ServiceNow Incident Connector Guide

How to set up and use the ServiceNow Incident connector in RiskSense.

Updated February 16, 2022.

Overview

The RiskSense platform provides a connector that integrates with ServiceNow Incident for ticket creation from the RiskSense platform. RiskSense users can create tickets to a specific project when configuring the connector. The ServiceNow user credentials used in the connector configuration should have create, read, and write permissions to the specific project to create tickets and subsequently query ticket status from the ServiceNow ticket. When creating a ticket, the connector allows a user to create a ticket on a single vulnerability, multiple vulnerabilities for applications, hosts, application findings, or host findings.

User Prerequisites/ServiceNow Incident Setup

Refer to the following KB link for the user permissions required for configuring the ServiceNow Incident Connector.

Configuring the ServiceNow Incident Connector in RiskSense

Navigate to the Automate > Integrations page.

Navigation - Automation - Integrations-2

Using the search bar in the upper-right corner of the Integrations page, type ServiceNow to find the connector.

ServiceNow Incident - Search for Connector

Locate the ServiceNow Incident card on the page and click Configuration.

Complete the required fields in the new window under Connection, as described below.

  • Connector Name: The name of the connector instance.
  • Username: The user's username that has access to the ServiceNow instance.
  • Password: Password of the user that has access to the ServiceNow instance.
  • Location (URL): The URL of the ServiceNow instance.

ServiceNow Incident - Connection Window

Click the Test Credentials button to ensure the credentials are correct and have the necessary access to make ServiceNow Incident API calls.

Under Connector Specific Options, RiskSense makes dynamic calls to pull information from ServiceNow Incident.

Templates: This dropdown lists all available templates from ServiceNow Incident. Users can choose to add more than one template as well.

ServiceNow Incident - Connector Specific Options - Templates

Default Template: Users can select the default template available from the selected templates. On selecting the default template, the user can use this pre-defined template during ticket creation to complete the incident form.

Current Templates: All pre-defined values part of each template are provided here. Users can choose between which template to be better used and can also Lock Template Fields. By locking these fields, other users will not be able to edit any of the template fields during ticket creation.

ServiceNow Incident - Default and Current Templates

Connector Fields: RiskSense will fetch all the available fields from the Incident connector. By default, it shows some mandatory fields; on typing in the search box, RiskSense will fetch all the available supported optional fields.

ServiceNow Incident - Connector Fields

Suppose the user selects the Use Plugin Information checkbox near the Short Description and Description fields. In that case, RiskSense will send plugin-related information as part of the corresponding fields in ServiceNow Incident. The plugin information includes the scanner, plugin ID, title, description, VRR, and vulnerabilities associated with the plugin. If the ticket is associated with a single finding, the ticket also includes asset information. Users can provide a custom Short Description and Description for the ticket or populate these fields with plugin information automatically.

ServiceNow Incident - Use Plugin Information

Tag Name Sync Field: Choosing a field from this dropdown will replace that field with the RiskSense Tag name when a ticket is created.

RiskSense Defaults: Users can select default values for RiskSense fields.

  • Tag Type: The user can choose the default tag type. While creating a ticket in the Create Ticket popup, the tag type field will be pre-populated with the chosen value. If the user wishes to override them, it is also possible in the connector form or the Create Ticket popup.
  • SLA Date: This dropdown provides a list of ServiceNow Incident fields that the user would like to map the SLA date from RiskSense. If the ticket is associated with more than one finding, the earliest due date applied among those findings would be listed as the SLA Date on the ticket.

Fields for Ticket Description: Select the fields that will appear in the ticket description. These are the fields that appear on the Tags page.

ServiceNow Incident - Fields for Ticket Description

Unsupported Fields: These fields are not currently supported for this connector integration.

ServiceNow Incident - Unsupported Fields

Ticket Attachments: In this section, the ability to attach asset details and findings as Ticket Attachments and allow the deletion of tags associated with the connector option is available.

ServiceNow Incident - Ticket Attachments

Ticket Status Settings:

  • Ticket Sync Status: This dropdown has a list of statuses from ServiceNow Incident. RiskSense will send updates (comments/attachments) only for the selected statuses.
  • Close Status: If the user wishes to move a ServiceNow Incident ticket to a selected status when all the associated findings for a ticket are in a Closed state in RiskSense, then the user needs to select the status and mark the checkbox. RiskSense will not send updates to this status.

Note: The status selected for Ticket Sync Status and Close Status should not be the same.

ServiceNow Incident - Ticket Status Settings

Click Save to enable the connector.

Creating a ServiceNow Incident Ticket

After configuring the ServiceNow Incident connector, you can view information about it from the following list views.

  • Hosts
  • Host Findings
  • Applications
  • Application Findings
  • Tags

To create a ticket, the user must have the ability to create a ticket on any selected application or host vulnerabilities. First, select at least one finding. Next, click the More button and choose the Create Ticket option.

ServiceNow Incident - Create Ticket Menu Location

In the Create Ticket window, choose the ServiceNow Incident connector. After selecting the connector, the Create New Ticket window appears. In the Connector form, if the user has chosen the default value for Tag Type and the SLA date, then the selected values will be prepopulated here. If the user would like to override the chosen tag type, they can select from the dropdown. The SLA date field can also be overridden.

ServiceNow Incident - Create New Ticket Window

Once the ticket is created, it will take some time to reflect in the system. Click on the ticket icon in the findings detailed pane, and the user will see the ticketing system with the ticket number, which is a link to the ticket in ServiceNow Incident along with the current state of the ticket in the ticketing system.

ServiceNow Incident - Host Finding Detail

If Use Plugin information is chosen, the ticket will look like the one below when a finding is associated with a ticket. Users can choose multiple findings, as well.

The following screenshot shows what the Description and Short Description look like in the ServiceNow Incident ticket.

ServiceNow Incident - Description and Short Description

If there is more than one finding, each associated plugin’s information will be added to the ticket until the maximum character limit is reached.

Use the Has Ticket filter in a list view to see all vulnerabilities with a ticket assigned.

ServiceNow Incident - Has Ticket Filter