ServiceNow v2

IT service management. Demisto interfaces with ServiceNow to help streamline security-related service management and IT operations. For example, you can use the ‘ServiceNow’ integration in order to:

  • View, create, update or delete a ServiceNow ticket directly from the Demisto CLI and enrich it with Demisto data.
  • View, create, update and delete records from any ServiceNow table.
  • Query ServiceNow data with the ServiceNow query syntax.

Please refer to ServiceNow documentation for additional information. We especially recommend the Operators available for filters and queries page: https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/use/common-ui-elements/reference/r_OpAvailableFiltersQueries.html

This integration was integrated and tested with the Orlando version of ServiceNow.

Use cases#

  1. Get, update, create, and delete ServiceNow tickets, as well as add links and comments, or upload files to the tickets.
  2. Fetch newly created incidents.
  3. Get, update, create, delete records from any ServiceNow table.

Wrapper Scripts#

There are 3 scripts that serve as examples for wrapping the following generic commands: servicenow-query-table - ServiceNowQueryIncident servicenow-create-record - ServiceNowCreateIncident servicenow-update-record - ServiceNowUpdateIncident

You can use these scripts if you want to wrap these commands around a ServiceNow table of your choice. These scripts are wrapped around the incident table, so to wrap them around another table simply copy the scripts and edit the code, arguments and outputs accordingly.

Configure ServiceNow v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ServiceNow v2.

  3. Click Add instance to create and configure a new integration instance.

  4. To ensure that mirroring works:

    1. Select the Fetches incidents radio button.

    2. Under Classifier, select ServiceNow Classifier.

    3. Under Incident type, select ServiceNowTicket.

    4. Under Mapper (incoming), select ServiceNow - Incoming Mapper.

    5. Under Mapper (outgoing), select ServiceNow - Outgoing Mapper.

    6. To enable mirroring when closing an incident or ticket in Cortex XSOAR and ServiceNow, select the Close Mirrored XSOAR Incident and Close Mirrored ServiceNow Ticket checkboxes, respectively.

      image

Instance Creation Flow#

The integration supports two types of authorization:

  1. Basic authorization using username and password.
  2. OAuth 2.0 authorization.

OAuth 2.0 Authorization#

To use OAuth 2.0 authorization follow the next steps:

  1. Login to your ServiceNow instance and create an endpoint for XSOAR to access your instance (please see Snow OAuth for more information).
  2. Copy the Client Id and Client Secret (press the lock next to the client secret to reveal it) that were automatically generated when creating the endpoint into the Username and Password fields of the instance configuration.
  3. Select the Use OAuth Login checkbox and click the Done button.
  4. Run the command !servicenow-oauth-login from the XSOAR CLI and fill in the username and password of the ServiceNow instance. This step generates an access token to the ServiceNow instance and is required only in the first time after configuring a new instance in the XSOAR platform.
  5. (Optional) Test the created instance by running the !servicenow-oauth-test command.

Notes:

  1. When running the !servicenow-oauth-login command, a refresh token is generated and will be used to produce new access tokens after the current access token has expired.
  2. Every time the refresh token expires you will have to run the servicenow-oauth-login command again. Hence, we recommend to set the Refresh Token Lifespan field in the endpoint created in step 1 to a long period (can be set to several years).

Using Multi Factor Authentication (MFA)#

MFA can be used both when using basic authorization and when using OAuth 2.0 authorization, however we strongly recommend using OAuth 2.0 when using MFA. If MFA is enabled for your user, follow the next steps:

  1. Open the Google Authenticator application on your mobile device and make note of the number. The number refreshes every 30 seconds.
  2. Enter your username and password, and append the One Time Password (OTP) that you currently see on your mobile device to your password without any extra spaces. For example, if your password is 12345 and the current OTP code is 424 058, enter 12345424058.

Notes:

  1. When using basic authorization, you will have to update your password with the current OTP every time the current code expires (30 seconds), hence we recommend using OAuth 2.0 authorization.
  2. For using OAuth 2.0 see the above instructions. The OTP code should be appended to the password parameter in the !servicenow-oauth-login command.
ParameterDescriptionRequired
urlServiceNow URL, in the format https://company.service-now.com/True
credentialsUsernameFalse
use_oauthUse OAuthFalse
proxyUse system proxy settingsFalse
insecureTrust any certificate (not secure)False
ticket_typeDefault ticket type on which to run ticket commands and fetch incidentsFalse
api_versionServiceNow API Version (e.g. 'v1')False
isFetchFetch incidentsFalse
sysparm_queryThe query to use when fetching incidentsFalse
fetch_limitHow many incidents to fetch each timeFalse
fetch_timeFirst fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)False
timestamp_fieldTimestamp field to filter by (e.g., `opened_at`) This is how the filter is applied to the query: "ORDERBYopened_at^opened_at>[Last Run]". To prevent duplicate incidents, this field is mandatory for fetching incidents.False
incidentTypeIncident typeFalse
get_attachmentsGet incident attachmentsFalse
mirror_directionChoose whenever to mirror the incident. You can mirror only In (from ServiceNow to XSOAR), only out (from XSOAR to ServiceNow), or both directions.False
comment_tagChoose the tag to add to an entry to mirror it as a comment in ServiceNow.False
work_notes_tagChoose the tag to add to an entry to mirror it as a work note in ServiceNow.False
file_tagChoose the tag to add to an entry to mirror it as a file in ServiceNow.False
update_timestamp_fieldTimestamp field to query for updates as part of the mirroring flow.False
mirror_limitThe maximum number of incidents to mirror incoming each timeFalse
close_incidentClose XSOAR Incident. When selected, closing the ServiceNow ticket is mirrored in Cortex XSOAR.False
close_ticketClose ServiceNow Ticket. When selected, closing the XSOAR incident is mirrored in ServiceNow.False
proxyUse system proxy settingsFalse
insecureTrust any certificate (not secure)False
  1. Click Test to validate the URLs, token, and connection.
  2. Click Done.

Fetch Incidents#

The integration fetches newly created tickets according to the following parameters, which you define in the instance configuration: ticket_type, query, and limit. For the first fetch, the integration will fetch incidents that were created 10 minutes earlier. After that, it will fetch incidents that were created after the timestamp of the last fetch.

Configure Incident Mirroring#

This feature is compliant with XSOAR version 6.0 and above. This part walks you through setting up the ServiceNow v2 integration to mirror incidents from ServiceNow in Cortex XSOAR. It includes steps for configuring the integration and incoming and outgoing mappers. However, it does not cover every option available in the integration nor classification and mapping features. For information about Classification and Mapping visit: Classification and Mapping.

When mirroring incidents, you can make changes in ServiceNow that will be reflected in Cortex XSOAR, or vice versa. You can also attach files from either of the systems, which will then be available in the other system.

This is made possible by the addition of 3 new functions in the integration, which are applied with the following options:

  • External schema support
  • Can sync mirror in
  • Can sync mirror out

image

STEP 1 - Modify the incoming mapper.#

  1. Navigate to Classification and Mapping and click ServiceNow - Incoming Mapper.
  2. Under the Incident Type dropdown, select ServiceNow Ticket.
  3. Change the mapping according to your needs.
  4. Save your changes.
5 fields have been added to support the mirroring feature:#
  • dbotMirrorDirection - determines whether mirroring is incoming, outgoing, or both. Default is Both.

    • You can choose the mirror direction when configuring the ServiceNow instance using the Incident Mirroring Direction field.
  • dbotMirrorId - determines the incident ID in the 3rd party integration. In this case, the ServiceNow sys ID field.

  • dbotMirrorInstance - determines the ServiceNow instance with which to mirror.

  • dbotMirrorLastSync - determines the field by which to indicate the last time that the systems synchronized.

  • dbotMirrorTags - determines the tags that you need to add in Cortex XSOAR for entries to be pushed to ServiceNow.

    • You can set the tags in the instance configuration, using Comment Entry Tag, Work Note Entry Tag and File Entry Tag.

image

STEP 2 - Modify the outgoing mapper.#

  1. Under Classification and Mapping, click ServiceNow - Outgoing Mapper. The left side of the screen shows the ServiceNow fields to which to map and the right side of the screen shows the Cortex XSOAR fields by which you are mapping.
  2. Under the Incident Type dropdown, select ServiceNow Ticket.
  3. Under Schema Type, select incident. The Schema Type represents the ServiceNow entity that you are mapping to. In our example it is an incident, but it can also be any other kind of ticket that ServiceNow supports.
  4. On the right side of the screen, under Incident, select the incident based on which you want to match.
  5. Change the mapping according to your needs.
  6. Save your changes.

image

STEP 3 - Create an incident in ServiceNow. For purposes of this use case, it can be a very simple incident#

STEP 4 - In Cortex XSOAR, the new ticket will be ingested in approximately one minute.#

  1. Add a note to the incident. In the example below, we have written A comment from Cortex XSOAR to ServiceNow.
  2. Click Actions > Tags and add the comments tag.
  3. Add a file to the incident and mark it with the ForServiceNow tag.

image 4. Navigate back to the incident in ServiceNow and within approximately one minute, the changes will be reflected there, too.

  • You can make additional changes like closing the incident or changing severity and those will be reflected in both systems.

image

Notes

  • The final 'source of truth' for the incident for Cortex XSOAR are the values in Cortex XSOAR. Meaning, if you change the severity in Cortex XSOAR and then change it back in ServiceNow, the final value that will be presented is the one in Cortex XSOAR.
  • The integration queries ServiceNow for modified records based on the timestamp field set in the update_timestamp_field integration parameter and the limit set in the mirror_limit integration parameter. If more records are modified in the timeframe when they are queried than are configured in the limit parameter, the extra records won't be mirrored in and the incidents in Cortex XSOAR will not be updated.

Commands#

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

servicenow-login#


This function should be used once before running any command when using OAuth authentication.

Base Command#

servicenow-login

Input#

Argument NameDescriptionRequired
usernameThe username that should be used for login.Required
passwordThe password that should be used for login.Required

Context Output#

There is no context output for this command.

Command Example#

!servicenow-login username=username password=password

Context Example#

{}

Human Readable Output#

Logged in successfully#

servicenow-test#


Test the instance configuration when using OAuth authorization.

Base Command#

servicenow-test

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!servicenow-test

Context Example#

{}

Human Readable Output#

Instance Configured Successfully#

servicenow-get-ticket#


Retrieves ticket information by ticket ID.

Base Command#

servicenow-get-ticket

Input#

Argument NameDescriptionRequired
idTicket system ID for which to retrieve information.Optional
ticket_typeTicket type. Can be "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
numberTicket number to retrieve.Optional
get_attachmentsIf "true" will retrieve ticket attachments. Default is "false".Optional
custom_fieldsCustom fields on which to query. For example: state_code=AR,time_zone=PST.Optional
additional_fieldsAdditional fields to display in the War Room entry and incident context.Optional

Context Output#

PathTypeDescription
ServiceNow.Ticket.IDstringServiceNow ticket ID.
ServiceNow.Ticket.OpenedBystringServiceNow ticket opener ID.
ServiceNow.Ticket.CreatedOndateServiceNow ticket creation date.
ServiceNow.Ticket.AssigneestringServiceNow ticket assignee ID.
ServiceNow.Ticket.StatestringServiceNow ticket state.
ServiceNow.Ticket.SummarystringServiceNow ticket short summary.
ServiceNow.Ticket.NumberstringServiceNow ticket number.
ServiceNow.Ticket.ActivebooleanServiceNow ticket active.
ServiceNow.Ticket.AdditionalCommentsstringServiceNow ticket comments.
ServiceNow.Ticket.PrioritystringServiceNow ticket priority.
ServiceNow.Ticket.OpenedAtdateServiceNow ticket opening time.
ServiceNow.Ticket.ResolvedBystringServiceNow ticket resolver ID.
ServiceNow.Ticket.CloseCodestringServiceNow ticket close code.
File.InfostringAttachment file info.
File.NamestringAttachment file name.
File.SizenumberAttachment file size.
File.SHA1stringAttachment file SHA1 hash.
File.SHA256stringAttachment file SHA256 hash.
File.EntryIDstringAttachment file entry ID.
File.TypestringAttachment file type.
File.MD5stringAttachment file MD5 hash.

Command Example#

!servicenow-get-ticket number=INC0000040

Context Example#

{
"ServiceNow": {
"Ticket": {
"Active": "true",
"Assignee": "admin",
"CreatedOn": "2020-01-26 00:43:54",
"Creator": "admin",
"ID": "id",
"Number": "INC0000040",
"OpenedAt": "2020-01-26 00:42:45",
"OpenedBy": "admin",
"Priority": "3 - Moderate",
"State": "3",
"Summary": "JavaScript error on hiring page of corporate website"
}
},
"Ticket": {
"Active": "true",
"Assignee": "admin",
"CreatedOn": "2020-01-26 00:43:54",
"Creator": "admin",
"ID": "id",
"Number": "INC0000040",
"OpenedAt": "2020-01-26 00:42:45",
"OpenedBy": "admin",
"Priority": "3 - Moderate",
"State": "3",
"Summary": "JavaScript error on hiring page of corporate website"
}
}

Human Readable Output#

ServiceNow ticket#

System IDNumberImpactUrgencySeverityPriorityStateCreated OnCreated ByActiveDescriptionOpened AtShort Description
idINC00000402 - Medium2 - Medium3 - Low3 - Moderate3 - On Hold2020-01-26 00:43:54admintrueSeeing JavaScript error message on hiring page on Explorer and Firefox.2020-01-26 00:42:45JavaScript error on hiring page of corporate website

servicenow-create-ticket#


Creates new ServiceNow ticket.

Base Command#

servicenow-create-ticket

Input#

Argument NameDescriptionRequired
short_descriptionShort description of the ticket.Optional
ticket_typeTicket type. Can be "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
urgencyTicket urgency. You can either select from the predefined options or enter another value, for example: "Urgent" or "5".Optional
severityTicket severity. You can either select from the predefined options or enter another value, for example: "Urgent" or "5".Optional
impactTicket impact.Optional
activeWhether to set the ticket as Active. Can be "true" or "false".Optional
activity_dueThe ticket activity due date, in the format "2016-07-02 21:51:11".Optional
additional_assignee_listList of users assigned to the ticket.Optional
approval_historyTicket history approval.Optional
approval_setThe ticket approval set date, in the format "2016-07-02 21:51:11".Optional
assigned_toUser assigned to the ticket.Optional
business_durationBusiness duration, in the format: YYYY-MM-DD HH:MM:SS.Optional
business_serviceBusiness service.Optional
business_stcBusiness source.Optional
calendar_durationCalendar duration, in the format: YYYY-MM-DD HH:MM:SS.Optional
caller_idCaller ID (UID format).Optional
categoryCategory of the ticket.Optional
caused_byUID FormatOptional
close_codeTicket's close code. Can be "Solved (Work Around)", "Solved (Permanently)", "Solved Remotely (Work Around)", "Solved Remotely (Permanently)", "Not Solved (Not Reproducible)", "Not Solved (Too Costly)", or "Closed/Resolved by Caller".Optional
close_notesClose notes of the ticket.Optional
closed_atWhen the ticket was closed, in the format: YYYY-MM-DD HH:MM:SS.Optional
closed_byUser who closed the ticket.Optional
cmdb_ciUID Format.Optional
commentsFormat type journal input.Optional
comments_and_work_notesFormat type journal input.Optional
companyCompany (UID format).Optional
contact_typeContact type.Optional
correlation_displayCorrelation display.Optional
correlation_idCorrelation ID.Optional
delivery_planDelivery plan (UID format).Optional
displayWhether to display comments, work notes, and so on. Can be "true" or "false".Optional
descriptionTicket description.Optional
due_dateTicket due date, in the format: YYYY-MM-DD HH:MM:SS.Optional
escalationEscalationOptional
expected_startExpected start date/time, in the format: YYYY-MM-DD HH:MM:SS.Optional
follow_upFollow up date/time, in the format: YYYY-MM-DD HH:MM:SS.Optional
group_listUID format list (group).Optional
knowledgeWhether the ticket is solved in the knowledge base. Can be "true" or "false".Optional
locationLocation of the ticket.Optional
made_slaSLA of the ticket.Optional
notifyWhether to be notified about this ticket. Can be "1" or "0".Optional
orderOrder number.Optional
parentUID FormatOptional
parent_incidentUID FormatOptional
problem_idUID FormatOptional
reassignment_countThe number of users included in this ticket.Optional
reopen_countHow many times the ticket has been reopened.Optional
resolved_atThe date/time that the ticket was resolved, in the format: YYYY-MM-DD HH:MM:SS.Optional
resolved_byID of the user that resolved the ticket.Optional
rfcUIDOptional
sla_dueSLA due date/time, in the format: YYYY-MM-DD HH:MM:SS.Optional
subcategoryTicket subcategory.Optional
sys_updated_byLast updated by.Optional
sys_updated_onLast date/time that the system was updated, in the format: YYYY-MM-DD HH:MM:SS.Optional
user_inputInput from the end user.Optional
watch_listA list of watched tickets.Optional
work_endFormat: YYYY-MM-DD HH:MM:SSOptional
work_notesFormat journal listOptional
work_notes_listList work notes UIDs.Optional
work_startDate/time when work started on the ticket.Optional
assignment_groupThe sys_id of the group to assign.Optional
incident_stateThe number that represents the incident state.Optional
numberTicket number.Optional
priorityPriority of the ticket.Optional
templateTemplate name to use as a base to create new tickets.Optional
custom_fieldsCustom (user defined) fields in the format: fieldname1=value;fieldname2=value; custom fields start with a "u_".Optional
change_typeType of Change Request ticket. Can be "normal", "standard", or "emergency". Default is "normal".Optional
stateState of the ticket, for example: "Closed" or "7" or "7 - Closed".Optional
opened_atDate/time the ticket was opened, in the format: YYYY-MM-DD HH:MM:SS.Optional
callerCaller system ID.Optional
approvalTicket approval.Optional
additional_fieldsAdditional fields in the format: fieldname1=value;fieldname2=value;Optional
input_display_valueFlag that indicates whether to set field values using the display value or the actual value. True will treat the input value as the display value. False treats the input values as actual values. The default setting is false.Optional

For more information regarding the input_display_value Argument, please see: https://docs.servicenow.com/bundle/orlando-platform-administration/page/administer/exporting-data/concept/query-parameters-display-value.html

Context Output#

PathTypeDescription
ServiceNow.Ticket.IDstringServiceNow ticket ID.
ServiceNow.Ticket.OpenedBystringServiceNow ticket opener ID.
ServiceNow.Ticket.CreatedOndateServiceNow ticket creation date.
ServiceNow.Ticket.AssigneestringServiceNow ticket assignee ID.
ServiceNow.Ticket.StatestringServiceNow ticket state.
ServiceNow.Ticket.SummarystringServiceNow ticket short summary.
ServiceNow.Ticket.NumberstringServiceNow ticket number.
ServiceNow.Ticket.ActivebooleanServiceNow ticket active.
ServiceNow.Ticket.AdditionalCommentsstringServiceNow ticket comments.
ServiceNow.Ticket.PrioritystringServiceNow ticket priority.
ServiceNow.Ticket.OpenedAtdateServiceNow ticket opening time.
ServiceNow.Ticket.ResolvedBystringServiceNow ticket resolver ID.
ServiceNow.Ticket.CloseCodestringServiceNow ticket close code.

Command Example#

!servicenow-create-ticket active=true severity="2 - Medium" short_description="Ticket example"

Context Example#

{
"ServiceNow": {
"Ticket": {
"Active": "true",
"CreatedOn": "2020-05-10 09:04:06",
"Creator": "admin",
"ID": "id",
"Number": "INC0010002",
"OpenedAt": "2020-05-10 09:04:06",
"OpenedBy": "admin",
"Priority": "5 - Planning",
"State": "1",
"Summary": "Ticket exmaple"
}
},
"Ticket": {
"Active": "true",
"CreatedOn": "2020-05-10 09:04:06",
"Creator": "admin",
"ID": "id",
"Number": "INC0010002",
"OpenedAt": "2020-05-10 09:04:06",
"OpenedBy": "admin",
"Priority": "5 - Planning",
"State": "1",
"Summary": "Ticket example"
}
}

Human Readable Output#

ServiceNow ticket was created successfully.#

System IDNumberImpactUrgencySeverityPriorityStateCreated OnCreated ByActiveOpened AtShort Description
idINC00100023 - Low3 - Low2 - Medium5 - Planning1 - New2020-05-10 09:04:06admintrue2020-05-10 09:04:06Ticket example

servicenow-update-ticket#


Updates the specified ticket.

Base Command#

servicenow-update-ticket

Input#

Argument NameDescriptionRequired
short_descriptionShort description of the ticket.Optional
ticket_typeTicket type. Can be "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
urgencyTicket urgency. You can either select from the predefined options or enter another value, for example: "Urgent" or "5".Optional
severityTicket severity. You can either select from the predefined options or enter another value, for example: "Urgent" or "5".Optional
impactTicket impact.Optional
activeWhether the ticket is Active. Can be "true" or "false".Optional
activity_dueThe ticket activity due date, in the format: "2016-07-02 21:51:11".Optional
additional_assignee_listList of users assigned to the ticket.Optional
approval_historyTicket history approval.Optional
approval_setThe ticket approval set date/time, in the format: "2016-07-02 21:51:11".Optional
assigned_toUser assigned to the ticket.Optional
business_durationBusiness duration, in the format: YYYY-MM-DD HH:MM:SS.Optional
business_serviceBusiness service.Optional
business_stcBusiness source.Optional
calendar_durationCalendar duration, in the format: YYYY-MM-DD HH:MM:SS.Optional
caller_idCaller ID (UID format).Optional
categoryCategory name.Optional
caused_byUID format.Optional
close_codeTicket's close code. Ticket's close code. Can be "Solved (Work Around)", "Solved (Permanently)", "Solved Remotely (Work Around)", "Solved Remotely (Permanently)", "Not Solved (Not Reproducible)", "Not Solved (Too Costly)", or "Closed/Resolved by Caller".Optional
close_notesClose notes of the ticket.Optional
closed_atDate/time the ticket was closed, in the format: YYYY-MM-DD HH:MM:SS.Optional
closed_byUser who closed the ticket.Optional
cmdb_ciUID Format.Optional
commentsFormat type journal input.Optional
comments_and_work_notesFormat type journal input.Optional
companyUID Format.Optional
contact_typeContact type.Optional
correlation_displayCorrelation display.Optional
correlation_idCorrelation ID.Optional
delivery_planUID Format.Optional
displayWhether to display comments, work notes, and so on. Can be "true" or "false".Optional
descriptionTicket description.Optional
due_dateTicket due date, in the format: YYYY-MM-DD HH:MM:SS.Optional
escalationEscalation.Optional
expected_startExpected start date/time, in the format: YYYY-MM-DD HH:MM:SS.Optional
follow_upFollow up date/time, in the format: YYYY-MM-DD HH:MM:SS.Optional
group_listUID format list.Optional
knowledgeWhether the ticket is solved in the knowledge base. Can be "true" or "false".Optional
locationLocation of the ticket.Optional
made_slaSLA of the ticket.Optional
notifyWhether to be notified about this ticket. Can be "1" or "0".Optional
orderOrder number.Optional
parentParent (UID format).Optional
parent_incidentParent incident (UID format).Optional
problem_idProblem ID (UID format).Optional
reassignment_countThe number of users included in this ticket.Optional
reopen_countThe number of times the ticket has been reopened.Optional
resolved_atDate/time the ticket was resolved, in the format: YYYY-MM-DD HH:MM:SS.Optional
resolved_byResolved by (UID format).Optional
rfcUIDOptional
sla_dueSLA due date/time, in the format: YYYY-MM-DD HH:MM:SS.Optional
subcategoryTicket subcategory.Optional
sys_updated_byLast updated byOptional
sys_updated_onDate/time the system was last updated.Optional
user_inputInput from the end user.Optional
watch_listA list of watched tickets.Optional
work_endFormat: YYYY-MM-DD HH:MM:SSOptional
work_notesFormat journal list.Optional
work_notes_listComma-separated list of work notes UIDs.Optional
work_startDate/time when work started on the ticket.Optional
assignment_groupAssignment group UID.Optional
incident_stateNumber representing the incident state.Optional
numberTicket number.Optional
priorityPriority of the ticket.Optional
idSystem ID of the ticket to update.Required
custom_fieldsCustom (user defined) fields in the format: fieldname1=value;fieldname2=value; custom fields start with a "u_".Optional
change_typeType of Change Request ticket. Can be "normal", "standard", or "emergency". Default is "normal".Optional
stateState of the ticket, for example: "Closed" or "7" or "7 - Closed".Optional
callerCaller system ID.Optional
approvalTicket approval.Optional
additional_fieldsAdditional fields in the format: fieldname1=value;fieldname2=value;Optional
input_display_valueFlag that indicates whether to set field values using the display value or the actual value. True will treat the input value as the display value. False treats the input values as actual values. The default setting is false.Optional

For more information regarding the input_display_value Argument, please see: https://docs.servicenow.com/bundle/orlando-platform-administration/page/administer/exporting-data/concept/query-parameters-display-value.html

Context Output#

There is no context output for this command.

Command Example#

!servicenow-update-ticket id=id severity="2 - Medium"

Context Example#

{
"ServiceNow": {
"Ticket": {
"Active": "true",
"Assignee": "admin",
"CreatedOn": "2020-01-26 00:43:54",
"Creator": "admin",
"ID": "id",
"Number": "INC0000040",
"OpenedAt": "2020-01-26 00:42:45",
"OpenedBy": "admin",
"Priority": "3 - Moderate",
"State": "3",
"Summary": "JavaScript error on hiring page of corporate website"
}
}
}

Human Readable Output#

ServiceNow ticket updated successfully#

Ticket type: incident |Active|Created By|Created On|Description|Impact|Number|Opened At|Priority|Severity|Short Description|State|System ID|Urgency| |---|---|---|---|---|---|---|---|---|---|---|---|---| | true | admin | 2020-01-26 00:43:54 | Seeing JavaScript error message on hiring page on Explorer and Firefox. | 2 - Medium | INC0000040 | 2020-01-26 00:42:45 | 3 - Moderate | 2 - Medium | JavaScript error on hiring page of corporate website | 3 - On Hold | 471d4732a9fe198100affbf655e59172 | 2 - Medium |

servicenow-delete-ticket#


Deletes a ticket from ServiceNow.

Base Command#

servicenow-delete-ticket

Input#

Argument NameDescriptionRequired
idTicket System IDRequired
ticket_typeTicket type. Can be "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item".Optional

Context Output#

There is no context output for this command.

Command Example#

!servicenow-delete-ticket id=id

Context Example#

{}

Human Readable Output#

Ticket with ID id was successfully deleted.

servicenow-query-tickets#


Retrieves ticket information according to the supplied query.

Base Command#

servicenow-query-tickets

Input#

Argument NameDescriptionRequired
limitThe maximum number of tickets to retrieve.Optional
ticket_typeTicket type. Can be "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
queryThe query to run. To learn about querying in ServiceNow, see https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/use/common-ui-elements/reference/r_OpAvailableFiltersQueries.htmlOptional
offsetStarting record index to begin retrieving records from.Optional
additional_fieldsAdditional fields to present in the War Room entry and incident context.Optional
system_paramsSystem parameters in the format: fieldname1=value;fieldname2=value. For example: "sysparm_display_value=true;sysparm_exclude_reference_link=True"Optional

Context Output#

PathTypeDescription
Ticket.IDstringThe unique ticket identifier.
Ticket.CreatorstringA string field that indicates the user who created the ticket.
Ticket.CreatedOndateThe date/time when the ticket was created.
Ticket.AssigneestringSpecifies the user assigned to complete the ticket. By default, this field uses a reference qualifier to only display users with the itil role.
Ticket.StatestringStatus of the ticket.
Ticket.SummarystringA human-readable title for the record.
Ticket.NumberstringThe display value of the ticket.
Ticket.ActivebooleanSpecifies whether work is still being done on a task or whether the work for the task is complete.
Ticket.AdditionalCommentsUnknownComments about the task record.
Ticket.PrioritystringSpecifies the ticket priority for the assignee.
Ticket.OpenedAtdateThe date/time when the ticket was first opened.
Ticket.EscalationstringIndicates how long the ticket has been open.

Command Example#

!servicenow-query-tickets limit="3" query="impact<2^short_descriptionISNOTEMPTY" ticket_type="incident"

Context Example#

{
"ServiceNow": {
"Ticket": [
{
"Active": "false",
"Assignee": "admin",
"CloseCode": "Closed/Resolved by Caller",
"CreatedOn": "2018-08-24 18:24:13",
"Creator": "admin",
"ID": "id",
"Number": "INC0000001",
"OpenedAt": "2020-01-23 23:09:51",
"OpenedBy": "admin",
"Priority": "1 - Critical",
"ResolvedBy": "admin",
"State": "7",
"Summary": "Can't read email"
},
{
"Active": "true",
"Assignee": "admin",
"CreatedOn": "2018-08-13 22:30:06",
"Creator": "admin",
"ID": "id",
"Number": "INC0000002",
"OpenedAt": "2020-01-17 23:07:12",
"OpenedBy": "admin",
"Priority": "1 - Critical",
"State": "3",
"Summary": "Network file shares access issue"
},
{
"Active": "true",
"Assignee": "admin",
"CreatedOn": "2018-08-28 14:41:46",
"Creator": "admin",
"ID": "id",
"Number": "INC0000003",
"OpenedAt": "2020-01-24 23:07:30",
"OpenedBy": "admin",
"Priority": "1 - Critical",
"State": "2",
"Summary": "Wireless access is down in my area"
}
]
},
"Ticket": [
{
"Active": "false",
"Assignee": "admin",
"CloseCode": "Closed/Resolved by Caller",
"CreatedOn": "2018-08-24 18:24:13",
"Creator": "admin",
"ID": "id",
"Number": "INC0000001",
"OpenedAt": "2020-01-23 23:09:51",
"OpenedBy": "admin",
"Priority": "1 - Critical",
"ResolvedBy": "admin",
"State": "7",
"Summary": "Can't read email"
},
{
"Active": "true",
"Assignee": "admin",
"CreatedOn": "2018-08-13 22:30:06",
"Creator": "admin",
"ID": "id",
"Number": "INC0000002",
"OpenedAt": "2020-01-17 23:07:12",
"OpenedBy": "admin",
"Priority": "1 - Critical",
"State": "3",
"Summary": "Network file shares access issue"
},
{
"Active": "true",
"Assignee": "admin",
"CreatedOn": "2018-08-28 14:41:46",
"Creator": "admin",
"ID": "id",
"Number": "INC0000003",
"OpenedAt": "2020-01-24 23:07:30",
"OpenedBy": "admin",
"Priority": "1 - Critical",
"State": "2",
"Summary": "Wireless access is down in my area"
}
]
}

Human Readable Output#

ServiceNow tickets#

System IDNumberImpactUrgencySeverityPriorityStateCreated OnCreated ByActiveClose NotesClose CodeDescriptionOpened AtResolved ByResolved AtShort Description
idINC00000011 - High1 - High1 - High1 - Critical7 - Closed2018-08-24 18:24:13patfalseClosed before close notes were made mandatory
Closed/Resolved by CallerUser can't access email on mail.company.com.
2020-01-23 23:09:51admin2020-04-24 19:56:12Can't read email
idINC00000021 - High1 - High1 - High1 - Critical3 - On Hold2018-08-13 22:30:06pattrueUser can't get to any of his files on the file server.2020-01-17 23:07:12Network file shares access issue
idINC00000031 - High1 - High1 - High1 - Critical2 - In Progress2018-08-28 14:41:46admintrueI just moved from floor 2 to floor 3 and my laptop cannot connect to any wireless network.2020-01-24 23:07:30Wireless access is down in my area

servicenow-add-link#


Adds a link to the specified ticket.

Base Command#

servicenow-add-link

Input#

Argument NameDescriptionRequired
idTicket System ID.Required
ticket_typeTicket type. Can be "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
linkThe actual link to publish in ServiceNow ticket, in a valid URL format, for example, http://www.demisto.com.Required
post-as-commentWhether to publish the link as comment on the ticket. Can be "true" or "false". If false will publish the link as WorkNote.Optional
textThe text to represent the link.Optional

Context Output#

There is no context output for this command.

Command Example#

!servicenow-add-link id=id link="http://www.demisto.com" text=demsito_link

Context Example#

{}

Human Readable Output#

Link successfully added to ServiceNow ticket#

System IDNumberImpactUrgencySeverityPriorityStateCreated OnCreated ByActiveDescriptionOpened AtShort Description
idINC00000402 - Medium2 - Medium2 - Medium3 - Moderate3 - On Hold2020-01-26 00:43:54admintrueSeeing JavaScript error message on hiring page on Explorer and Firefox.2020-01-26 00:42:45JavaScript error on hiring page of corporate website

servicenow-add-comment#


Adds a comment to the specified ticket, by ticket ID.

Base Command#

servicenow-add-comment

Input#

Argument NameDescriptionRequired
idTicket System ID.Required
ticket_typeTicket type. Can be "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
commentComment to add.Required
post-as-commentWhether to publish the note as comment on the ticket. Can be "true" or "false". Default is "false".Optional

Context Output#

There is no context output for this command.

Command Example#

!servicenow-add-comment id=id comment="Nice work!"

Context Example#

{}

Human Readable Output#

Comment successfully added to ServiceNow ticket#

System IDNumberImpactUrgencySeverityPriorityStateCreated OnCreated ByActiveDescriptionOpened AtShort Description
idINC00000402 - Medium2 - Medium2 - Medium3 - Moderate3 - On Hold2020-01-26 00:43:54admintrueSeeing JavaScript error message on hiring page on Explorer and Firefox.2020-01-26 00:42:45JavaScript error on hiring page of corporate website

servicenow-upload-file#


Uploads a file to the specified ticket.

Base Command#

servicenow-upload-file

Input#

Argument NameDescriptionRequired
idTicket System ID.Required
ticket_typeTicket type. Can be "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
file_idWar Room entry ID that includes the file.Required
file_nameFilename of the uploaded file to override the existing file name in the entry.Optional

Context Output#

PathTypeDescription
ServiceNow.Ticket.File.FilenamestringName of the file.
ServiceNow.Ticket.File.LinkstringDownload link for the file.
ServiceNow.Ticket.File.SystemIDstringSystem ID of the file.

Command Example#

Human Readable Output#

servicenow-get-record#


Retrieves record information, by record ID.

Base Command#

servicenow-get-record

Input#

Argument NameDescriptionRequired
idRecord System ID.Required
fieldsComma-separated list of table fields to display and output to the context, for example: name,tag,company. ID field is added by default.Optional
table_nameThe name of the table from which to get the record.Required

Context Output#

PathTypeDescription
ServiceNow.Record.IDstringThe unique record identifier for the record.
ServiceNow.Record.UpdatedBystringA string field that indicates the user who most recently updated the record.
ServiceNow.Record.UpdatedAtdateA time-stamp field that indicates the date and time of the most recent update.
ServiceNow.Record.CreatedBystringA string field that indicates the user who created the record.
ServiceNow.Record.CreatedOndateA time-stamp field that indicates when a record was created.

Command Example#

!servicenow-get-record table_name=alm_asset id=id fields=asset_tag,sys_updated_by,display_name

Context Example#

{
"ServiceNow": {
"Record": {
"ID": "id",
"asset_tag": "P1000807",
"display_name": "P1000807 - Apple MacBook Pro 17\"",
"sys_updated_by": "system"
}
}
}

Human Readable Output#

ServiceNow record#

IDasset_tagdisplay_namesys_updated_by
idP1000807P1000807 - Apple MacBook Pro 17"system

servicenow-query-table#


Queries the specified table in ServiceNow.

Base Command#

servicenow-query-table

Input#

Argument NameDescriptionRequired
table_nameThe name of the table to queryRequired
limitThe maximum number of tickets to retrieve.Optional
queryThe query to run. For more information about querying in ServiceNow, see https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/use/common-ui-elements/reference/r_OpAvailableFiltersQueries.htmlOptional
fieldsComma-separated list of table fields to display and output to the context, for example: name,tag,company. ID field is added by default.Optional
offsetStarting record index to begin retrieving records from.Optional
system_paramsSystem parameters in the format: fieldname1=value;fieldname2=value. For example: "sysparm_display_value=true;sysparm_exclude_reference_link=True"Optional

Context Output#

PathTypeDescription
ServiceNow.Results.IDstringThe unique record identifier for the record.
ServiceNow.Results.UpdatedBystringA string field that indicates the user who most recently updated the record.
ServiceNow.Results.UpdatedAtdateA time-stamp field that indicates the date and time of the most recent update.
ServiceNow.Results.CreatedBystringA string field that indicates the user who created the record.
ServiceNow.Results.CreatedOndateA time-stamp field that indicates when a record was created.

Command Example#

!servicenow-query-table table_name=alm_asset fields=asset_tag,sys_updated_by,display_name query=display_nameCONTAINSMacBook limit=4

Context Example#

{
"ServiceNow": {
"Record": [
{
"ID": "id",
"asset_tag": "P1000637",
"display_name": "P1000637 - Apple MacBook Air 13\"",
"sys_updated_by": "system"
},
{
"ID": "id",
"asset_tag": "P1000412",
"display_name": "P1000412 - Apple MacBook Pro 17\"",
"sys_updated_by": "system"
},
{
"ID": "id",
"asset_tag": "P1000563",
"display_name": "P1000563 - Apple MacBook Pro 15\"",
"sys_updated_by": "system"
},
{
"ID": "id",
"asset_tag": "P1000626",
"display_name": "P1000626 - Apple MacBook Air 13\"",
"sys_updated_by": "system"
}
]
}
}

Human Readable Output#

ServiceNow records#

IDasset_tagdisplay_namesys_updated_by
idP1000637P1000637 - Apple MacBook Air 13"system
idP1000412P1000412 - Apple MacBook Pro 17"system
idP1000563P1000563 - Apple MacBook Pro 15"system
idP1000626P1000626 - Apple MacBook Air 13"system

servicenow-create-record#


Creates a new record in the specified ServiceNow table.

Base Command#

servicenow-create-record

Input#

Argument NameDescriptionRequired
table_nameThe name of the table in which to create a record.Required
fieldsFields and their values to create the record with, in the format: fieldname1=value;fieldname2=value;...Optional
custom_fieldsCustom (user defined) fields in the format: fieldname1=value;fieldname2=value;...Optional
input_display_valueFlag that indicates whether to set field values using the display value or the actual value. True will treat the input value as the display value. False treats the input values as actual values. The default setting is false.Optional

For more information regarding the input_display_value Argument, please see: https://docs.servicenow.com/bundle/orlando-platform-administration/page/administer/exporting-data/concept/query-parameters-display-value.html

Context Output#

PathTypeDescription
ServiceNow.Record.IDstringThe unique record identifier for the record.
ServiceNow.Record.UpdatedBystringA string field that indicates the user who most recently updated the record.
ServiceNow.Record.UpdatedAtdateA time-stamp field that indicates the date and time of the most recent update.
ServiceNow.Record.CreatedBystringA string field that indicates the user who created the record.
ServiceNow.Record.CreatedOndateA time-stamp field that indicates when a record was created.

Command Example#

!servicenow-create-record table_name=alm_asset fields="asset_tag=P1000807"

Context Example#

{
"ServiceNow": {
"Record": {
"CreatedAt": "2020-05-10 09:04:27",
"CreatedBy": "admin",
"ID": "id",
"UpdatedAt": "2020-05-10 09:04:27",
"UpdatedBy": "admin"
}
}
}

Human Readable Output#

ServiceNow record created successfully#

CreatedAtCreatedByIDUpdatedAtUpdatedBy
2020-05-10 09:04:27adminid2020-05-10 09:04:27admin

servicenow-update-record#


Updates a record in the specified ServiceNow table.

Base Command#

servicenow-update-record

Input#

Argument NameDescriptionRequired
table_nameThe name of the table to update the record in.Required
idThe system ID of the ticket to update.Required
fieldsFields and their values to update in the record, in the format: fieldname1=value;fieldname2=value;...Optional
custom_fieldsCustom (user defined) fields and their values to update in the record, in the format: fieldname1=value;fieldname2=value;...Optional
input_display_valueFlag that indicates whether to set field values using the display value or the actual value. True will treat the input value as the display value. False treats the input values as actual values. The default setting is false.Optional

For more information regarding the input_display_value Argument, please see: https://docs.servicenow.com/bundle/orlando-platform-administration/page/administer/exporting-data/concept/query-parameters-display-value.html

Context Output#

PathTypeDescription
ServiceNow.Record.IDstringThe unique record identifier for the record.
ServiceNow.Record.UpdatedBystringA string field that indicates the user who most recently updated the record.
ServiceNow.Record.UpdatedAtdateA time-stamp field that indicates the date and time of the most recent update.
ServiceNow.Record.CreatedBystringA string field that indicates the user who created the record.
ServiceNow.Record.CreatedOndateA time-stamp field that indicates when a record was created.

Command Example#

!servicenow-update-record table_name=alm_asset id=id custom_fields="display_name=test4"

Context Example#

{
"ServiceNow": {
"Record": {
"CreatedAt": "2019-07-16 08:14:09",
"CreatedBy": "admin",
"ID": "id",
"UpdatedAt": "2020-05-09 19:08:42",
"UpdatedBy": "system"
}
}
}

Human Readable Output#

ServiceNow record with ID 01a92c0d3790200044e0bfc8bcbe5d36 updated successfully#

CreatedAtCreatedByIDUpdatedAtUpdatedBy
2019-07-16 08:14:09adminid2020-05-09 19:08:42system

servicenow-delete-record#


Deletes a record in the specified ServiceNow table.

Base Command#

servicenow-delete-record

Input#

Argument NameDescriptionRequired
table_nameThe table name.Required
idThe system ID of the ticket to delete.Required

Context Output#

There is no context output for this command.

Command Example#

!servicenow-delete-record table_name=alm_asset id=id

Context Example#

{}

Human Readable Output#

ServiceNow record with ID id was successfully deleted.

servicenow-list-table-fields#


Lists API fields for the specified ServiceNow table.

Base Command#

servicenow-list-table-fields

Input#

Argument NameDescriptionRequired
table_nameTable nameRequired

Context Output#

PathTypeDescription
ServiceNow.FieldstringTable API field name.

Command Example#

!servicenow-list-table-fields table_name=alm_asset

Context Example#

{
"ServiceNow": {
"Field": [
{
"Name": "parent"
},
{
"Name": "skip_sync"
},
{
"Name": "residual_date"
},
{
"Name": "residual"
},
{
"Name": "sys_updated_on"
},
{
"Name": "request_line"
},
{
"Name": "sys_updated_by"
},
{
"Name": "due_in"
},
{
"Name": "model_category"
},
{
"Name": "sys_created_on"
},
{
"Name": "sys_domain"
},
{
"Name": "disposal_reason"
},
{
"Name": "model"
},
{
"Name": "install_date"
},
{
"Name": "gl_account"
},
{
"Name": "invoice_number"
},
{
"Name": "sys_created_by"
},
{
"Name": "warranty_expiration"
},
{
"Name": "depreciated_amount"
},
{
"Name": "substatus"
},
{
"Name": "pre_allocated"
},
{
"Name": "owned_by"
},
{
"Name": "checked_out"
},
{
"Name": "display_name"
},
{
"Name": "sys_domain_path"
},
{
"Name": "delivery_date"
},
{
"Name": "retirement_date"
},
{
"Name": "beneficiary"
},
{
"Name": "install_status"
},
{
"Name": "cost_center"
},
{
"Name": "supported_by"
},
{
"Name": "assigned"
},
{
"Name": "purchase_date"
},
{
"Name": "work_notes"
},
{
"Name": "managed_by"
},
{
"Name": "sys_class_name"
},
{
"Name": "sys_id"
},
{
"Name": "po_number"
},
{
"Name": "stockroom"
},
{
"Name": "checked_in"
},
{
"Name": "resale_price"
},
{
"Name": "vendor"
},
{
"Name": "company"
},
{
"Name": "retired"
},
{
"Name": "justification"
},
{
"Name": "department"
},
{
"Name": "expenditure_type"
},
{
"Name": "depreciation"
},
{
"Name": "assigned_to"
},
{
"Name": "depreciation_date"
},
{
"Name": "old_status"
},
{
"Name": "comments"
},
{
"Name": "cost"
},
{
"Name": "quantity"
},
{
"Name": "acquisition_method"
},
{
"Name": "ci"
},
{
"Name": "sys_mod_count"
},
{
"Name": "old_substatus"
},
{
"Name": "sys_tags"
},
{
"Name": "order_date"
},
{
"Name": "support_group"
},
{
"Name": "reserved_for"
},
{
"Name": "due"
},
{
"Name": "location"
},
{
"Name": "lease_id"
},
{
"Name": "salvage_value"
}
]
}
}

Human Readable Output#

ServiceNow Table fields - alm_asset#

Name
parent
skip_sync
residual_date
residual
sys_updated_on
request_line
sys_updated_by
due_in
model_category
sys_created_on
sys_domain
disposal_reason
model
install_date
gl_account
invoice_number
sys_created_by
warranty_expiration
depreciated_amount
substatus
pre_allocated
owned_by
checked_out
display_name
sys_domain_path
delivery_date
retirement_date
beneficiary
install_status
cost_center
supported_by
assigned
purchase_date
work_notes
managed_by
sys_class_name
sys_id
po_number
stockroom
checked_in
resale_price
vendor
company
retired
justification
department
expenditure_type
depreciation
assigned_to
depreciation_date
old_status
comments
cost
quantity
acquisition_method
ci
sys_mod_count
old_substatus
sys_tags
order_date
support_group
reserved_for
due
location
lease_id
salvage_value

servicenow-query-computers#


Queries the cmdb_ci_computer table in ServiceNow.

Base Command#

servicenow-query-computers

Input#

Argument NameDescriptionRequired
computer_idQuery by computer sys_id.Optional
computer_nameQuery by computer name.Optional
queryQuery by specified query, for more information about querying in ServiceNow, see https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/use/common-ui-elements/reference/r_OpAvailableFiltersQueries.htmlOptional
asset_tagQuery by asset tag.Optional
limitMaximum number of query results. Default is 10.Optional
offsetStarting record index to begin retrieving records from.Optional

Context Output#

PathTypeDescription
ServiceNow.Computer.IDstringComputer system ID.
ServiceNow.Computer.AssetTagstringComputer Asset tag.
ServiceNow.Computer.NamestringComputer name.
ServiceNow.Computer.DisplayNamestringComputer display name.
ServiceNow.Computer.SupportGroupstringComputer support group.
ServiceNow.Computer.OperatingSystemstringComputer operating system.
ServiceNow.Computer.CompanystringComputer company system ID.
ServiceNow.Computer.AssignedTostringComputer assigned to user system ID.
ServiceNow.Computer.StatestringComputer state.
ServiceNow.Computer.CoststringComputer cost.
ServiceNow.Computer.CommentsstringComputer comments.

Command Example#

!servicenow-query-computers asset_tag=P1000412

Context Example#

{
"ServiceNow": {
"Computer": {
"AssetTag": "P1000412",
"AssignedTo": "admin",
"Company": "admin",
"Cost": "2499.99 USD",
"DisplayName": "P1000412 - MacBook Pro 17\"",
"ID": "id",
"Name": "MacBook Pro 17\"",
"OperatingSystem": "Mac OS 10 (OS/X)",
"State": "In use"
}
}
}

Human Readable Output#

ServiceNow Computers#

IDAsset TagNameDisplay NameOperating SystemCompanyAssigned ToStateCost
idP1000412MacBook Pro 17"P1000412 - MacBook Pro 17"Mac OS 10 (OS/X)adminadminIn use2499.99 USD

servicenow-query-groups#


Queries the sys_user_group table in ServiceNow.

Base Command#

servicenow-query-groups

Input#

Argument NameDescriptionRequired
group_idQuery by group system ID.Optional
group_nameQuery by group name.Optional
queryQuery by specified query, for more information about querying in ServiceNow, see https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/use/common-ui-elements/reference/r_OpAvailableFiltersQueries.htmlOptional
limitMaximum number of query results. Default is 10.Optional
offsetStarting record index to begin retrieving records from.Optional

Context Output#

PathTypeDescription
ServiceNow.Group.IDstringGroup system ID.
ServiceNow.Group.DescriptionstringGroup description.
ServiceNow.Group.NamestringGroup name.
ServiceNow.Group.ManagerstringGroup manager system ID.
ServiceNow.Group.UpdateddateDate/time the group was last updated.

Command Example#

!servicenow-query-groups group_name=test1

Context Example#

{}

Human Readable Output#

No groups found.

servicenow-query-users#


Queries the sys_user table in ServiceNow.

Base Command#

servicenow-query-users

Input#

Argument NameDescriptionRequired
user_idQuery by user system ID.Optional
user_nameQuery by username.Optional
queryQuery by specified query, for more information about querying in ServiceNow, see https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/use/common-ui-elements/reference/r_OpAvailableFiltersQueries.htmlOptional
limitMaximum number of query results. Default is 10.Optional
offsetStarting record index to begin retrieving records from.Optional

Context Output#

PathTypeDescription
ServiceNow.User.IDstringUser system ID.
ServiceNow.User.NamestringUser name (first and last).
ServiceNow.User.UserNamestringUser username.
ServiceNow.User.EmailstringUser email address.
ServiceNow.User.CreateddateDate/time the user was created.
ServiceNow.User.UpdateddateDate/time the user was last updated.

Command Example#

!servicenow-query-users user_name=sean.bonnet

Context Example#

{
"ServiceNow": {
"User": {
"Created": "2012-02-18 03:04:50",
"Email": "sean.bonnet@example.com",
"ID": "id",
"Name": "Sean Bonnet",
"Updated": "2020-04-25 19:01:46",
"UserName": "sean.bonnet"
}
}
}

Human Readable Output#

ServiceNow Users#

IDNameUser NameEmailCreatedUpdated
idSean Bonnetsean.bonnetsean.bonnet@example.com2012-02-18 03:04:502020-04-25 19:01:46

servicenow-get-table-name#


Gets table names by a label to use in commands.

Base Command#

servicenow-get-table-name

Input#

Argument NameDescriptionRequired
labelThe table label, for example: Asset, Incident, IP address, and so on.Required
limitMaximum number of query results. Default is 10.Optional
offsetStarting record index to begin retrieving records from.Optional

Context Output#

PathTypeDescription
ServiceNow.Table.IDstringTable system ID.
ServiceNow.Table.NamestringTable name to use in commands, for example: alm_asset.
ServiceNow.Table.SystemNamestringTable system name, for example: Asset.

Command Example#

!servicenow-get-table-name label=ACE

Context Example#

{
"ServiceNow": {
"Table": {
"ID": "id",
"Name": "cmdb_ci_lb_ace",
"SystemName": "CMDB CI Lb Ace"
}
}
}

Human Readable Output#

ServiceNow Tables for label - ACE#

IDNameSystem Name
idcmdb_ci_lb_aceCMDB CI Lb Ace

servicenow-get-ticket-notes#


Gets notes from the specified ServiceNow ticket. "Read permissions" are required for the sys_journal_field table.

Base Command#

servicenow-get-ticket-notes

Input#

Argument NameDescriptionRequired
idTicket System ID.Required
limitMaximum number of ticket notes. Default is 10.Optional
offsetOffset of the ticket notes.Optional

Context Output#

PathTypeDescription
ServiceNow.Ticket.IDstringTicket ID.
ServiceNow.Ticket.Note.ValueunknownTicket note value.
ServiceNow.Ticket.Note.CreatedOndateDate/time the ticket note was created.
ServiceNow.Ticket.Note.CreatedBystringUser that created the ticket note.
ServiceNow.Ticket.Note.TypestringTicket note type.

Command Example#

!servicenow-get-ticket-notes id=id

Context Example#

{
"ServiceNow": {
"Ticket": {
"ID": "id",
"Note": [
{
"CreatedBy": "admin",
"CreatedOn": "2020-01-26 00:43:54",
"Type": "Comment",
"Value": "JavaScript error (line 202) on the home page. Not sure what is\n\t\t\tgoing on, does not happen on my Windows machine!\n\t\t"
},
{
"CreatedBy": "admin",
"CreatedOn": "2020-04-17 23:12:43",
"Type": "Comment",
"Value": "Added an attachment"
},
{
"CreatedBy": "admin",
"CreatedOn": "2020-05-10 09:04:15",
"Type": "Work Note",
"Value": "[code]<a class=\"web\" target=\"_blank\" href=\"http://www.demisto.com\" >demsito_link</a>[/code]"
},
{
"CreatedBy": "admin",
"CreatedOn": "2020-05-10 09:04:18",
"Type": "Work Note",
"Value": "Nice work!"
}
]
}
}
}

Human Readable Output#

ServiceNow notes for ticket 471d4732a9fe198100affbf655e59172#

ValueCreated OnCreated ByType
JavaScript error (line 202) on the home page. Not sure what is
going on, does not happen on my Windows machine!
2020-01-26 00:43:54adminComment
Added an attachment2020-04-17 23:12:43adminComment
[code]demsito_link[/code]2020-05-10 09:04:15adminWork Note
Nice work!2020-05-10 09:04:18adminWork Note

servicenow-add-tag#


Adds a tag to a ticket. The tag will be visible in the label_entry table and can be retrieved using the "!servicenow-query-table table_name=label_entry fields=title,table,sys_id,id_display,id_type" command.

Base Command#

servicenow-add-tag

Input#

Argument NameDescriptionRequired
idTicket System ID.Required
tag_idTag system ID. Can be retrieved using the "!servicenow-query-table table_name=label fields=name,active,sys_id" command.Required
titleTag title. For example: "Incident - INC000001".Required
ticket_typeTicket type. Can be "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional

Context Output#

PathTypeDescription
ServiceNow.Ticket.IDStringThe unique ticket identifier.
ServiceNow.Ticket.TagTitleStringTicket tag title.
ServiceNow.Ticket.TagIDStringTicket tag ID.

servicenow-query-items#


Queries the sc_cat_item table in ServiceNow.

Base Command#

servicenow-query-items

Input#

Argument NameDescriptionRequired
nameQuery by name. Does not require an exact match.Optional
offsetStarting record index to begin retrieving records from.Optional
limitMaximum number of query results. Default is 10.Optional

Context Output#

PathTypeDescription
ServiceNow.CatalogItem.IDStringCatalog item system ID.
ServiceNow.CatalogItem.NameStringCatalog item name.
ServiceNow.CatalogItem.DescriptionStringCatalog item description.
ServiceNow.CatalogItem.PriceNumberCatalog item price.

Command Example#

!servicenow-query-items name=laptop limit=2

Context Example#

{
"ServiceNow": {
"CatalogItem": [
{
"Description": "Lenovo - Carbon x1",
"ID": "id",
"Name": "Standard Laptop",
"Price": "1100"
},
{
"Description": "Dell XPS 13",
"ID": "id",
"Name": "Development Laptop (PC)",
"Price": "1100"
}
]
}
}

Human Readable Output#

ServiceNow Catalog Items#

IDNamePriceDescription
idStandard Laptop1100Lenovo - Carbon x1
idDevelopment Laptop (PC)1100Dell XPS 13

servicenow-get-item-details#


Retrieves item details by system ID.

Base Command#

servicenow-get-item-details

Input#

Argument NameDescriptionRequired
idCatalog item system ID.Required

Context Output#

PathTypeDescription
ServiceNow.CatalogItem.IDStringCatalog item system ID.
ServiceNow.CatalogItem.NameStringCatalog item name.
ServiceNow.CatalogItem.DescriptionStringCatalog item description.
ServiceNow.CatalogItem.PriceNumberCatalog item price.
ServiceNow.CatalogItem.Variables.MandatoryBooleanIs the variable mandatory as part of the ordering process.
ServiceNow.CatalogItem.Variables.NameStringA name to identify the question.
ServiceNow.CatalogItem.Variables.QuestionStringQuestion to ask users ordering the catalog item.
ServiceNow.CatalogItem.Variables.TypeStringThe variable type.

Command Example#

!servicenow-get-item-details id=id

Context Example#

{
"ServiceNow": {
"CatalogItem": {
"Description": "Dell XPS 13",
"ID": "id",
"Name": "Development Laptop (PC)",
"Price": "$1,000.00",
"Variables": [
{
"Mandatory": false,
"Name": "hard_drive",
"Question": "What size solid state drive do you want?",
"Type": "Multiple Choice"
},
{
"Mandatory": false,
"Name": "requested_os",
"Question": "Please specify an operating system",
"Type": "Multiple Choice"
}
]
}
}
}

Human Readable Output#

ServiceNow Catalog Item#

IDNameDescription
idDevelopment Laptop (PC)Dell XPS 13

Item Variables#

QuestionTypeNameMandatory
What size solid state drive do you want?Multiple Choicehard_drivefalse
Please specify an operating systemMultiple Choicerequested_osfalse

servicenow-create-item-order#


Orders the specified catalog item.

Base Command#

servicenow-create-item-order

Input#

Argument NameDescriptionRequired
idCatalog item system ID.Required
quantityQuantity of the item to order.Required
variablesIf there are mandatory variables defined for the item, they must be passed to the endpoint. Can be retrieved using the servicenow-get-item-details command. For example, var1=value1;var2=value2.Optional

Context Output#

PathTypeDescription
ServiceNow.OrderRequest.IDStringGenerated request system ID.
ServiceNow.OrderRequest.RequestNumberStringNumber of the generated request.

Command Example#

!servicenow-create-item-order id=id quantity=1 variables="hard_drive=16GB;requested_os=linux"

Context Example#

{
"ServiceNow": {
"OrderRequest": {
"ID": "id",
"RequestNumber": "REQ0010004"
}
}
}

Human Readable Output#

ServiceNow Order Request#

IDRequest Number
idREQ0010004

servicenow-document-route-to-queue#


Documents a route to a queue. Requires an installation of the Advanced Work Assignments plugin. An active queue and service channel to the designated table.

Base Command#

servicenow-document-route-to-queue

Input#

Argument NameDescriptionRequired
queue_idQueue ID. Can be retrieved using the "!servicenow-query-table table_name=awa_queue fields=name,number,order" command.Required
document_tableDocument table.Optional
document_idDocument ID.Required

Context Output#

PathTypeDescription
ServiceNow.WorkItem.WorkItemIDStringUnique ID of the work item assigned to the queue.
ServiceNow.WorkItem.DocumentTableStringName of the table associated with the document
ServiceNow.WorkItem.DocumentIDStringUnique ID of the document to be routed to the queue.
ServiceNow.WorkItem.QueueIDStringUnique ID of the queue on which to route a document.
ServiceNow.WorkItem.DisplayNameStringName of the document to be routed by this work item, for example: case record.

get-mapping-fields#


Returns the list of fields for an incident type. This command is for debugging purposes.

Base Command#

get-mapping-fields

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

get-remote-data#


Get remote data from a remote incident. This method does not update the current incident, and should be used for debugging purposes.

Base Command#

get-remote-data

Input#

Argument NameDescriptionRequired
idThe ticket ID.Required
lastUpdateRetrieve entries that were created after lastUpdate.Required

Context Output#

There is no context output for this command.

Troubleshooting#

  • Ensure that the date and time in SNOW are the same as the date and time in XSOAR to prevent mirroring issues.
  • If the date displayed in the layout is incorrect, please follow these steps to resolve the issue:
  1. Navigate to the incoming-mapper which you are using.
  2. In every field which uses the DateStringToISOFormat script, change the argument dayfirst to be true.