ServiceNow

This document provides guidance on how to integrate ServiceNow with Google Security Operations SOAR.

Integration version: 49.0

Use cases

Integrating ServiceNow with Google SecOps SOAR can help you solve the following use cases:

  • Automated incident ticketing and enrichment: use the Google SecOps capabilities to automatically create ServiceNow incidents from security alerts triggered in your SIEM or other security tools. You can streamline incident response workflows by reducing manual ticketing and enriching incidents with relevant information from the triggering alert.

  • Phishing investigation and remediation: use the Google SecOps capabilities to automate phishing investigation steps like gathering email headers, investigating attachments, and searching for similar emails within your organization. Automating repetitive tasks can accelerate phishing response times and reduce the workload of your security analyst team.

  • Vulnerability management and remediation: you can orchestrate vulnerability remediation workflows by automatically creating ServiceNow change requests for patching or mitigating based on vulnerability scans.

  • User onboarding and offboarding: you can automate user provisioning and de-provisioning tasks in various systems, including access control systems, email platforms, and applications, based on ServiceNow workflows.

  • Threat intelligence enrichment: use the Google SecOps capabilities to enrich security alerts with threat intelligence data from the ServiceNow platform for providing more context and prioritizing response actions.

Before you begin

The following activities require you to grant permissions to the ServiceNow user account that you use in the integration:

  1. Access the sys_journal_field table (required for the Add Comment and Wait for Reply action).
  2. Create, write, and modify the required tables (required for the Create Record, Update Record, and Wait For Field Update actions).
  3. Update an incident (required for the Close Incident and Update Incident actions).

By default, non-admin users cannot access the sys_journal_field table that is used for synchronizing with Google SecOps. To access the sys_journal_field table, create a new ACL rule. Creating a new ACL rule requires elevated administrator permissions.

Before configuring the OAuth v2.0 flow, complete the following steps:

  1. Create a new role in ServiceNow and add it to the user account used in the integration.

  2. Create a new ACL rule in ServiceNow.

Create a new role

To create a new role in ServiceNow, complete the following steps:

  1. Sign in to ServiceNow as an administrator.

  2. Go to All > User Administration > Roles.

  3. Click New and fill out the form.

    As a role name, enter secops_user.

  4. Click Submit.

Create an ACL rule

To create a new ACL rule in ServiceNow, complete the following steps:

  1. Sign in to ServiceNow as an administrator.

    To configure ACL rules, elevate your role privileges to the security_admin role.

  2. Go to All > System Security > Access Control (ACL).

  3. Select the sys_journal_field table.

    In the Requires role field, enter secops_user.

  4. After completing the form, click the form header.

  5. Click Update.

    To let the user configured in the integration access other tables, enter secops_user in the Requires role field of the corresponding table.

Assign a new role to the user

To assign the role you created to the user account used in the integration, complete the following steps:

  1. In ServiceNow, go to All > User Administration > Users.

  2. Select the user that you use in the integration.

  3. Go to Roles > Edit.

  4. Select the secops_user role and click Add.

  5. Click Save.

Enable OAuth 2.0 authentication

If your ServiceNow instance is upgraded to the Washington DC release, you can choose to authenticate with either a refresh token or client credentials. To authenticate using client credentials, configure the Client ID and Client Secret parameters and select the Use Oauth Authentication parameter.

If you also configure the Refresh Token parameter along with the Client ID and Client Secret parameters, the integration authenticates using the refresh token.

To enable OAuth 2.0 authentication for the integration, complete the following steps:

  1. Configure OAuth 2.0 in ServiceNow.

  2. Configure initial integration parameters.

  3. Optional: Generate and configure the refresh token in Google SecOps.

Configure OAuth 2.0 in ServiceNow

To configure OAuth 2.0 in ServiceNow, complete the following steps:

  1. In ServiceNow, go to System Definition > Plugins.

  2. Activate the OAuth 2.0 plugin.

  3. Set the com.snc.platform.security.oauth.is.active system property to True.

  4. Go to System OAuth > Application Registry.

  5. Click New and select Create an OAuth API endpoint for external clients.

    Save the client_id and client_secret values to use them in the integration.

Configure initial integration parameters

To configure the initial integration parameters, complete the following steps:

  1. In Google SecOps, go to Response > Integrations Setup.

  2. Optional: Select your environment.

  3. In the Search field, enter ServiceNow.

  4. Click Configure Instance.

  5. Configure the Username, Password, Client ID, and Client Secret integration parameters.

  6. Click Save.

Optional: Generate and configure a refresh token

Generating a refresh token requires running manual actions on an existing case. If your Google SecOps instance is new and has no existing cases, simulate a case.

Simulate case

To simulate a case in Google SecOps, follow these steps:

  1. In the side navigation, select Cases.

  2. On the Cases page, click Add > Simulate Cases.

  3. Select any of the default cases and click Create. It doesn't matter what case you choose to simulate.

  4. Click Simulate.

    If you have an environment other than default and would like to use it, select the correct environment and click Simulate.

  5. In the Cases tab, click Refresh. The case that you simulated appears in the case list.

Run the Get Oauth Token action

Use the Google SecOps case that you simulated to manually run the Get Oauth Token action.

To run the Get Oauth Token action, complete the following steps:

  1. In the Cases tab, select your simulated case.

  2. In a Case View, click Manual Action.

  3. In the manual action Search field, type in ServiceNow.

  4. In the results under the ServiceNow integration, select Get Oauth Token.

  5. Click Execute.

  6. After the action is executed, navigate to the Case Wall of your simulated case. In the ServiceNow_Get Oauth Token action record, click View More.

  7. In the JSON Result section, copy the refresh_token value.

Configure the refresh token for the integration

To configure the refresh token for the integration, complete the following steps:

  1. In Google SecOps, go to Response > Integrations Setup.

  2. From the integrations list, select ServiceNow.

  3. Click Configure Instance.

  4. In the Refresh Token field, paste the refresh_token value you've copied from the JSON result in the previous section.

  5. Delete the Username and Password parameter values.

  6. Select Use Oauth Authentication.

  7. Click Save.

  8. Click Test.

Integrate ServiceNow with Google SecOps

The integration requires the following parameters:

Parameter Description
Api Root Required

The API root of the ServiceNow instance.

The default value is https://INSTANCE.service-now.com/api/now/v1/.

Username Required

The username of the ServiceNow account.

Password Required

The password of the ServiceNow account.

Incident Table Optional

The path to use for incident-related actions.

By default, the integration uses the table/incident path.

Verify SSL Optional

If selected, the integration verifies that the SSL certificate for connecting to the ServiceNow server is valid.

Selected by default.

Run Remotely Optional

If selected, the integration runs remotely.

After selecting this parameter, select the remote user (agent).

Not selected by default.

Client ID Optional

The client ID of the ServiceNow integration.

The OAuth 2.0 authentication requires this parameter to authenticate using client credentials.

You can authenticate either with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate.

Client Secret Optional

The client secret of the ServiceNow integration.

The OAuth 2.0 authentication requires this parameter to authenticate using client credentials.

You can authenticate either with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate.

Refresh Token Optional

A refresh token for the ServiceNow integration.

The OAuth 2.0 authentication requires this parameter to authenticate using the refresh token.

The configured refresh token expires every 90 days.

You can authenticate either with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate.

Use Oauth Authentication Optional

If selected, the integration uses the OAuth 2.0 authentication.

The OAuth 2.0 authentication requires either the client credentials (the Client ID and Client Secret parameters) or the Refresh Token parameter.

For more information about configuring an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if necessary. After configuring an instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
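
The authentication rules in the parameter table above can be checked mechanically before an instance is saved. The following Python sketch is an added example, not code from the integration: the class, function and finding names are hypothetical, the fallback to Username and Password when Use Oauth Authentication is cleared is an assumption, and the token issue date is a value the operator tracks (it is not an integration parameter).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

REFRESH_TOKEN_LIFETIME_DAYS = 90  # "expires every 90 days", as stated on this page


@dataclass
class ServiceNowInstanceConfig:
    """Mirror of the integration parameters (hypothetical container)."""
    api_root: str
    username: str = ""
    password: str = ""
    client_id: str = ""
    client_secret: str = ""
    refresh_token: str = ""
    use_oauth: bool = False          # "Use Oauth Authentication"
    verify_ssl: bool = True          # "Verify SSL", selected by default
    refresh_token_issued: Optional[date] = None  # operator-tracked, not a parameter


def effective_auth_mode(cfg: ServiceNowInstanceConfig) -> str:
    """Return the credential the documented precedence rules select."""
    if cfg.use_oauth:
        # A configured refresh token wins over client credentials.
        if cfg.refresh_token:
            return "refresh_token"
        if cfg.client_id and cfg.client_secret:
            return "client_credentials"
        return "invalid"
    # Assumption: without OAuth the integration uses Username/Password.
    if cfg.username and cfg.password:
        return "basic"
    return "invalid"


def audit(cfg: ServiceNowInstanceConfig, today: date,
          warn_days: int = 14) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for a single instance configuration."""
    findings: List[Tuple[str, str]] = []
    mode = effective_auth_mode(cfg)

    if mode == "invalid":
        findings.append(("NO_USABLE_CREDENTIALS",
                         "OAuth needs client credentials or a refresh token"))
    if not cfg.api_root.lower().startswith("https://"):
        findings.append(("API_ROOT_NOT_HTTPS", cfg.api_root))
    if not cfg.verify_ssl:
        findings.append(("VERIFY_SSL_OFF",
                         "server certificate is not validated"))
    # The refresh-token procedure tells you to delete Username and Password;
    # leaving them stored keeps a second, long-lived secret around.
    if mode in ("refresh_token", "client_credentials") and (cfg.username or cfg.password):
        findings.append(("STALE_BASIC_CREDS",
                         "Username/Password still stored while OAuth is in use"))
    if mode == "refresh_token":
        if cfg.refresh_token_issued is None:
            findings.append(("TOKEN_AGE_UNKNOWN", "issue date not recorded"))
        else:
            age = (today - cfg.refresh_token_issued).days
            left = REFRESH_TOKEN_LIFETIME_DAYS - age
            if left <= 0:
                findings.append(("TOKEN_EXPIRED", f"{-left} days past expiry"))
            elif left <= warn_days:
                findings.append(("TOKEN_EXPIRING", f"{left} days left"))
    return findings


# Constructed sample: every value below is a placeholder, not a real secret.
SAMPLE = ServiceNowInstanceConfig(
    api_root="https://INSTANCE.service-now.com/api/now/v1/",
    username="svc_secops",
    password="PASSWORD_PLACEHOLDER",
    client_id="CLIENT_ID_PLACEHOLDER",
    client_secret="CLIENT_SECRET_PLACEHOLDER",
    refresh_token="REFRESH_TOKEN_PLACEHOLDER",
    use_oauth=True,
    verify_ssl=False,
    refresh_token_issued=date(2025, 1, 1),
)

if __name__ == "__main__":
    print("mode:", effective_auth_mode(SAMPLE))
    for code, detail in audit(SAMPLE, today=date(2025, 3, 25)):
        print(f"{code}: {detail}")
```
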

Actions

The Close Incident and Update Incident actions require you to configure an additional role in ServiceNow.

Add Attachment

Use the Add Attachment action to add attachments to a table record in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

The Add Attachment action requires the following parameters:

Parameter Description
Mode Optional

The mode for the action.

If you select the Add New Attachment option, the action adds a new attachment (attachments with the same name are allowed).

If you select the Overwrite Existing Attachment option, the action removes the other (previous) attachments with the same name and adds a new attachment.

The possible values are as follows:

  • Add New Attachment
  • Overwrite Existing Attachment

Table Name Required

The name of the table that contains the record to add the attachment to.

Record Sys ID Required

The sys_ID value of the record to add the attachment to.

File Path Required

A comma-separated list of absolute paths for the files to attach.

Action outputs

The Add Attachment action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Add Attachment action:

{
    "result": {
        "size_bytes": "742",
        "file_name": "Example.txt",
        "sys_mod_count": "0",
        "average_image_color": "",
        "image_width": "",
        "sys_updated_on": "2020-08-16 11:43:39",
        "sys_tags": "",
        "table_name": "incident",
        "sys_id": "2a5d8423db2210104c187b60399619b2",
        "image_height": "",
        "sys_updated_by": "admin",
        "download_link": "https://example.service-now.com/api/now/attachment/2a5d8423db2210104c187b60399619b2/file",
        "content_type": "multipart/form-data",
        "sys_created_on": "2020-08-16 11:43:39",
        "size_compressed": "438",
        "compressed": "true",
        "state": "pending",
        "table_sys_id": "9d385017c611228701d22104cc95c371",
        "chunk_size_bytes": "700000",
        "hash": "d2acb9fe341654816e00d44bcdaf88ef0733a2838449bba870142626b94871fc",
        "sys_created_by": "admin"
    }
}
Output messages

The Add Attachment action can return the following output messages:

Output message Message description

Successfully added the following attachments to the record with a Sys ID RECORD_SYS_ID from a table TABLE_NAME in ServiceNow: FILE_PATHS

Action wasn't able to add the following attachments to the record with a Sys ID RECORD_SYS_ID from a table TABLE_NAME in ServiceNow: FILE_PATHS

No attachments were added to the record with a Sys ID RECORD_SYS_ID from a table TABLE_NAME in ServiceNow: FILE_PATHS

The action succeeded.
Error executing action "Add Attachment". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Add Attachment action:

Script result name Value
is_success True or False

Add Comment

Use the Add Comment action to add a comment to a ServiceNow incident.

This action runs on all Google SecOps entities.

Action inputs

The Add Comment action requires the following parameters:

Parameter Description
Incident Number Required

The number of the incident.

To configure this parameter value, use the following format: INCNUMBER

Comment Required

A comment to add to the incident.

Action outputs

The Add Comment action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the values for the script result output when using the Add Comment action:

Script result name Value
is_success True or False

Add Comment and Wait for Reply

Use the Add Comment and Wait for Reply action to wait until a new comment is added to an incident. The action result is the content of the new comments.

This action runs on all Google SecOps entities.

Action inputs

The Add Comment and Wait for Reply action requires the following parameters:

Parameter Description
Incident Number Required

The number of the incident.

To configure this parameter value, use the following format: INCNUMBER

Comment Required

A comment to add to the incident.

Action outputs

The Add Comment and Wait for Reply action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Add Comment and Wait for Reply action:

Script result name Value
new_comment Not applicable

Add Comment To Record

Use the Add Comment To Record action to add a comment to a specific table record in ServiceNow.

If you select the Wait For Reply parameter, this action works asynchronously. For the asynchronous mode, adjust the script timeout value in the Google SecOps IDE for the action as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Add Comment To Record action requires the following parameters:

Parameter Description
Table Name Required

The name of the table to add a comment or a note to, such as incident.

Type Required

The type of the comment to add.

The possible values are as follows:
  • Comment
  • Work Note

The default value is Comment.

Record Sys ID Required

The record ID to add a comment or a work note to.

Text Required

The content of a comment or work note.

Wait For Reply Required

If selected, the action waits for reply.

The action tracks comments if you add comments, and work notes if you add work notes.

Action outputs

The Add Comment To Record action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Add Comment To Record action:

{
    "sys_id": "4355183607523010ff23f6fd7c1ed0a8",
    "sys_created_on": "2021-09-03 10:29:48",
    "name": "incident",
    "element_id": "552c48888c033300964f4932b03eb092",
    "sys_tags": "",
    "value": "test",
    "sys_created_by": "admin",
    "element": "comments"
}
Output messages

The Add Comment To Record action can return the following output messages:

Output message Message description
Successfully added COMMENT_OR_NOTE "CONTENT" to TABLE_NAME with Sys_ID SYS_ID in ServiceNow. Action succeeded.
Error executing action "Add Comment To Record". Reason: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Add Comment To Record action:

Script result name Value
is_success True or False

Add Parent Incident

Use the Add Parent Incident action to add a parent incident for incidents in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

The Add Parent Incident action requires the following parameters:

Parameter Description
Parent Incident Number Required

A parent incident number.

The action adds all incidents in the Child Incident Numbers parameter as children for the parent incident.

To configure this parameter, use the following incident format: INCINCIDENT_NUMBER. For example, INC0000051.

Child Incident Numbers Required

A comma-separated list of incident numbers to set as children of the parent incident.

To configure this parameter, provide the value in the following format: INCNUMBER.

Action outputs

The Add Parent Incident action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Add Parent Incident action:

{
    "result": [
        {
            "parent": "",
            "made_sla": "true",
            "caused_by": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2020-10-20 07:19:11",
            "child_incidents": "0",
            "hold_reason": "",
            "approval_history": "",
            "skills": "",
            "number": "INC0010009",
            "resolved_by": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://example.service-now.com/api/now/table/sys_user/ID",
                "value": "ID"
            },
            "user_input": "",
            "sys_created_on": "2020-10-20 07:19:11",
            "sys_domain": {
                "link": "https://example.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "1",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "3",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "5",
            "sys_domain_path": "/",
            "rfc": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2020-10-20 07:18:56",
            "business_duration": "",
            "group_list": "",
            "work_end": "",
            "caller_id": {
                "link": "https://example.service-now.com/api/now/table/sys_user/ID",
                "value": "ID"
            },
            "reopened_time": "",
            "resolved_at": "",
            "approval_set": "",
            "subcategory": "",
            "work_notes": "",
            "short_description": "Assessment :  Assessor",
            "close_code": "",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "additional_assignee_list": "",
            "business_stc": "",
            "description": "",
            "calendar_duration": "",
            "close_notes": "",
            "notify": "1",
            "service_offering": "",
            "sys_class_name": "incident",
            "closed_by": "",
            "follow_up": "",
            "parent_incident": {
                "link": "https://example.service-now.com/api/now/table/incident/ID",
                "value": "ID"
            },
            "sys_id": "2a100a1c2fc42010c518532a2799b621",
            "contact_type": "",
            "reopened_by": "",
            "incident_state": "1",
            "urgency": "3",
            "problem_id": "",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": "",
            "severity": "3",
            "comments": "",
            "approval": "not requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "",
            "sys_mod_count": "0",
            "reopen_count": "0",
            "sys_tags": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": "",
            "category": "inquiry"
        }
    ]
}
Output messages

The Add Parent Incident action can return the following output messages:

Output message Message description
Successfully set PARENT_INCIDENT_NUMBER as the "Parent Incident" for the following incidents in ServiceNow: CHILD_INCIDENT_NUMBERS. Action succeeded.

Error executing action "Add Parent Incident". Reason: Parent Incident PARENT_INCIDENT_NUMBER wasn't found in ServiceNow. Please check the spelling.

Error executing action "Add Parent Incident". Reason: Parent Incident PARENT_INCIDENT_NUMBER wasn't found in ServiceNow. The following child incidents weren't found in ServiceNow: CHILD_INCIDENT_NUMBERS. Please check the spelling.

Action failed.

Check the spelling.

Error executing action "Add Parent Incident". Reason: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.

Close Incident

Use the Close Incident action to close a ServiceNow incident.

This action requires an additional role configured in ServiceNow. To assign the role to the user account used in the integration, complete the following steps:

  1. In ServiceNow, go to All > User Administration > Users.

  2. Select the user that you use in the integration.

  3. Go to Roles > Edit.

  4. Select the sn_incident_write role and click Add.

  5. Click Save.

This action runs on all Google SecOps entities.

Action inputs

The Close Incident action requires the following parameters:

Parameter Description
Incident Number Required

The number of the incident.

To configure this parameter value, use the following format: INCNUMBER

Close Reason Required

A reason to close the incident.

Action outputs

The Close Incident action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available
Script result

The following table lists the value for the script result output when using the Close Incident action:

Script result name Value
is_success True or False

Create Alert Incident

Use the Create Alert Incident action to create an incident which is related to a Google SecOps alert.

This action runs on all Google SecOps entities.

Action inputs

The Create Alert Incident action requires the following parameters:

Parameter Description
Impact Required

The impact level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is 1.

Urgency Required

The urgency level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is 1.

Category Optional

The incident category.

Assignment Group ID Optional

The full name of the group to assign the incident to.

Assigned User ID Optional

The full name of the user to assign the incident to.

Description Optional

The incident description.

Action outputs

The Create Alert Incident action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Create Alert Incident action:

{
    "sys_tags": " ",
    "user_input": " ",
    "calendar_stc": " ",
    "subcategory": " ",
    "watch_list": " ",
    "follow_up": " ",
    "made_sla": "true",
    "sys_created_by": "admin",
    "sla_due": " ",
    "number": "INC0010005",
    "group_list": " ",
    "reassignment_count": "0",
    "assigned_to": " ",
    "sys_mod_count": "0",
    "notify": "1",
    "resolved_by": " ",
    "upon_reject": "cancel",
    "additional_assignee_list": " ",
    "category": "inquiry",
    "closed_at": " ",
    "parent_incident": " ",
    "cmdb_ci": " ",
    "contact_type": " ",
    "impact": "1",
    "rfc": " ",
    "expected_start": " ",
    "knowledge": "false",
    "sys_updated_by": "admin",
    "caused_by": " ",
    "comments": " ",
    "closed_by": " ",
    "priority": "1",
    "state": "1",
    "sys_id": "ID",
    "opened_at": "2020-07-10 05:13:25",
    "child_incidents": "0",
    "work_notes": " ",
    "delivery_task": " ",
    "short_description": "4187b92c-7aaa-40ec-a032-833dd5a854e6",
    "comments_and_work_notes": " ",
    "time_worked": " ",
    "upon_approval": "proceed",
    "company": " ",
    "business_stc": " ",
    "correlation_display": " ",
    "sys_class_name": "incident",
    "delivery_plan": " ",
    "escalation": "0",
    "description": " ",
    "parent": " ",
    "close_notes": " ",
    "business_duration": " ",
    "problem_id": " ",
    "sys_updated_on": "2020-07-10 05:13:25",
    "approval_history": " ",
    "approval_set": " ",
    "business_service": " ",
    "reopened_by": " ",
    "calendar_duration": " ",
    "caller_id": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "active": "true",
    "approval": "not requested",
    "service_offering": " ",
    "sys_domain_path": "/",
    "hold_reason": " ",
    "activity_due": "2020-07-10 07:13:25",
    "severity": "3",
    "incident_state": "1",
    "resolved_at": " ",
    "location": " ",
    "due_date": " ",
    "work_start": " ",
    "work_end": " ",
    "work_notes_list": " ",
    "sys_created_on": "2020-07-10 05:13:25",
    "correlation_id": " ",
    "contract": " ",
    "reopened_time": " ",
    "opened_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "close_code": " ",
    "assignment_group": " ",
    "sys_domain": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
        "value": "global"
    },
    "order": " ",
    "urgency": "1",
    "reopen_count": "0"
}
Script result

The following table lists the value for the script result output when using the Create Alert Incident action:

Script result name Value
is_success True or False

Create Incident

Use the Create Incident action to create a new incident in the ServiceNow system.

This action runs on all Google SecOps entities.

Action inputs

The Create Incident action requires the following parameters:

Parameter Description
Short Description Required

A short description of the incident.

Impact Required

The impact level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is 1.

Urgency Required

The urgency level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is 1.

Category Optional

The incident category.

Assignment Group ID Optional

The full name of the group to assign the incident to.

Assigned User ID Optional

The full name of the user to assign the incident to.

Description Optional

The incident description.

Custom Fields Optional

A comma-separated list of fields and values.

To configure this parameter, provide the value in the following format: field_1:value_1,field_2:value_2.

Action outputs

The Create Incident action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Create Incident action:

{
    "sys_tags": " ",
    "user_input": " ",
    "calendar_stc": " ",
    "subcategory": " ",
    "watch_list": " ",
    "follow_up": " ",
    "made_sla": "true",
    "sys_created_by": "admin",
    "sla_due": " ",
    "number": "INC0010005",
    "group_list": " ",
    "reassignment_count": "0",
    "assigned_to": " ",
    "sys_mod_count": "0",
    "notify": "1",
    "resolved_by": " ",
    "upon_reject": "cancel",
    "additional_assignee_list": " ",
    "category": "inquiry",
    "closed_at": " ",
    "parent_incident": " ",
    "cmdb_ci": " ",
    "contact_type": " ",
    "impact": "1",
    "rfc": " ",
    "expected_start": " ",
    "knowledge": "false",
    "sys_updated_by": "admin",
    "caused_by": " ",
    "comments": " ",
    "closed_by": " ",
    "priority": "1",
    "state": "1",
    "sys_id": "ID",
    "opened_at": "2020-07-10 05:13:25",
    "child_incidents": "0",
    "work_notes": " ",
    "delivery_task": " ",
    "short_description": "4187b92c-7aaa-40ec-a032-833dd5a854e6",
    "comments_and_work_notes": " ",
    "time_worked": " ",
    "upon_approval": "proceed",
    "company": " ",
    "business_stc": " ",
    "correlation_display": " ",
    "sys_class_name": "incident",
    "delivery_plan": " ",
    "escalation": "0",
    "description": " ",
    "parent": " ",
    "close_notes": " ",
    "business_duration": " ",
    "problem_id": " ",
    "sys_updated_on": "2020-07-10 05:13:25",
    "approval_history": " ",
    "approval_set": " ",
    "business_service": " ",
    "reopened_by": " ",
    "calendar_duration": " ",
    "caller_id": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "active": "true",
    "approval": "not requested",
    "service_offering": " ",
    "sys_domain_path": "/",
    "hold_reason": " ",
    "activity_due": "2020-07-10 07:13:25",
    "severity": "3",
    "incident_state": "1",
    "resolved_at": " ",
    "location": " ",
    "due_date": " ",
    "work_start": " ",
    "work_end": " ",
    "work_notes_list": " ",
    "sys_created_on": "2020-07-10 05:13:25",
    "correlation_id": " ",
    "contract": " ",
    "reopened_time": " ",
    "opened_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "close_code": " ",
    "assignment_group": " ",
    "sys_domain": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
        "value": "global"
    },
    "order": " ",
    "urgency": "1",
    "reopen_count": "0"
}
Script result

The following table lists the value for the script result output when using the Create Incident action:

Script result name Value
incident_number INCIDENT_NUMBER

Create Record

Use the Create Record action to create new records in different ServiceNow tables.

This action runs on all Google SecOps entities.

Action inputs

The Create Record action requires the following parameters:

Parameter Description
Table Name Optional

The table to use for creating a record.

Object JSON Data Optional

The JSON data that is required to create a record.

Action outputs

The Create Record action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Create Record action:

{
    "sys_tags": " ",
    "user_input": " ",
    "calendar_stc": " ",
    "subcategory": " ",
    "watch_list": " ",
    "follow_up": " ",
    "made_sla": "true",
    "sys_created_by": "admin",
    "sla_due": " ",
    "number": "INC0010021",
    "group_list": " ",
    "reassignment_count": "0",
    "assigned_to": " ",
    "sys_mod_count": "0",
    "notify": "1",
    "resolved_by": " ",
    "upon_reject": "cancel",
    "additional_assignee_list": " ",
    "category": "inquiry",
    "closed_at": " ",
    "parent_incident": " ",
    "cmdb_ci": " ",
    "contact_type": " ",
    "impact": "3",
    "rfc": " ",
    "expected_start": " ",
    "knowledge": "false",
    "sys_updated_by": "admin",
    "caused_by": " ",
    "comments": " ",
    "closed_by": " ",
    "priority": "5",
    "state": "1",
    "sys_id": "ID",
    "opened_at": "2020-07-10 08:24:34",
    "child_incidents": "0",
    "work_notes": " ",
    "delivery_task": " ",
    "short_description": " ",
    "comments_and_work_notes": " ",
    "time_worked": " ",
    "upon_approval": "proceed",
    "company": " ",
    "business_stc": " ",
    "correlation_display": " ",
    "sys_class_name": "incident",
    "delivery_plan": " ",
    "escalation": "0",
    "description": " ",
    "parent": " ",
    "close_notes": " ",
    "business_duration": " ",
    "problem_id": " ",
    "sys_updated_on": "2020-07-10 08:24:34",
    "approval_history": " ",
    "approval_set": " ",
    "business_service": " ",
    "reopened_by": " ",
    "calendar_duration": " ",
    "caller_id": " ",
    "active": "true",
    "approval": "not requested",
    "service_offering": " ",
    "sys_domain_path": "/",
    "hold_reason": " ",
    "activity_due": " ",
    "severity": "3",
    "incident_state": "1",
    "resolved_at": " ",
    "location": " ",
    "due_date": " ",
    "work_start": " ",
    "work_end": " ",
    "work_notes_list": " ",
    "sys_created_on": "2020-07-10 08:24:34",
    "correlation_id": " ",
    "contract": " ",
    "reopened_time": " ",
    "opened_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "close_code": " ",
    "assignment_group": " ",
    "sys_domain": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
        "value": "global"
    },
    "order": " ",
    "urgency": "3",
    "reopen_count": "0"
}
Script result

The following table lists the value for the script result output when using the Create Record action:

Script result name Value
object_sys_id OBJECT_SYS_ID

Download Attachments

Use the Download Attachments action to download attachments related to a table record in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

The Download Attachments action requires the following parameters:

Parameter Description
Table Name Required

The name of the table that contains the record to download attachments from, such as incident.

Record Sys ID Required

The Sys ID of the record to download an attachment from.

Download Folder Path Required

The absolute folder path to store downloaded attachments.

Action outputs

The Download Attachments action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Download Attachments action:

{
    "result": [
        {
            "absolute_file_path": ["PATH"],
            "size_bytes": "187",
            "file_name": "example.txt",
            "sys_mod_count": "1",
            "average_image_color": "",
            "image_width": "",
            "sys_updated_on": "2020-10-19 09:58:39",
            "sys_tags": "",
            "table_name": "problem",
            "sys_id": "SYS_ID",
            "image_height": "",
            "sys_updated_by": "system",
            "download_link": "https://example.service-now.com/api/now/attachment/ID/file",
            "content_type": "text/plain",
            "sys_created_on": "2020-10-19 09:58:38",
            "size_compressed": "172",
            "compressed": "true",
            "state": "available",
            "table_sys_id": "57771d002f002010c518532a2799b6cc",
            "chunk_size_bytes": "700000",
            "hash": "a4fbb8ab71268903845b59724835274ddc66e095de553c5e0c1da8fecd04ee45",
            "sys_created_by": "admin"
        }
    ]
}
Output messages

The Download Attachments action can return the following output messages:

Output message Message description

Successfully downloaded the following attachments related to the record with Sys ID SYS_ID from table TABLE_NAME in ServiceNow: FILENAME

Action wasn't able to download the following attachments related to the record with Sys ID SYS_ID from table TABLE_NAME in ServiceNow: FILENAME

Action wasn't able to download attachments related to the record with Sys ID SYS_ID from table TABLE_NAME in ServiceNow: FILENAME

The action succeeded.
Error executing action "Download Attachments". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Download Attachments action:

Script result name Value
is_success True or False
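
The JSON result above reports `absolute_file_path`, `size_bytes`, and `hash` for each downloaded file, which is enough to check a file before a later playbook step opens it. The following is an added example, not part of the integration's code: `verify_attachment` and `demo` are hypothetical names, the sample files are constructed, and it assumes that `hash` is the hex-encoded SHA-256 of the attachment content.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large attachments are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_attachment(entry, download_root):
    """Check one entry of the JSON result; return a list of problems (empty = OK)."""
    problems = []
    root = os.path.realpath(download_root)
    paths = entry.get("absolute_file_path", [])
    if not paths:
        problems.append("no absolute_file_path reported")
    for path in paths:
        real = os.path.realpath(path)  # resolves symlinks and ".." segments
        # The file must live under the configured Download Folder Path.
        if os.path.commonpath([root, real]) != root:
            problems.append(f"{path}: resolves outside the download folder")
            continue
        if not os.path.isfile(real):
            problems.append(f"{path}: file is missing")
            continue
        # size_bytes arrives as a string in the JSON result.
        if str(os.path.getsize(real)) != str(entry.get("size_bytes")):
            problems.append(f"{path}: size differs from size_bytes")
        # Assumption: "hash" is the hex SHA-256 of the attachment content.
        if sha256_file(real) != str(entry.get("hash", "")).lower():
            problems.append(f"{path}: hash mismatch")
    return problems


def demo():
    """Run the check on three constructed entries: intact, changed on disk, misplaced."""
    report = {}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as other:

        def make(folder, name, on_disk, recorded):
            # Write on_disk bytes, but report metadata computed from recorded bytes.
            path = os.path.join(folder, name)
            with open(path, "wb") as handle:
                handle.write(on_disk)
            return {
                "file_name": name,
                "absolute_file_path": [path],
                "size_bytes": str(len(recorded)),
                "hash": hashlib.sha256(recorded).hexdigest(),
            }

        entries = [
            make(root, "example.txt", b"constructed sample\n", b"constructed sample\n"),
            # Same length, different content: only the hash check catches it.
            make(root, "report.txt", b"changed after upload", b"original upload data"),
            # Written to a second folder, so it is outside the download root.
            make(other, "escape.txt", b"x", b"x"),
        ]
        for entry in entries:
            report[entry["file_name"]] = verify_attachment(entry, root)
    return report


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```
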

Get Child Incident Details

Use the Get Child Incident Details action to retrieve information about child incidents based on the parent incident in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Child Incident Details action requires the following parameters:

Parameter Description
Parent Incident Number Required

The number of the incident to retrieve child incident details from. To configure this parameter, provide the value in the following format: INCNUMBER

Max Child Incident To Return Optional

The number of child incidents to return.

Action outputs

The Get Child Incident Details action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
Case wall table

The Get Child Incident Details action provides the following table:

Table name: Child Incident Details

Table columns:

  • Sys ID (mapped as sys_id)
  • Number (mapped as number)
  • Short Description (mapped as short_description)
  • Created At (mapped as sys_created_on)
JSON result

The following example shows the JSON result output received when using the Get Child Incident Details action:

{
    "result": [
        {
            "parent": "",
            "made_sla": "true",
            "caused_by": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2020-10-20 07:19:11",
            "child_incidents": "0",
            "hold_reason": "",
            "approval_history": "",
            "skills": "",
            "number": "INC0010009",
            "resolved_by": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://example.service-now.com/api/now/table/sys_user/ID",
                "value": "ID"
            },
            "user_input": "",
            "sys_created_on": "2020-10-20 07:19:11",
            "sys_domain": {
                "link": "https://example.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "1",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "3",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "5",
            "sys_domain_path": "/",
            "rfc": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2020-10-20 07:18:56",
            "business_duration": "",
            "group_list": "",
            "work_end": "",
            "caller_id": {
                "link": "https://example.service-now.com/api/now/table/sys_user/ID",
                "value": "ID"
            },
            "reopened_time": "",
            "resolved_at": "",
            "approval_set": "",
            "subcategory": "",
            "work_notes": "",
            "short_description": "Assessment :  ATF Assessor",
            "close_code": "",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "additional_assignee_list": "",
            "business_stc": "",
            "description": "",
            "calendar_duration": "",
            "close_notes": "",
            "notify": "1",
            "service_offering": "",
            "sys_class_name": "incident",
            "closed_by": "",
            "follow_up": "",
            "parent_incident": {
                "link": "https://example.service-now.com/api/now/table/incident/ID",
                "value": "ID"
            },
            "sys_id": "2a100a1c2fc42010c518532a2799b621",
            "contact_type": "",
            "reopened_by": "",
            "incident_state": "1",
            "urgency": "3",
            "problem_id": "",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": "",
            "severity": "3",
            "comments": "",
            "approval": "not requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "",
            "sys_mod_count": "0",
            "reopen_count": "0",
            "sys_tags": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": "",
            "category": "inquiry"
        }
    ]
}
Output messages

The Get Child Incident Details action can return the following output messages:

Output message Message description

Successfully retrieved information about child incidents related to the PARENT_INCIDENT_NUMBER incident in ServiceNow.

Action wasn't able to retrieve information about the child incidents in ServiceNow. Reason: incident PARENT_INCIDENT_NUMBER was not found.

No child incidents were found.

The action succeeded.
Error executing action "Get Child Incident Details". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Child Incident Details action:

Script result name Value
is_success True or False

Get CMDB Record Details

Use the Get CMDB Record Details action to get detailed CMDB records from the same class in ServiceNow.

This action runs on all Google SecOps entities.

For more information on class names, see View and edit class definition and metadata in the ServiceNow product documentation.

Action inputs

The Get CMDB Record Details action requires the following parameters:

Parameter Description
Class Name Required

The name of the class to list records from, such as cmdb_ci_appl.

Sys ID Required

A comma-separated list of record sys IDs to retrieve details for.

Max Relations To Return Optional

The number of record relations for every type to return.

The default value is 50.

Action outputs

The Get CMDB Record Details action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Get CMDB Record Details action:

{
    "result": {
        "outbound_relations": [
            {
                "sys_id": "56f3a7ad7f701200bee45f19befa910f",
                "type": {
                    "display_value": "Members::Member of",
                    "link": "https://example.service-now.com/api/now/table/cmdb_rel_type/ID",
                    "value": "ID"
                },
                "target": {
                    "display_value": "Example",
                    "link": "https://example.service-now.com/api/now/cmdb/instance/cmdb_ci/ID",
                    "value": "ID"
                }
            }
        ],
        "attributes": {
            "attested_date": "",
            "skip_sync": "false",
            "operational_status": "1",
            "caption": "",
            "cluster_type": "",
            "sys_updated_on": "2016-01-06 19:04:07",
            "attestation_score": "",
            "discovery_source": "",
            "first_discovered": "",
            "sys_updated_by": "example.user",
            "cluster_status": "",
            "due_in": "",
            "sys_created_on": "2016-01-06 16:47:15",
            "sys_domain": {
                "display_value": "global",
                "link": "https://example.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "install_date": "",
            "invoice_number": "",
            "gl_account": "",
            "sys_created_by": "example.user",
            "warranty_expiration": "",
            "cluster_version": "",
            "asset_tag": "",
            "fqdn": "",
            "change_control": "",
            "owned_by": "",
            "checked_out": "",
            "sys_domain_path": "/",
            "delivery_date": "",
            "maintenance_schedule": "",
            "install_status": "1",
            "cost_center": "",
            "attested_by": "",
            "supported_by": "",
            "dns_domain": "",
            "name": "SAP-LB-Win-Cluster",
            "assigned": "",
            "purchase_date": "",
            "subcategory": "Cluster",
            "short_description": "",
            "assignment_group": "",
            "managed_by": "",
            "managed_by_group": "",
            "last_discovered": "",
            "can_print": "false",
            "sys_class_name": "cmdb_ci_win_cluster",
            "manufacturer": "",
            "sys_id": "SYS_ID",
            "cluster_id": "",
            "po_number": "",
            "checked_in": "",
            "sys_class_path": "/!!/!5/!$",
            "vendor": "",
            "mac_address": "",
            "company": "",
            "model_number": "",
            "justification": "",
            "department": "",
            "assigned_to": "",
            "start_date": "",
            "cost": "",
            "comments": "",
            "sys_mod_count": "1",
            "serial_number": "",
            "monitor": "false",
            "model_id": "",
            "ip_address": "",
            "duplicate_of": "",
            "sys_tags": "",
            "cost_cc": "USD",
            "support_group": "",
            "order_date": "",
            "schedule": "",
            "environment": "",
            "due": "",
            "attested": "false",
            "unverified": "false",
            "correlation_id": "",
            "attributes": "",
            "location": "",
            "asset": "",
            "category": "Resource",
            "fault_count": "0",
            "lease_id": ""
        },
        "inbound_relations": [
            {
                "sys_id": "3b3d95297f701200bee45f19befa910c",
                "type": {
                    "display_value": "Depends on::Used by",
                    "link": "https://example.service-now.com/api/now/table/cmdb_rel_type/ID",
                    "value": "ID"
                },
                "target": {
                    "display_value": "IP-Router-3",
                    "link": "https://example.service-now.com/api/now/cmdb/instance/cmdb_ci/ID",
                    "value": "ID"
                }
            }
        ]
    }
}
Output messages

The Get CMDB Record Details action can return the following output messages:

Output message Message description

Successfully returned details for CMDB records in the Class CLASS_NAME from ServiceNow for the following Sys IDs: SYS_ID_LIST.

Action wasn't able to return details for CMDB records in the Class CLASS_NAME from ServiceNow for the following Sys IDs: SYS_ID_LIST

Action wasn't able to return details for CMDB records in the Class CLASS_NAME in ServiceNow. Reason: Class CLASS_NAME was not found.

Action wasn't able to return details for CMDB record with Sys ID SYS_ID in the Class CLASS_NAME in Service Now. Reason: Record with Sys ID SYS_ID was not found in Class CLASS_NAME.

Information about the provided Sys IDs was not found.

The action succeeded.
Error executing action "Get CMDB Record Details". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get CMDB Record Details action:

Script result name Value
is_success True or False

Get Oauth Token

Use the Get Oauth Token action to get an OAuth refresh token for ServiceNow. This action requires you to provide the Username, Password, Client ID, and Client Secret parameters in the integration configuration tab.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Get Oauth Token action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Get Oauth Token action:

{
    "access_token": "Na4Kb1oWpFcYNUnyAjsYldiTMxYF1Cz79Q",
    "refresh_token": "0ryCENbbvfggZbNG9rFFd8_C8X0UgAQSMQkPJNStGwEEt0qNt-F1lw",
    "scope": "useraccount",
    "token_type": "Bearer",
    "expires_in": 1799
}
Output messages

The Get Oauth Token action can return the following output messages:

Output message Message description
Successfully generated Oauth tokens for ServiceNow. Now navigate to the configuration tab and put "refresh_token" value in the "Refresh Token" parameter. Note: "Username" and "Password" parameters can be emptied. The action succeeded.
Error executing action "Get Oauth Token". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Oauth Token action:

Script result name Value
is_success True or False
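
The JSON result of this action carries a live `access_token` and `refresh_token`, and the Get User Details example on this page includes a `user_password` field, so a playbook step that copies action results into tickets, logs, or notifications should strip those values first. The following is an added example, not part of the integration's code: `redact`, `SENSITIVE_KEYS`, and the sample values are constructed for illustration, and the key list is an assumption based only on the field names shown on this page.

```python
# Field names taken from the JSON results shown on this page (assumed list,
# extend it for other secrets your tables return).
SENSITIVE_KEYS = {"access_token", "refresh_token", "user_password"}
PLACEHOLDER = "<redacted>"


def redact(node, path="$", hits=None):
    """Return (copy of node with secrets replaced, list of redacted paths).

    Walks nested dicts and lists, so it handles both the flat token response
    and the {"result": [...]} shape used by the record actions. Empty values
    are left alone so the output still shows which fields were unset.
    """
    hits = [] if hits is None else hits
    if isinstance(node, dict):
        clean = {}
        for key, value in node.items():
            child = f"{path}.{key}"
            if str(key).lower() in SENSITIVE_KEYS and value not in ("", None):
                clean[key] = PLACEHOLDER
                hits.append(child)
            else:
                clean[key], _ = redact(value, child, hits)
        return clean, hits
    if isinstance(node, list):
        items = [redact(item, f"{path}[{i}]", hits)[0] for i, item in enumerate(node)]
        return items, hits
    return node, hits


# Constructed sample shaped like the Get Oauth Token JSON result.
OAUTH_RESULT = {
    "access_token": "CONSTRUCTED_ACCESS_TOKEN",
    "refresh_token": "CONSTRUCTED_REFRESH_TOKEN",
    "scope": "useraccount",
    "token_type": "Bearer",
    "expires_in": 1799,
}

# Constructed sample shaped like a trimmed Get User Details JSON result.
USER_RESULT = {
    "result": [
        {
            "user_name": "example.user",
            "user_password": "CONSTRUCTED_PASSWORD",
            "email": "example@example.com",
            "last_login": "",
            "sys_domain": {
                "link": "https://example.service-now.com/api/now/table/sys_user_group/global",
                "value": "global",
            },
        }
    ]
}

if __name__ == "__main__":
    for sample in (OAUTH_RESULT, USER_RESULT):
        clean, hits = redact(sample)
        print(clean)
        print("redacted:", hits)
```

The returned path list gives an audit trail of what was removed without recording the values themselves.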

Get Record Details

Use the Get Record Details action to retrieve information about specific table records in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Record Details action requires the following parameters:

Parameter Description
Table Name Required

The name of the table to search for the record in, such as incident.

Record Sys ID Required

The record ID to retrieve the details for.

Fields Optional

A comma-separated list of fields to return for the record, such as field_1,field_2.

If you provide no value, the action returns the default fields for the record.

Action outputs

The Get Record Details action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Get Record Details action:

{
    "result": [
        {
            "parent": "",
            "made_sla": "true",
            "caused_by": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2020-10-20 07:19:11",
            "child_incidents": "0",
            "hold_reason": "",
            "approval_history": "",
            "skills": "",
            "number": "INC0010009",
            "resolved_by": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://example.service-now.com/api/now/table/sys_user/ID",
                "value": "ID"
            },
            "user_input": "",
            "sys_created_on": "2020-10-20 07:19:11",
            "sys_domain": {
                "link": "https://example.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "1",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "3",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "5",
            "sys_domain_path": "/",
            "rfc": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2020-10-20 07:18:56",
            "business_duration": "",
            "group_list": "",
            "work_end": "",
            "caller_id": {
                "link": "https://example.service-now.com/api/now/table/sys_user/ID",
                "value": "ID"
            },
            "reopened_time": "",
            "resolved_at": "",
            "approval_set": "",
            "subcategory": "",
            "work_notes": "",
            "short_description": "Assessment :  ATF Assessor",
            "close_code": "",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "additional_assignee_list": "",
            "business_stc": "",
            "description": "",
            "calendar_duration": "",
            "close_notes": "",
            "notify": "1",
            "service_offering": "",
            "sys_class_name": "incident",
            "closed_by": "",
            "follow_up": "",
            "parent_incident": {
                "link": "https://example.service-now.com/api/now/table/incident/ID",
                "value": "ID"
            },
            "sys_id": "SYS_ID",
            "contact_type": "",
            "reopened_by": "",
            "incident_state": "1",
            "urgency": "3",
            "problem_id": "",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": "",
            "severity": "3",
            "comments": "",
            "approval": "not requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "",
            "sys_mod_count": "0",
            "reopen_count": "0",
            "sys_tags": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": "",
            "category": "inquiry"
        }
    ]
}
Output messages

The Get Record Details action can return the following output messages:

Output message Message description

Successfully retrieved information about the TABLE_NAME record with a Sys ID RECORD_SYS_ID in ServiceNow.

Action wasn't able to retrieve information about the TABLE_NAME record with a Sys ID RECORD_SYS_ID in ServiceNow. Reason: ERROR_REASON.

The action succeeded.
Error executing action "Get Record Details". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Record Details action:

Script result name Value
is_success True or False

Get Incident

Use the Get Incident action to retrieve information about a ServiceNow incident.

This action runs on all Google SecOps entities.

Action inputs

The Get Incident action requires the following parameters:

Parameter Description
Incident Number Required

The number of the incident.

To configure this parameter value, use the following format: INCNUMBER

Short Description Optional

A short description of the incident.

Impact Optional

The impact level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is 1.

Urgency Optional

The urgency level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is 1.

Category Optional

The incident category.

Assignment Group ID Optional

The full name of the group to assign the incident to.

Assigned User ID Optional

The full name of the user to assign the incident to.

Description Optional

The incident description.

Incident State Optional

A status name or status ID of the incident.

Action outputs

The Get Incident action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Get Incident action:

{
    "sys_tags": " ",
    "user_input": " ",
    "calendar_stc": "2012",
    "subcategory": " ",
    "watch_list": " ",
    "follow_up": " ",
    "made_sla": "true",
    "sys_created_by": "admin",
    "sla_due": " ",
    "number": "INC0010041",
    "group_list": " ",
    "reassignment_count": "0",
    "assigned_to": " ",
    "sys_mod_count": "10",
    "notify": "1",
    "resolved_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "upon_reject": "cancel",
    "additional_assignee_list": " ",
    "category": "inquiry",
    "closed_at": "2020-07-10 12:53:06",
    "parent_incident": " ",
    "cmdb_ci": " ",
    "contact_type": " ",
    "impact": "1",
    "rfc": " ",
    "expected_start": " ",
    "knowledge": "false",
    "sys_updated_by": "admin",
    "caused_by": " ",
    "comments": " ",
    "closed_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "priority": "1",
    "state": "7",
    "sys_id": "SYS_ID",
    "opened_at": "2020-07-10 12:18:04",
    "child_incidents": "0",
    "work_notes": " ",
    "delivery_task": " ",
    "short_description": "sdf",
    "comments_and_work_notes": " ",
    "time_worked": " ",
    "upon_approval": "proceed",
    "company": " ",
    "business_stc": "0",
    "correlation_display": " ",
    "sys_class_name": "incident",
    "delivery_plan": " ",
    "escalation": "0",
    "description": " ",
    "parent": " ",
    "close_notes": "Closed by Caller",
    "business_duration": "1970-01-01 00:00:00",
    "problem_id": " ",
    "sys_updated_on": "2020-07-10 13:13:57",
    "approval_history": " ",
    "approval_set": " ",
    "business_service": " ",
    "reopened_by": " ",
    "calendar_duration": "1970-01-01 00:35:02",
    "caller_id": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "active": "false",
    "approval": "not requested",
    "service_offering": " ",
    "sys_domain_path": "/",
    "hold_reason": " ",
    "activity_due": "2020-07-10 14:33:28",
    "severity": "3",
    "incident_state": "7",
    "resolved_at": "2020-07-10 12:53:06",
    "location": " ",
    "due_date": " ",
    "work_start": " ",
    "work_end": " ",
    "work_notes_list": " ",
    "sys_created_on": "2020-07-10 12:18:04",
    "correlation_id": " ",
    "contract": " ",
    "reopened_time": " ",
    "opened_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "close_code": "Closed/Resolved by Caller",
    "assignment_group": " ",
    "sys_domain": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
        "value": "global"
    },
    "order": " ",
    "urgency": "1",
    "reopen_count": "0"
}
Script result

The following table lists the value for the script result output when using the Get Incident action:

Script result name Value
incident_number INCIDENT_NUMBER

Get User Details

Use the Get User Details action to retrieve information about users in ServiceNow by their sys_id values.

This action doesn't run on Google SecOps entities.

Action inputs

The Get User Details action requires the following parameters:

Parameter Description
User Sys IDs Required

A comma-separated list of user sys_ids to retrieve the details for, such as sys_id_1,sys_id_2.

Action outputs

The Get User Details action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
Case wall table

The Get User Details action provides the following table:

Table name: User Details

Table columns:

  • Sys ID (mapped as sys_id)
  • Name (mapped as name)
  • Username (mapped as user_name)
  • Email (mapped as email)
JSON result

The following example shows the JSON result output received when using the Get User Details action:

{
    "result": [
        {
            "calendar_integration": "1",
            "country": "",
            "last_position_update": "",
            "user_password": "example",
            "last_login_time": "",
            "source": "",
            "sys_updated_on": "2020-08-29 02:42:42",
            "building": "",
            "web_service_access_only": "false",
            "notification": "2",
            "enable_multifactor_authn": "false",
            "sys_updated_by": "user@example",
            "sys_created_on": "2012-02-18 03:04:52",
            "agent_status": "",
            "sys_domain": {
                "link": "https://example.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "",
            "vip": "false",
            "sys_created_by": "admin",
            "longitude": "",
            "zip": "",
            "home_phone": "",
            "time_format": "",
            "last_login": "",
            "default_perspective": "",
            "geolocation_tracked": "false",
            "active": "true",
            "sys_domain_path": "/",
            "cost_center": {
                "link": "https://example.service-now.com/api/now/table/cmn_cost_center/ID",
                "value": "ID"
            },
            "phone": "",
            "name": "Example User",
            "employee_number": "",
            "password_needs_reset": "false",
            "gender": "Male",
            "city": "",
            "failed_attempts": "",
            "user_name": "example.user",
            "latitude": "",
            "roles": "",
            "title": "",
            "sys_class_name": "sys_user",
            "sys_id": "SYS_ID",
            "internal_integration_user": "false",
            "ldap_server": "",
            "mobile_phone": "",
            "street": "",
            "company": {
                "link": "https://example.service-now.com/api/now/table/core_company/ID",
                "value": "ID"
            },
            "department": {
                "link": "https://dev98773.service-now.com/api/now/table/cmn_department/ID",
                "value": "ID"
            },
            "first_name": "Example",
            "email": "example@example.com",
            "introduction": "",
            "preferred_language": "",
            "manager": "",
            "business_criticality": "3",
            "locked_out": "false",
            "sys_mod_count": "4",
            "last_name": "User",
            "photo": "",
            "avatar": "063e38383730310042106710ce41f13b",
            "middle_name": "",
            "sys_tags": "",
            "time_zone": "",
            "schedule": "",
            "on_schedule": "",
            "date_format": "",
            "location": {
                "link": "https://example.service-now.com/api/now/table/cmn_location/ID",
                "value": "ID"
            }
        }
    ]
}

Output messages

The Get User Details action can return the following output messages:

Output message Message description

Successfully retrieved information about users from ServiceNow with the following Sys IDs: SYS_ID_LIST.

Action wasn't able to retrieve information about the users in ServiceNow with the following Sys IDs: SYS_ID_LIST.

Information about the users with specified Sys IDs was not found in ServiceNow.

The action succeeded.

Error executing action "Get User Details". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get User Details action:

Script result name Value
is_success True or False
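
The sample JSON result for Get User Details includes a user_password field alongside the four columns shown in the case wall table. The following added example (not part of the integration or of the original documentation) keeps an allow-list of fields before the result is passed to later playbook steps; the function name, the EXTRA_FIELDS list, and the SENSITIVE_FIELDS list are assumptions made for illustration.

```python
# Case wall columns documented for the Get User Details action.
CASE_WALL_FIELDS = ("sys_id", "name", "user_name", "email")
# Assumption: extra fields a playbook might still need; adjust to your own use.
EXTRA_FIELDS = ("active", "locked_out", "department", "manager")
# Assumption: fields reported for audit when they are present but not kept.
SENSITIVE_FIELDS = ("user_password",)


def _flatten(value):
    """Reference fields arrive as {"link": ..., "value": ...}; keep only the value."""
    if isinstance(value, dict):
        return value.get("value", "")
    return value


def minimize_user_details(json_result, keep=CASE_WALL_FIELDS + EXTRA_FIELDS):
    """Return (records, dropped_sensitive) for a Get User Details JSON result.

    Only allow-listed keys survive, so a field added to the table later
    is not forwarded by accident.
    """
    records, dropped = [], set()
    for user in json_result.get("result", []):
        records.append({k: _flatten(user[k]) for k in keep if k in user})
        dropped.update(k for k in SENSITIVE_FIELDS if k in user and k not in keep)
    return records, sorted(dropped)


# Constructed sample, trimmed to the shape of the documented JSON result.
SAMPLE = {"result": [{
    "sys_id": "SYS_ID",
    "name": "Example User",
    "user_name": "example.user",
    "email": "example@example.com",
    "user_password": "example",
    "active": "true",
    "locked_out": "false",
    "manager": "",
    "department": {
        "link": "https://example.service-now.com/api/now/table/cmn_department/ID",
        "value": "ID",
    },
}]}

if __name__ == "__main__":
    minimized, dropped_fields = minimize_user_details(SAMPLE)
    print(minimized)
    print("dropped sensitive fields:", dropped_fields)
```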

List CMDB Records

Use the List CMDB Records action to list CMDB records from the same class in ServiceNow.

The action doesn't run on Google SecOps entities.

For more information on class names, see View and edit class definition and metadata in the ServiceNow product documentation.

How to work with the query filter (sysparm_query)

To get the correct filter, complete the following steps:

  1. Navigate to the CMDB Query Builder using the following URL:

    https://SERVICENOW_INSTANCE/$queryBuilder.do
    
  2. In the Search CMDB Classes field, enter the class name.

  3. Drag the required class onto the builder canvas.

  4. In the browser, select Developer Tools and go to the Network tab.

  5. Hold the pointer over the class that you dragged to the canvas to check the filter icon.

  6. Create a filter of your choice.

  7. In the Network tab, search for requests that contain the map attribute.

    For example, the request URL is as follows:

    https://dev98773.service-now.com/api/now/ui/query_parse/cmdb_ci_appl/map?sysparm_query=sys_idLIKE1%5Esys_idSTARTSWITH0%5EORsys_idSTARTSWITH2
    

    From the URL, copy the value that appears after the sysparm_query= attribute. This value is a filter that you've created, presented as a query. The query value is as follows: sys_idLIKE1%5Esys_idSTARTSWITH0%5EORsys_idSTARTSWITH2.

    Decode the URL query before using it in actions.
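
The decoding step above, as an added Python example that is not part of the original documentation or of the integration code. The function names are hypothetical, the path pattern is taken from the request URL in step 7, and the splitter only understands plain AND (^) and OR (^OR) conditions on lowercase field names, which is an assumption; anything else is rejected so that a person reviews it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path shape taken from the request URL shown in step 7.
_MAP_PATH = re.compile(r"^/api/now/ui/query_parse/(?P<cls>[A-Za-z0-9_]+)/map$")
_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Assumption: field names are lowercase, optionally dot-walked.
_FIELD = re.compile(r"[a-z_][a-z0-9_.]*")


def extract_cmdb_filter(request_url):
    """Return (class_name, decoded_query) from a Query Builder 'map' request URL."""
    parts = urlsplit(request_url)
    if parts.scheme != "https":
        raise ValueError("expected an https URL")
    match = _MAP_PATH.match(parts.path)
    if not match:
        raise ValueError("not a query_parse/<class>/map request")
    # parse_qs percent-decodes each value exactly once.
    values = parse_qs(parts.query, keep_blank_values=True).get("sysparm_query", [])
    if len(values) != 1:
        raise ValueError("expected exactly one sysparm_query parameter")
    query = values[0]
    # A remaining escape means the value was encoded twice or copied wrongly.
    if _ESCAPE.search(query):
        raise ValueError("filter still contains percent-escapes after decoding")
    return match.group("cls"), query


def split_conditions(query):
    """Split a decoded filter into (joiner, field, remainder) triples.

    Clauses that are not plain AND/OR conditions (for example sorting)
    do not start with a lowercase field name and raise ValueError.
    """
    triples = []
    for index, chunk in enumerate(query.split("^")):
        if index == 0:
            joiner, cond = "", chunk
        elif chunk.startswith("OR"):
            joiner, cond = "OR", chunk[2:]
        else:
            joiner, cond = "AND", chunk
        field = _FIELD.match(cond)
        if not field or field.end() == len(cond):
            raise ValueError("unsupported or empty clause: %r" % chunk)
        triples.append((joiner, field.group(0), cond[field.end():]))
    return triples


def unexpected_fields(query, allowed):
    """Return the sorted field names used by the filter that are not in `allowed`."""
    used = {field for _, field, _ in split_conditions(query)}
    return sorted(used - set(allowed))


# The request URL from step 7 of the procedure.
PAGE_URL = (
    "https://dev98773.service-now.com/api/now/ui/query_parse/cmdb_ci_appl/map"
    "?sysparm_query=sys_idLIKE1%5Esys_idSTARTSWITH0%5EORsys_idSTARTSWITH2"
)

if __name__ == "__main__":
    class_name, query_filter = extract_cmdb_filter(PAGE_URL)
    print("Class Name:  ", class_name)
    print("Query Filter:", query_filter)
    for triple in split_conditions(query_filter):
        print(triple)
```

The returned class name and decoded filter correspond to the Class Name and Query Filter parameters of the List CMDB Records action.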

Action inputs

The List CMDB Records action requires the following parameters:

Parameter Description
Class Name Required

The name of the class to list the records from, such as cmdb_ci_appl.

Query Filter Optional

The query filter for the results, such as sys_idLIKE1^sys_idSTARTSWITH0.

Max Records To Return Optional

The maximum number of records to return.

The default value is 50.

Action outputs

The List CMDB Records action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

Case wall table

The List CMDB Records action provides the following table:

Table name: CLASS_NAME Records

Table columns:

  • Name (mapped as name)
  • Sys ID (mapped as sys_id)

JSON result

The following example shows the JSON result output received when using the List CMDB Records action:

{
    "result": [
        {
            "sys_id": "SYS_ID",
            "name": "Example server"
        }
    ]
}

Output messages

The List CMDB Records action can return the following output messages:

Output message Message description

Successfully listed CMDB records for the Class CLASS_NAME in Service Now.

Action wasn't able to list CMDB records for the Class CLASS_NAME in Service Now. Reason: Class 'CLASS_NAME' was not found in Service Now.

The action succeeded.

Error executing action "List CMDB Records". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List CMDB Records action:

Script result name Value
is_success True or False

List Record Comments

Use the List Record Comments action to list comments that are related to a specific table record in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

The List Record Comments action requires the following parameters:

Parameter Description
Table Name Required

The name of the table to add a comment or a note to, such as incident.

Type Required

The type of the comment to add.

The possible values are as follows:
  • Comment
  • Work Note

The default value is Comment.

Record Sys ID Required

The record ID to add a comment or a work note to.

Max Results To Return Optional

The maximum number of results to return.

The default value is 50.

Action outputs

The List Record Comments action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

JSON result

The following example shows the JSON result output received when using the List Record Comments action:

{
    "sys_id": "SYS_ID",
    "sys_created_on": "2021-09-03 10:29:48",
    "name": "incident",
    "element_id": "552c48888c033300964f4932b03eb092",
    "sys_tags": "",
    "value": "test",
    "sys_created_by": "admin",
    "element": "comments"
}

Output messages

The List Record Comments action can return the following output messages:

Output message Message description

Successfully returned CONTENT_TYPE related to TABLE_NAME with Sys ID SYS_ID in ServiceNow.

No CONTENT_TYPE were found for TABLE_NAME with Sys ID SYS_ID in ServiceNow.

The action succeeded.

Error executing action "List Record Comments". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Record Comments action:

Script result name Value
is_success True or False

List Records Related To User

Use the List Records Related To User action to list records from a table that is related to a user in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

The List Records Related To User action requires the following parameters:

Parameter Description
Table Name Required

A name of the table to search for related records in, such as incident.

Usernames Required

A comma-separated list of usernames to retrieve the related records for.

Max Days Backwards Required

The number of days before now to fetch the related records from.

Max Records To Return Optional

The number of records to return for every user.

The default value is 50.

Action outputs

The List Records Related To User action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

JSON result

The following example shows the JSON result output received when using the List Records Related To User action:

{
    "result": [
        {
            "parent": "",
            "made_sla": "true",
            "caused_by": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2020-10-19 14:18:40",
            "child_incidents": "0",
            "hold_reason": "",
            "approval_history": "",
            "skills": "",
            "number": "INC0010008",
            "resolved_by": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://example.service-now.com/api/now/table/sys_user/ID",
                "value": "ID"
            },
            "user_input": "",
            "sys_created_on": "2020-10-19 14:18:40",
            "sys_domain": {
                "link": "https://example.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "1",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "3",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "5",
            "sys_domain_path": "/",
            "rfc": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2020-10-19 14:18:20",
            "business_duration": "",
            "group_list": "",
            "work_end": "",
            "caller_id": {
                "link": "https://example.service-now.com/api/now/table/sys_user/ID",
                "value": "ID"
            },
            "reopened_time": "",
            "resolved_at": "",
            "approval_set": "",
            "subcategory": "",
            "work_notes": "",
            "short_description": "TEST",
            "close_code": "",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "additional_assignee_list": "",
            "business_stc": "",
            "description": "",
            "calendar_duration": "",
            "close_notes": "",
            "notify": "1",
            "service_offering": "",
            "sys_class_name": "incident",
            "closed_by": "",
            "follow_up": "",
            "parent_incident": "",
            "sys_id": "SYS_ID",
            "contact_type": "",
            "reopened_by": "",
            "incident_state": "1",
            "urgency": "3",
            "problem_id": "",
            "company": {
                "link": "https://example.service-now.com/api/now/table/core_company/ID",
                "value": "ID"
            },
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": "",
            "severity": "3",
            "comments": "",
            "approval": "not requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "",
            "sys_mod_count": "0",
            "reopen_count": "0",
            "sys_tags": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": "",
            "category": "inquiry"
        }
    ]
}

Output messages

The List Records Related To User action can return the following output messages:

Output message Message description

Successfully retrieved related records from the table TABLE_NAME in ServiceNow for the following users: USERNAME_LIST.

Action wasn't able to retrieve related records from the table TABLE_NAME in ServiceNow for the following users: USERNAME_LIST.

No related table records were retrieved for the provided users.

The action succeeded.

Error executing action "List Records Related To User". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Records Related To User action:

Script result name Value
is_success True or False

Ping

Use the Ping action to test connectivity to ServiceNow.

This action runs on all Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name Value
is_success True or False

Update Incident

Use the Update Incident action to update the incident information.

This action runs on all Google SecOps entities.

This action requires an additional role configured in ServiceNow. To assign the role to the user account used in the integration, complete the following steps:

  1. In ServiceNow, go to All > User Administration > Users.

  2. Select the user that you use in the integration.

  3. Go to Roles > Edit.

  4. Select the sn_incident_write role and click Add.

  5. Click Save.

Action inputs

The Update Incident action requires the following parameters:

Parameter Description
Incident Number Required

The number of the incident.

To configure this parameter value, use the following format: INCNUMBER

Short Description Optional

A short description of the incident.

Impact Optional

The impact level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is 1.

Urgency Optional

The urgency level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is 1.

Category Optional

The incident category.

Assignment Group ID Optional

The full name of the group to assign the incident to.

Assigned User ID Optional

The full name of the user to assign the incident to.

Description Optional

The incident description.

Incident State Optional

A status name or status ID of the incident.

Custom Fields Optional

A comma-separated list of fields and values.

To configure this parameter, provide the value in the following format: field_1:value_1,field_2:value_2.

Action outputs

The Update Incident action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available

JSON result

The following example shows the JSON result output received when using the Update Incident action:

{
    "sys_tags": " ",
    "user_input": " ",
    "calendar_stc": "2012",
    "subcategory": " ",
    "watch_list": " ",
    "follow_up": " ",
    "made_sla": "true",
    "sys_created_by": "admin",
    "sla_due": " ",
    "number": "INC0010041",
    "group_list": " ",
    "reassignment_count": "0",
    "assigned_to": " ",
    "sys_mod_count": "10",
    "notify": "1",
    "resolved_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "upon_reject": "cancel",
    "additional_assignee_list": " ",
    "category": "inquiry",
    "closed_at": "2020-07-10 12:53:06",
    "parent_incident": " ",
    "cmdb_ci": " ",
    "contact_type": " ",
    "impact": "1",
    "rfc": " ",
    "expected_start": " ",
    "knowledge": "false",
    "sys_updated_by": "admin",
    "caused_by": " ",
    "comments": " ",
    "closed_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "priority": "1",
    "state": "7",
    "sys_id": "SYS_ID",
    "opened_at": "2020-07-10 12:18:04",
    "child_incidents": "0",
    "work_notes": " ",
    "delivery_task": " ",
    "short_description": "sdf",
    "comments_and_work_notes": " ",
    "time_worked": " ",
    "upon_approval": "proceed",
    "company": " ",
    "business_stc": "0",
    "correlation_display": " ",
    "sys_class_name": "incident",
    "delivery_plan": " ",
    "escalation": "0",
    "description": " ",
    "parent": " ",
    "close_notes": "Closed by Caller",
    "business_duration": "1970-01-01 00:00:00",
    "problem_id": " ",
    "sys_updated_on": "2020-07-10 13:13:57",
    "approval_history": " ",
    "approval_set": " ",
    "business_service": " ",
    "reopened_by": " ",
    "calendar_duration": "1970-01-01 00:35:02",
    "caller_id": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "active": "false",
    "approval": "not requested",
    "service_offering": " ",
    "sys_domain_path": "/",
    "hold_reason": " ",
    "activity_due": "2020-07-10 14:33:28",
    "severity": "3",
    "incident_state": "7",
    "resolved_at": "2020-07-10 12:53:06",
    "location": " ",
    "due_date": " ",
    "work_start": " ",
    "work_end": " ",
    "work_notes_list": " ",
    "sys_created_on": "2020-07-10 12:18:04",
    "correlation_id": " ",
    "contract": " ",
    "reopened_time": " ",
    "opened_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "close_code": "Closed/Resolved by Caller",
    "assignment_group": " ",
    "sys_domain": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
        "value": "global"
    },
    "order": " ",
    "urgency": "1",
    "reopen_count": "0"
}

Script result

The following table lists the value for the script result output when using the Update Incident action:

Script result name Value
incident_number INCIDENT_NUMBER

Update Record

Use the Update Record action to update available records that belong to different tables in ServiceNow.

This action runs on all Google SecOps entities.

Action inputs

The Update Record action requires the following parameters:

Parameter Description
Table Name Optional

The table to use for updating a record.

Object JSON Data Optional

The JSON data that is required to update a record.

Record Sys ID Optional

The Sys ID of the updated record.

Action outputs

The Update Record action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Script result Available

JSON result

The following example shows the JSON result output received when using the Update Record action:

{
    "sys_tags": " ",
    "user_input": " ",
    "calendar_stc": " ",
    "subcategory": " ",
    "watch_list": " ",
    "follow_up": " ",
    "made_sla": "true",
    "sys_created_by": "admin",
    "sla_due": " ",
    "number": "INC0010021",
    "group_list": " ",
    "reassignment_count": "0",
    "assigned_to": " ",
    "sys_mod_count": "0",
    "notify": "1",
    "resolved_by": " ",
    "upon_reject": "cancel",
    "additional_assignee_list": " ",
    "category": "inquiry",
    "closed_at": " ",
    "parent_incident": " ",
    "cmdb_ci": " ",
    "contact_type": " ",
    "impact": "3",
    "rfc": " ",
    "expected_start": " ",
    "knowledge": "false",
    "sys_updated_by": "admin",
    "caused_by": " ",
    "comments": " ",
    "closed_by": " ",
    "priority": "5",
    "state": "1",
    "sys_id": "SYS_ID",
    "opened_at": "2020-07-10 08:24:34",
    "child_incidents": "0",
    "work_notes": " ",
    "delivery_task": " ",
    "short_description": " ",
    "comments_and_work_notes": " ",
    "time_worked": " ",
    "upon_approval": "proceed",
    "company": " ",
    "business_stc": " ",
    "correlation_display": " ",
    "sys_class_name": "incident",
    "delivery_plan": " ",
    "escalation": "0",
    "description": " ",
    "parent": " ",
    "close_notes": " ",
    "business_duration": " ",
    "problem_id": " ",
    "sys_updated_on": "2020-07-10 08:24:34",
    "approval_history": " ",
    "approval_set": " ",
    "business_service": " ",
    "reopened_by": " ",
    "calendar_duration": " ",
    "caller_id": " ",
    "active": "true",
    "approval": "not requested",
    "service_offering": " ",
    "sys_domain_path": "/",
    "hold_reason": " ",
    "activity_due": " ",
    "severity": "3",
    "incident_state": "1",
    "resolved_at": " ",
    "location": " ",
    "due_date": " ",
    "work_start": " ",
    "work_end": " ",
    "work_notes_list": " ",
    "sys_created_on": "2020-07-10 08:24:34",
    "correlation_id": " ",
    "contract": " ",
    "reopened_time": " ",
    "opened_by": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
        "value": "ID"
    },
    "close_code": " ",
    "assignment_group": " ",
    "sys_domain": {
        "link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
        "value": "global"
    },
    "order": " ",
    "urgency": "3",
    "reopen_count": "0"
}

Script result

The following table lists the value for the script result output when using the Update Record action:

Script result name Value
record_sys_id RECORD_SYS_ID

Wait For Comments

Use the Wait For Comments action to wait for comments related to a specific table record in ServiceNow.

This action works asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Wait For Comments action requires the following parameters:

Parameter Description
Table Name Required

The name of the table to add a comment or a note to, such as incident.

Type Required

The type of the comment to add.

The possible values are as follows:
  • Comment
  • Work Note

The default value is Comment.

Record Sys ID Required

The record ID to add a comment or a work note to.

Wait Mode Optional

The wait mode for the action.

If you select the Until Timeout option, the action waits and returns all of the comments in the specific timeout period.

If you select the Until First Message option, the action waits until a new message appears after the action execution.

If you select the Until Specific Text option, the action waits until there is a message that corresponds to the string in the Text parameter.

If you select the Until Specific Text option, also configure the Text parameter.

The possible values are as follows:

  • Until Timeout
  • Until First Message
  • Until Specific Text

The default value is Until Timeout.

Text Optional

The text that the action waits for.

This parameter is only relevant if you select the Until Specific Text option for the Wait Mode parameter.

Action outputs

The Wait For Comments action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available

JSON result

The following example shows the JSON result output received when using the Wait For Comments action:

{
    "sys_id": "SYS_ID",
    "sys_created_on": "2021-09-03 10:29:48",
    "name": "incident",
    "element_id": "552c48888c033300964f4932b03eb092",
    "sys_tags": "",
    "value": "test",
    "sys_created_by": "admin",
    "element": "comments"
}

Output messages

The Wait For Comments action can return the following output messages:

Output message Message description

Successfully returned CONTENT_TYPE related to TABLE_NAME with Sys ID SYS_ID in ServiceNow.

No new CONTENT_TYPE were added during the timeframe of action execution to TABLE_NAME with Sys ID SYS_ID in ServiceNow.

The action succeeded.

Error executing action "Wait For Comments". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Wait For Comments action:

Script result name Value
is_success True or False

Wait for Field Update

Use the Wait for Field Update action to wait for a field update of the data record in ServiceNow.

This action runs on all Google SecOps entities.

Action inputs

The Wait for Field Update action requires the following parameters:

Parameter Description
Table Name Required

The name of the table to create a record, such as incident.

Record Sys ID Required

The Sys ID of the record to update.

Field - Column Name Required

The name of the column to update.

Field - Values Required

The values that are expected in the column, such as In Progress or Resolved.

Action outputs

The Wait for Field Update action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available

Script result

The following table lists the value for the script result output when using the Wait for Field Update action:

Script result name Value
updated_field UPDATED_FIELD

Wait for Status Update

Use the Wait for Status Update action to wait for a status update of the data record in ServiceNow.

This action runs on all Google SecOps entities.

Action inputs

The Wait for Status Update action requires the following parameters:

Parameter Description
Incident Number Required

The number of the incident.

To configure this parameter value, use the following format: INCNUMBER

Statuses Required

A list of incident statuses to expect, such as In Progress, Resolved.

Action outputs

The Wait for Status Update action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Script result Available

Script result

The following table lists the value for the script result output when using the Wait for Status Update action:

Script result name Value
new_status STATUS

Connectors

For more information about configuring connectors in Google SecOps, see Ingest your data (connectors).

ServiceNow Connector

Use the ServiceNow Connector to retrieve incidents from ServiceNow.

How to work with the dynamic list

In the ServiceNow Connector, the dynamic list lets you modify the sysparm_query query that is sent to ServiceNow. You can filter on every field supported by that record type.

To filter the data, configure every dynamic list item to contain one field in the following format:

FIELD_NAME=VALUE

An example of a dynamic list item is as follows: category=security.

When you select the Use whitelist as a blacklist parameter, the connector modifies the query to work as a blocklist instead.

Connector inputs

The ServiceNow Connector requires the following parameters:

Parameter Description
Environment Required

A Google SecOps environment to run the connector.

Run Every Required

The iteration period to run the connector.

By default, the connector runs every 10 seconds.

Product Field Name Required

Enter the source field name to retrieve the product field name.

The default value is device_product.

Event Field Name Required

Enter the source field name to retrieve the event field name.

The default value is event_name.

Rule Generator Optional

The field name that determines the rule generator.

Api Root Required

The address of the ServiceNow instance.

To configure this parameter, provide the value in the following format: https://INSTANCE.service-now.com/api/now/v1/.

Username Required

The username for your ServiceNow instance.

Password Required

The password for your ServiceNow instance.

Verify SSL Optional

If selected, the integration verifies that the SSL certificate for connecting to the ServiceNow server is valid.

Selected by default.

Days Backwards Optional

The number of days before the first connector iteration to retrieve the incidents from. This parameter applies only once to the initial connector iteration after you enable the connector for the first time.

The default value is 5 days.

Max Incidents per Cycle Optional

The number of incidents to retrieve in every connector iteration.

The default value is 10.

Environments Whitelist Optional

A comma-separated list of environments (domains) for the connector to ingest into Google SecOps, such as env1,env2.

Use whitelist as a blacklist Optional

If selected, the connector uses the dynamic list as a blocklist.

Not selected by default.

PythonProcessTimeout Required

The timeout limit in seconds for the Python process running the current script.

The default value is 60.

Incident Table Optional

The API root path that ServiceNow uses for actions revolving around incidents.

By default, the integration uses the table/incident path.

Client ID Optional

The client ID of the ServiceNow application. The OAuth 2.0 authentication requires this parameter.

Client Secret Optional

The client secret value of the ServiceNow application. The OAuth 2.0 authentication requires this parameter.

Refresh Token Optional

The refresh token of the ServiceNow application. The OAuth 2.0 authentication requires this parameter.

Use Oauth Authentication Optional

If selected, the integration uses OAuth 2.0 authentication. If you select this parameter, also configure the Client ID, Client Secret, and Refresh Token connector parameters.

Not selected by default.

Server Time Zone Optional

The time zone that is configured in the server, such as UTC, Asia/Jerusalem.

Table Name Optional

The name of the table to retrieve records from, such as incident.

Event Name Optional

The name of a Google SecOps event, such as ServiceNowEvent.

Proxy Server Address Optional

The address of the proxy server to use.

Proxy Username Optional

The proxy username to authenticate with.

Proxy Password Optional

The proxy password to authenticate with.

Get User Information Optional

If selected, the connector additionally retrieves information about users that are related to the incident.

Connector rules

  • The connector supports proxies.

  • The connector supports dynamic lists and blocklists.

Jobs

The ServiceNow integration includes the following jobs:

Sync Closed Incidents

Use the Sync Closed Incidents job to synchronize closed ServiceNow incidents and Google SecOps alerts.

Job inputs

The Sync Closed Incidents job requires the following parameters:

Parameter Description
Scheduler Required

An iteration period to run the connector.

Api Root Required

The address for the ServiceNow instance.

To configure this parameter, provide the value in the following format: https://INSTANCE.service-now.com/api/now/v1/.

Username Required

The username for your ServiceNow instance.

Password Required

The password for your ServiceNow instance.

Verify SSL Optional

If selected, the integration verifies that the SSL certificate for connecting to the ServiceNow server is valid.

Selected by default.

Client ID Optional

The client ID of the ServiceNow integration.

The OAuth 2.0 authentication requires this parameter to authenticate using client credentials.

You can authenticate either with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate.

Client Secret Optional

The client secret of the ServiceNow integration.

The OAuth 2.0 authentication requires this parameter to authenticate using client credentials.

You can authenticate either with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate.

Refresh Token Optional

A refresh token for the ServiceNow integration.

The OAuth 2.0 authentication requires this parameter to authenticate using the refresh token.

The configured refresh token expires every 90 days.

You can authenticate either with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate.

Use Oauth Authentication Optional

If selected, the integration uses the OAuth 2.0 authentication.

The OAuth 2.0 authentication requires either the client credentials (Client ID and Client Secret parameters) or the Refresh Token parameter.

Max Hours Backwards Optional

The number of hours before the first job iteration to synchronize incident statuses. This parameter applies only once to the initial job iteration after you enable the job for the first time.

The default value is 24 hours.

Table Name Required

The name of the table to search for the record in, such as incident.

Sync Incidents

Use the Sync Incidents job to synchronize the ServiceNow incident fields and attachments that are related to cases and alerts in Google SecOps.

For the job to work, add the ServiceNow Incident Sync tag to the case and the TICKET_ID value to a case or an alert, depending on the Sync Level parameter. An example of the TICKET_ID value is as follows: INC0000050,INC0000051.

TICKET_ID is a context value that you can set using the Set Scope Context Value action from the Siemplify integration.

Job inputs

The Sync Incidents job requires the following parameters:

Parameter Description
Scheduler Required

The iteration period to run the connector.

Api Root Required

The address of the ServiceNow instance.

To configure this parameter, provide the value in the following format: https://INSTANCE.service-now.com/api/now/v1/.

Username Required

The username for your ServiceNow instance.

Password Required

The password for your ServiceNow instance.

Sync Level Required

A synchronization level for the job.

The possible values are as follows:

  • Case
  • Alert

The default value is Case.

Max Hours Backwards Required

The number of hours before the first job iteration to synchronize cases from. This parameter applies only once to the initial job iteration after you enable the job for the first time.

The default value is 24 hours.

Verify SSL Required

If selected, the integration verifies that the SSL certificate for connecting to the ServiceNow server is valid.

Selected by default.

Sync Table Record Comments

Use the Sync Table Record Comments job to synchronize comments in ServiceNow table records and Google SecOps cases.

Job inputs

The Sync Table Record Comments job requires the following parameters:

Parameter Description
Scheduler Required

An iteration period to run the connector.

Api Root Required

The address of the ServiceNow instance.

To configure this parameter, provide the value in the following format: https://INSTANCE.service-now.com/api/now/v1/.

Username Required

The username for your ServiceNow instance.

Password Required

The password for your ServiceNow instance.

Verify SSL Optional

If selected, the integration verifies that the SSL certificate for connecting to the ServiceNow server is valid.

Selected by default.

Client ID Optional

The client ID of the ServiceNow integration.

The OAuth 2.0 authentication requires this parameter to authenticate using client credentials.

You can authenticate either with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate.

Client Secret Optional

The client secret of the ServiceNow integration.

The OAuth 2.0 authentication requires this parameter to authenticate using client credentials.

You can authenticate either with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate.

Refresh Token Optional

A refresh token for the ServiceNow integration.

The OAuth 2.0 authentication requires this parameter to authenticate using the refresh token.

The configured refresh token expires every 90 days.

You can authenticate either with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate.

Use Oauth Authentication Optional

If selected, the integration uses the OAuth 2.0 authentication.

The OAuth 2.0 authentication requires either the client credentials (Client ID and Client Secret parameters) or the Refresh Token parameter.

Table Name Required

The name of the table to search for the record in, such as incident.
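The following pre-flight check is an added example, not code from the integration. It applies the credential precedence and the 90-day refresh token lifetime described for the Sync Closed Incidents and Sync Table Record Comments jobs, and flags a non-HTTPS Api Root or a cleared Verify SSL setting. The dictionary shape, the function names, the token_issued date, and the fallback to Username and Password when OAuth is not selected are assumptions.

```python
from datetime import date, timedelta
from urllib.parse import urlparse

REFRESH_TOKEN_LIFETIME = timedelta(days=90)  # page: refresh token expires every 90 days

def resolve_auth(params):
    """Return the credential a job would use, following the precedence stated on this page."""
    if not params.get("Use Oauth Authentication"):
        # Assumption: with OAuth not selected, Username/Password are used.
        if params.get("Username") and params.get("Password"):
            return "basic"
        raise ValueError("Username and Password are required")
    if params.get("Refresh Token"):  # wins when both kinds are configured
        return "refresh_token"
    if params.get("Client ID") and params.get("Client Secret"):
        return "client_credentials"
    raise ValueError("OAuth selected without Refresh Token or Client ID + Client Secret")

def audit_job_params(params, token_issued=None, today=None, warn_days=14):
    """Return (auth_mode, findings) for one job's parameter set."""
    findings = []
    url = urlparse(params.get("Api Root", ""))
    if url.scheme != "https":
        findings.append("Api Root is not https")
    if url.path.rstrip("/") != "/api/now/v1":
        findings.append("Api Root path is not /api/now/v1/")
    if not params.get("Verify SSL", True):  # selected by default
        findings.append("Verify SSL is off: server certificate is not validated")
    try:
        mode = resolve_auth(params)
    except ValueError as err:
        mode = None
        findings.append(str(err))
    if mode == "refresh_token" and token_issued is not None:
        left = (token_issued + REFRESH_TOKEN_LIFETIME - (today or date.today())).days
        if left <= warn_days:
            findings.append(f"Refresh Token expires in {left} day(s)")
    return mode, findings

# Constructed sample input, not a real configuration.
SAMPLE = {
    "Api Root": "https://INSTANCE.service-now.com/api/now/v1/",
    "Username": "svc_secops", "Password": "placeholder",
    "Verify SSL": True, "Use Oauth Authentication": True,
    "Client ID": "placeholder", "Client Secret": "placeholder",
    "Refresh Token": "placeholder",
}

if __name__ == "__main__":
    print(audit_job_params(SAMPLE, token_issued=date(2024, 1, 1), today=date(2024, 3, 25)))
```

Record the date each refresh token was issued alongside the job configuration so that the expiry check has something to work from.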

Sync Table Record Comments By Tag

Use the Sync Table Record Comments By Tag job to synchronize comments in ServiceNow table records and Google SecOps cases.

This job requires the case to possess the following tags:

  • ServiceNow TABLE_NAME

  • ServiceNow TicketId: TICKET_ID

Job inputs

The Sync Table Record Comments By Tag job requires the following parameters:

Parameter Description
Scheduler Required

The iteration period to run the connector.

Api Root Required

The address of the ServiceNow instance.

To configure this parameter, provide the value in the following format: https://INSTANCE.service-now.com/api/now/v1/.

Username Required

The username for your ServiceNow instance.

Password Required

The password for your ServiceNow instance.

Table Name Required

The name of the table to search for the record in, such as incident.

Verify SSL Optional

If selected, the integration verifies that the SSL certificate for connecting to the ServiceNow server is valid.

Selected by default.