Integrate ServiceNow with Google SecOps
This document explains how to integrate ServiceNow with Google Security Operations (Google SecOps).
Integration version: 53.0
Use cases
Integrating ServiceNow with Google SecOps SOAR can help you solve the following use cases:
Automated incident ticketing and enrichment: use the Google SecOps capabilities to automatically create ServiceNow incidents from security alerts triggered in your SIEM or other security tools. You can streamline incident response workflows by reducing manual ticketing and enriching incidents with relevant information from the triggering alert.
Phishing investigation and remediation: use the Google SecOps capabilities to automate phishing investigation steps like gathering email headers, investigating attachments, and searching for similar emails within your organization. Automating repetitive tasks can accelerate phishing response times and reduce the workload of your security analyst team.
Vulnerability management and remediation: you can orchestrate vulnerability remediation workflows by automatically creating ServiceNow change requests for patching or mitigating based on vulnerability scans.
User onboarding and offboarding: you can automate user provisioning and de-provisioning tasks in various systems, including access control systems, email platforms, and applications, based on ServiceNow workflows.
Threat intelligence enrichment: use the Google SecOps capabilities to enrich security alerts with threat intelligence data from the ServiceNow platform for providing more context and prioritizing response actions.
Before you begin
Before you configure the integration in Google SecOps, configure the user access in ServiceNow.
Some actions and jobs require you to assign additional ServiceNow roles to the user that you use in the integration. For more details about the required roles, see Configure roles and minimum permissions.
Configure the user access in ServiceNow
ServiceNow uses the sys_journal_field table to synchronize with Google SecOps. By default, only ServiceNow administrator users can access the sys_journal_field table. For more information about ServiceNow roles, see Base system roles.
To access the sys_journal_field table in ServiceNow and enable OAuth 2.0 authentication, you need to configure the appropriate access permissions for the user.
To configure the user access in ServiceNow, complete the following steps:
Create a new role and add it to the user account that you use in the integration.
Create a new ACL rule. To create a new ACL, elevate the administrator privilege role. For more information about elevated privilege roles in ServiceNow, see Elevated privilege roles.
Create a new role
To create a new role in ServiceNow, complete the following steps:
Sign in to ServiceNow as an administrator.
Go to All > User Administration > Roles.
Click New and fill out the form.
As a role name, enter secops_user.
Click Submit.
Create an ACL rule
To create a new ACL rule in ServiceNow, complete the following steps:
Sign in to ServiceNow as an administrator.
To configure ACL rules, elevate your role privileges to the security_admin role.
Go to All > System Security > Access Control (ACL).
Select the sys_journal_field table.
In the Requires role field, enter secops_user.
After completing the form, click the form header.
Click Update.
To let the user configured in the integration access other tables, enter secops_user in the Requires role field of the corresponding table.
Assign a new role to the user
To assign the role you created to the user account used in the integration, complete the following steps:
In ServiceNow, go to All > User Administration > Users.
Select the user that you use in the integration.
Go to Roles > Edit.
Select the secops_user role and click Add.
Click Save.
Configure roles and minimum permissions
The following activities require you to grant permissions to the ServiceNow user account that you use in the integration:
- Access the sys_journal_field table (required for the Add Comment And Wait For Reply action).
- Create, write, and modify the required tables (required for the Create Record, Update Record, and Wait For Field Update actions).
- Update an incident (required for the Close Incident and Update Incident actions).
To configure the roles required to run specific actions, refer to the following table:
Action | Required role |
---|---|
List Record Comments | Any custom role with the To
assign the |
For more information about the
|
|
For more information about the
|
To assign the role to the user account that you use in the integration, complete the following steps:
In ServiceNow, go to All > User Administration > Users.
Select the user that you use in the integration.
Go to Roles > Edit.
Select the role and click Add.
Click Save.
Enable OAuth 2.0 authentication
To enable OAuth 2.0 for the integration, upgrade your ServiceNow instance to the Washington DC release.
To authenticate with OAuth 2.0, configure the client credentials (the Client ID, Client Secret, and the Use Oauth Authentication parameters) in the integration parameters.
If you configure the Refresh Token parameter along with the Client ID and Client Secret parameters, the integration authenticates using the refresh token.
To enable OAuth 2.0 authentication for the integration, complete the following steps:
Configure OAuth 2.0 in ServiceNow
To configure OAuth 2.0 in ServiceNow, complete the following steps:
In ServiceNow, go to System Definition > Plugins.
Activate the OAuth 2.0 plugin.
Set the com.snc.platform.security.oauth.is.active system property to True.
Go to System OAuth > Application Registry.
Click New and select Create an OAuth API endpoint for external clients.
Save the client_id and client_secret values to use them in the integration.
Configure initial integration parameters
To configure the initial integration parameters, complete the following steps:
In Google SecOps, go to Response > Integrations Setup.
Optional: Select your environment.
In the Search field, enter ServiceNow.
Click Configure Instance.
Configure the Username, Password, Client ID, and Client Secret integration parameters.
Click Save.
Optional: Generate and configure a refresh token
To generate a refresh token, complete the following steps:
If your Google SecOps instance is new and has no existing cases, simulate a case.
If you have an existing case, proceed to the next step.
Optional: Simulate a case
To simulate a case in Google SecOps, follow these steps:
In the side navigation, select Cases.
On the Cases page, click Add > Simulate Cases.
Select any of the default cases and click Create. It doesn't matter what case you choose to simulate.
Click Simulate.
If you have an environment other than default and would like to use it, select the correct environment and click Simulate.
In the Cases tab, click Refresh. The case that you simulated appears in the case list.
Run the Get Oauth Token action
Use the Google SecOps case which you simulated to manually run the Get Oauth Token action.
To run the Get Oauth Token action, complete the following steps:
In the Cases tab, select your simulated case.
In a Case View, click Manual Action.
In the manual action Search field, enter ServiceNow.
In the results under the ServiceNow integration, select Get Oauth Token.
Click Execute.
After the action is executed, navigate to the Case Wall of your simulated case. In the ServiceNow_Get Oauth Token action record, click View More.
In the JSON Result section, copy the refresh_token value.
Configure the refresh token for the integration
To configure the refresh token for the integration, complete the following steps:
In Google SecOps, go to Response > Integrations Setup.
From the integrations list, select ServiceNow.
Click Configure Instance.
In the Refresh Token field, paste the refresh_token value which you copied from the JSON result in the previous section.
Delete the Username and Password parameter values.
Select Use Oauth Authentication.
Click Save.
Click Test.
Integration parameters
The ServiceNow integration requires the following parameters:
Parameter | Description |
---|---|
Api Root | Required. The API root of the ServiceNow instance. The default value is |
Username | Required. The username of the ServiceNow account. |
Password | Required. The password of the ServiceNow account. |
Incident Table | Optional. The path to use for incident-related actions. By default, the integration uses the |
Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to ServiceNow. Selected by default. |
Run Remotely | Optional. If selected, the integration runs remotely. After selecting this parameter, select the remote user (agent). Not selected by default. |
Client ID | Optional. The client ID of the ServiceNow integration. OAuth 2.0 requires this parameter to authenticate using client credentials. You can authenticate with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate. |
Client Secret | Optional. The client secret of the ServiceNow integration. OAuth 2.0 requires this parameter to authenticate using client credentials. You can authenticate with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate. |
Refresh Token | Optional. A refresh token for the ServiceNow integration. OAuth 2.0 authentication requires this parameter to authenticate using the refresh token. The configured refresh token expires every 90 days. You can authenticate with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate. |
Use Oauth Authentication | Optional. If selected, the integration uses OAuth 2.0 to authenticate. OAuth 2.0 requires you to configure the client credentials (the |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
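An added example, not code from the integration: it applies the authentication precedence described in the parameter table to a set of parameter values and reports settings that weaken the connection. The dict layout, the function names, the 14-day rotation warning and the sample values are assumptions.

```python
from datetime import date, timedelta

# The page states that the configured refresh token expires every 90 days.
REFRESH_TOKEN_LIFETIME = timedelta(days=90)
# Assumption: flag the token two weeks before expiry so it is rotated in time.
ROTATION_WARNING = timedelta(days=14)


def is_set(params, name):
    """True when a text parameter holds a non-empty value."""
    return bool(str(params.get(name) or "").strip())


def resolve_auth_mode(params):
    """Apply the precedence rules from the integration parameter table."""
    if not params.get("Use Oauth Authentication"):
        return "username_password"
    if not (is_set(params, "Client ID") and is_set(params, "Client Secret")):
        return "invalid"
    # The refresh token wins when it is configured with client credentials.
    if is_set(params, "Refresh Token"):
        return "oauth_refresh_token"
    return "oauth_client_credentials"


def audit_instance(params, token_issued_on=None, today=None):
    """Return (auth_mode, findings) for one integration instance."""
    today = today or date.today()
    mode = resolve_auth_mode(params)
    findings = []

    if not str(params.get("Api Root") or "").lower().startswith("https://"):
        findings.append("Api Root is not an https:// URL")
    if not params.get("Verify SSL", True):  # selected by default
        findings.append("Verify SSL is not selected; the certificate is not validated")

    if mode == "invalid":
        findings.append("Use Oauth Authentication is selected but Client ID or Client Secret is empty")
    elif mode == "username_password":
        if not (is_set(params, "Username") and is_set(params, "Password")):
            findings.append("Username or Password is empty and OAuth is not selected")
        if is_set(params, "Refresh Token"):
            findings.append("Refresh Token is stored but Use Oauth Authentication is not selected")
    elif mode == "oauth_refresh_token":
        # The refresh-token procedure ends by deleting Username and Password.
        if is_set(params, "Username") or is_set(params, "Password"):
            findings.append("Username/Password are still stored next to the refresh token")
        if token_issued_on is None:
            findings.append("refresh token issue date unknown; rotation cannot be scheduled")
        else:
            expires = token_issued_on + REFRESH_TOKEN_LIFETIME
            if today >= expires:
                findings.append(f"refresh token expired on {expires.isoformat()}")
            elif expires - today <= ROTATION_WARNING:
                findings.append(f"refresh token expires on {expires.isoformat()}; rotate it")
    return mode, findings


# Constructed sample values, not taken from a real instance.
SAMPLE_INSTANCES = {
    "after-token-setup": {
        "Api Root": "https://example.service-now.com",
        "Username": "svc_secops",
        "Password": "PLACEHOLDER",
        "Client ID": "PLACEHOLDER_CLIENT_ID",
        "Client Secret": "PLACEHOLDER_CLIENT_SECRET",
        "Refresh Token": "PLACEHOLDER_REFRESH_TOKEN",
        "Use Oauth Authentication": True,
        "Verify SSL": False,
    },
    "client-credentials": {
        "Api Root": "https://example.service-now.com",
        "Client ID": "PLACEHOLDER_CLIENT_ID",
        "Client Secret": "PLACEHOLDER_CLIENT_SECRET",
        "Use Oauth Authentication": True,
    },
    "password-only": {
        "Api Root": "http://example.service-now.com",
        "Username": "svc_secops",
        "Password": "PLACEHOLDER",
    },
}

if __name__ == "__main__":
    for name, params in SAMPLE_INSTANCES.items():
        mode, findings = audit_instance(params, token_issued_on=date(2025, 1, 1),
                                        today=date(2025, 3, 25))
        print(name, mode)
        for finding in findings:
            print("  -", finding)
```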
Actions
For additional roles that are required to run specific actions, see Configure roles and minimum permissions.
Add Attachment
Use the Add Attachment action to add attachments to a table record in ServiceNow.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Attachment action requires the following parameters:
Parameter | Description |
---|---|
Mode |
Optional. The mode for the action. The possible values are as follows:
If you select the
If you select the
|
Table Name | Required. A name of the table that contains the record to add the attachment to. |
Record Sys ID | Required. A |
File Path | Required. A comma-separated list of absolute paths for the files to attach. |
Action outputs
The Add Attachment action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Add Attachment action:
{
"result": {
"size_bytes": "742",
"file_name": "Example.txt",
"sys_mod_count": "0",
"average_image_color": "",
"image_width": "",
"sys_updated_on": "2020-08-16 11:43:39",
"sys_tags": "",
"table_name": "incident",
"sys_id": "2a5d8423db2210104c187b60399619b2",
"image_height": "",
"sys_updated_by": "admin",
"download_link": "https://example.service-now.com/api/now/attachment/2a5d8423db2210104c187b60399619b2/file",
"content_type": "multipart/form-data",
"sys_created_on": "2020-08-16 11:43:39",
"size_compressed": "438",
"compressed": "true",
"state": "pending",
"table_sys_id": "9d385017c611228701d22104cc95c371",
"chunk_size_bytes": "700000",
"hash": "d2acb9fe341654816e00d44bcdaf88ef0733a2838449bba870142626b94871fc",
"sys_created_by": "admin"
}
}
Output messages
The Add Attachment action can return the following output messages:
Output message | Message description |
---|---|
|
The action succeeded. |
Error executing action "Add Attachment". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Attachment action:
Script result name | Value |
---|---|
is_success | True or False |
Add Comment
Use the Add Comment action to add a comment to a ServiceNow incident.
This action runs on all Google SecOps entities.
Action inputs
The Add Comment action requires the following parameters:
Parameter | Description |
---|---|
Incident Number | Required. The number of the incident. To configure this parameter value, use the following format: |
Comment | Required. A comment to add to the incident. |
Action outputs
The Add Comment action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the values for the script result output when using the Add Comment action:
Script result name | Value |
---|---|
is_success | True or False |
Add Comment and Wait for Reply
Use the Add Comment and Wait for Reply action to add a comment to an incident and wait for a new comment in reply. The action result is the content of the new comments.
This action runs on all Google SecOps entities.
Action inputs
The Add Comment and Wait for Reply action requires the following parameters:
Parameter | Description |
---|---|
Incident Number | Required. The number of the incident. To configure this parameter value, use the following format: |
Comment | Required. A comment to add to the incident. |
Action outputs
The Add Comment and Wait for Reply action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Add Comment and Wait for Reply action:
Script result name | Value |
---|---|
new_comment | Not applicable |
Add Comment To Record
Use the Add Comment To Record action to add a comment to a specific table record in ServiceNow.
If you select the Wait For Reply parameter, this action works asynchronously.
For the asynchronous mode, adjust the script timeout value in the Google SecOps IDE for the action as needed.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Comment To Record action requires the following parameters:
Parameter | Description |
---|---|
Table Name | Required. The name of the table to add a comment or a note to, such as |
Type | Required. The type of comment or note to add. The possible values are as follows:
The default value is |
Record Sys ID | Required. The record ID to add a comment or a work note to. |
Text | Required. The content of a comment or work note. |
Wait For Reply | Required. If selected, the action waits for reply. The action tracks comments if you add comments, and work notes if you add work notes. |
Action outputs
The Add Comment To Record action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Add Comment To Record action:
{
"sys_id": "4355183607523010ff23f6fd7c1ed0a8",
"sys_created_on": "2021-09-03 10:29:48",
"name": "incident",
"element_id": "552c48888c033300964f4932b03eb092",
"sys_tags": "",
"value": "test",
"sys_created_by": "admin",
"element": "comments"
}
Output messages
The Add Comment To Record action can return the following output messages:
Output message | Message description |
---|---|
Successfully added COMMENT_OR_NOTE "CONTENT" to TABLE_NAME with Sys_ID SYS_ID in ServiceNow. | Action succeeded. |
Error executing action "Add Comment To Record". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Add Comment To Record action:
Script result name | Value |
---|---|
is_success | True or False |
Add Parent Incident
Use the Add Parent Incident action to add a parent incident for incidents in ServiceNow.
This action doesn't run on Google SecOps entities.
Action inputs
The Add Parent Incident action requires the following parameters:
Parameter | Description |
---|---|
Parent Incident Number | Required. A parent incident number. The action adds all incidents in the To configure this parameter, use the following incident format: |
Child Incident Numbers | Required. A comma-separated list of numbers related to the incident and used as children for the parent incident. To configure this parameter, use the following incident format: |
Action outputs
The Add Parent Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Add Parent Incident action:
{
"result": [
{
"parent": "",
"made_sla": "true",
"caused_by": "",
"watch_list": "",
"upon_reject": "cancel",
"sys_updated_on": "2020-10-20 07:19:11",
"child_incidents": "0",
"hold_reason": "",
"approval_history": "",
"skills": "",
"number": "INC0010009",
"resolved_by": "",
"sys_updated_by": "admin",
"opened_by": {
"link": "https://example.service-now.com/api/now/table/sys_user/ID",
"value": "ID"
},
"user_input": "",
"sys_created_on": "2020-10-20 07:19:11",
"sys_domain": {
"link": "https://example.service-now.com/api/now/table/sys_user_group/global",
"value": "global"
},
"state": "1",
"sys_created_by": "admin",
"knowledge": "false",
"order": "",
"calendar_stc": "",
"closed_at": "",
"cmdb_ci": "",
"delivery_plan": "",
"contract": "",
"impact": "3",
"active": "true",
"work_notes_list": "",
"business_service": "",
"priority": "5",
"sys_domain_path": "/",
"rfc": "",
"time_worked": "",
"expected_start": "",
"opened_at": "2020-10-20 07:18:56",
"business_duration": "",
"group_list": "",
"work_end": "",
"caller_id": {
"link": "https://example.service-now.com/api/now/table/sys_user/ID",
"value": "ID"
},
"reopened_time": "",
"resolved_at": "",
"approval_set": "",
"subcategory": "",
"work_notes": "",
"short_description": "Assessment : Assessor",
"close_code": "",
"correlation_display": "",
"delivery_task": "",
"work_start": "",
"assignment_group": "",
"additional_assignee_list": "",
"business_stc": "",
"description": "",
"calendar_duration": "",
"close_notes": "",
"notify": "1",
"service_offering": "",
"sys_class_name": "incident",
"closed_by": "",
"follow_up": "",
"parent_incident": {
"link": "https://example.service-now.com/api/now/table/incident/ID",
"value": "ID"
},
"sys_id": "2a100a1c2fc42010c518532a2799b621",
"contact_type": "",
"reopened_by": "",
"incident_state": "1",
"urgency": "3",
"problem_id": "",
"company": "",
"reassignment_count": "0",
"activity_due": "",
"assigned_to": "",
"severity": "3",
"comments": "",
"approval": "not requested",
"sla_due": "",
"comments_and_work_notes": "",
"due_date": "",
"sys_mod_count": "0",
"reopen_count": "0",
"sys_tags": "",
"escalation": "0",
"upon_approval": "proceed",
"correlation_id": "",
"location": "",
"category": "inquiry"
}
]
}
Output messages
The Add Parent Incident action can return the following output messages:
Output message | Message description |
---|---|
Successfully set PARENT_INCIDENT_NUMBER as the "Parent Incident" for the following incidents in ServiceNow: CHILD_INCIDENT_NUMBERS. | Action succeeded. |
|
Action failed. Check the spelling. |
Error executing action "Add Parent Incident". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. |
Close Incident
Use the Close Incident action to close a ServiceNow incident.
This action runs on all Google SecOps entities.
This action requires you to assign the sn_incident_write role to the user in ServiceNow. For more details, see Configure roles and minimum permissions.
Action inputs
The Close Incident action requires the following parameters:
Parameter | Description |
---|---|
Incident Number | Required. The number of the incident. To configure this parameter value, use the following format: |
Close Reason | Required. A reason to close the incident. |
Action outputs
The Close Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Close Incident action:
Script result name | Value |
---|---|
is_success | True or False |
Create Alert Incident
Use the Create Alert Incident action to create an incident which is related to a Google SecOps alert.
This action runs on all Google SecOps entities.
Action inputs
The Create Alert Incident action requires the following parameters:
Parameter | Description |
---|---|
Impact |
Required. The impact level of the incident. The possible values are as follows:
1 . |
Urgency |
Required. The urgency level of the incident. The possible values are as follows
1 . |
Category | Optional. The incident category. |
Assignment Group ID | Optional. The full name of the group to assign the incident to. |
Assigned User ID | Optional. The full name of the user to assign the incident to. |
Description | Optional. The incident description. |
Action outputs
The Create Alert Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Create Alert Incident action:
{
"sys_tags": " ",
"user_input": " ",
"calendar_stc": " ",
"subcategory": " ",
"watch_list": " ",
"follow_up": " ",
"made_sla": "true",
"sys_created_by": "admin",
"sla_due": " ",
"number": "INC0010005",
"group_list": " ",
"reassignment_count": "0",
"assigned_to": " ",
"sys_mod_count": "0",
"notify": "1",
"resolved_by": " ",
"upon_reject": "cancel",
"additional_assignee_list": " ",
"category": "inquiry",
"closed_at": " ",
"parent_incident": " ",
"cmdb_ci": " ",
"contact_type": " ",
"impact": "1",
"rfc": " ",
"expected_start": " ",
"knowledge": "false",
"sys_updated_by": "admin",
"caused_by": " ",
"comments": " ",
"closed_by": " ",
"priority": "1",
"state": "1",
"sys_id": "ID",
"opened_at": "2020-07-10 05:13:25",
"child_incidents": "0",
"work_notes": " ",
"delivery_task": " ",
"short_description": "4187b92c-7aaa-40ec-a032-833dd5a854e6",
"comments_and_work_notes": " ",
"time_worked": " ",
"upon_approval": "proceed",
"company": " ",
"business_stc": " ",
"correlation_display": " ",
"sys_class_name": "incident",
"delivery_plan": " ",
"escalation": "0",
"description": " ",
"parent": " ",
"close_notes": " ",
"business_duration": " ",
"problem_id": " ",
"sys_updated_on": "2020-07-10 05:13:25",
"approval_history": " ",
"approval_set": " ",
"business_service": " ",
"reopened_by": " ",
"calendar_duration": " ",
"caller_id": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"active": "true",
"approval": "not requested",
"service_offering": " ",
"sys_domain_path": "/",
"hold_reason": " ",
"activity_due": "2020-07-10 07:13:25",
"severity": "3",
"incident_state": "1",
"resolved_at": " ",
"location": " ",
"due_date": " ",
"work_start": " ",
"work_end": " ",
"work_notes_list": " ",
"sys_created_on": "2020-07-10 05:13:25",
"correlation_id": " ",
"contract": " ",
"reopened_time": " ",
"opened_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"close_code": " ",
"assignment_group": " ",
"sys_domain": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
"value": "global"
},
"order": " ",
"urgency": "1",
"reopen_count": "0"
}
Script result
The following table lists the value for the script result output when using the Create Alert Incident action:
Script result name | Value |
---|---|
is_success | True or False |
Create Incident
Use the Create Incident action to create a new incident in the ServiceNow system.
This action runs on all Google SecOps entities.
Action inputs
The Create Incident action requires the following parameters:
Parameter | Description |
---|---|
Short Description | Required. A short description of the incident. |
Impact |
Required. The impact level of the incident. The possible values are as follows:
1 . |
Urgency |
Required. The urgency level of the incident. The possible values are as follows
1 . |
Category | Optional. The incident category. |
Assignment Group ID | Optional. The full name of the group to assign the incident to. |
Assigned User ID | Optional. The full name of the user to assign the incident to. |
Description | Optional. The incident description. |
Custom Fields | Optional. A comma-separated list of fields and values. To configure this parameter, enter the value in the following format: |
Action outputs
The Create Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Create Incident action:
{
"sys_tags": " ",
"user_input": " ",
"calendar_stc": " ",
"subcategory": " ",
"watch_list": " ",
"follow_up": " ",
"made_sla": "true",
"sys_created_by": "admin",
"sla_due": " ",
"number": "INC0010005",
"group_list": " ",
"reassignment_count": "0",
"assigned_to": " ",
"sys_mod_count": "0",
"notify": "1",
"resolved_by": " ",
"upon_reject": "cancel",
"additional_assignee_list": " ",
"category": "inquiry",
"closed_at": " ",
"parent_incident": " ",
"cmdb_ci": " ",
"contact_type": " ",
"impact": "1",
"rfc": " ",
"expected_start": " ",
"knowledge": "false",
"sys_updated_by": "admin",
"caused_by": " ",
"comments": " ",
"closed_by": " ",
"priority": "1",
"state": "1",
"sys_id": "ID",
"opened_at": "2020-07-10 05:13:25",
"child_incidents": "0",
"work_notes": " ",
"delivery_task": " ",
"short_description": "4187b92c-7aaa-40ec-a032-833dd5a854e6",
"comments_and_work_notes": " ",
"time_worked": " ",
"upon_approval": "proceed",
"company": " ",
"business_stc": " ",
"correlation_display": " ",
"sys_class_name": "incident",
"delivery_plan": " ",
"escalation": "0",
"description": " ",
"parent": " ",
"close_notes": " ",
"business_duration": " ",
"problem_id": " ",
"sys_updated_on": "2020-07-10 05:13:25",
"approval_history": " ",
"approval_set": " ",
"business_service": " ",
"reopened_by": " ",
"calendar_duration": " ",
"caller_id": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"active": "true",
"approval": "not requested",
"service_offering": " ",
"sys_domain_path": "/",
"hold_reason": " ",
"activity_due": "2020-07-10 07:13:25",
"severity": "3",
"incident_state": "1",
"resolved_at": " ",
"location": " ",
"due_date": " ",
"work_start": " ",
"work_end": " ",
"work_notes_list": " ",
"sys_created_on": "2020-07-10 05:13:25",
"correlation_id": " ",
"contract": " ",
"reopened_time": " ",
"opened_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"close_code": " ",
"assignment_group": " ",
"sys_domain": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
"value": "global"
},
"order": " ",
"urgency": "1",
"reopen_count": "0"
}
Script result
The following table lists the value for the script result output when using the Create Incident action:
Script result name | Value |
---|---|
incident_number | INCIDENT_NUMBER |
Create Record
Use the Create Record action to create new records in different ServiceNow tables.
This action runs on all Google SecOps entities.
Action inputs
The Create Record action requires the following parameters:
Parameter | Description |
---|---|
Table Name | Optional. The table to use for creating a record. |
Object JSON Data | Optional. The JSON data that is required to create a record. |
Action outputs
The Create Record action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Create Record action:
{
"sys_tags": " ",
"user_input": " ",
"calendar_stc": " ",
"subcategory": " ",
"watch_list": " ",
"follow_up": " ",
"made_sla": "true",
"sys_created_by": "admin",
"sla_due": " ",
"number": "INC0010021",
"group_list": " ",
"reassignment_count": "0",
"assigned_to": " ",
"sys_mod_count": "0",
"notify": "1",
"resolved_by": " ",
"upon_reject": "cancel",
"additional_assignee_list": " ",
"category": "inquiry",
"closed_at": " ",
"parent_incident": " ",
"cmdb_ci": " ",
"contact_type": " ",
"impact": "3",
"rfc": " ",
"expected_start": " ",
"knowledge": "false",
"sys_updated_by": "admin",
"caused_by": " ",
"comments": " ",
"closed_by": " ",
"priority": "5",
"state": "1",
"sys_id": "ID",
"opened_at": "2020-07-10 08:24:34",
"child_incidents": "0",
"work_notes": " ",
"delivery_task": " ",
"short_description": " ",
"comments_and_work_notes": " ",
"time_worked": " ",
"upon_approval": "proceed",
"company": " ",
"business_stc": " ",
"correlation_display": " ",
"sys_class_name": "incident",
"delivery_plan": " ",
"escalation": "0",
"description": " ",
"parent": " ",
"close_notes": " ",
"business_duration": " ",
"problem_id": " ",
"sys_updated_on": "2020-07-10 08:24:34",
"approval_history": " ",
"approval_set": " ",
"business_service": " ",
"reopened_by": " ",
"calendar_duration": " ",
"caller_id": " ",
"active": "true",
"approval": "not requested",
"service_offering": " ",
"sys_domain_path": "/",
"hold_reason": " ",
"activity_due": " ",
"severity": "3",
"incident_state": "1",
"resolved_at": " ",
"location": " ",
"due_date": " ",
"work_start": " ",
"work_end": " ",
"work_notes_list": " ",
"sys_created_on": "2020-07-10 08:24:34",
"correlation_id": " ",
"contract": " ",
"reopened_time": " ",
"opened_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"close_code": " ",
"assignment_group": " ",
"sys_domain": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
"value": "global"
},
"order": " ",
"urgency": "3",
"reopen_count": "0"
}
Script result
The following table lists the value for the script result output when using the Create Record action:
Script result name | Value |
---|---|
object_sys_id | OBJECT_SYS_ID |
Download Attachments
Use the Download Attachments action to download attachments related to a table record in ServiceNow.
This action doesn't run on Google SecOps entities.
Action inputs
The Download Attachments action requires the following parameters:
Parameter | Description |
---|---|
Table Name | Required. The name of the table that contains the record to download attachments from, such as |
Record Sys ID | Required. The Sys ID of the record to download an attachment from. |
Download Folder Path | Required. The absolute folder path to store downloaded attachments. |
Action outputs
The Download Attachments action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Download Attachments action:
{
"result": [
{"absolute_file_path" : ["PATH"],
"size_bytes": "187",
"file_name": "example.txt",
"sys_mod_count": "1",
"average_image_color": "",
"image_width": "",
"sys_updated_on": "2020-10-19 09:58:39",
"sys_tags": "",
"table_name": "problem",
"sys_id": "SYS_ID",
"image_height": "",
"sys_updated_by": "system",
"download_link": "https://example.service-now.com/api/now/attachment/ID/file",
"content_type": "text/plain",
"sys_created_on": "2020-10-19 09:58:38",
"size_compressed": "172",
"compressed": "true",
"state": "available",
"table_sys_id": "57771d002f002010c518532a2799b6cc",
"chunk_size_bytes": "700000",
"hash": "a4fbb8ab71268903845b59724835274ddc66e095de553c5e0c1da8fecd04ee45",
"sys_created_by": "admin"
}
]
}
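A post-download check for the JSON result above, as an added example that is not part of the integration's code: it confirms that each absolute_file_path stays inside the Download Folder Path and that the file on disk matches size_bytes and hash. It assumes hash is the lowercase hex SHA-256 of the file content; the function names and the sample data in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    """Stream the file so large attachments are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_attachment(entry, download_folder):
    """Check one item of the action's "result" list; return a list of problems."""
    problems = []
    root = os.path.realpath(download_folder)
    for path in entry.get("absolute_file_path", []):
        # realpath resolves ".." segments and symlinks before the containment test.
        real = os.path.realpath(path)
        if os.path.commonpath([root, real]) != root:
            problems.append("outside download folder: " + path)
            continue
        if not os.path.isfile(real):
            problems.append("missing file: " + path)
            continue
        if str(os.path.getsize(real)) != str(entry.get("size_bytes")):
            problems.append("size mismatch: " + path)
        # Assumption: "hash" is the hex SHA-256 of the attachment content.
        if sha256_of(real) != str(entry.get("hash", "")).lower():
            problems.append("hash mismatch: " + path)
    return problems


def demo():
    """Run the check on constructed data: clean file, tampered file, escaped path."""
    with tempfile.TemporaryDirectory() as folder:
        content = b"constructed sample attachment\n"
        good = os.path.join(folder, "example.txt")
        with open(good, "wb") as handle:
            handle.write(content)
        entry = {
            "absolute_file_path": [good],
            "file_name": "example.txt",
            "size_bytes": str(len(content)),
            "hash": hashlib.sha256(content).hexdigest(),
        }
        clean = verify_attachment(entry, folder)

        # Same length, different bytes: only the hash comparison catches this.
        with open(good, "wb") as handle:
            handle.write(b"X" * len(content))
        tampered = verify_attachment(entry, folder)

        # A path that climbs out of the configured download folder.
        escaped = dict(entry)
        escaped["absolute_file_path"] = [os.path.join(folder, "..", "example.txt")]
        outside = verify_attachment(escaped, folder)
    return clean, tampered, outside


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "outside"), demo()):
        print(label, result)
```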
Output messages
The Download Attachments action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "Download Attachments". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Download Attachments action:
Script result name | Value |
---|---|
is_success | True or False |
Get Child Incident Details
Use the Get Child Incident Details action to retrieve information about child incidents based on the parent incident in ServiceNow.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Child Incident Details action requires the following parameters:
Parameter | Description |
---|---|
Parent Incident Number | Required. The number of the incident to retrieve child incident details from. To configure this parameter, enter the value in the following format: |
Max Child Incident To Return | Optional. The number of child incidents to return. |
Action outputs
The Get Child Incident Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The Get Child Incident Details action provides the following table:
Table name: Child Incident Details
Table columns:
- Sys ID (mapped as sys_id)
- Number (mapped as number)
- Short Description (mapped as short_description)
- Created At (mapped as sys_created_on)
JSON result
The following example shows the JSON result output received when using the Get Child Incident Details action:
{
"result": [
{
"parent": "",
"made_sla": "true",
"caused_by": "",
"watch_list": "",
"upon_reject": "cancel",
"sys_updated_on": "2020-10-20 07:19:11",
"child_incidents": "0",
"hold_reason": "",
"approval_history": "",
"skills": "",
"number": "INC0010009",
"resolved_by": "",
"sys_updated_by": "admin",
"opened_by": {
"link": "https://example.service-now.com/api/now/table/sys_user/ID",
"value": "ID"
},
"user_input": "",
"sys_created_on": "2020-10-20 07:19:11",
"sys_domain": {
"link": "https://example.service-now.com/api/now/table/sys_user_group/global",
"value": "global"
},
"state": "1",
"sys_created_by": "admin",
"knowledge": "false",
"order": "",
"calendar_stc": "",
"closed_at": "",
"cmdb_ci": "",
"delivery_plan": "",
"contract": "",
"impact": "3",
"active": "true",
"work_notes_list": "",
"business_service": "",
"priority": "5",
"sys_domain_path": "/",
"rfc": "",
"time_worked": "",
"expected_start": "",
"opened_at": "2020-10-20 07:18:56",
"business_duration": "",
"group_list": "",
"work_end": "",
"caller_id": {
"link": "https://example.service-now.com/api/now/table/sys_user/ID",
"value": "ID"
},
"reopened_time": "",
"resolved_at": "",
"approval_set": "",
"subcategory": "",
"work_notes": "",
"short_description": "Assessment : ATF Assessor",
"close_code": "",
"correlation_display": "",
"delivery_task": "",
"work_start": "",
"assignment_group": "",
"additional_assignee_list": "",
"business_stc": "",
"description": "",
"calendar_duration": "",
"close_notes": "",
"notify": "1",
"service_offering": "",
"sys_class_name": "incident",
"closed_by": "",
"follow_up": "",
"parent_incident": {
"link": "https://example.service-now.com/api/now/table/incident/ID",
"value": "ID"
},
"sys_id": "2a100a1c2fc42010c518532a2799b621",
"contact_type": "",
"reopened_by": "",
"incident_state": "1",
"urgency": "3",
"problem_id": "",
"company": "",
"reassignment_count": "0",
"activity_due": "",
"assigned_to": "",
"severity": "3",
"comments": "",
"approval": "not requested",
"sla_due": "",
"comments_and_work_notes": "",
"due_date": "",
"sys_mod_count": "0",
"reopen_count": "0",
"sys_tags": "",
"escalation": "0",
"upon_approval": "proceed",
"correlation_id": "",
"location": "",
"category": "inquiry"
}
]
}
Output messages
The Get Child Incident Details action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "Get Child Incident Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Child Incident Details action:
Script result name | Value |
---|---|
is_success | True or False |
Get CMDB Record Details
Use the Get CMDB Record Details action to get detailed CMDB records from the same class in ServiceNow.
This action runs on all Google SecOps entities.
This action requires you to assign the itil role to the user in ServiceNow. For more details, see Configure roles and minimum permissions.
For more information on class names, see View and edit class definition and metadata.
Action inputs
The Get CMDB Record Details action requires the following parameters:
Parameter | Description |
---|---|
Class Name | Required. A name of the class to list records from, such as |
Sys ID | Required. A comma-separated list of record sys IDs to retrieve details for. |
Max Relations To Return | Optional. The number of record relations for every type to return. The default value is |
Action outputs
The Get CMDB Record Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get CMDB Record Details action:
{
"result": {
"outbound_relations": [
{
"sys_id": "56f3a7ad7f701200bee45f19befa910f",
"type": {
"display_value": "Members::Member of",
"link": "https://example.service-now.com/api/now/table/cmdb_rel_type/ID",
"value": "ID"
},
"target": {
"display_value": "Example",
"link": "https://example.service-now.com/api/now/cmdb/instance/cmdb_ci/ID",
"value": "ID"
}
}
],
"attributes": {
"attested_date": "",
"skip_sync": "false",
"operational_status": "1",
"caption": "",
"cluster_type": "",
"sys_updated_on": "2016-01-06 19:04:07",
"attestation_score": "",
"discovery_source": "",
"first_discovered": "",
"sys_updated_by": "example.user",
"cluster_status": "",
"due_in": "",
"sys_created_on": "2016-01-06 16:47:15",
"sys_domain": {
"display_value": "global",
"link": "https://example.service-now.com/api/now/table/sys_user_group/global",
"value": "global"
},
"install_date": "",
"invoice_number": "",
"gl_account": "",
"sys_created_by": "example.user",
"warranty_expiration": "",
"cluster_version": "",
"asset_tag": "",
"fqdn": "",
"change_control": "",
"owned_by": "",
"checked_out": "",
"sys_domain_path": "/",
"delivery_date": "",
"maintenance_schedule": "",
"install_status": "1",
"cost_center": "",
"attested_by": "",
"supported_by": "",
"dns_domain": "",
"name": "SAP-LB-Win-Cluster",
"assigned": "",
"purchase_date": "",
"subcategory": "Cluster",
"short_description": "",
"assignment_group": "",
"managed_by": "",
"managed_by_group": "",
"last_discovered": "",
"can_print": "false",
"sys_class_name": "cmdb_ci_win_cluster",
"manufacturer": "",
"sys_id": "SYS_ID",
"cluster_id": "",
"po_number": "",
"checked_in": "",
"sys_class_path": "/!!/!5/!$",
"vendor": "",
"mac_address": "",
"company": "",
"model_number": "",
"justification": "",
"department": "",
"assigned_to": "",
"start_date": "",
"cost": "",
"comments": "",
"sys_mod_count": "1",
"serial_number": "",
"monitor": "false",
"model_id": "",
"ip_address": "",
"duplicate_of": "",
"sys_tags": "",
"cost_cc": "USD",
"support_group": "",
"order_date": "",
"schedule": "",
"environment": "",
"due": "",
"attested": "false",
"unverified": "false",
"correlation_id": "",
"attributes": "",
"location": "",
"asset": "",
"category": "Resource",
"fault_count": "0",
"lease_id": ""
},
"inbound_relations": [
{
"sys_id": "3b3d95297f701200bee45f19befa910c",
"type": {
"display_value": "Depends on::Used by",
"link": "https://example.service-now.com/api/now/table/cmdb_rel_type/ID",
"value": "ID"
},
"target": {
"display_value": "IP-Router-3",
"link": "https://example.service-now.com/api/now/cmdb/instance/cmdb_ci/ID",
"value": "ID"
}
}
]
}
}
Output messages
The Get CMDB Record Details action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "Get CMDB Record Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get CMDB Record Details action:
Script result name | Value |
---|---|
is_success | True or False |
Get Oauth Token
Use the Get Oauth Token action to get an OAuth refresh token for ServiceNow.
This action requires you to configure the following integration parameters: Username, Password, Client ID, and Client Secret.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Get Oauth Token action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Oauth Token action:
{
"access_token": "Na4Kb1oWpFcYNUnyAjsYldiTMxYF1Cz79Q",
"refresh_token": "0ryCENbbvfggZbNG9rFFd8_C8X0UgAQSMQkPJNStGwEEt0qNt-F1lw",
"scope": "useraccount",
"token_type": "Bearer",
"expires_in": 1799
}
Output messages
The Get Oauth Token action can return the following output messages:
Output message | Message description |
---|---|
Successfully generated Oauth tokens for ServiceNow. Now navigate to the configuration tab and put "refresh_token" value in the "Refresh Token" parameter. Note: "Username" and "Password" parameters can be emptied. | The action succeeded. |
Error executing action "Get Oauth Token". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Oauth Token action:
Script result name | Value |
---|---|
is_success | True or False |
Get Incident
Use the Get Incident action to retrieve information about a ServiceNow incident.
This action runs on all Google SecOps entities.
Action inputs
The Get Incident action requires the following parameters:
Parameter | Description |
---|---|
Incident Number | Required. The number of the incident. To configure this parameter value, use the following format: |
Short Description | Optional. A short description of the incident. |
Impact | Optional. The impact level of the incident. The possible values are as follows: 1 . |
Urgency | Optional. The urgency level of the incident. The possible values are as follows 1 . |
Category | Optional. The incident category. |
Assignment Group ID | Optional. The full name of the group to assign the incident to. |
Assigned User ID | Optional. The full name of the user to assign the incident to. |
Description | Optional. The incident description. |
Incident State | Optional. A status name or status ID of the incident. |
Action outputs
The Get Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Incident action:
{
"sys_tags": " ",
"user_input": " ",
"calendar_stc": "2012",
"subcategory": " ",
"watch_list": " ",
"follow_up": " ",
"made_sla": "true",
"sys_created_by": "admin",
"sla_due": " ",
"number": "INC0010041",
"group_list": " ",
"reassignment_count": "0",
"assigned_to": " ",
"sys_mod_count": "10",
"notify": "1",
"resolved_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"upon_reject": "cancel",
"additional_assignee_list": " ",
"category": "inquiry",
"closed_at": "2020-07-10 12:53:06",
"parent_incident": " ",
"cmdb_ci": " ",
"contact_type": " ",
"impact": "1",
"rfc": " ",
"expected_start": " ",
"knowledge": "false",
"sys_updated_by": "admin",
"caused_by": " ",
"comments": " ",
"closed_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"priority": "1",
"state": "7",
"sys_id": "SYS_ID",
"opened_at": "2020-07-10 12:18:04",
"child_incidents": "0",
"work_notes": " ",
"delivery_task": " ",
"short_description": "sdf",
"comments_and_work_notes": " ",
"time_worked": " ",
"upon_approval": "proceed",
"company": " ",
"business_stc": "0",
"correlation_display": " ",
"sys_class_name": "incident",
"delivery_plan": " ",
"escalation": "0",
"description": " ",
"parent": " ",
"close_notes": "Closed by Caller",
"business_duration": "1970-01-01 00:00:00",
"problem_id": " ",
"sys_updated_on": "2020-07-10 13:13:57",
"approval_history": " ",
"approval_set": " ",
"business_service": " ",
"reopened_by": " ",
"calendar_duration": "1970-01-01 00:35:02",
"caller_id": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"active": "false",
"approval": "not requested",
"service_offering": " ",
"sys_domain_path": "/",
"hold_reason": " ",
"activity_due": "2020-07-10 14:33:28",
"severity": "3",
"incident_state": "7",
"resolved_at": "2020-07-10 12:53:06",
"location": " ",
"due_date": " ",
"work_start": " ",
"work_end": " ",
"work_notes_list": " ",
"sys_created_on": "2020-07-10 12:18:04",
"correlation_id": " ",
"contract": " ",
"reopened_time": " ",
"opened_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"close_code": "Closed/Resolved by Caller",
"assignment_group": " ",
"sys_domain": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
"value": "global"
},
"order": " ",
"urgency": "1",
"reopen_count": "0"
}
Script result
The following table lists the value for the script result output when using the Get Incident action:
Script result name | Value |
---|---|
incident_number | INCIDENT_NUMBER |
Get Record Details
Use the Get Record Details action to retrieve information about specific table records in ServiceNow.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Record Details action requires the following parameters:
Parameter | Description |
---|---|
Table Name | Required. A name of the table to search for the record in, such as |
Record Sys ID | Required. The record ID to retrieve the details for. |
Fields | Optional. A comma-separated list of fields to return for the record, such as If you don't set a value, the action returns the default fields for the record. |
Action outputs
The Get Record Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Record Details action:
{
"result": [
{
"parent": "",
"made_sla": "true",
"caused_by": "",
"watch_list": "",
"upon_reject": "cancel",
"sys_updated_on": "2020-10-20 07:19:11",
"child_incidents": "0",
"hold_reason": "",
"approval_history": "",
"skills": "",
"number": "INC0010009",
"resolved_by": "",
"sys_updated_by": "admin",
"opened_by": {
"link": "https://example.service-now.com/api/now/table/sys_user/ID",
"value": "ID"
},
"user_input": "",
"sys_created_on": "2020-10-20 07:19:11",
"sys_domain": {
"link": "https://example.service-now.com/api/now/table/sys_user_group/global",
"value": "global"
},
"state": "1",
"sys_created_by": "admin",
"knowledge": "false",
"order": "",
"calendar_stc": "",
"closed_at": "",
"cmdb_ci": "",
"delivery_plan": "",
"contract": "",
"impact": "3",
"active": "true",
"work_notes_list": "",
"business_service": "",
"priority": "5",
"sys_domain_path": "/",
"rfc": "",
"time_worked": "",
"expected_start": "",
"opened_at": "2020-10-20 07:18:56",
"business_duration": "",
"group_list": "",
"work_end": "",
"caller_id": {
"link": "https://example.service-now.com/api/now/table/sys_user/ID",
"value": "ID"
},
"reopened_time": "",
"resolved_at": "",
"approval_set": "",
"subcategory": "",
"work_notes": "",
"short_description": "Assessment : ATF Assessor",
"close_code": "",
"correlation_display": "",
"delivery_task": "",
"work_start": "",
"assignment_group": "",
"additional_assignee_list": "",
"business_stc": "",
"description": "",
"calendar_duration": "",
"close_notes": "",
"notify": "1",
"service_offering": "",
"sys_class_name": "incident",
"closed_by": "",
"follow_up": "",
"parent_incident": {
"link": "https://example.service-now.com/api/now/table/incident/ID",
"value": "ID"
},
"sys_id": "SYS_ID",
"contact_type": "",
"reopened_by": "",
"incident_state": "1",
"urgency": "3",
"problem_id": "",
"company": "",
"reassignment_count": "0",
"activity_due": "",
"assigned_to": "",
"severity": "3",
"comments": "",
"approval": "not requested",
"sla_due": "",
"comments_and_work_notes": "",
"due_date": "",
"sys_mod_count": "0",
"reopen_count": "0",
"sys_tags": "",
"escalation": "0",
"upon_approval": "proceed",
"correlation_id": "",
"location": "",
"category": "inquiry"
}
]
}
Output messages
The Get Record Details action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "Get Record Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Record Details action:
Script result name | Value |
---|---|
is_success | True or False |
Get User Details
Use the Get User Details action to retrieve information about the user using the sys_id parameter in ServiceNow.
This action doesn't run on Google SecOps entities.
Action inputs
The Get User Details action requires the following parameters:
Parameter | Description |
---|---|
User Sys IDs | Required. A comma-separated list of user |
Action outputs
The Get User Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The Get User Details action provides the following table:
Table name: User Details
Table columns:
- Sys ID (mapped as sys_id)
- Name (mapped as name)
- Username (mapped as user_name)
- Email (mapped as email)
JSON result
The following example shows the JSON result output received when using the Get User Details action:
{
"result": [
{
"calendar_integration": "1",
"country": "",
"last_position_update": "",
"user_password": "example",
"last_login_time": "",
"source": "",
"sys_updated_on": "2020-08-29 02:42:42",
"building": "",
"web_service_access_only": "false",
"notification": "2",
"enable_multifactor_authn": "false",
"sys_updated_by": "user@example",
"sys_created_on": "2012-02-18 03:04:52",
"agent_status": "",
"sys_domain": {
"link": "https://example.service-now.com/api/now/table/sys_user_group/global",
"value": "global"
},
"state": "",
"vip": "false",
"sys_created_by": "admin",
"longitude": "",
"zip": "",
"home_phone": "",
"time_format": "",
"last_login": "",
"default_perspective": "",
"geolocation_tracked": "false",
"active": "true",
"sys_domain_path": "/",
"cost_center": {
"link": "https://example.service-now.com/api/now/table/cmn_cost_center/ID",
"value": "ID"
},
"phone": "",
"name": "Example User",
"employee_number": "",
"password_needs_reset": "false",
"gender": "Male",
"city": "",
"failed_attempts": "",
"user_name": "example.user",
"latitude": "",
"roles": "",
"title": "",
"sys_class_name": "sys_user",
"sys_id": "SYS_ID",
"internal_integration_user": "false",
"ldap_server": "",
"mobile_phone": "",
"street": "",
"company": {
"link": "https://example.service-now.com/api/now/table/core_company/ID",
"value": "ID"
},
"department": {
"link": "https://dev98773.service-now.com/api/now/table/cmn_department/ID",
"value": "ID"
},
"first_name": "Example",
"email": "example@example.com",
"introduction": "",
"preferred_language": "",
"manager": "",
"business_criticality": "3",
"locked_out": "false",
"sys_mod_count": "4",
"last_name": "User",
"photo": "",
"avatar": "063e38383730310042106710ce41f13b",
"middle_name": "",
"sys_tags": "",
"time_zone": "",
"schedule": "",
"on_schedule": "",
"date_format": "",
"location": {
"link": "https://example.service-now.com/api/now/table/cmn_location/ID",
"value": "ID"
}
}
]
}
Output messages
The Get User Details action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "Get User Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get User Details action:
Script result name | Value |
---|---|
is_success | True or False |
List CMDB Records
Use the List CMDB Records action to list CMDB records from the same class in ServiceNow.
The action doesn't run on Google SecOps entities.
This action requires you to assign the itil role to the user in ServiceNow. For more details, see Configure roles and minimum permissions.
For more information on class names, see View and edit class definition and metadata.
How to work with the query filter (sysparm_query)
To get the correct query filter for the Query Filter parameter, complete the following steps:
In ServiceNow, go to CMDB Query Builder using the following URL: https://SERVICENOW_INSTANCE/$queryBuilder.do
In the Search CMDB Classes field, enter the class name.
Drag the required class onto the builder canvas.
In the browser, select Developer Tools and go to the Network tab.
Hold the pointer over the class that you dragged to the canvas to select the Filter field.
In the Filter field, enter a filter of your choice.
In the Network tab, search for requests that contain the map attribute. For example, the request URL is as follows:
https://example-instance.service-now.com/api/now/ui/query_parse/cmdb_ci_appl/map?sysparm_query=sys_idLIKE1%5Esys_idSTARTSWITH0%5EORsys_idSTARTSWITH2
From the URL, copy the value that appears after the sysparm_query= attribute. This value is a filter that you've created, presented as a query. The query value is as follows: sys_idLIKE1%5Esys_idSTARTSWITH0%5EORsys_idSTARTSWITH2
Decode the URL query before using it in the action.
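The last two steps, as an added example that is not part of the integration's code: it pulls sysparm_query out of the captured request URL, decodes it once, rejects a value that is still percent-encoded, and splits the result on the ServiceNow encoded-query connectors (^ for AND, ^OR, ^NQ) so the filter can be reviewed before it goes into Query Filter. The function names are hypothetical, and the split goes one step beyond the procedure above.

```python
import re
from urllib.parse import urlsplit, unquote

# Request URL copied from the procedure above.
SAMPLE_URL = (
    "https://example-instance.service-now.com/api/now/ui/query_parse/"
    "cmdb_ci_appl/map?sysparm_query="
    "sys_idLIKE1%5Esys_idSTARTSWITH0%5EORsys_idSTARTSWITH2"
)

# Encoded-query connectors and their meaning.
_CONNECTORS = {"^": "AND", "^OR": "OR", "^NQ": "NEW QUERY"}


def extract_query_filter(request_url):
    """Return the decoded sysparm_query value from a query_parse request URL."""
    raw = None
    for pair in urlsplit(request_url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "sysparm_query":
            raw = value
            break
    if raw is None:
        raise ValueError("request URL has no sysparm_query parameter")
    # unquote (not unquote_plus) keeps a literal "+" inside a filter value.
    decoded = unquote(raw)
    if re.search(r"%5e", decoded, re.IGNORECASE):
        # The value was encoded twice; using it as-is would not match as intended.
        raise ValueError("value is still percent-encoded after one decode")
    return decoded


def split_conditions(query_filter):
    """Split a decoded filter into (connector, condition) pairs for review."""
    # Longer connectors come first so "^OR" is not read as "^" followed by "OR".
    # Assumption: field names are lowercase, as in the page's examples.
    parts = re.split(r"(\^NQ|\^OR|\^)", query_filter)
    conditions = [("", parts[0])]
    for separator, condition in zip(parts[1::2], parts[2::2]):
        conditions.append((_CONNECTORS[separator], condition))
    return conditions


if __name__ == "__main__":
    decoded_filter = extract_query_filter(SAMPLE_URL)
    print(decoded_filter)
    for connector, condition in split_conditions(decoded_filter):
        print(connector or "FIRST", condition)
```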
Action inputs
The List CMDB Records action requires the following parameters:
Parameter | Description |
---|---|
Class Name | Required. The name of the class to list the records from, such as |
Query Filter | Optional. The query filter for the results, such as |
Max Records To Return | Optional. The maximum number of records to return. The default value is |
Action outputs
The List CMDB Records action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Case wall table
The List CMDB Records action provides the following table:
Table name: CLASS_NAME Records
Table columns:
- Name (mapped as name)
- Sys ID (mapped as sys_id)
JSON result
The following example shows the JSON result output received when using the List CMDB Records action:
{
"result": [
{
"sys_id": "SYS_ID",
"name": "Example server"
}
]
}
Output messages
The List CMDB Records action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "List CMDB Records". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List CMDB Records action:
Script result name | Value |
---|---|
is_success | True or False |
List Record Comments
Use the List Record Comments action to list comments that are related to a specific table record in ServiceNow.
This action doesn't run on Google SecOps entities.
Action inputs
The List Record Comments action requires the following parameters:
Parameter | Description |
---|---|
Table Name | Required. The name of the table to add a comment or a note to, such as |
Type | Required. The type of comment or note to add. The possible values are as follows: The default value is |
Record Sys ID | Required. The record ID to add a comment or a work note to. |
Max Results To Return | Optional. The maximum number of results to return. The default value is |
Action outputs
The List Record Comments action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Record Comments action:
{
"sys_id": "SYS_ID",
"sys_created_on": "2021-09-03 10:29:48",
"name": "incident",
"element_id": "552c48888c033300964f4932b03eb092",
"sys_tags": "",
"value": "test",
"sys_created_by": "admin",
"element": "comments"
}
Output messages
The List Record Comments action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "List Record Comments". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Record Comments action:
Script result name | Value |
---|---|
is_success | True or False |
List Records Related To User
Use the List Records Related To User action to list records from a table that is related to a user in ServiceNow.
This action doesn't run on Google SecOps entities.
Action inputs
The List Records Related To User action requires the following parameters:
Parameter | Description |
---|---|
Table Name | Required. A name of the table to search for related records in, such as |
Usernames | Required. A comma-separated list of usernames to retrieve the related records for. |
Max Days Backwards | Required. The number of days before now to fetch the related records from. |
Max Records To Return | Optional. The number of records to return for every user. The default value is |
Action outputs
The List Records Related To User action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the List Records Related To User action:
{
"result": [
{
"parent": "",
"made_sla": "true",
"caused_by": "",
"watch_list": "",
"upon_reject": "cancel",
"sys_updated_on": "2020-10-19 14:18:40",
"child_incidents": "0",
"hold_reason": "",
"approval_history": "",
"skills": "",
"number": "INC0010008",
"resolved_by": "",
"sys_updated_by": "admin",
"opened_by": {
"link": "https://example.service-now.com/api/now/table/sys_user/ID",
"value": "ID"
},
"user_input": "",
"sys_created_on": "2020-10-19 14:18:40",
"sys_domain": {
"link": "https://example.service-now.com/api/now/table/sys_user_group/global",
"value": "global"
},
"state": "1",
"sys_created_by": "admin",
"knowledge": "false",
"order": "",
"calendar_stc": "",
"closed_at": "",
"cmdb_ci": "",
"delivery_plan": "",
"contract": "",
"impact": "3",
"active": "true",
"work_notes_list": "",
"business_service": "",
"priority": "5",
"sys_domain_path": "/",
"rfc": "",
"time_worked": "",
"expected_start": "",
"opened_at": "2020-10-19 14:18:20",
"business_duration": "",
"group_list": "",
"work_end": "",
"caller_id": {
"link": "https://example.service-now.com/api/now/table/sys_user/ID",
"value": "ID"
},
"reopened_time": "",
"resolved_at": "",
"approval_set": "",
"subcategory": "",
"work_notes": "",
"short_description": "TEST",
"close_code": "",
"correlation_display": "",
"delivery_task": "",
"work_start": "",
"assignment_group": "",
"additional_assignee_list": "",
"business_stc": "",
"description": "",
"calendar_duration": "",
"close_notes": "",
"notify": "1",
"service_offering": "",
"sys_class_name": "incident",
"closed_by": "",
"follow_up": "",
"parent_incident": "",
"sys_id": "SYS_ID",
"contact_type": "",
"reopened_by": "",
"incident_state": "1",
"urgency": "3",
"problem_id": "",
"company": {
"link": "https://example.service-now.com/api/now/table/core_company/ID",
"value": "ID"
},
"reassignment_count": "0",
"activity_due": "",
"assigned_to": "",
"severity": "3",
"comments": "",
"approval": "not requested",
"sla_due": "",
"comments_and_work_notes": "",
"due_date": "",
"sys_mod_count": "0",
"reopen_count": "0",
"sys_tags": "",
"escalation": "0",
"upon_approval": "proceed",
"correlation_id": "",
"location": "",
"category": "inquiry"
}
]
}
Output messages
The List Records Related To User action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "List Records Related To User". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the List Records Related To User action:
Script result name | Value |
---|---|
is_success | True or False |
Ping
Use the Ping action to test connectivity to ServiceNow.
This action runs on all Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Update Incident
Use the Update Incident action to update the incident information.
This action runs on all Google SecOps entities.
This action requires you to assign the sn_incident_write role to the user in ServiceNow. For more details, see Configure roles and minimum permissions.
Action inputs
The Update Incident action requires the following parameters:
Parameter | Description |
---|---|
Incident Number | Required. The number of the incident. To configure this parameter value, use the following format: |
Short Description | Optional. A short description of the incident. |
Impact | Optional. The impact level of the incident. The possible values are as follows: 1 . |
Urgency | Optional. The urgency level of the incident. The possible values are as follows: 1 . |
Category | Optional. The incident category. |
Assignment Group ID | Optional. The full name of the group to assign the incident to. |
Assigned User ID | Optional. The full name of the user to assign the incident to. |
Description | Optional. The incident description. |
Incident State | Optional. A status name or status ID of the incident. |
Custom Fields | Optional. A comma-separated list of fields and values. To configure this parameter, enter the value in the following format: |
Action outputs
The Update Incident action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Update Incident action:
{
"sys_tags": " ",
"user_input": " ",
"calendar_stc": "2012",
"subcategory": " ",
"watch_list": " ",
"follow_up": " ",
"made_sla": "true",
"sys_created_by": "admin",
"sla_due": " ",
"number": "INC0010041",
"group_list": " ",
"reassignment_count": "0",
"assigned_to": " ",
"sys_mod_count": "10",
"notify": "1",
"resolved_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"upon_reject": "cancel",
"additional_assignee_list": " ",
"category": "inquiry",
"closed_at": "2020-07-10 12:53:06",
"parent_incident": " ",
"cmdb_ci": " ",
"contact_type": " ",
"impact": "1",
"rfc": " ",
"expected_start": " ",
"knowledge": "false",
"sys_updated_by": "admin",
"caused_by": " ",
"comments": " ",
"closed_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"priority": "1",
"state": "7",
"sys_id": "SYS_ID",
"opened_at": "2020-07-10 12:18:04",
"child_incidents": "0",
"work_notes": " ",
"delivery_task": " ",
"short_description": "sdf",
"comments_and_work_notes": " ",
"time_worked": " ",
"upon_approval": "proceed",
"company": " ",
"business_stc": "0",
"correlation_display": " ",
"sys_class_name": "incident",
"delivery_plan": " ",
"escalation": "0",
"description": " ",
"parent": " ",
"close_notes": "Closed by Caller",
"business_duration": "1970-01-01 00:00:00",
"problem_id": " ",
"sys_updated_on": "2020-07-10 13:13:57",
"approval_history": " ",
"approval_set": " ",
"business_service": " ",
"reopened_by": " ",
"calendar_duration": "1970-01-01 00:35:02",
"caller_id": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"active": "false",
"approval": "not requested",
"service_offering": " ",
"sys_domain_path": "/",
"hold_reason": " ",
"activity_due": "2020-07-10 14:33:28",
"severity": "3",
"incident_state": "7",
"resolved_at": "2020-07-10 12:53:06",
"location": " ",
"due_date": " ",
"work_start": " ",
"work_end": " ",
"work_notes_list": " ",
"sys_created_on": "2020-07-10 12:18:04",
"correlation_id": " ",
"contract": " ",
"reopened_time": " ",
"opened_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"close_code": "Closed/Resolved by Caller",
"assignment_group": " ",
"sys_domain": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
"value": "global"
},
"order": " ",
"urgency": "1",
"reopen_count": "0"
}
Script result
The following table lists the value for the script result output when using the Update Incident action:
Script result name | Value |
---|---|
incident_number | INCIDENT_NUMBER |
Update Record
Use the Update Record action to update available records that belong to different tables in ServiceNow.
This action runs on all Google SecOps entities.
Action inputs
The Update Record action requires the following parameters:
Parameter | Description |
---|---|
Table Name | Optional. The table to use for updating a record. |
Object JSON Data | Optional. The JSON data that is required to update a record. |
Record Sys ID | Optional. The Sys ID of the updated record. |
Action outputs
The Update Record action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Update Record action:
{
"sys_tags": " ",
"user_input": " ",
"calendar_stc": " ",
"subcategory": " ",
"watch_list": " ",
"follow_up": " ",
"made_sla": "true",
"sys_created_by": "admin",
"sla_due": " ",
"number": "INC0010021",
"group_list": " ",
"reassignment_count": "0",
"assigned_to": " ",
"sys_mod_count": "0",
"notify": "1",
"resolved_by": " ",
"upon_reject": "cancel",
"additional_assignee_list": " ",
"category": "inquiry",
"closed_at": " ",
"parent_incident": " ",
"cmdb_ci": " ",
"contact_type": " ",
"impact": "3",
"rfc": " ",
"expected_start": " ",
"knowledge": "false",
"sys_updated_by": "admin",
"caused_by": " ",
"comments": " ",
"closed_by": " ",
"priority": "5",
"state": "1",
"sys_id": "SYS_ID",
"opened_at": "2020-07-10 08:24:34",
"child_incidents": "0",
"work_notes": " ",
"delivery_task": " ",
"short_description": " ",
"comments_and_work_notes": " ",
"time_worked": " ",
"upon_approval": "proceed",
"company": " ",
"business_stc": " ",
"correlation_display": " ",
"sys_class_name": "incident",
"delivery_plan": " ",
"escalation": "0",
"description": " ",
"parent": " ",
"close_notes": " ",
"business_duration": " ",
"problem_id": " ",
"sys_updated_on": "2020-07-10 08:24:34",
"approval_history": " ",
"approval_set": " ",
"business_service": " ",
"reopened_by": " ",
"calendar_duration": " ",
"caller_id": " ",
"active": "true",
"approval": "not requested",
"service_offering": " ",
"sys_domain_path": "/",
"hold_reason": " ",
"activity_due": " ",
"severity": "3",
"incident_state": "1",
"resolved_at": " ",
"location": " ",
"due_date": " ",
"work_start": " ",
"work_end": " ",
"work_notes_list": " ",
"sys_created_on": "2020-07-10 08:24:34",
"correlation_id": " ",
"contract": " ",
"reopened_time": " ",
"opened_by": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user/ID",
"value": "ID"
},
"close_code": " ",
"assignment_group": " ",
"sys_domain": {
"link": "https://example.service-now.com/api/now/v1/table/sys_user_group/global",
"value": "global"
},
"order": " ",
"urgency": "3",
"reopen_count": "0"
}
Script result
The following table lists the value for the script result output when using the Update Record action:
Script result name | Value |
---|---|
record_sys_id | RECORD_SYS_ID |
Wait For Comments
Use the Wait For Comments action to wait for comments related to a specific table record in ServiceNow.
This action works asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.
This action doesn't run on Google SecOps entities.
Action inputs
The Wait For Comments action requires the following parameters:
Parameter | Description |
---|---|
Table Name | Required. The name of the table to add a comment or a note to, such as |
Type | Required. The type of comment or note to add. The possible values are as follows: The default value is |
Record Sys ID | Required. The record ID to add a comment or a work note to. |
Wait Mode | Optional. The wait mode for the action. The possible values are as follows: If you select the If you select the If you select the If you select the The default value is |
Text | Optional. The text that the action waits for. This parameter is only relevant if you select the |
Action outputs
The Wait For Comments action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Wait For Comments action:
{
"sys_id": "SYS_ID",
"sys_created_on": "2021-09-03 10:29:48",
"name": "incident",
"element_id": "552c48888c033300964f4932b03eb092",
"sys_tags": "",
"value": "test",
"sys_created_by": "admin",
"element": "comments"
}
Output messages
The Wait For Comments action can return the following output messages:
Output message | Message description |
---|---|
| The action succeeded. |
Error executing action "Wait For Comments". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Wait For Comments action:
Script result name | Value |
---|---|
is_success | True or False |
Wait for Field Update
Use the Wait for Field Update action to wait for a field update of the data record in ServiceNow.
This action runs on all Google SecOps entities.
Action inputs
The Wait for Field Update action requires the following parameters:
Parameter | Description |
---|---|
Table Name | Required. The name of the table to create a record, such as |
Record Sys ID | Required. The Sys ID of the record to update. |
Field - Column Name | Required. The name of the column to update. |
Field - Values | Required. The values that are expected in the column, such as |
Action outputs
The Wait for Field Update action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Wait for Field Update action:
Script result name | Value |
---|---|
updated_field | UPDATED_FIELD |
Wait for Status Update
Use the Wait for Status Update action to wait for a status update of the data record in ServiceNow.
This action runs on all Google SecOps entities.
Action inputs
The Wait for Status Update action requires the following parameters:
Parameter | Description |
---|---|
Incident Number | Required. The number of the incident. To configure this parameter value, use the following format: |
Statuses | Required. A list of incident statuses to expect, such as |
Action outputs
The Wait for Status Update action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Script result | Available |
Script result
The following table lists the value for the script result output when using the Wait for Status Update action:
Script result name | Value |
---|---|
new_status | STATUS |
Connectors
For more information about configuring connectors in Google SecOps, see Ingest your data (connectors).
ServiceNow Connector
Use the ServiceNow Connector to retrieve incidents from ServiceNow.
How to work with the dynamic list
In the ServiceNow Connector, the dynamic list lets you modify the sysparm_query query that the connector sends to ServiceNow. You can filter on every field supported by that record type.
To filter the data, configure every dynamic list item to contain one field in the following format: FIELD_NAME=VALUE.
An example of an item is as follows: category=security.
When you select the Use whitelist as a blacklist parameter, the connector modifies the query to work as a blocklist instead.
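The dynamic list format described above, as an added example that is not the connector's own code: it validates each FIELD_NAME=VALUE item and composes a sysparm_query string for allowlist and blocklist mode. This page does not state how the connector joins items, so the composition with the ServiceNow encoded-query operators `^`, `^OR` and `!=`, the field-name pattern, and the function names are assumptions.

```python
import re
from urllib.parse import urlencode

# Conservative column-name pattern (assumption): lowercase names, optional dot-walking.
FIELD_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)*$")


class DynamicListError(ValueError):
    """A dynamic list item is not a plain FIELD_NAME=VALUE pair."""


def parse_item(item):
    """Split one dynamic list item into (field, value), rejecting unsafe input."""
    field, sep, value = item.strip().partition("=")
    field, value = field.strip(), value.strip()
    if not sep or not value:
        raise DynamicListError(f"expected FIELD_NAME=VALUE, got {item!r}")
    if not FIELD_RE.match(field):
        raise DynamicListError(f"unexpected field name {field!r}")
    # "^" begins a new condition in an encoded query (^, ^OR, ^NQ), so a value
    # that contains it would add or replace filter terms.
    if "^" in value or any(ord(ch) < 0x20 for ch in value):
        raise DynamicListError(f"value for {field!r} contains query syntax")
    return field, value


def build_sysparm_query(items, as_blocklist=False):
    """Compose validated items into one encoded query string.

    Assumed composition (not the connector's documented behaviour):
    allowlist = values of one field are ORed, different fields are ANDed;
    blocklist = every pair becomes a != condition, all ANDed.
    """
    by_field = {}
    for item in items:
        field, value = parse_item(item)
        values = by_field.setdefault(field, [])
        if value not in values:  # drop exact duplicates
            values.append(value)
    groups = []
    for field, values in by_field.items():
        if as_blocklist:
            groups.append("^".join(f"{field}!={v}" for v in values))
        else:
            groups.append("^OR".join(f"{field}={v}" for v in values))
    return "^".join(groups)


def audit_items(items):
    """Return {item: error text or None} so bad entries can be corrected."""
    report = {}
    for item in items:
        try:
            parse_item(item)
            report[item] = None
        except DynamicListError as exc:
            report[item] = str(exc)
    return report


if __name__ == "__main__":
    # Constructed sample dynamic list entries.
    sample = ["category=security", "category=network", "priority=1"]
    print(build_sysparm_query(sample))
    print(build_sysparm_query(sample, as_blocklist=True))
    # The query as it would appear URL-encoded in a request.
    print(urlencode({"sysparm_query": build_sysparm_query(sample)}))
    print(audit_items(["category=security", "state=1^ORactive=true", "category"]))
```

Running the audit before saving a dynamic list catches entries that would otherwise widen or narrow the set of incidents the connector ingests without any visible error.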
Connector inputs
The ServiceNow Connector requires the following parameters:
Parameter | Description |
---|---|
Environment | Required. A Google SecOps environment to run the connector. |
Run Every | Required. The iteration period to run the connector. By default, the connector runs every 10 seconds. |
Product Field Name | Required. The name of the field where the product name is stored. The default value is The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value |
Event Field Name | Required. Enter the source field name to retrieve the event field name. The default value is |
Rule Generator | Optional. The field name that determines the rule generator. |
Api Root | Required. The address of the ServiceNow instance. To configure this parameter, enter the value in the following format: |
Username | Required. The username for your ServiceNow instance. |
Password | Required. The password for your ServiceNow instance. |
Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to ServiceNow. Selected by default. |
Days Backwards | Optional. The number of hours before the first connector iteration to retrieve the incidents. This parameter can apply to the initial connector iteration after you enable the connector for the first time or the fallback value for an expired connector timestamp. The default value is |
Max Incidents per Cycle | Optional. The number of incidents to retrieve in every connector iteration. The default value is |
Environments Whitelist | Optional. A comma-separated list of environments (domains) for the connector to ingest into Google SecOps, such as |
Use whitelist as a blacklist | Optional. If selected, the connector uses the dynamic list as a blocklist. Not selected by default. |
PythonProcessTimeout | Required. The timeout limit in seconds for the Python process running the current script. The default value is |
Incident Table | Optional. The API root path that ServiceNow uses for actions revolving around incidents. By default, the integration uses the |
Client ID | Optional. The client ID of the ServiceNow application. OAuth 2.0 requires this parameter. |
Client Secret | Optional. The client secret value of the ServiceNow application. OAuth 2.0 requires this parameter. |
Refresh Token | Optional. The refresh token of the ServiceNow application. OAuth 2.0 requires this parameter. |
Use Oauth Authentication | Optional. If selected, the integration uses OAuth 2.0 to authenticate. If you select this parameter, configure the Not selected by default. |
Server Time Zone | Optional. The time zone that is configured in the server, such as |
Table Name | Optional. The name of the table to retrieve records from, such as |
Event Name | Optional. The name of a Google SecOps event, such as |
Proxy Server Address | Optional. The address of the proxy server to use. |
Proxy Username | Optional. The proxy username to authenticate with. |
Proxy Password | Optional. The proxy password to authenticate with. |
Get User Information | Optional. If selected, the connector additionally retrieves the information about users that are related to the incident. |
Connector rules
The connector supports proxies.
The connector supports dynamic lists and blocklists.
Jobs
The ServiceNow integration includes the following jobs:
Sync Closed Incidents
Use the Sync Closed Incidents job to synchronize closed ServiceNow incidents and Google SecOps alerts.
Job inputs
The Sync Closed Incidents job requires the following parameters:
Parameter | Description |
---|---|
Scheduler | Required. An iteration period to run the connector. |
Api Root | Required. The address for the ServiceNow instance. To configure this parameter, enter the value in the following format: |
Username | Required. The username for your ServiceNow instance. |
Password | Required. The password for your ServiceNow instance. |
Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to ServiceNow. Selected by default. |
Client ID | Optional. The client ID of the ServiceNow integration. OAuth 2.0 requires this parameter to authenticate using client credentials. You can authenticate with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate. |
Client Secret | Optional. The client secret of the ServiceNow integration. OAuth 2.0 requires this parameter to authenticate using client credentials. You can authenticate with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate. |
Refresh Token | Optional. A refresh token for the ServiceNow integration. OAuth 2.0 requires this parameter to authenticate using the refresh token. The configured refresh token expires every 90 days. You can authenticate with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate. |
Use Oauth Authentication | Optional. If selected, the integration uses OAuth 2.0 to authenticate. OAuth 2.0 requires either the client credentials ( |
Max Hours Backwards | Optional. The number of hours before the first job iteration to synchronize incident statuses. This parameter applies only once to the initial job iteration after you enable the job for the first time. The default value is |
Table Name | Required. The name of the table to search for the records, such as |
Sync Incidents
Use the Sync Incidents job to synchronize the ServiceNow incident fields and attachments that are related to cases and alerts in Google SecOps.
This job requires you to configure the ITIL (itil) role for the user that you use in the integration. For more information about the ITIL role in ServiceNow, see Base system roles.
For the job to work, add the ServiceNow Incident Sync tag to the case and the TICKET_ID value to a case or an alert, depending on the Sync Level parameter. An example of the TICKET_ID value is as follows: INC0000050,INC0000051.
Ticket_ID is a context value and you can set it using the Set Scope Context Value action from the Siemplify integration.
Job inputs
The Sync Incidents job requires the following parameters:
Parameter | Description |
---|---|
Scheduler | Required. The iteration period to run the connector. |
Api Root | Required. The address of the ServiceNow instance. To configure this parameter, enter the value in the following format: |
Username | Required. The username for your ServiceNow instance. |
Password | Required. The password for your ServiceNow instance. |
Sync Level | Required. A synchronization level for the job. The possible values are as follows: The default value is |
Max Hours Backwards | Required. The number of hours before the first job iteration to synchronize cases from. This parameter applies only once to the initial job iteration after you enable the job for the first time. The default value is |
Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to ServiceNow. Selected by default. |
Sync Table Record Comments
Use the Sync Table Record Comments job to synchronize comments in ServiceNow table records and Google SecOps cases.
Job inputs
The Sync Table Record Comments job requires the following parameters:
Parameter | Description |
---|---|
Scheduler | Required. An iteration period to run the connector. |
Api Root | Required. The address of the ServiceNow instance. To configure this parameter, enter the value in the following format: |
Username | Required. The username for your ServiceNow instance. |
Password | Required. The password for your ServiceNow instance. |
Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to ServiceNow. Selected by default. |
Client ID | Optional. The client ID of the ServiceNow integration. OAuth 2.0 requires this parameter to authenticate using client credentials. You can authenticate with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate. |
Client Secret | Optional. The client secret of the ServiceNow integration. OAuth 2.0 requires this parameter to authenticate using client credentials. You can authenticate with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate. |
Refresh Token | Optional. A refresh token for the ServiceNow integration. OAuth 2.0 requires this parameter to authenticate using the refresh token. The configured refresh token expires every 90 days. You can authenticate with the refresh token or client credentials. If you configure the refresh token and client credentials, the integration uses the refresh token to authenticate. |
Use Oauth Authentication | Optional. If selected, the integration uses OAuth 2.0 to authenticate. OAuth 2.0 requires you to configure the client credentials ( |
Table Name | Required. The name of the table to search for the records, such as |
Sync Table Record Comments By Tag
Use the Sync Table Record Comments By Tag job to synchronize comments in ServiceNow table records and Google SecOps cases.
This job requires the case to possess the following tags:
ServiceNow TABLE_NAME
ServiceNow TicketId: TICKET_ID
Job inputs
The Sync Table Record Comments By Tag job requires the following parameters:
Parameter | Description |
---|---|
Scheduler | Required. The iteration period to run the connector. |
Api Root | Required. The address of the ServiceNow instance. To configure this parameter, enter the value in the following format: |
Username | Required. The username for your ServiceNow instance. |
Password | Required. The password for your ServiceNow instance. |
Table Name | Required. The name of the table to search for the record in, such as |
Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to ServiceNow. Selected by default. |