ServiceNow Incident Management Integration with Zero Trust Alerts
Support Statement
This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.
Ransomware Defender and Easy Auditor ServiceNow Webhook Alarm to Incident Integration
This integration shows how to configure Ransomware Defender and Easy Auditor webhook alarms to create incidents in ServiceNow and include the alert details in the description.
This is a basic example only and requires customization to map fields in the webhook payload to specific ServiceNow fields.
How to Configure
- Using the ServiceNow community guide on webhook integration, create a ServiceNow Scripted REST Resource Webhook.
- Use the sample Scripted REST configuration described below.
Sample Scripted REST API Webhook
Features:
- Creates new incidents for each incoming alert
- Updates existing incidents when event IDs match — documents state changes in working notes showing the history of the event
- Monitor mode — creates incidents in a closed state, preserving work note history without generating open tickets for testing
Download the integration code here. Open the file and copy and paste the script text into the endpoint script editor.
Steps to Use the Endpoint with Defender Webhooks
- Paste the script into the resource script editor and save.
- Disable security on the endpoint for the testing phase only; re-enable it before the endpoint receives production alerts.
- Get the endpoint URL for the webhook. The resource path format is:
  https://yourInstance.service-now.com/<resource_Path>
  The resource path is displayed in the script editor after saving.
- Configure the webhook in the Ransomware Defender Zero Trust UI:
  - Non-authenticated endpoint: Add the HTTP header Content-Type: application/json
  - Authenticated endpoint: Add an Authorization: Basic <api_key> header using the API key provided by ServiceNow
- Click Save, then click the Test button.
- A successfully configured endpoint returns an incident number in the response.
Production Integration Steps
The code sample extracts variables from the Zero Trust Ransomware Defender payload and maps Severity fields to ServiceNow Impact and Urgency incident classifications. Modify the mapping as required.
The short description summarizes key security event data. You can extend this with additional customization to include other payload fields.
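The create-or-update logic from the feature list above and the Severity-to-Impact/Urgency mapping described here, written out as an added example that is not Superna's downloadable script. The payload field names (eventId, severity, state, user, share, timestamp) are assumed placeholders that must be mapped onto the real Zero Trust payload; the in-memory store stands in for GlideRecord('incident') so the logic can be exercised outside ServiceNow.

```javascript
// Added example, not Superna's downloadable script. Payload field names
// (eventId, severity, state, user, share, timestamp) are ASSUMED placeholders;
// in ServiceNow `store` would wrap GlideRecord('incident'), here it is in-memory.

// Map alert severity to Impact/Urgency (1 = High, 2 = Medium, 3 = Low);
// unknown or missing severities default to Low instead of failing the alert.
function mapSeverity(severity) {
  const s = String(severity || "").toLowerCase();
  if (s === "critical" || s === "high") return { impact: 1, urgency: 1 };
  if (s === "medium" || s === "warning") return { impact: 2, urgency: 2 };
  return { impact: 3, urgency: 3 };
}

// Short description summarising the key event data; extend with more fields.
function shortDescription(p) {
  return "Zero Trust " + p.severity + " alert " + p.eventId + ": user " + p.user + " on share " + p.share;
}
// Create an incident, or append a work note to the incident whose correlation_id
// already holds this event ID. monitorMode creates it in Closed (7) not New (1).
function handleAlert(payload, store, monitorMode) {
  if (!payload || !payload.eventId) return { status: 400, error: "missing eventId" };
  const note = "[" + payload.timestamp + "] state=" + payload.state + " severity=" + payload.severity;
  const existing = store.findByEventId(payload.eventId);
  if (existing) {
    store.addWorkNote(existing, note);
    return { status: 200, action: "updated", number: existing.number };
  }
  const sev = mapSeverity(payload.severity);
  const rec = store.insert({
    correlation_id: payload.eventId,
    short_description: shortDescription(payload),
    description: JSON.stringify(payload, null, 2),
    impact: sev.impact, urgency: sev.urgency,
    state: monitorMode ? 7 : 1,
  }, note);
  return { status: 201, action: "created", number: rec.number };
}
// In-memory stand-in for the incident table (constructed for this example).
function memoryStore() {
  const rows = [];
  return {
    findByEventId: (id) => rows.find((r) => r.correlation_id === id) || null,
    insert(fields, note) {
      const rec = Object.assign({ number: "INC" + String(rows.length + 1).padStart(7, "0"), work_notes: [note] }, fields);
      rows.push(rec); return rec;
    },
    addWorkNote(rec, note) { rec.work_notes.push(note); },
  };
}
```

The returned `number` is what the Test button in the Zero Trust UI displays on success; a repeated event ID adds a work note instead of opening a second incident.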
Example Incident Created with Zero Trust Webhook
Once configured, incidents are created in ServiceNow with the Zero Trust event details in the description and working notes. Example screenshots are available in the legacy portal.
Convert an Incident to a Security Incident and Update Affected CIs
Customers using the ServiceNow Security Incident Response module can convert Zero Trust-generated incidents into security incidents and assign CIs for the affected SMB or NFS exports. This allows full use of the Superna Zero Trust incident integration alongside the ServiceNow CMDB integration.
Requirements
- Configured Zero Trust webhook integration (see steps above)
- ServiceNow Security Incident and Response module installed
Convert an Incident to a Security Incident
- Open the incident created by the Zero Trust webhook script integration.
- Click the convert button on the right to convert the incident to a security incident. Business rules execute automatically, assigning a Security Incident Request (SIR) ID.
- Click the SIR number to view the new Security Incident.
Update Affected CIs to Indicate the Scope of the Security Incident
- Open the Security Incident Dashboard or the SIR record.
- Populate Security Incident fields using information from the incident description.
- Copy the affected user to the Affected User SIR field. If Active Directory users are synced to ServiceNow, you can search for the user to select from the list.
- Copy the affected SMB share name from the short description to look up the affected SMB Share CI in the CMDB.
  Note: The CMDB integration must be configured before you can search for SMB Share CIs.
- Click Add, search for the SMB share name listed in the short description of the Security Incident, and select the matching CI.