 2025-04-25 at 18.09.58]
Mark Scott: This is AWESOME
Mike Bahr: There’s more…
Mike Bahr: These guys bundled this app into a single binary…
https://github.com/aquasecurity/trivy
So now we have 2 vulnerability scanners in case Tsunami isn’t up to snuff.
aquasecurity/trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Dal: Hot damn! If we wanted to show off how it integrates with NowAssist, could we get a NowAssist agent to pickup the remediation recommendations, the CI data and look for related alerts to bundle into an incident, and/or look for affected users / related change records and update them on workarounds or impacts?
Dal: In terms of the 2 vulnerability scanners piece: I’m dumb, what does this mean? As in, it can provide a wider range of scanning functions and therefore provide better CI Enrichment and different usecases e.g. Software license allocation / usage? Is this something that other scanners struggle with?
Dal: Also for nebula what are the security implications for enterprise organisations? Are they going to get something like this signed off from a Security sign off perspective?
Dal: Forgive me for the dumb questions!
Mike Bahr: No dumb questions here.
- Essentially yes, everything you need is in platform. EVERYTHING. So coupling Business Rules, Flows, Now Assist Generative AI Controller and Agents should be no problem. (However I can’t validate that on a Personal Developer Instance)
- 2 scanners. We only had one which is general purpose, network services, that are live. Tsunami. It’s great, it’s going to save companies a ton of money. Then there’s Trivy. Trivy is a static scanner. Meant for CI / CD pipelines. Scanning things that have yet to be deployed to production. Code bases, Git repositories, docker images, kubernetes, and file systems. Having scanners at both ends of the development cycle is a game changer in my opinion for organizations. Especially that it’s all bundled together for them.
- Every security team is different at every org. However, both Tsunami & Trivy are open sourced under apache. Security teams can perform code reviews if they desire. Also since our zip file is publicly available, they can review that as well. We aren’t hiding anything which should make any approvals if required easier than your typical app onboarding process.
Let me know if you have any other questions or if any of this doesn’t make sense.
Dal:
- Awesome, just wondering if we could get you an instance with NowAssist on it. @Rafe Purnell - I know we are working on getting an instance from SN, will it have the capability of using NowAssist? A demo which utilises our AI and NowAssist would be way more powerful.
- Right, might have missed this but are you developing nebula to utilise both Trivy and Tsunami then? Also, you said it’ll save the company tons of money, can you clarify where the savings would come (e.g. cost of alternative scanning / remediation tools, Staffing needs, less vulnerability/security incidents)
- Great thanks for clarifying!
Mike Bahr:
1. Yup. We need a vendor instance in order to upload to the store. Now is a good stopping point for me because we are gonna have to rebuild it in your instance.
2. All the things you described. When I said that, in my mind, exposures like this could cost company 100s of thousands of dollars per minute of being down or exposed. This is more future thinking, value add approach.
Mike Bahr: Backing up update set before I break it LOL.
- Configure a linux mid server, WSL might work. Linux is
- Import / commit update set
- I recommend using the old version of Studio for this.
- Run the Setup Nebula fix script to download the nebula.zip file containing Tsunami and Trivy, it will attach to the mid server script file which then gets synced across all mid servers connected (185 MB) Takes about 4-5 mins.
- Double check the mid server script file is active, use_attachment is true, and the zip file is attached. It takes a minute or 2 to sync to the mid server, but by the time you get here it will already be done.
- Open up the scan table list, and create a new scan. Select your mid server of choice and either change the target IP address or leave it as 127.0.0.1.
- Save / Submit the record, reopen it, and hit Run Scan.
- Wait about a minute, refresh. The input field should populate and the payload.txt file should be attached.
- Then when the input field is populated it takes the contents of the payload selectively, and sends it to OpenAI. Give it a little bit and you should see the resulting findings below (if any).
Mike Bahr: I created an account for my pdi for eclipse.dev205922eclipse.aiNebula!1Go into local update sets. Look for Nebula - For Eclipse to download. That’s my latest version of Nebula.
Mike Bahr: I forgot my Openrouter key is in there as a system property. Be gentle if you are gonna use it. Otherwise replace my key with your own. I chose open router because of the flexibility. Users can still use OpenAI and Anthropic if they wish. But now you can choose a model at a per scan level. Defaults to Gemini flash because of the 1m context. You can choose a model with a smaller context but your results might vary.
Chris Jones: ye @Rafe Purnell do you use OpenRouter at all?
Wednesday 23rd April
Rafe Purnell: Of course
Rafe Purnell: Hi Mike, My bravado was too strong… 🙂 Published the application to an update-set. It looks a little skinny. Can you do the honours. Once I import it where do I start?
Mike Bahr: Yeah it’s a tiny one, but packs a major punch 🙂 After you’ve imported / committed the update set, there is a fix script that does the setup.
- Configure a linux mid server, WSL might work. Right now, use Linux, I don’t have the commands setup for Windows (more love = more features)
- Import / commit update set
- Run the Setup Nebula fix script to download the nebula.zip file containing Tsunami and Trivy, it will attach to the mid server script file which then gets synced across all mid servers connected (185 MB) Takes about 4-5 mins.
- Double check the mid server script file is active, use_attachment is true, and the zip file is attached. It takes a minute or 2 to sync to the mid server, but by the time you get here it will already be done.
- Open up the scan table list, and create a new scan. Select your mid server of choice and either change the target IP address or leave it as 127.0.0.1.
Mike Bahr: Let me know if you get caught up anywhere or where you think the UX could be better in the setup. I tried to make it as seamless as possible for the user.
Rafe Purnell: Linux mid server is a requirement for Trivy, used it on the last gig
Rafe Purnell: Will give it a go. thanks
Mike Bahr: Good to know. Trivy is not hooked up. Trying to figure out “where” to put it. That’s great that you have experience / exposure to it. If you have any opinions or thoughts on where it should “live” in the ServiceNow ecosystem let me know. 🙂
[image: Screenshot 2025-04-25 at 18.19.29]
[image: Screenshot 2025-04-25 at 18.20.10]
[image: Screenshot 2025-04-25 at 18.20.24]
Mike Bahr: So now we have the nebula docker agent (still need to “package” it) that sits and listens to docker events on the MID Server. It then sends the events to the em_event table, which from there can be processed by the Now Assist Agent including but not limited to a Nebula scan of the environment.
Mike Bahr: As I’m writing this out… It can also be a stand alone product 🤷‍♂️
Mike Bahr: So now we can tie all the pieces together. And can probably now include Trivy because we are capturing events on various levels within the Docker Agent. @Rafe Purnell have you given any thoughts to Trivy? (edited)
Chris Jones: By tie pieces together you mean?….
Mike Bahr: Now that we have a Docker Agent listening on the clients end, which creates events in ServiceNow. I’m assuming we would be able to tie Now Assist / ServiceNow agents to that event data like you mentioned in a doc somewhere, that can start kicking things off like additional scans or creating incidents / changes etc is what I meant.