ServiceNow ITSM connector and actionedit

The ServiceNow ITSM connector uses the Import Set API to create ServiceNow incidents. You can use the connector for rule actions and cases.

Prerequisitesedit

After upgrading from Elastic Stack version 7.15.0 or earlier to version 7.16.0 or later, you must complete the following within your ServiceNow instance before creating a new ServiceNow ITSM connector or updating an existing one:

  • Install Elastic for ITSM from the ServiceNow Store.
  • Create a ServiceNow integration user and assign it the appropriate roles.
  • Create a Cross-Origin Resource Sharing (CORS) rule.

Create a ServiceNow integration user

To ensure authenticated communication between Elastic and ServiceNow, create a ServiceNow integration user and assign it the appropriate roles.

  1. In your ServiceNow instance, go to System Security → Users and Groups → Users.
  2. Click New.
  3. Complete the form, then right-click on the menu bar and click Save.
  4. Go to the Roles tab and click Edit.
  5. Assign the integration user the following roles: 

    • import_set_loader
    • import_transformer
    • personalize_choices
    • x_elas2_inc_int.integration_user
  6. Click Save.

Create a CORS rule

A CORS rule is required for communication between Elastic and ServiceNow. To create a CORS rule:

  1. In your ServiceNow instance, go to System Web Services → REST → CORS Rules.
  2. Click New.
  3. Configure the rule as follows:

    • Name: Name the rule.
    • REST API: Set the rule to use the Elastic ITSM API by choosing Elastic ITSM API [x_elas2_inc_int/elastic_api].
    • Domain: Enter the Kibana URL.
  4. Go to the HTTP methods tab and select GET.
  5. Click Submit to create the rule.

Update a deprecated ServiceNow ITSM connectoredit

ServiceNow ITSM connectors created in Elastic Stack version 7.15.0 or earlier are marked as deprecated after you upgrade to version 7.16.0 or later. Deprecated connectors have a yellow icon after their name and display a warning message when selected.

Shows deprecated ServiceNow connectors

Deprecated connectors will continue to function with the rules they were added to and can be assigned to new rules. However, it is strongly recommended to update deprecated connectors or create new ones to ensure you have access to connector enhancements, such as updating incidents.

To update a deprecated connector:

  1. Open the main menu and go to Stack Management → Rules and connectors → Connectors.
  2. Select the deprecated connector to open the Edit connector flyout.
  3. In the warning message, click Update this connector.
  4. Complete the guided steps in the Edit connector flyout.

    1. Install Elastic for ITSM and complete the required prerequisites.
    2. Enter the URL of your ServiceNow instance.
    3. Enter the username and password of your ServiceNow instance.
  5. Click Update.

Connector configurationedit

ServiceNow ITSM connectors have the following configuration properties.

Name
The name of the connector. The name is used to identify a connector in the Stack Management UI connector listing, and in the connector list when configuring an action.
URL
ServiceNow instance URL.
Username
Username for HTTP Basic authentication.
Password
Password for HTTP Basic authentication.

Connector networking configurationedit

Use the Action configuration settings to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use xpack.actions.customHostSettings to set per-host configurations.

Preconfigured connector typeedit

 my-servicenow:
   name: preconfigured-servicenow-connector-type
   actionTypeId: .servicenow
   config:
     apiUrl: https://example.service-now.com/
     usesTableApi: false
   secrets:
     username: testuser
     password: passwordkeystorevalue

Config defines information for the connector type.

apiUrl
An address that corresponds to URL.
usesTableApi
A boolean that indicates if the connector uses the Table API or the Import Set API.

If usesTableApi is set to false, the Elastic application should be installed in ServiceNow.

Secrets defines sensitive information for the connector type.

username
A string that corresponds to Username.
password
A string that corresponds to Password. Should be stored in the Kibana keystore.

Define connector in Stack Managementedit

Define ServiceNow ITSM connector properties.

ServiceNow connector

Test ServiceNow ITSM action parameters.

ServiceNow params test

Action configurationedit

ServiceNow ITSM actions have the following configuration properties.

Urgency
The extent to which the incident resolution can delay.
Severity
The severity of the incident.
Impact
The effect an incident has on business. Can be measured by the number of affected users or by how critical it is to the business in question.
Category
The category of the incident.
Subcategory
The category of the incident.
Correlation ID
Connectors using the same Correlation ID will be associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident will be created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as {{ruleID}}:{{alert ID}} to form the Correlation ID value in ServiceNow. The maximum character length for this value is 100 characters.

Using the default configuration of {{ruleID}}:{{alert ID}} ensures that ServiceNow will create a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.

Correlation Display
A descriptive label of the alert for correlation purposes in ServiceNow.
Short description
A short description for the incident, used for searching the contents of the knowledge base.
Description
The details about the incident.
Additional comments
Additional information for the client, such as how to troubleshoot the issue.

Configure ServiceNowedit

ServiceNow offers free Personal Developer Instances, which you can use to test incidents.