ServiceNow Event Collector
This Integration is part of the ServiceNow Pack.#
Supported versions
Supported Cortex XSOAR versions: 8.4.0 and later.
Use this integration to fetch audit, case and syslog transactions logs from ServiceNow as Cortex XSIAM events. This integration was integrated and tested with Vancouver version of ServiceNow API.
Configure ServiceNow Event Collector in Cortex#
| Parameter | Description | Required |
|---|---|---|
| ServiceNow URL, in the format https://company.service-now.com/ | True | |
| Username | True | |
| Password | True | |
| Client ID | False | |
| Client Secret | False | |
| ServiceNow API Version (e.g., 'v1') | False | |
| Use OAuth Login | Select this checkbox to use OAuth 2.0 authentication. | False |
| Event Types To Fetch | Event types to fetch. Defaults to 'Audit' if no type is specified. | False |
| Maximum audit events to fetch | Maximum number of audit events per fetch. | False |
| Maximum syslog transactions events to fetch | Maximum number of syslog transactions events per fetch. | False |
| Maximum case events to fetch | Maximum number of case events per fetch. | False |
| Events Fetch Interval | False | |
| Trust any certificate (not secure) | False | |
| Use system proxy settings | False |
Commands#
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
service-now-get-audit-logs#
Returns events extracted from ServiceNow. This command is used for developing/debugging and is to be used with caution, as it can create events, leading to event duplication and exceeding the API request limitation.
Base Command#
service-now-get-audit-logs
Input#
| Argument Name | Description | Required |
|---|---|---|
| should_push_events | Set this argument to True in order to create events, otherwise the command will only display them. Possible values are: True, False. Default is False. | Required |
| limit | Maximum audit events to fetch. Default is 1000. | Optional |
| from_date | The date and time of the earliest event. The time format is "{yyyy}-{mm}-{dd} {hh}:{mm}:{ss}". Example: "2021-05-18 13:45:14" indicates May 18, 2021, 1:45PM. | Optional |
| offset | Starting record index from which to begin retrieving records. | Optional |
Context Output#
There is no context output for this command.
Human Readable#
Audit Events#
_time documentkey fieldname newvalue record_checkpoint sys_created_on sys_id tablename 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 audit 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 audit 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 audit 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 audit
service-now-get-syslog-transactions#
Returns syslog transactions events extracted from ServiceNow. This command is used for developing/debugging and is to be used with caution, as it can create events, leading to event duplication and exceeding the API request limitation.
Base Command#
service-now-get-syslog-transactions
Input#
| Argument Name | Description | Required |
|---|---|---|
| should_push_events | Set this argument to True in order to create events, otherwise the command will only display them. Possible values are: True, False. Default is False. | Required |
| max_fetch_syslog_transactions | Maximum syslog transactions events to fetch. Default is 1000. | Optional |
| from_date | The date and time of the earliest event. The time format is "{yyyy}-{mm}-{dd} {hh}:{mm}:{ss}". Example: "2021-05-18 13:45:14" indicates May 18, 2021, 1:45PM. | Optional |
| offset | Starting record index from which to begin retrieving records. | Optional |
Context Output#
There is no context output for this command.
Human Readable#
Syslog Transactions Events#
_time acl_time business_rule_count client_transaction cpu_time sys_created_on sys_id source_log_type 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 test_table 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 test_table 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 test_table 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 test_table
service-now-get-case-logs#
Returns case events extracted from ServiceNow. This command is used for developing/debugging and is to be used with caution, as it can create events, leading to event duplication and exceeding the API request limitation.
Base Command#
service-now-get-case-logs
Input#
| Argument Name | Description | Required |
|---|---|---|
| should_push_events | Set this argument to True in order to create events, otherwise the command will only display them. Possible values are: True, False. Default is False. | Required |
| max_fetch_case | Maximum case events to fetch. Default is 1000. | Optional |
| from_date | The date and time of the earliest event. The time format is "{yyyy}-{mm}-{dd} {hh}:{mm}:{ss}". Example: "2021-05-18 13:45:14" indicates May 18, 2021, 1:45PM. | Optional |
| offset | Starting record index from which to begin retrieving records. | Optional |
Context Output#
There is no context output for this command.
Human Readable#
Case Events#
_time acl_time business_rule_count client_transaction cpu_time sys_created_on sys_id source_log_type 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 test_table 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 test_table 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 test_table 2024-01-28T13:21:43Z 3 DELETED DELETED -1 2024-01-28 13:21:43 3 test_table
service-now-oauth-login#
Generate a refresh token using your existing credentials. Use this command if you encounter access_denied or other errors related to your access token when using OAuth 2.0.
Base Command#
service-now-oauth-login