Details
Content
Dependencies
Version History

Use The ServiceNow IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users.

Cortex XSOAR interfaces with ServiceNow to help streamline security-related service management and IT operations.

The data in ServiceNow tickets can be mirrored to Cortex XSOAR so that you can track the status and information in the task.
You can also provide comments or attachments in Cortex XSOAR which will appear in ServiceNow.

What does this pack do?

View, create, update, or delete a ServiceNow ticket directly from Cortex XSOAR and enrich it with Cortex XSOAR data.
View, create, update, and delete records from any ServiceNow table.
Query ServiceNow data with the ServiceNow query syntax.
Enables users to fetch Events from ServiceNow platform into Cortex XSIAM.
Log Normalization - XDM mapping for key event types

As part of this pack, you will also get two out-of-the-box layouts so that you can visualize ServiceNow ticket information in Cortex XSOAR.

The Create ServiceNow Ticket playbook provides an example for how to use the Mirror ServiceNow Ticket playbook to mirror data and the ServiceNow Ticket State Polling sub-playbook to track when the ticket closes.

Pack Contributors:

Torbjørn Lium

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Cortex interfaces with ServiceNow to help streamline security-related service management and IT operations.

What does this pack do?

View, create, update, or delete a ServiceNow ticket directly from Cortex and enrich it with Cortex data.
View, create, update, and delete records from any ServiceNow table.
Query ServiceNow data with the ServiceNow query syntax.
Enables users to fetch Events from ServiceNow platform into Cortex XSIAM.
Log Normalization - XDM mapping for key event types

Supported Event Types

Audit
Syslog Transactions
Case

Configure ServiceNow Event Collector on XSIAM Tenant

Go to Settings > Configurations > Automation & Feed Integrations.
Search for ServiceNow Event Collector
Click Add instance.
Insert the ServiceNow URL.
Insert your credentials (user name and password).
Scroll down to the Collect section.
Mark Fetch Events and select the desire event types to fetch (Audit and Syslog Transactions)

Important

To use ServiceNow on Cortex XSIAM, ensure your user account has the rest_api_explorer and web_service_admin roles.
These roles are required to make API calls. To use the Case API endpoint, users must have one of the following roles:

csm_ws_integration
sn_customerservice.customer
sn_customerservice.consumer

For more information on ServiceNow platform

Pack Contributors:

Torbjørn Lium

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Automations

Name	Description
ServiceNowIncidentStatus	populates the value of the ServiceNow Ticket State field and display it in a layout widget.
ServiceNowQueryIncident	This script is used to wrap the generic query-table command in ServiceNow. You can add fields that you want to use as inputs and outputs from the record as script arguments or in the code and work with the records easily.
ServiceNowAddComment	Use this script to add a comment or work note to a ServiceNow ticket. To be run within the incident.
ServiceNowTroubleshoot	Troubleshot ServiceNow v2 integration by displaying health information of enabled instances and old and active incidents of disabled instances.
ServiceNowUpdateIncident	This script is used to wrap the generic update-record command in ServiceNow. You can add fields that you want to update the record with as script arguments or in the code and work with the records easily.
ServiceNowCreateIncident	This script is used to wrap the generic create-record command in ServiceNow. You can add fields that you want to create the record with as script arguments or in the code and work with the records easily.

Classifiers

Name	Description
ServiceNow Classifier	Classifies ServiceNow tickets.
User Profile - ServiceNow (Outgoing)	Maps a User Profile data to a ServiceNow user data.
ServiceNow Create Ticket - Incoming Mapper	Maps incoming ServiceNow incidents fields for ServiceNow create ticket and mirror playbook
ServiceNow - Incoming Mapper	Maps incoming ServiceNow incidents fields.
ServiceNow - Outgoing Mapper	Maps outgoing ServiceNow incident Fields.
User Profile - ServiceNow (Incoming)	Maps a ServiceNow user data to a User Profile data.
ServiceNow Create Ticket - Outgoing Mapper	Maps outgoing ServiceNow incidents fields for ServiceNow create ticket and mirror playbook

Incident Fields

Name	Description
ServiceNow Resolved Time	The ticket resolved time
ServiceNow SIR Category	ServiceNow SIR Category
ServiceNow Business Impact	ServiceNow ticket Business Impact
ServiceNow Resolution Notes	ServiceNow Resolution Notes
ServiceNow Severity	ServiceNow Severity
ServiceNow Caller	ServiceNow Caller who opened the ticket.
ServiceNow Closed Date	The ticket closed date
ServiceNow Assigned To	Ticket assignee
ServiceNow Ticket Number	ServiceNow Ticket Number
ServiceNow Escalation	ServiceNow Escalation
ServiceNow Attack Vector
ServiceNow SIR State	The SIR ticket state
ServiceNow Opened Date	The ticket opened date
ServiceNow Category	ServiceNow Category
ServiceNow Impact	ServiceNow ticket Impact
ServiceNow State	The ticket state
ServiceNow Ticket ID
ServiceNow Description	Ticket description
ServiceNow Due Date	ServiceNow Due Date
ServiceNow Resolution Code	Resolution Code Of ServiceNow Ticket
ServiceNow Notify
ServiceNow Caller ID	ServiceNow Caller who opened the ticket.
ServiceNow Assignment Group	ServiceNow Assignment Group
ServiceNow Priority	ServiceNow Ticket Priority
ServiceNow Urgency	ServiceNow ticket urgency.
ServiceNow Closed By	User who closed ServiceNow Incident

Incident Types

Name	Description
ServiceNow Ticket
ServiceNow Create Ticket and Mirror
ServiceNow SIR Incident

Integrations

Name	Description
ServiceNow IAM	Integrate with ServiceNow's services to execute CRUD operations for employee lifecycle processes.
ServiceNow CMDB	ServiceNow CMDB is a service‑centric foundation that proactively analyzes service‑impacting changes, identifies issues, and eliminates outages.
ServiceNow v2	Use The ServiceNow IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users.
ServiceNow (Deprecated)	Deprecated. Use the ServiceNow v2 integration instead.

Layouts

Name	Description
ServiceNow Create Ticket and Mirror
ServiceNow Ticket
ServiceNow SIR Incident

Playbooks

Name	Description
Create ServiceNow Ticket	Create ServiceNow Ticket allows you to open new tickets as a task from a parent playbook. When creating the ticket, you can decide to update based on on the ticket's state, which will wait for the ticket to resolve or close with StatePolling. Alternatively, you can select to mirror the ServiceNow ticket and incident fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: StatePolling Mirror Leave Blank to use none.
ServiceNow Ticket State Polling	Use ServiceNow Incident State Polling as a sub-playbook when required to pause the execution of a master playbook until the ServiceNow ticket state is either resolved or closed. This playbook implements polling by continuously running the servicenow-get-ticket command until the state is either resolved or closed.
ServiceNow CMDB Search	Subplaybook for finding CI records in ServiceNow CMDB.
ServiceNow - Ticket Management	`ServiceNow - Ticket Management` allows you to open a new ticket or comment on an existing ticket.
Mirror ServiceNow Ticket	Mirror ServiceNow Ticket is designed to serve as a sub-playbook, which enables ticket mirroring with ServiceNow. It enables you to manage ServiceNow tickets in Cortex xSOAR while data is continuously synced between ServiceNow and Cortex xSOAR, including ServiceNow schema, fields, comments, work notes, and attachments. To enable OOTB mirroring, use the ServiceNow Create ticket - common mappers for incoming and outgoing mirroring. FieldPolling - You can the FieldPolling value to true if you only want to be informed when the ticket is resolved or closed. If FieldPolling is set to true, the FieldPolling Playbook will poll for the state(ServiceNow State field) of the ServiceNow ticket until it marks as either resolved or closed. In Addition to the playbook, we recommend that you use the included layout for ServiceNow Ticket, which helps visualize ServiceNow ticket information in Cortex xSOAR. You can add the new layout as a tab to existing layouts using the Edit Layout page.

Automations

Name	Description
ServiceNowCreateIncident	This script is used to wrap the generic create-record command in ServiceNow. You can add fields that you want to create the record with as script arguments or in the code and work with the records easily.
ServiceNowQueryIncident	This script is used to wrap the generic query-table command in ServiceNow. You can add fields that you want to use as inputs and outputs from the record as script arguments or in the code and work with the records easily.
ServiceNowAddComment	Use this script to add a comment or work note to a ServiceNow ticket. To be run within the incident.
ServiceNowTroubleshoot	Troubleshot ServiceNow v2 integration by displaying health information of enabled instances and old and active incidents of disabled instances.
ServiceNowUpdateIncident	This script is used to wrap the generic update-record command in ServiceNow. You can add fields that you want to update the record with as script arguments or in the code and work with the records easily.
ServiceNowIncidentStatus	populates the value of the ServiceNow Ticket State field and display it in a layout widget.

Classifiers

Name	Description
ServiceNow Classifier	Classifies ServiceNow tickets.
User Profile - ServiceNow (Incoming)	Maps a ServiceNow user data to a User Profile data.
User Profile - ServiceNow (Outgoing)	Maps a User Profile data to a ServiceNow user data.
ServiceNow - Outgoing Mapper	Maps outgoing ServiceNow incident Fields.
ServiceNow - Incoming Mapper	Maps incoming ServiceNow incidents fields.
ServiceNow Create Ticket - Incoming Mapper	Maps incoming ServiceNow incidents fields for ServiceNow create ticket and mirror playbook
ServiceNow Create Ticket - Outgoing Mapper	Maps outgoing ServiceNow incidents fields for ServiceNow create ticket and mirror playbook

Incident Fields

Name	Description
ServiceNow Resolved Time	The ticket resolved time
ServiceNow Due Date	ServiceNow Due Date
ServiceNow SIR State	The SIR ticket state
ServiceNow Ticket Number	ServiceNow Ticket Number
ServiceNow Description	Ticket description
ServiceNow Notify
ServiceNow Assignment Group	ServiceNow Assignment Group
ServiceNow State	The ticket state
ServiceNow Priority	ServiceNow Ticket Priority
ServiceNow Assigned To	Ticket assignee
ServiceNow Escalation	ServiceNow Escalation
ServiceNow Resolution Code	Resolution Code Of ServiceNow Ticket
ServiceNow Closed Date	The ticket closed date
ServiceNow SIR Category	ServiceNow SIR Category
ServiceNow Closed By	User who closed ServiceNow Incident
ServiceNow Severity	ServiceNow Severity
ServiceNow Attack Vector
ServiceNow Ticket ID
ServiceNow Business Impact	ServiceNow ticket Business Impact
ServiceNow Resolution Notes	ServiceNow Resolution Notes
ServiceNow Caller ID	ServiceNow Caller who opened the ticket.
ServiceNow Urgency	ServiceNow ticket urgency.
ServiceNow Impact	ServiceNow ticket Impact
ServiceNow Caller	ServiceNow Caller who opened the ticket.

Incident Types

Name	Description
ServiceNow Ticket
ServiceNow SIR Incident
ServiceNow Create Ticket and Mirror

Integrations

Name	Description
ServiceNow v2	Use The ServiceNow IT Service Management (ITSM) solution to modernize the way you manage and deliver services to your users.
ServiceNow (Deprecated)	Deprecated. Use the ServiceNow v2 integration instead.
ServiceNow CMDB	ServiceNow CMDB is a service‑centric foundation that proactively analyzes service‑impacting changes, identifies issues, and eliminates outages.
ServiceNow IAM	Integrate with ServiceNow's services to execute CRUD operations for employee lifecycle processes.
ServiceNow Event Collector	Use this integration to fetch audits, syslog transactions, cases, and outbound HTTP logs from ServiceNow as Cortex XSIAM events.

Modeling Rules

Name	Description
ServiceNow ServiceNow Modeling Rule

Playbooks

Name	Description
Mirror ServiceNow Ticket	Mirror ServiceNow Ticket is designed to serve as a sub-playbook, which enables ticket mirroring with ServiceNow. It enables you to manage ServiceNow tickets in Cortex xSOAR while data is continuously synced between ServiceNow and Cortex xSOAR, including ServiceNow schema, fields, comments, work notes, and attachments. To enable OOTB mirroring, use the ServiceNow Create ticket - common mappers for incoming and outgoing mirroring. FieldPolling - You can the FieldPolling value to true if you only want to be informed when the ticket is resolved or closed. If FieldPolling is set to true, the FieldPolling Playbook will poll for the state(ServiceNow State field) of the ServiceNow ticket until it marks as either resolved or closed. In Addition to the playbook, we recommend that you use the included layout for ServiceNow Ticket, which helps visualize ServiceNow ticket information in Cortex xSOAR. You can add the new layout as a tab to existing layouts using the Edit Layout page.
ServiceNow Ticket State Polling	Use ServiceNow Alert State Polling as a sub-playbook when required to pause the execution of a master playbook until the ServiceNow ticket state is either resolved or closed. This playbook implements polling by continuously running the servicenow-get-ticket command until the state is either resolved or closed.
ServiceNow CMDB Search	Subplaybook for finding CI records in ServiceNow CMDB.
Create ServiceNow Ticket	Create ServiceNow Ticket allows you to open new tickets as a task from a parent playbook. When creating the ticket, you can decide to update based on on the ticket's state, which will wait for the ticket to resolve or close with StatePolling. Alternatively, you can select to mirror the ServiceNow ticket and alert fields. To apply either of these options, set the SyncTicket value in the playbook inputs to one of the following options: StatePolling Mirror Leave Blank to use none.
ServiceNow - Ticket Management	`ServiceNow - Ticket Management` allows you to open a new ticket or comment on an existing ticket.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

2.9.11 - 9264184 (May 25, 2026)

Integrations

ServiceNow IAM

Documentation and metadata improvements.

Related pull requests:
- 44363
- 44358
- 42667
- 43952
- 43732
- 44181
- 44008
- 44052
- 44349
- 44357
- 44339
- 44344
- 43700

Download

2.9.10 - 8608558 (April 30, 2026)

Integrations

ServiceNow v2

Added support for the following date formats in the Instance Date Format parameter:

MM/dd/yy - e.g., 08/19/26 15:38:52.
dd/MM/yy - e.g., 19/08/26 15:38:52.
yyyy/MM/dd - e.g., 2026/08/19 15:38:52.
yyyy.MM.dd - e.g., 2026.08.19 15:38:52.

Related pull requests:
- 44084

Download

2.9.9 - 8592679 (April 29, 2026)

Integrations

ServiceNow v2

Fixed an issue with filename handling during file upload operations.

Related pull requests:
- 43966

Download

2.9.8 - 8515806 (April 27, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43940

Download

2.9.7 - 8382811 (April 20, 2026)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

2.9.6 - 8288718 (April 15, 2026)

Integrations

ServiceNow v2

Fixed an issue where work notes and comments failed to mirror to Cortex due to synchronization lags and creation date mismatches during long processing cycles.

Related pull requests:
- 43433

Download

2.9.5 - 8210013 (April 13, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43748

Download

2.9.4 - 8201591 (April 12, 2026)

Integrations

ServiceNow v2

Fixed an issue where the get-modified-remote-data command could fail on its first run due to an unparseable lastUpdate argument value, preventing incoming mirroring from ever succeeding.

Related pull requests:
- 43820

Download

2.9.3 - 8009783 (March 30, 2026)

Integrations

ServiceNow v2

Fixed an issue where the servicenow-create-item-order command failed when the integration was configured with API version v2.
Added the optional no_validation argument to the servicenow-create-item-order command. When set to true, catalog item orders bypass ServiceNow form validation.
Updated the Docker image to: demisto/auth-utils:1.0.0.7837600.

Related pull requests:
- 43601

Download

2.9.2 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.9.1 - R7448282 (March 5, 2026)

Scripts

ServiceNowCMDBEnrichAsset

Added mandatory dependency declarations for servicenow-cmdb-records-list and servicenow-cmdb-record-get-by-id commands.
Updated the Docker image to: demisto/python3:3.12.12.7090913.

Related pull requests:
- 43210

Download

2.9.0 - 7289906 (February 23, 2026)

Integrations

ServiceNow v2

Added dedicated credential fields for Client ID, Client Secret, Username, and Password (replacing the Username/Client ID and Password/Client Secret credential fields). Re-enter your credentials in the new fields when upgrading to ensure full functionality. Existing instances remain functional with the legacy credential fields if the new fields are left empty.
Added support for automatic OAuth 2.0 login and refresh token renewal by providing Username and Password in the instance configuration. If the fields are left empty, you must manually run !servicenow-oauth-login to obtain the initial refresh token each time it expires.
Updated the documentation to reflect the new credential field structure and automated refresh token renewal.
Updated the Docker image to: demisto/auth-utils:1.0.0.6111183.

ServiceNow CMDB

Added dedicated credential fields for Client ID, Client Secret, Username, and Password (replacing the Username/Client ID and Password/Client Secret credential fields). Re-enter your credentials in the new fields when upgrading to ensure full functionality. Existing instances remain functional with the legacy credential fields if the new fields are left empty.
Added support for automatic OAuth 2.0 login and refresh token renewal by providing Username and Password in the instance configuration. If the fields are left empty, you must manually run !servicenow-cmdb-login to obtain the initial refresh token each time it expires.
Updated the documentation to reflect the new credential field structure and automated refresh token renewal.
Updated the Docker image to: demisto/auth-utils:1.0.0.6111183.

Related pull requests:
- 43240

Download

2.8.28 - R7266890 (February 22, 2026)

ServiceNow

Documentation and metadata improvements.

Related pull requests:
- 43123

Download

2.8.27 - 7188558 (February 17, 2026)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

2.8.26 - 6920594 (January 28, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 42439

Download

2.8.25 - 6580350 (January 6, 2026)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

2.8.24 - 6105231 (December 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41590

Download

2.8.23 - 6037206 (November 27, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41969

Download

2.8.22 - R6002136 (November 25, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41941
- 41967
- 42035

Download

2.8.21 - 5818832 (November 11, 2025)

Integrations

ServiceNow v2

Internal code improvements.

ServiceNow CMDB

Internal code improvements.

Related pull requests:
- 41941
- 42035

Download

2.8.19 - 5801457 (November 10, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41857

Download

2.8.18 - 5717993 (November 3, 2025)

Scripts

ServiceNowTroubleshoot

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

2.8.17 - 5698874 (November 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41748

Download

2.8.16 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.8.15 - 5538136 (October 23, 2025)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

2.8.14 - 5499225 (October 21, 2025)

Integrations

ServiceNow v2

Updated the ServiceNow v2 integration to support iss (Issuer) parameter that if not set, client id will be used for OAuth JWT authentication payload.
Updated the Docker image to: demisto/auth-utils:1.0.0.5427065.

ServiceNow CMDB

Updated the ServiceNow CMDB integration to support OAuth JWT authentication with a customizable "iss" (issuer) claim in the JWT payload.
Updated the Docker image to: demisto/auth-utils:1.0.0.5427065.

Related pull requests:
- 40932

Download

2.8.13 - R5469292 (October 20, 2025)

ServiceNow

Documentation and metadata improvements.

Related pull requests:
- 41444

Download

2.8.12 - 5092121 (September 25, 2025)

Integrations

ServiceNow v2

Updated the servicenow-delete-ticket command to return a human readable message indicating the operation status.
Added the following output context paths to the servicenow-delete-ticket command:
- ServiceNow.Ticket.DeleteMessage - Contains A Message indicating the result of the ticket deletion operation.
- ServiceNow.Ticket.id - Contains the ID of the ticket that was attempted to be deleted.

Related pull requests:
- 41261

Download

2.8.11 - 4931595 (September 18, 2025)

Integrations

ServiceNow v2

Updated the ServiceNow v2 integration to fix a bug related to unintentional closure of incidents when mirroring out.

Related pull requests:
- 41300

Download

2.8.10 - 4832662 (September 10, 2025)

Integrations

ServiceNow v2

Updated the ServiceNow v2 integration to fix a bug related to unintentional closure of incidents when mirroring out.
Updated the Docker image to: demisto/auth-utils:1.0.0.4578605.

Related pull requests:
- 41100

Download

2.8.9 - R4512458 (August 13, 2025)

Integrations

ServiceNow v2

Updated the ServiceNow v2 integration to fix a bug in update_remote_system where close_code and close_notes were overridden with the default value.

Related pull requests:
- 40881

Download

2.8.8 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

2.8.7 - 4456127 (August 7, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40776

Download

2.8.6 - 4443508 (August 6, 2025)

ServiceNow

Documentation and Metadata improvements.

Related pull requests:
- 40837

Download

2.8.5 - 4239826 (July 21, 2025)

Playbooks

ServiceNow CMDB Search

Added Exposure Management and ASM as supported modules.

Related pull requests:
- 40649
- 40555

Download

2.8.4 - 4158979 (July 14, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40378

Download

2.8.3 - 4130170 (July 10, 2025)

ServiceNow

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

2.8.2 - 4126849 (July 10, 2025)

ServiceNow

Documentation and metadata improvements.

Related pull requests:
- 39712
- 40179

Download

2.8.1 - 4121830 (July 10, 2025)

Classifiers

ServiceNow Classifier

Documentation and metadata improvements.

Incident Fields

ServiceNow Assigned To
Documentation and metadata improvements.
ServiceNow Closed Date
Documentation and metadata improvements.
ServiceNow Caller ID
Documentation and metadata improvements.
ServiceNow Resolution Code
Documentation and metadata improvements.
ServiceNow Resolution Notes
Documentation and metadata improvements.
ServiceNow Assignment Group
Documentation and metadata improvements.
ServiceNow Attack Vector
Documentation and metadata improvements.
ServiceNow Description
Documentation and metadata improvements.
ServiceNow Urgency
Documentation and metadata improvements.
ServiceNow Notify
Documentation and metadata improvements.
ServiceNow SIR State
Documentation and metadata improvements.
ServiceNow Priority
Documentation and metadata improvements.
ServiceNow Business Impact
Documentation and metadata improvements.
ServiceNow Impact
Documentation and metadata improvements.
ServiceNow Caller
Documentation and metadata improvements.
ServiceNow Closed By
Documentation and metadata improvements.
ServiceNow Severity
Documentation and metadata improvements.
ServiceNow Due Date
Documentation and metadata improvements.
ServiceNow Resolved Time
Documentation and metadata improvements.
ServiceNow Escalation
Documentation and metadata improvements.
ServiceNow State
Documentation and metadata improvements.
ServiceNow Ticket ID
Documentation and metadata improvements.
ServiceNow Ticket Number
Documentation and metadata improvements.
ServiceNow SIR Category
Documentation and metadata improvements.

Incident Types

ServiceNow SIR Incident
Documentation and metadata improvements.
ServiceNow Create Ticket and Mirror
Documentation and metadata improvements.
ServiceNow Ticket
Documentation and metadata improvements.

Integrations

ServiceNow v2

Updated the ServiceNow v2 integration to support the MirrorObject fields in the servicenow-create-ticket command.
Added support for get-remote-data-preview command that gets remote data preview from a remote incident. This method does not update the current incident, and is used to preview the ticket which would be updated.

ServiceNow (Deprecated)

Documentation and metadata improvements.

Mappers

ServiceNow Create Ticket - Incoming Mapper

Documentation and metadata improvements.

ServiceNow Create Ticket - Outgoing Mapper

Documentation and metadata improvements.

User Profile - ServiceNow (Outgoing)

Documentation and metadata improvements.

ServiceNow - Incoming Mapper

Documentation and metadata improvements.

User Profile - ServiceNow (Incoming)

Documentation and metadata improvements.

ServiceNow - Outgoing Mapper

Documentation and metadata improvements.

Playbooks

ServiceNow Ticket State Polling

Documentation and metadata improvements.

ServiceNow CMDB Search

Documentation and metadata improvements.

ServiceNow - Ticket Management

Documentation and metadata improvements.

Create ServiceNow Ticket

Documentation and metadata improvements.

Mirror ServiceNow Ticket

Documentation and metadata improvements.

Scripts

ServiceNowAddComment

Documentation and metadata improvements.

ServiceNowUpdateIncident

Documentation and metadata improvements.

ServiceNowQueryIncident

Documentation and metadata improvements.

ServiceNowTroubleshoot

Documentation and metadata improvements.

ServiceNowIncidentStatus

Documentation and metadata improvements.

ServiceNowCreateIncident

Documentation and metadata improvements.

Related pull requests:
- 40523

Download

2.7.22 - 4049458 (July 3, 2025)

ServiceNow

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

2.7.21 - R3980324 (June 26, 2025)

Integrations

ServiceNow CMDB

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Scripts

ServiceNowIncidentStatus

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40221

Download

2.7.20 - R3838742 (June 17, 2025)

Integrations

ServiceNow IAM

Added support for the 'Preference Center' feature for selected commands.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40192

Download

2.7.19 - 3769759 (June 12, 2025)

Integrations

ServiceNow v2

Documentation and metadata improvements.

Related pull requests:
- 40195

Download

2.7.18 - 3711808 (June 9, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 39859

Download

2.7.17 - 3617165 (June 3, 2025)

Integrations

ServiceNow v2

Updated the Docker image to: demisto/auth-utils:1.0.0.3562326.

Related pull requests:
- 40133

Download

2.7.16 - R3526238 (May 25, 2025)

Integrations

ServiceNow (Deprecated)

Metadata and documentation improvements.

Related pull requests:
- 40034

Download

2.9.11 - 9264184 (May 25, 2026)

Integrations

ServiceNow IAM

Documentation and metadata improvements.

Related pull requests:
- 44363
- 44358
- 42667
- 43952
- 43732
- 44181
- 44008
- 44052
- 44349
- 44357
- 44339
- 44344
- 43700

Download

2.9.10 - 8608558 (April 30, 2026)

Integrations

ServiceNow v2

Added support for the following date formats in the Instance Date Format parameter:

MM/dd/yy - e.g., 08/19/26 15:38:52.
dd/MM/yy - e.g., 19/08/26 15:38:52.
yyyy/MM/dd - e.g., 2026/08/19 15:38:52.
yyyy.MM.dd - e.g., 2026.08.19 15:38:52.

Related pull requests:
- 44084

Download

2.9.9 - 8592679 (April 29, 2026)

Integrations

ServiceNow v2

Fixed an issue with filename handling during file upload operations.

Related pull requests:
- 43966

Download

2.9.8 - 8542515 (April 28, 2026)

Modeling Rules

ServiceNow ServiceNow Modeling Rule

Documentation and metadata improvements.

Related pull requests:
- 43940

Download

2.9.7 - 8382811 (April 20, 2026)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

2.9.6 - 8288718 (April 15, 2026)

Integrations

ServiceNow v2

Fixed an issue where work notes and comments failed to mirror to Cortex due to synchronization lags and creation date mismatches during long processing cycles.

Related pull requests:
- 43433

Download

2.9.5 - 8210013 (April 13, 2026)

Integrations

ServiceNow Event Collector

Documentation and metadata improvements.

Related pull requests:
- 43748

Download

2.9.4 - 8201591 (April 12, 2026)

Integrations

ServiceNow v2

Fixed an issue where the get-modified-remote-data command could fail on its first run due to an unparseable lastUpdate argument value, preventing incoming mirroring from ever succeeding.

Related pull requests:
- 43820

Download

2.9.3 - 8009783 (March 30, 2026)

Integrations

ServiceNow v2

Fixed an issue where the servicenow-create-item-order command failed when the integration was configured with API version v2.
Added the optional no_validation argument to the servicenow-create-item-order command. When set to true, catalog item orders bypass ServiceNow form validation.
Updated the Docker image to: demisto/auth-utils:1.0.0.7837600.

Related pull requests:
- 43601

Download

2.9.2 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.9.1 - R7448282 (March 5, 2026)

Scripts

ServiceNowCMDBEnrichAsset

Added mandatory dependency declarations for servicenow-cmdb-records-list and servicenow-cmdb-record-get-by-id commands.
Updated the Docker image to: demisto/python3:3.12.12.7090913.

Related pull requests:
- 43210

Download

2.9.0 - 7289906 (February 23, 2026)

Integrations

ServiceNow v2

Added dedicated credential fields for Client ID, Client Secret, Username, and Password (replacing the Username/Client ID and Password/Client Secret credential fields). Re-enter your credentials in the new fields when upgrading to ensure full functionality. Existing instances remain functional with the legacy credential fields if the new fields are left empty.
Added support for automatic OAuth 2.0 login and refresh token renewal by providing Username and Password in the instance configuration. If the fields are left empty, you must manually run !servicenow-oauth-login to obtain the initial refresh token each time it expires.
Updated the documentation to reflect the new credential field structure and automated refresh token renewal.
Updated the Docker image to: demisto/auth-utils:1.0.0.6111183.

ServiceNow CMDB

Added dedicated credential fields for Client ID, Client Secret, Username, and Password (replacing the Username/Client ID and Password/Client Secret credential fields). Re-enter your credentials in the new fields when upgrading to ensure full functionality. Existing instances remain functional with the legacy credential fields if the new fields are left empty.
Added support for automatic OAuth 2.0 login and refresh token renewal by providing Username and Password in the instance configuration. If the fields are left empty, you must manually run !servicenow-cmdb-login to obtain the initial refresh token each time it expires.
Updated the documentation to reflect the new credential field structure and automated refresh token renewal.
Updated the Docker image to: demisto/auth-utils:1.0.0.6111183.

ServiceNow Event Collector

Updated the Docker image to: demisto/auth-utils:1.0.0.6111183.

Related pull requests:
- 43240

Download

2.8.28 - R7266890 (February 22, 2026)

ServiceNow

Documentation and metadata improvements.

Related pull requests:
- 43123

Download

2.8.27 - 7188558 (February 17, 2026)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43146

Download

2.8.26 - 6920581 (January 28, 2026)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 42439

Download

2.8.25 - 6580350 (January 6, 2026)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

2.8.24 - 6095247 (December 2, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41590

Download

2.8.23 - 6037206 (November 27, 2025)

Integrations

ServiceNow Event Collector

Added support for collecting Outbound HTTP Log events from the sys_outbound_http_log table.

Related pull requests:
- 41969

Download

2.8.22 - R6002136 (November 25, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 42035
- 41967
- 41941

Download

2.8.21 - 5818832 (November 11, 2025)

Integrations

ServiceNow Event Collector

Improved integration stability by adding a mechanism to automatically regenerate the expired refresh token when a potential expiration occurs.

ServiceNow v2

Internal code improvements.

ServiceNow CMDB

Internal code improvements.

Related pull requests:
- 42035
- 41941

Download

2.8.19 - 5801457 (November 10, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41857

Download

2.8.18 - 5717993 (November 3, 2025)

Scripts

ServiceNowTroubleshoot

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

2.8.17 - 5698874 (November 2, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41748

Download

2.8.16 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.8.15 - 5538136 (October 23, 2025)

ServiceNow

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

2.8.14 - 5499225 (October 21, 2025)

Integrations

ServiceNow Event Collector

Updated the Docker image to: demisto/auth-utils:1.0.0.5427065.

ServiceNow v2

Updated the ServiceNow v2 integration to support iss (Issuer) parameter that if not set, client id will be used for OAuth JWT authentication payload.
Updated the Docker image to: demisto/auth-utils:1.0.0.5427065.

ServiceNow CMDB

Updated the ServiceNow CMDB integration to support OAuth JWT authentication with a customizable "iss" (issuer) claim in the JWT payload.
Updated the Docker image to: demisto/auth-utils:1.0.0.5427065.

Related pull requests:
- 40932

Download

2.8.13 - R5469292 (October 20, 2025)

ServiceNow

Documentation and metadata improvements.

Related pull requests:
- 41444

Download

2.8.12 - 5092121 (September 25, 2025)

Integrations

ServiceNow v2

Updated the servicenow-delete-ticket command to return a human readable message indicating the operation status.
Added the following output context paths to the servicenow-delete-ticket command:
- ServiceNow.Ticket.DeleteMessage - Contains A Message indicating the result of the ticket deletion operation.
- ServiceNow.Ticket.id - Contains the ID of the ticket that was attempted to be deleted.

Related pull requests:
- 41261

Download

2.8.11 - 4931595 (September 18, 2025)

Integrations

ServiceNow v2

Updated the ServiceNow v2 integration to fix a bug related to unintentional closure of incidents when mirroring out.

Related pull requests:
- 41300

Download

2.8.10 - 4832662 (September 10, 2025)

Integrations

ServiceNow v2

Updated the ServiceNow v2 integration to fix a bug related to unintentional closure of incidents when mirroring out.
Updated the Docker image to: demisto/auth-utils:1.0.0.4578605.

Related pull requests:
- 41100

Download

2.8.9 - R4524270 (August 14, 2025)

Integrations

ServiceNow v2

Updated the ServiceNow v2 integration to fix a bug in update_remote_system where close_code and close_notes were overridden with the default value.

Related pull requests:
- 40881

Download

2.8.8 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

2.8.7 - 4456127 (August 7, 2025)

Modeling Rules

ServiceNow ServiceNow Modeling Rule

Updated the ServiceNow Modeling Rule to include XDM mapping also for Customer Service Management (CSM) Case logs.

Related pull requests:
- 40776

Download

2.8.6 - 4443508 (August 6, 2025)

ServiceNow

Documentation and Metadata improvements.

Related pull requests:
- 40837

Download

2.8.5 - 4239826 (July 21, 2025)

Playbooks

ServiceNow CMDB Search

Added Exposure Management and ASM as supported modules.

Related pull requests:
- 40649
- 40555

Download

2.8.4 - 4158979 (July 14, 2025)

Integrations

ServiceNow Event Collector

Added support for fetch of case logs from service now. To enable, choose the case type in the Event Types To Fetch parameter under the integration instance configuration.
Added support for Maximum case events to fetch parameter that maximum number of case events per fetch.

Related pull requests:
- 40378

Download

2.8.3 - 4130170 (July 10, 2025)

ServiceNow

Documentation and Metadata improvements.

Related pull requests:
- 40577

Download

2.8.2 - 4126849 (July 10, 2025)

ServiceNow

Documentation and metadata improvements.

Related pull requests:
- 39712
- 40179

Download

2.8.1 - 4118212 (July 9, 2025)

Classifiers

ServiceNow Classifier

Documentation and metadata improvements.

Incident Fields

ServiceNow Assigned To
Documentation and metadata improvements.
ServiceNow Closed Date
Documentation and metadata improvements.
ServiceNow Caller ID
Documentation and metadata improvements.
ServiceNow Resolution Code
Documentation and metadata improvements.
ServiceNow Resolution Notes
Documentation and metadata improvements.
ServiceNow Assignment Group
Documentation and metadata improvements.
ServiceNow Attack Vector
Documentation and metadata improvements.
ServiceNow Description
Documentation and metadata improvements.
ServiceNow Urgency
Documentation and metadata improvements.
ServiceNow Notify
Documentation and metadata improvements.
ServiceNow SIR State
Documentation and metadata improvements.
ServiceNow Priority
Documentation and metadata improvements.
ServiceNow Business Impact
Documentation and metadata improvements.
ServiceNow Impact
Documentation and metadata improvements.
ServiceNow Caller
Documentation and metadata improvements.
ServiceNow Closed By
Documentation and metadata improvements.
ServiceNow Severity
Documentation and metadata improvements.
ServiceNow Due Date
Documentation and metadata improvements.
ServiceNow Resolved Time
Documentation and metadata improvements.
ServiceNow Escalation
Documentation and metadata improvements.
ServiceNow State
Documentation and metadata improvements.
ServiceNow Ticket ID
Documentation and metadata improvements.
ServiceNow Ticket Number
Documentation and metadata improvements.
ServiceNow SIR Category
Documentation and metadata improvements.

Incident Types

ServiceNow SIR Incident
Documentation and metadata improvements.
ServiceNow Create Ticket and Mirror
Documentation and metadata improvements.
ServiceNow Ticket
Documentation and metadata improvements.

Integrations

ServiceNow v2

Updated the ServiceNow v2 integration to support the MirrorObject fields in the servicenow-create-ticket command.
Added support for get-remote-data-preview command that gets remote data preview from a remote incident. This method does not update the current incident, and is used to preview the ticket which would be updated.

ServiceNow Event Collector

Documentation and metadata improvements.

ServiceNow (Deprecated)

Documentation and metadata improvements.

Mappers

ServiceNow Create Ticket - Incoming Mapper

Documentation and metadata improvements.

ServiceNow Create Ticket - Outgoing Mapper

Documentation and metadata improvements.

User Profile - ServiceNow (Outgoing)

Documentation and metadata improvements.

ServiceNow - Incoming Mapper

Documentation and metadata improvements.

User Profile - ServiceNow (Incoming)

Documentation and metadata improvements.

ServiceNow - Outgoing Mapper

Documentation and metadata improvements.

Modeling Rules

ServiceNow ServiceNow Modeling Rule

Documentation and metadata improvements.

Playbooks

ServiceNow Ticket State Polling

Documentation and metadata improvements.

ServiceNow CMDB Search

Documentation and metadata improvements.

ServiceNow - Ticket Management

Documentation and metadata improvements.

Create ServiceNow Ticket

Documentation and metadata improvements.

Mirror ServiceNow Ticket

Documentation and metadata improvements.

Scripts

ServiceNowAddComment

Documentation and metadata improvements.

ServiceNowUpdateIncident

Documentation and metadata improvements.

ServiceNowQueryIncident

Documentation and metadata improvements.

ServiceNowTroubleshoot

Documentation and metadata improvements.

ServiceNowIncidentStatus

Documentation and metadata improvements.

ServiceNowCreateIncident

Documentation and metadata improvements.

Related pull requests:
- 40523

Download

2.7.22 - 4049458 (July 3, 2025)

ServiceNow

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

2.7.21 - R3980324 (June 26, 2025)

Integrations

ServiceNow CMDB

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Scripts

ServiceNowIncidentStatus

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40221

Download

2.7.20 - R3838742 (June 17, 2025)

Integrations

ServiceNow IAM

Added support for the 'Preference Center' feature for selected commands.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40192

Download

2.7.19 - 3769759 (June 12, 2025)

Integrations

ServiceNow v2

Documentation and metadata improvements.

Related pull requests:
- 40195

Download

2.7.18 - 3711808 (June 9, 2025)

Integrations

ServiceNow Event Collector

Added support for the service-now-oauth-login command that generate a refresh token using your existing credentials. Use this command if you encounter access_denied or other errors related to your tokens when using OAuth 2.0.

Related pull requests:
- 39859

Download

2.7.17 - 3617165 (June 3, 2025)

Integrations

ServiceNow v2

Updated the Docker image to: demisto/auth-utils:1.0.0.3562326.

Related pull requests:
- 40133

Download

2.7.16 - R3526238 (May 25, 2025)

Integrations

ServiceNow (Deprecated)

Metadata and documentation improvements.

Related pull requests:
- 40034

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 7, 2020
Last Release	May 25, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.