ServiceNow Destination Setup

Create incidents in ServiceNow for detection alerts using the Table API.

Prerequisites

ServiceNow instance with API access
ServiceNow user with incident creation permissions

Setup Steps

1. Create ServiceNow API User

In your ServiceNow instance:

Navigate to User Administration → Users
Create a new user or select existing user
Assign required roles:
- itil - Incident management permissions
- rest_api_explorer - API access permissions

2. Test API Access

Verify the user can access the incident API:

curl -u "username:password" \
  "https://your-instance.service-now.com/api/now/table/incident?sysparm_limit=1"

Expected Response: JSON response with incident data

3. Configure in Query.ai

Contact your Query.ai administrator to configure the ServiceNow destination with:

Required Configuration:

Instance URL (e.g., https://your-instance.service-now.com)
Username (stored securely)
Password (stored securely)

Optional Configuration:

Timeout in seconds (default: 30)

Incident Fields

ServiceNow incidents are created with the following fields:

ServiceNow Field	Value	Notes
`short_description`	Detection name	Incident title
`description`	Detection details	Full description with all metadata (max 1000 chars)
`correlation_id`	Detection ID	Used for deduplication
`impact`	1-3	CRITICAL=1, HIGH=2, MEDIUM/LOW=3
`urgency`	1-3	CRITICAL=1, HIGH=2, MEDIUM/LOW=3
`category`	"Security"	Fixed value
`subcategory`	"Security Detection"	Fixed value

Impact and Urgency Mapping

Detection severity maps to ServiceNow impact and urgency:

Detection Severity	Impact	Urgency
CRITICAL	1 (High)	1 (High)
HIGH	2 (Medium)	2 (Medium)
MEDIUM	3 (Low)	3 (Low)
LOW	3 (Low)	3 (Low)

Description Field Contents

The description field includes:

Detection name and description
Run type (SCHEDULED or MANUAL)
Match operator, threshold, and eagerness
Match exhaustiveness (if available)
Search ID and Trace ID (if available for debugging)
Replay link for investigation

Note: Descriptions are automatically truncated at 1000 characters (ServiceNow field limit).

Testing

Test Credentials

Test your ServiceNow credentials with curl:

curl -u "username:password" \
  -X POST "https://your-instance.service-now.com/api/now/table/incident" \
  -H "Content-Type: application/json" \
  -d '{
    "short_description": "Test Incident from Query.ai",
    "description": "This is a test incident created via API",
    "category": "Security"
  }'

Expected Response:

{
  "result": {
    "number": "INC0012345",
    "sys_id": "abc123...",
    ...
  }
}

Test with Detection

Create a test detection with low threshold
Add ServiceNow destination
Click Run Now
Check ServiceNow for new incident

Troubleshooting

Common Issues

Error	Cause	Solution
`401 Unauthorized`	Invalid credentials	Verify username/password, check user roles
`Request timed out`	Slow ServiceNow response	Increase timeout value, check network connectivity
Incident not created	Detection didn't match	Verify detection outcome is `MATCHED`, check destination is enabled
Description truncated	Description too long	Normal behavior - descriptions auto-truncate at 1000 chars
Missing fields	Insufficient permissions	Verify user has `itil` role

Verify User Permissions

Log into ServiceNow as admin
Navigate to User Administration → Users
Open the API user
Check Roles tab includes itil and rest_api_explorer

View Logs

Contact your Query.ai administrator to review CloudWatch logs:

aws logs tail /aws/lambda/detection-outcome-handler --follow

Look for ServiceNow-related errors in the logs.

Multiple Instances

Create separate destinations for different ServiceNow environments:

Example Use Cases:

Production incidents → Production ServiceNow
Test detections → Development ServiceNow
Different teams → Different ServiceNow instances

Each destination uses different instance URLs and credentials.

Configuration Options

Required

instance_url

ServiceNow instance URL
Format: https://your-instance.service-now.com
Do not include trailing slash or API path

username (secret)

ServiceNow API username
Stored securely in AWS Secrets Manager
Should be dedicated API user (not personal account)

password (secret)

ServiceNow API password
Stored securely in AWS Secrets Manager
Rotate every 90 days

Optional

timeout

Request timeout in seconds
Default: 30
Increase if ServiceNow responses are slow
Maximum: 300 (5 minutes)

ServiceNow Workflow Integration

Assignment Rules

Configure ServiceNow assignment rules to automatically assign incidents:

Navigate to System Policy → Assignment Rules
Create rule for Security category
Assign to appropriate group or user
Set conditions based on impact/urgency

Notifications

Configure ServiceNow notifications for new security incidents:

Navigate to System Notification → Email → Notifications
Create notification for incident creation
Filter by category = "Security"
Configure recipients

Business Rules

Create business rules to automate incident processing:

Navigate to System Definition → Business Rules
Create rule triggered on incident insert
Add conditions for Security category
Define actions (e.g., send to SIEM, create change request)

Incident Investigation

When ServiceNow incident is created:

Open incident in ServiceNow
Review description for detection details
Click replay link to investigate in Query.ai
Document findings in incident work notes
Update incident state as investigation progresses

Security Best Practices

Never Commit Credentials: Always store credentials in Secrets Manager
Use Dedicated API User: Don't use personal accounts for automation
Rotate Credentials: Rotate passwords every 90 days
Least Privilege: Grant only required roles (itil, rest_api_explorer)
Monitor Usage: Review API user activity logs
Secure Network: Use HTTPS only, consider IP allowlisting

Credential Rotation

To rotate ServiceNow credentials:

Create new password in ServiceNow for API user
Update password in Query.ai configuration
Test with a manual detection run
Verify incidents are created successfully
Old password can be disabled

ServiceNow Incidents Destination Setup