Details
Content
Dependencies
Version History

Use The ServiceNow IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users.

Cortex XSOAR interfaces with ServiceNow to help streamline security-related service management and IT operations.

The data in ServiceNow tickets can be mirrored to Cortex XSOAR so that you can track the status and information in the task.
You can also provide comments or attachments in Cortex XSOAR which will appear in ServiceNow.

What does this pack do?

View, create, update, or delete a ServiceNow ticket directly from Cortex XSOAR and enrich it with Cortex XSOAR data.
View, create, update, and delete records from any ServiceNow table.
Query ServiceNow data with the ServiceNow query syntax.
Enables users to fetch Events from ServiceNow platform into Cortex XSIAM.
Log Normalization - XDM mapping for key event types

As part of this pack, you will also get two out-of-the-box layouts so that you can visualize ServiceNow ticket information in Cortex XSOAR.

The Create ServiceNow Ticket playbook provides an example for how to use the Mirror ServiceNow Ticket playbook to mirror data and the ServiceNow Ticket State Polling sub-playbook to track when the ticket closes.

Pack Contributors:

Torbjørn Lium

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Cortex interfaces with ServiceNow to help streamline security-related service management and IT operations.

The data in ServiceNow tickets can be mirrored to Cortex so that you can track the status and information in the task.
You can also provide comments or attachments in Cortex which will appear in ServiceNow.

What does this pack do?

View, create, update, or delete a ServiceNow ticket directly from Cortex and enrich it with Cortex data.
View, create, update, and delete records from any ServiceNow table.
Query ServiceNow data with the ServiceNow query syntax.
Enables users to fetch Events from ServiceNow platform into Cortex XSIAM.
Log Normalization - XDM mapping for key event types

Supported Event Types:

Audit
Syslog Transactions

Configure ServiceNow Event Collector on XSIAM Tenant

Go to Settings > Configurations > Automation & Feed Integrations.
Search for ServiceNow Event Collector
Click Add instance.
Insert the ServiceNow URL.
Insert your credentials (user name and password).
Scroll down to the Collect section.
Mark Fetch Events and select the desire event types to fetch (Audit and Syslog Transactions)

For more information on ServiceNow platform

Pack Contributors:

Torbjørn Lium

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Automations

Name	Description
ServiceNowAddComment	Use this script to add a comment or work note to a ServiceNow ticket. To be run within the incident.
ServiceNowQueryIncident	This script is used to wrap the generic query-table command in ServiceNow. You can add fields that you want to use as inputs and outputs from the record as script arguments or in the code and work with the records easily.
ServiceNowCreateIncident	This script is used to wrap the generic create-record command in ServiceNow. You can add fields that you want to create the record with as script arguments or in the code and work with the records easily.
ServiceNowUpdateIncident	This script is used to wrap the generic update-record command in ServiceNow. You can add fields that you want to update the record with as script arguments or in the code and work with the records easily.
ServiceNowIncidentStatus	populates the value of the ServiceNow Ticket State field and display it in a layout widget.

Classifiers

Name	Description
ServiceNow Classifier	Classifies ServiceNow tickets.
User Profile - ServiceNow (Outgoing)	Maps a User Profile data to a ServiceNow user data.
ServiceNow - Outgoing Mapper	Maps outgoing ServiceNow incident Fields.
ServiceNow Create Ticket - Outgoing Mapper	Maps outgoing ServiceNow incidents fields for ServiceNow create ticket and mirror playbook
ServiceNow Create Ticket - Incoming Mapper	Maps incoming ServiceNow incidents fields for ServiceNow create ticket and mirror playbook
User Profile - ServiceNow (Incoming)	Maps a ServiceNow user data to a User Profile data.
ServiceNow - Incoming Mapper	Maps incoming ServiceNow incidents fields.

Incident Fields

Name	Description
ServiceNow Closed Date	The ticket closed date
ServiceNow Resolution Code	Resolution Code Of ServiceNow Ticket
ServiceNow Escalation	ServiceNow Escalation
ServiceNow Due Date	ServiceNow Due Date
ServiceNow Business Impact	ServiceNow ticket Business Impact
ServiceNow Ticket ID
ServiceNow Assigned To	Ticket assignee
ServiceNow Severity	ServiceNow Severity
ServiceNow Resolved Time	The ticket resolved time
ServiceNow Closed By	User who closed ServiceNow Incident
ServiceNow SIR Category	ServiceNow SIR Category
ServiceNow State	The ticket state
ServiceNow Assignment Group	ServiceNow Assignment Group
ServiceNow Impact	ServiceNow ticket Impact
ServiceNow Category	ServiceNow Category
ServiceNow SIR State	The SIR ticket state
ServiceNow Caller ID	ServiceNow Caller who opened the ticket.
ServiceNow Opened Date	The ticket opened date
ServiceNow Ticket Number	ServiceNow Ticket Number
ServiceNow Caller	ServiceNow Caller who opened the ticket.
ServiceNow Resolution Notes	ServiceNow Resolution Notes
ServiceNow Notify
ServiceNow Description	Ticket description
ServiceNow Attack Vector
ServiceNow Urgency	ServiceNow ticket urgency.
ServiceNow Priority	ServiceNow Ticket Priority

Incident Types

Name	Description
ServiceNow SIR Incident
ServiceNow Ticket
ServiceNow Create Ticket and Mirror

Integrations

Name	Description
ServiceNow (Deprecated)	Deprecated. Use the ServiceNow v2 integration instead.
ServiceNow CMDB	ServiceNow CMDB is a service‑centric foundation that proactively analyzes service‑impacting changes, identifies issues, and eliminates outages.
ServiceNow IAM	Integrate with ServiceNow's services to execute CRUD operations for employee lifecycle processes.
ServiceNow v2	Use The ServiceNow IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users.

Layouts

Name	Description
ServiceNow Ticket
ServiceNow SIR Incident
ServiceNow Create Ticket and Mirror

Playbooks

Name	Description
Mirror ServiceNow Ticket	Mirror ServiceNow Ticket is designed to serve as a sub-playbook, which enables ticket mirroring with ServiceNow. It enables you to manage ServiceNow tickets in Cortex xSOAR while data is continuously synced between ServiceNow and Cortex xSOAR, including ServiceNow schema, fields, comments, work notes, and attachments. To enable OOTB mirroring, use the ServiceNow Create ticket - common mappers for incoming and outgoing mirroring. FieldPolling - You can the FieldPolling value to true if you only want to be informed when the ticket is resolved or closed. If FieldPolling is set to true, the FieldPolling Playbook will poll for the state(ServiceNow State field) of the ServiceNow ticket until it marks as either resolved or closed. In Addition to the playbook, we recommend that you use the included layout for ServiceNow Ticket, which helps visualize ServiceNow ticket information in Cortex xSOAR. You can add the new layout as a tab to existing layouts using the Edit Layout page.
Create ServiceNow Ticket	Create ServiceNow Ticket allows you to open new tickets as a task from a parent playbook. When creating the ticket, you can decide to update based on on the ticket's state, which will wait for the ticket to resolve or close with StatePolling. Alternatively, you can select to mirror the ServiceNow ticket and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: StatePolling Mirror Leave Blank to use none.
ServiceNow - Ticket Management	`ServiceNow - Ticket Management` allows you to open a new ticket or comment on an existing ticket.
ServiceNow Ticket State Polling	Use ServiceNow Incident State Polling as a sub-playbook when required to pause the execution of a master playbook until the ServiceNow ticket state is either resolved or closed. This playbook implements polling by continuously running the servicenow-get-ticket command until the state is either resolved or closed.
ServiceNow CMDB Search	Subplaybook for finding CI records in ServiceNow CMDB.

Automations

Name	Description
ServiceNowIncidentStatus	populates the value of the ServiceNow Ticket State field and display it in a layout widget.
ServiceNowAddComment	Use this script to add a comment or work note to a ServiceNow ticket. To be run within the incident.
ServiceNowQueryIncident	This script is used to wrap the generic query-table command in ServiceNow. You can add fields that you want to use as inputs and outputs from the record as script arguments or in the code and work with the records easily.
ServiceNowCreateIncident	This script is used to wrap the generic create-record command in ServiceNow. You can add fields that you want to create the record with as script arguments or in the code and work with the records easily.
ServiceNowUpdateIncident	This script is used to wrap the generic update-record command in ServiceNow. You can add fields that you want to update the record with as script arguments or in the code and work with the records easily.

Classifiers

Name	Description
ServiceNow Classifier	Classifies ServiceNow tickets.
ServiceNow - Outgoing Mapper	Maps outgoing ServiceNow incident Fields.
ServiceNow Create Ticket - Incoming Mapper	Maps incoming ServiceNow incidents fields for ServiceNow create ticket and mirror playbook
ServiceNow Create Ticket - Outgoing Mapper	Maps outgoing ServiceNow incidents fields for ServiceNow create ticket and mirror playbook
ServiceNow - Incoming Mapper	Maps incoming ServiceNow incidents fields.
User Profile - ServiceNow (Outgoing)	Maps a User Profile data to a ServiceNow user data.
User Profile - ServiceNow (Incoming)	Maps a ServiceNow user data to a User Profile data.

Incident Fields

Name	Description
ServiceNow SIR State	The SIR ticket state
ServiceNow State	The ticket state
ServiceNow Notify
ServiceNow Assigned To	Ticket assignee
ServiceNow Resolution Code	Resolution Code Of ServiceNow Ticket
ServiceNow SIR Category	ServiceNow SIR Category
ServiceNow Due Date	ServiceNow Due Date
ServiceNow Caller	ServiceNow Caller who opened the ticket.
ServiceNow Assignment Group	ServiceNow Assignment Group
ServiceNow Closed Date	The ticket closed date
ServiceNow Priority	ServiceNow Ticket Priority
ServiceNow Resolution Notes	ServiceNow Resolution Notes
ServiceNow Description	Ticket description
ServiceNow Resolved Time	The ticket resolved time
ServiceNow Caller ID	ServiceNow Caller who opened the ticket.
ServiceNow Impact	ServiceNow ticket Impact
ServiceNow Ticket ID
ServiceNow Ticket Number	ServiceNow Ticket Number
ServiceNow Severity	ServiceNow Severity
ServiceNow Urgency	ServiceNow ticket urgency.
ServiceNow Business Impact	ServiceNow ticket Business Impact
ServiceNow Closed By	User who closed ServiceNow Incident
ServiceNow Attack Vector
ServiceNow Escalation	ServiceNow Escalation

Incident Types

Name	Description
ServiceNow Ticket
ServiceNow Create Ticket and Mirror
ServiceNow SIR Incident

Integrations

Name	Description
ServiceNow v2	Use The ServiceNow IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users.
ServiceNow Event Collector	Use this integration to fetch audit and syslog transactions logs from ServiceNow as Cortex XSIAM events.
ServiceNow CMDB	ServiceNow CMDB is a service‑centric foundation that proactively analyzes service‑impacting changes, identifies issues, and eliminates outages.
ServiceNow IAM	Integrate with ServiceNow's services to execute CRUD operations for employee lifecycle processes.
ServiceNow (Deprecated)	Deprecated. Use the ServiceNow v2 integration instead.

Modeling Rules

Name	Description
ServiceNow ServiceNow Modeling Rule

Playbooks

Name	Description
Mirror ServiceNow Ticket	Mirror ServiceNow Ticket is designed to serve as a sub-playbook, which enables ticket mirroring with ServiceNow. It enables you to manage ServiceNow tickets in Cortex xSOAR while data is continuously synced between ServiceNow and Cortex xSOAR, including ServiceNow schema, fields, comments, work notes, and attachments. To enable OOTB mirroring, use the ServiceNow Create ticket - common mappers for incoming and outgoing mirroring. FieldPolling - You can the FieldPolling value to true if you only want to be informed when the ticket is resolved or closed. If FieldPolling is set to true, the FieldPolling Playbook will poll for the state(ServiceNow State field) of the ServiceNow ticket until it marks as either resolved or closed. In Addition to the playbook, we recommend that you use the included layout for ServiceNow Ticket, which helps visualize ServiceNow ticket information in Cortex xSOAR. You can add the new layout as a tab to existing layouts using the Edit Layout page.
Create ServiceNow Ticket	Create ServiceNow Ticket allows you to open new tickets as a task from a parent playbook. When creating the ticket, you can decide to update based on on the ticket's state, which will wait for the ticket to resolve or close with StatePolling. Alternatively, you can select to mirror the ServiceNow ticket and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: StatePolling Mirror Leave Blank to use none.
ServiceNow Ticket State Polling	Use ServiceNow Incident State Polling as a sub-playbook when required to pause the execution of a master playbook until the ServiceNow ticket state is either resolved or closed. This playbook implements polling by continuously running the servicenow-get-ticket command until the state is either resolved or closed.
ServiceNow - Ticket Management	`ServiceNow - Ticket Management` allows you to open a new ticket or comment on an existing ticket.
ServiceNow CMDB Search	Subplaybook for finding CI records in ServiceNow CMDB.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

2.7.2 - 1834150 (December 18, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 37672

Download

2.7.1 - 1769513 (December 8, 2024)

Integrations

ServiceNow v2

Mirror related fields removed in XSIAM context.

Related pull requests:
- 37586

Download

2.7.0 - R1709192 (November 26, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 36880

Download

2.6.14 - 1647729 (November 14, 2024)

Integrations

ServiceNow v2

Updated the Docker image to: demisto/python3:3.11.10.115186.

Scripts

ServiceNowAddComment

Updated the Docker image to: demisto/python3:3.11.10.115186.

ServiceNowUpdateIncident

Updated the Docker image to: demisto/python3:3.11.10.115186.

ServiceNowCreateIncident

Updated the Docker image to: demisto/python3:3.11.10.115186.

ServiceNowQueryIncident

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37147
- 37137
- 37136
- 37140
- 37138
- 37139

Download

2.6.13 - R1631266 (November 12, 2024)

Integrations

ServiceNow IAM

Updated the Docker image to: demisto/python3:3.11.10.113941.

ServiceNow CMDB

Updated the Docker image to: demisto/python3:3.11.10.113941.

Scripts

ServiceNowIncidentStatus

Updated the Docker image to: demisto/python3:3.11.10.113941.

ServiceNowQueryIncident

Updated the Docker image to: demisto/python3:3.11.10.113941.

ServiceNowUpdateIncident

Updated the Docker image to: demisto/python3:3.11.10.113941.

ServiceNowCreateIncident

Updated the Docker image to: demisto/python3:3.11.10.113941.

Related pull requests:
- 37006
- 36995
- 36994
- 36998
- 36993
- 36992
- 36997

Download

2.6.12 - 1584792 (November 3, 2024)

Integrations

ServiceNow v2

Updated the docker image to: demisto/python3:3.11.10.113941.
Added the servicenow-get-attachments command, which retrieves attachments from tickets.
Fixed an issue where in some cases the access token could not be retrieved.

Related pull requests:
- 37025

Download

2.6.10 - 1559973 (October 29, 2024)

Scripts

ServiceNowAddComment

Updated the Docker image to: demisto/python3:3.11.10.113941.

Related pull requests:
- 36826

Download

2.6.9 - 1414617 (September 22, 2024)

Integrations

ServiceNow v2

Documentation and metadata improvements.

Related pull requests:
- 36275

Download

2.6.8 - 1373264 (September 11, 2024)

Integrations

ServiceNow v2

Documentation and metadata improvements.

ServiceNow CMDB

Documentation and metadata improvements.

2.6.2 - R1051712 (May 28, 2024)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 34212

Download

2.6.1 - R958204 (April 15, 2024)

Integrations

ServiceNow v2

Fixed an issue in servicenow-update-ticket, where ticket_type had an interfering default value.

Related pull requests:
- 33840

Download

2.6.0 - 951066 (April 11, 2024)

Fixed an issue where the default ticket_type was not taken from the instance configuration.
Updated the Docker image to: demisto/python3:3.10.14.90585.

Scripts

ServiceNowAddComment

Fixed an issue where the default ticket_type was not taken from the instance configuration.
Updated the Docker image to: demisto/python3:3.10.14.90585.

Related pull requests:
- 33524

Download

2.5.62 - 913451 (March 25, 2024)

Integrations

ServiceNow CMDB

Maintenance and stability enhancements.
Updated the Docker image to: demisto/python3:3.10.13.89873.

ServiceNow IAM

Maintenance and stability enhancements.
Updated the Docker image to: demisto/python3:3.10.13.89873.

Related pull requests:
- 31905

Download

2.5.61 - 909962 (March 24, 2024)

Integrations

ServiceNow v2

Added a new command servicenow-delete-file to delete attachment file from a ticket.

Related pull requests:
- 33365

Download

2.5.60 - 897231 (March 18, 2024)

Integrations

ServiceNow v2

Fixed an issue where the get-remote-data (mirroring) command was not returning the display values for all fields when the Use display values option was enabled.
Updated the Docker image to: demisto/python3:3.10.13.89009.

Mappers

ServiceNow - Incoming Mapper

Fixed an issue in the ServiceNow incoming mapper where the severity field was not being mapped correctly from ServiceNow.

Related pull requests:
- 33341

Download

2.5.59 - 891799 (March 14, 2024)

Integrations

ServiceNow v2

Fixed an issue where the default value of table_name was not taken from the instance configuration.

Scripts

ServiceNowAddComment

Fixed an issue where the default value of table_name was not taken from the instance configuration.
Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 33228

Download

2.5.58 - 890229 (March 14, 2024)

Integrations

ServiceNow v2

Added the add_as_entry argument to the servicenow-get-ticket-notes command to optionally add ticket notes and work notes as notes in the War Room.
Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 33319

Download

2.5.57 - 867923 (March 4, 2024)

Integrations

ServiceNow v2

Added support for a new time format: mmm-dd-yyyy i.e., Dec-07-2022 00:38:52.

Related pull requests:
- 33124

Download

2.5.56 - 865942 (March 4, 2024)

Integrations

ServiceNow v2

Fixed an issue where the Instance Date Format was not properly set for the fetch incidents.
Updated the Docker image to: demisto/python3:3.10.13.88772.

Related pull requests:
- 33058

Download

2.5.55 - 846375 (February 22, 2024)

Integrations

ServiceNow v2

Fixed an issue where mirroring did not update fields that were updated before adding the mirroring fields to the incident.

Related pull requests:
- 33065

Download

2.5.54 - 841209 (February 20, 2024)

Integrations

ServiceNow v2

Fixed an issue where the servicenow-upload-file command failed in case the file name contained invalid characters.
Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32990

Download

2.5.53 - 836299 (February 18, 2024)

Scripts

ServiceNowIncidentStatus

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32446

Download

2.5.52 - R828628 (February 14, 2024)

Integrations

ServiceNow v2

Added the argument force_default_url to the command servicenow-create-co-from-template, which will ignore the api version configured in the instance configuration when set to true.
Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32505

Download

2.5.51 - 784509 (January 25, 2024)

Integrations

ServiceNow v2

Fixed an issue where the Use Display Value parameter would not be used while fetching incidents.
Updated the Docker image to: demisto/python3:3.10.13.85667.

Related pull requests:
- 32372

Download

2.5.50 - 778227 (January 22, 2024)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 32331

Download

2.5.49 - 741559 (January 4, 2024)

Integrations

ServiceNow v2

Fixed an issue where in some cases the incoming mirroring delete the assigned user when the update times weren't synced.

Related pull requests:
- 31351

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 7, 2020
Last Release	December 18, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.