Integrate ServiceNow with Google SecOps

Integration version: 59.0

This document explains how to integrate ServiceNow withGoogle Security Operations (Google SecOps).

Use cases

TheServiceNow integration uses Google SecOps capabilities tosupport the following use cases:

  • Automated incident ticketing: Automatically create ServiceNow incidentsfrom security alerts originating in your SIEM or other security tools.

  • Incident enrichment and response: Streamline incident response workflowsby reducing manual ticketing and enriching incidents with relevant informationfrom the originating alert.

  • Phishing remediation: Automate repetitive phishing investigation stepssuch as gathering email headers, investigating attachments, and searching forsimilar emails, which accelerates response times.

  • Vulnerability remediation orchestration: Orchestrate vulnerabilityremediation workflows by automatically creating ServiceNow change requests forpatching or mitigating actions based on vulnerability scan results.

  • User lifecycle automation: Automate user provisioning and de-provisioningtasks in various systems (access control, email platforms, applications) basedon triggers from ServiceNow workflows.

  • Threat intelligence context: Enrich security alerts with threatintelligence data sourced directly from the ServiceNow platform, providing morecontext for analysts to prioritize response actions.

Before you begin

Before you configure the integration in the Google SecOpsplatform, ensure you have completed the following prerequisites:

  • ServiceNow user account: A user account with permissions to create andupdate records.

  • ServiceNow roles: The required system roles (sn_incident_write,itil)and a customuser access configuration (secops_user)to allow access to specific tables.

  • Network connectivity: A network configuration allowing traffic fromGoogle SecOps IP addresses to your ServiceNow instance.

  • OAuth credentials (Optional): The Client ID and Client Secret if you planto useOAuth 2.0 authentication.

Configure user access in ServiceNow

To allow the integration to synchronize comments and perform actions, you mustperform the following administrative tasks in the ServiceNow platform.

For specific instructions on how to navigate the ServiceNow interface, see theofficialServiceNow product documentation.

  1. Create a custom role: Create a new role (for example,secops_user) tohandle specific integration permissions.

  2. Create a new ACL rule: The integration requires access to thesys_journal_field table, which is restricted to administrators by default.Create a newread operation ACL for thesys_journal_field table and assignit to your custom role (secops_user).

  3. Assign roles to the user: Assign the following roles to the ServiceNowuser account intended for the integration:

Configure OAuth 2.0 authentication (Optional)

We recommend using OAuth 2.0 authentication. This process requires action inboth ServiceNow (to obtain credentials) and in Google SecOps (togenerate a token).

Create an OAuth endpoint (ServiceNow)

In your ServiceNow instance, ensure the OAuth 2.0 plugin is active and create anOAuth API endpoint for external clients.

For instructions on creating an endpoint, seeCreate an endpoint for clients to access the instance.

Once created, record theClient ID andClient Secret.

Generate a Refresh Token (Google SecOps)

To generate the refresh token, you must temporarily configure the integration torun a helper action.

  1. InGoogle SecOps, navigate toResponse> Integrations Setup.

  2. Important: You must disableUse Oauth Authentication for this step.

    Configure a temporary ServiceNow integration instance using theUsername,Password,Client ID, andClient Secret.

  3. Simulate a case or open an existing case.

  4. Run the ServiceNowGet Oauth Token actionmanuallyon the case.

  5. Copy therefresh_token value from the action's JSON result to use in theRefresh Token field when configuring the integration.

Integration parameters

The ServiceNow integration requires the following parameters:

ParameterDescription
Api Root

Required.

The API root of the ServiceNow instance.

The default value ishttps://INSTANCE.service-now.com/api/now/v1/.

Username

Required.

The username of the ServiceNow account.

Password

Required.

The password of the ServiceNow account.

Incident Table

Optional.

The API table name or path to use for incident-related actions and record retrieval.

By default, the integration uses thetable/incident path.

Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting tothe ServiceNow server.

Enabled by default.

Client ID

Optional.

The client ID for the ServiceNow integration, required for OAuth 2.0 authentication using client credentials.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Client Secret

Optional.

The client secret for the ServiceNow integration, required for OAuth 2.0 authentication using client credentials.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Refresh Token

Optional.

The refresh token for the ServiceNow integration, required for OAuth 2.0 authentication using a refresh token.

This configured refresh token expires every 90 days.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Use Oauth Authentication

Optional.

If selected, the integration uses OAuth 2.0 to authenticate.

OAuth 2.0 authentication requires setting either the client credentials (Client ID andClient Secret) orRefresh Token.

Disabled by default.

For instructions about how to configure an integration inGoogle SecOps, seeConfigureintegrations.

You can make changes at a later stage, if needed. After you configure anintegration instance, you can use it in playbooks. For more information abouthow to configure and support multiple instances, seeSupportingmultiple instances.

Actions

For more information about actions, seeRespond to pending actions from Your Workdesk andPerform amanual action.

Add Attachment

Use theAdd Attachment action to add attachments to a table record inServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

TheAdd Attachment action requires the following parameters:

ParameterDescription
Table Name

Required.

The name of the table containing the record where the attachment is added.

Record Sys ID

Required.

The system ID (sys_id) of the record where the attachment is added.

File Path

Required.

A comma-separated list of absolute paths for the files to attach.

Mode

Optional.

The behavior of the action when a file with the same name already exists on record.

The possible values are as follows:

  • Add New Attachment: The action adds the file as a new, separate attachment. Files with the same name are allowed.
  • Overwrite Existing Attachment: The action replaces the existing attachment that shares the same name.

The default value isAdd New Attachment.

Action outputs

TheAdd Attachment action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theAdd Attachment action:

{"result":{"size_bytes":"742","file_name":"placeholder_document.txt","sys_mod_count":"0","average_image_color":"","image_width":"","sys_updated_on":"2025-01-01 10:00:00","sys_tags":"","table_name":"incident","sys_id":"TEST_SYS_ID_ATTACH_123456789","image_height":"","sys_updated_by":"admin","download_link":"https://placeholder.service-now.com/api/now/attachment/TEST_SYS_ID_ATTACH_123456789/file","content_type":"multipart/form-data","sys_created_on":"2025-01-01 10:00:00","size_compressed":"438","compressed":"true","state":"pending","table_sys_id":"TEST_SYS_ID_RECORD_ABCDEFG","chunk_size_bytes":"700000","hash":"test_hash_0000000000000000000000000000000000000000000000000000000000000000","sys_created_by":"admin"}}
Output messages

TheAdd Attachment action can return the following output messages:

Output messageMessage description

Successfully added the following attachments to the record with a Sys IDRECORD_SYS_ID from a tableTABLE_NAME in ServiceNow:FILE_PATHS

Action wasn't able to add the following attachments to the record with a Sys IDRECORD_SYS_ID from a tableTABLE_NAME in ServiceNow:FILE_PATHS

No attachments were added to the record with a Sys IDRECORD_SYS_ID from a tableTABLE_NAME in ServiceNow:FILE_PATHS

The action succeeded.
Error executing action "Add Attachment". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheAdd Attachment action:

Script result nameValue
is_successtrue orfalse

Add Comment

Use theAdd Comment action to add a comment to a ServiceNow incident.

This action doesn't run on Google SecOps entities.

Action inputs

TheAdd Comment action requires the following parameters:

ParameterDescription
Incident Number

Required.

The number of the incident to add the comment to, in the formatINCINCIDENT_NUMBER.

Comment

Required.

The comment to add to the incident.

Action outputs

TheAdd Comment action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultNot available
Output messagesAvailable
Script resultAvailable
Script result

The following table lists the values for the script result output when usingtheAdd Comment action:

Script result nameValue
is_successtrue orfalse

Add Comment and Wait for Reply

Use theAdd Comment and Wait for Reply action to add a comment to aServiceNow incident, then pause the playbook execution until a new comment orreply is added to that incident. The output of the action is the content of thenew comment.

This action doesn't run on Google SecOps entities.

Action inputs

TheAdd Comment and Wait for Reply action requires the following parameters:

ParameterDescription
Incident Number

Required.

The number of the incident to add the comment to, in the formatINCINCIDENT_NUMBER.

Comment

Required.

The comment to add to the incident.

Action outputs

TheAdd Comment and Wait for Reply action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultNot available
Output messagesAvailable
Script resultAvailable
Script result

The following table lists the value for the script result output when usingtheAdd Comment and Wait for Reply action:

Script result nameValue
new_comment

Add Comment To Record

Use theAdd Comment To Record action to add a comment or work note to aspecific table record in ServiceNow.

This action doesn't run on Google SecOps entities.

Note: If you enable theWait For Reply parameter, the action runs inasynchronous mode. When using asynchronous mode, adjust the script timeout valuein the Google SecOps IDE based on the expected wait time for areply.

Action inputs

TheAdd Comment To Record action requires the following parameters:

ParameterDescription
Table Name

Required.

The name of the table to add the comment or note to.

Type

Required.

The type of comment or note to add.

The possible values are as follows:

  • Comment
  • Work Note

The default value isComment.

Record Sys ID

Required.

The system ID (sys_id) to add the comment or work note to.

Text

Required.

The content of the comment or work note.

Wait For Reply

Optional.

If selected, the action runs asynchronously and pauses execution until a new comment or work note is added to the record.

The action tracks comments if you add a comment, and work notes if you add a work note.

Note: If enabled, this action runs in asynchronous mode. Adjust the script timeout value in the Google SecOps IDE based on the expected wait time for a reply.

Disabled by default.

Action outputs

TheAdd Comment To Record action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theAdd Comment To Record action:

{"sys_id":"4355183607523010ff23f6fd7c1ed0a8","sys_created_on":"2021-09-03 10:29:48","name":"incident","element_id":"552c48888c033300964f4932b03eb092","sys_tags":"","value":"Test comment content.","sys_created_by":"admin","element":"comments"}
Output messages

TheAdd Comment To Record action can return the following output messages:

Output messageMessage description
Successfully added COMMENT_OR_NOTE " CONTENT" toTABLE_NAME with Sys_IDSYS_ID in ServiceNow.The action succeeded.
Error executing action "Add Comment To Record". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheAdd Comment To Record action:

Script result nameValue
is_successtrue orfalse

Add Parent Incident

Use theAdd Parent Incident action to add a parent incident for incidentsin ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

TheAdd Parent Incident action requires the following parameters:

ParameterDescription
Parent Incident Number

Required.

The parent incident number, in the formatINCINCIDENT_NUMBER (for example,INC0000051).

The action adds all incidents inChild Incident Numbers as children for the parent incident.

Child Incident Numbers

Required.

A comma-separated list of incident numbers to set as child incidents for the specified parent incident, in the formatINCINCIDENT_NUMBER (for example,INC0000051).

Action outputs

TheAdd Parent Incident action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theAdd Parent Incident action:

{"result":[{"parent":"","made_sla":"true","caused_by":"","watch_list":"","upon_reject":"cancel","sys_updated_on":"2020-10-20 07:19:11","child_incidents":"0","hold_reason":"","approval_history":"","skills":"","number":"INC0010009","resolved_by":"","sys_updated_by":"admin","opened_by":{"link":"https://example.service-now.com/api/now/table/sys_user/ID","value":"ID"},"user_input":"","sys_created_on":"2020-10-20 07:19:11","sys_domain":{"link":"https://example.service-now.com/api/now/table/sys_user_group/global","value":"global"},"state":"1","sys_created_by":"admin","knowledge":"false","order":"","calendar_stc":"","closed_at":"","cmdb_ci":"","delivery_plan":"","contract":"","impact":"3","active":"true","work_notes_list":"","business_service":"","priority":"5","sys_domain_path":"/","rfc":"","time_worked":"","expected_start":"","opened_at":"2020-10-20 07:18:56","business_duration":"","group_list":"","work_end":"","caller_id":{"link":"https://example.service-now.com/api/now/table/sys_user/ID","value":"ID"},"reopened_time":"","resolved_at":"","approval_set":"","subcategory":"","work_notes":"","short_description":"Assessment :  Assessor","close_code":"","correlation_display":"","delivery_task":"","work_start":"","assignment_group":"","additional_assignee_list":"","business_stc":"","description":"","calendar_duration":"","close_notes":"","notify":"1","service_offering":"","sys_class_name":"incident","closed_by":"","follow_up":"","parent_incident":{"link":"https://example.service-now.com/api/now/table/incident/ID","value":"ID"},"sys_id":"2a100a1c2fc42010c518532a2799b621","contact_type":"","reopened_by":"","incident_state":"1","urgency":"3","problem_id":"","company":"","reassignment_count":"0","activity_due":"","assigned_to":"","severity":"3","comments":"","approval":"not requested","sla_due":"","comments_and_work_notes":"","due_date":"","sys_mod_count":"0","reopen_count":"0","sys_tags":"","escalation":"0","upon_approval":"proceed","correlation_id":"","location":"","category":"inquiry"}]}
Output messages

TheAdd Parent Incident action can return the following output messages:

Output messageMessage description
Successfully setPARENT_INCIDENT_NUMBER as the "Parent Incident" for the following incidents in ServiceNow:CHILD_INCIDENT_NUMBERS.The action succeeded.
Error executing action "Add Parent Incident". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Close Incident

Use theClose Incident action to close a ServiceNow incident.

This action doesn't run on Google SecOps entities.

Important: To run this action, you must assign thesn_incident_write role tothe user in ServiceNow. For more details, go toConfigure user access in ServiceNow.

Action inputs

TheClose Incident action requires the following parameters:

ParameterDescription
Incident Number

Required.

The number of the incident to close, in the formatINCINCIDENT_NUMBER.

Close Reason

Required.

The reason for closing the incident.

Resolution Code

Required.

The resolution code for the incident.

The possible values are as follows:

  • Duplicate
  • Known error
  • No resolution provided
  • Resolved by caller
  • Resolved by change
  • Resolved by problem
  • Resolved by request
  • Solution provided
  • Workaround provided
  • User error

The default value isSolution provided.

Close Notes

Required.

The close notes for the incident.

Action outputs

TheClose Incident action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultNot available
Output messagesAvailable
Script resultAvailable
Script result

The following table lists the value for the script result output when usingtheClose Incident action:

Script result nameValue
is_successtrue orfalse

Create Alert Incident

Use theCreate Alert Incident action to create a new incident in ServiceNowbased on the details of the alert that initiates the playbook run.

This action doesn't run on Google SecOps entities.

Action inputs

TheCreate Alert Incident action requires the following parameters:

ParameterDescription
Impact

Required.

The impact level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is1.

Urgency

Required.

The urgency level of the incident.

The possible values are as follows

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is1.

Category

Optional.

The category of the incident.

Assignment Group ID

Optional.

The full name of the group to assign the incident to.

Assigned User ID

Optional.

The full name of the user to assign the incident to.

Description

Optional.

The incident description.

Action outputs

TheCreate Alert Incident action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theCreate Alert Incident action:

{"sys_tags":" ","user_input":" ","calendar_stc":" ","subcategory":" ","watch_list":" ","follow_up":" ","made_sla":"true","sys_created_by":"admin","sla_due":" ","number":"INC0010005","group_list":" ","reassignment_count":"0","assigned_to":" ","sys_mod_count":"0","notify":"1","resolved_by":" ","upon_reject":"cancel","additional_assignee_list":" ","category":"inquiry","closed_at":" ","parent_incident":" ","cmdb_ci":" ","contact_type":" ","impact":"1","rfc":" ","expected_start":" ","knowledge":"false","sys_updated_by":"admin","caused_by":" ","comments":" ","closed_by":" ","priority":"1","state":"1","sys_id":"ID","opened_at":"2020-07-10 05:13:25","child_incidents":"0","work_notes":" ","delivery_task":" ","short_description":"4187b92c-7aaa-40ec-a032-833dd5a854e6","comments_and_work_notes":" ","time_worked":" ","upon_approval":"proceed","company":" ","business_stc":" ","correlation_display":" ","sys_class_name":"incident","delivery_plan":" ","escalation":"0","description":" ","parent":" ","close_notes":" ","business_duration":" ","problem_id":" ","sys_updated_on":"2020-07-10 05:13:25","approval_history":" ","approval_set":" ","business_service":" ","reopened_by":" ","calendar_duration":" ","caller_id":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"active":"true","approval":"not requested","service_offering":" ","sys_domain_path":"/","hold_reason":" ","activity_due":"2020-07-10 07:13:25","severity":"3","incident_state":"1","resolved_at":" ","location":" ","due_date":" ","work_start":" ","work_end":" ","work_notes_list":" ","sys_created_on":"2020-07-10 05:13:25","correlation_id":" ","contract":" ","reopened_time":" ","opened_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"close_code":" ","assignment_group":" ","sys_domain":{"link":"https://example.service-now.com/api/now/v1/table/sys_user_group/global","value":"global"},"order":" ","urgency":"1","reopen_count":"0"}
Script result

The following table lists the value for the script result output when usingtheCreate Alert Incident action:

Script result nameValue
is_successtrue orfalse

Create Incident

Use theCreate Incident action to create a new incident in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

TheCreate Incident action requires the following parameters:

ParameterDescription
Short Description

Required.

The short description of the incident.

Impact

Required.

The impact level of the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is1.

Urgency

Required.

The urgency level of the incident.

The possible values are as follows

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is1.

Category

Optional.

The category of the incident.

Assignment Group ID

Optional.

The full name of the group to assign the incident to.

Assigned User ID

Optional.

The full name of the user to assign the incident to.

Description

Optional.

The incident description.

Custom Fields

Optional.

A comma-separated list of field names and their corresponding values to include in the new ServiceNow incident record, in the formatfield_1:value_1,field_2:value_2 (for example,company:ACME,location:London).

You can use this parameter to set values for fields not explicitly listed as action inputs (such as `location` or `priority`).

Action outputs

TheCreate Incident action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theCreate Incident action:

{"sys_tags":" ","user_input":" ","calendar_stc":" ","subcategory":" ","watch_list":" ","follow_up":" ","made_sla":"true","sys_created_by":"admin","sla_due":" ","number":"INC0010005","group_list":" ","reassignment_count":"0","assigned_to":" ","sys_mod_count":"0","notify":"1","resolved_by":" ","upon_reject":"cancel","additional_assignee_list":" ","category":"inquiry","closed_at":" ","parent_incident":" ","cmdb_ci":" ","contact_type":" ","impact":"1","rfc":" ","expected_start":" ","knowledge":"false","sys_updated_by":"admin","caused_by":" ","comments":" ","closed_by":" ","priority":"1","state":"1","sys_id":"ID","opened_at":"2020-07-10 05:13:25","child_incidents":"0","work_notes":" ","delivery_task":" ","short_description":"4187b92c-7aaa-40ec-a032-833dd5a854e6","comments_and_work_notes":" ","time_worked":" ","upon_approval":"proceed","company":" ","business_stc":" ","correlation_display":" ","sys_class_name":"incident","delivery_plan":" ","escalation":"0","description":" ","parent":" ","close_notes":" ","business_duration":" ","problem_id":" ","sys_updated_on":"2020-07-10 05:13:25","approval_history":" ","approval_set":" ","business_service":" ","reopened_by":" ","calendar_duration":" ","caller_id":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"active":"true","approval":"not requested","service_offering":" ","sys_domain_path":"/","hold_reason":" ","activity_due":"2020-07-10 07:13:25","severity":"3","incident_state":"1","resolved_at":" ","location":" ","due_date":" ","work_start":" ","work_end":" ","work_notes_list":" ","sys_created_on":"2020-07-10 05:13:25","correlation_id":" ","contract":" ","reopened_time":" ","opened_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"close_code":" ","assignment_group":" ","sys_domain":{"link":"https://example.service-now.com/api/now/v1/table/sys_user_group/global","value":"global"},"order":" ","urgency":"1","reopen_count":"0"}
Script result

The following table lists the value for the script result output when usingtheCreate Incident action:

Script result nameValue
incident_numberINCIDENT_NUMBER

Create Record

Use theCreate Record action to create new records in different ServiceNowtables.

This action doesn't run on Google SecOps entities.

Action inputs

TheCreate Record action requires the following parameters:

ParameterDescription
Table Name

Optional.

The name of the ServiceNow table where the new record is created (for example,incident).

Object Json Data

Optional.

The JSON object containing the field-value pairs required to define the new record (such as incident fields or CMDB item attributes).

Action outputs

TheCreate Record action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theCreate Record action:

{"sys_tags":" ","user_input":" ","calendar_stc":" ","subcategory":" ","watch_list":" ","follow_up":" ","made_sla":"true","sys_created_by":"admin","sla_due":" ","number":"INC0010021","group_list":" ","reassignment_count":"0","assigned_to":" ","sys_mod_count":"0","notify":"1","resolved_by":" ","upon_reject":"cancel","additional_assignee_list":" ","category":"inquiry","closed_at":" ","parent_incident":" ","cmdb_ci":" ","contact_type":" ","impact":"3","rfc":" ","expected_start":" ","knowledge":"false","sys_updated_by":"admin","caused_by":" ","comments":" ","closed_by":" ","priority":"5","state":"1","sys_id":"ID","opened_at":"2020-07-10 08:24:34","child_incidents":"0","work_notes":" ","delivery_task":" ","short_description":" ","comments_and_work_notes":" ","time_worked":" ","upon_approval":"proceed","company":" ","business_stc":" ","correlation_display":" ","sys_class_name":"incident","delivery_plan":" ","escalation":"0","description":" ","parent":" ","close_notes":" ","business_duration":" ","problem_id":" ","sys_updated_on":"2020-07-10 08:24:34","approval_history":" ","approval_set":" ","business_service":" ","reopened_by":" ","calendar_duration":" ","caller_id":" ","active":"true","approval":"not requested","service_offering":" ","sys_domain_path":"/","hold_reason":" ","activity_due":" ","severity":"3","incident_state":"1","resolved_at":" ","location":" ","due_date":" ","work_start":" ","work_end":" ","work_notes_list":" ","sys_created_on":"2020-07-10 08:24:34","correlation_id":" ","contract":" ","reopened_time":" ","opened_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"close_code":" ","assignment_group":" ","sys_domain":{"link":"https://example.service-now.com/api/now/v1/table/sys_user_group/global","value":"global"},"order":" ","urgency":"3","reopen_count":"0"}
Script result

The following table lists the value for the script result output when usingtheCreate Record action:

Script result nameValue
object_sys_idOBJECT_SYS_ID

Download Attachments

Use theDownload Attachments action to download files and documents that areattached to a specific ServiceNow record to a local folder in yourGoogle SecOps environment.

This action doesn't run on Google SecOps entities.

Action inputs

TheDownload Attachments action requires the following parameters:

ParameterDescription
Table Name

Required.

The name of the ServiceNow table that contains the record to download attachments from (such asincident).

Record Sys ID

Required.

The system ID (sys_id) of the record from which the attachments are downloaded.

Download Folder Path

Required.

The absolute path to the folder in the Google SecOps environment where the downloaded attachments are saved.

Overewrite

Optional.

If selected, the action overwrites files with the same name.

Disabled by default.

Action outputs

TheDownload Attachments action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theDownload Attachments action:

{"result":[{"absolute_file_path":["PATH"]"size_bytes":"187","file_name":"example.txt","sys_mod_count":"1","average_image_color":"","image_width":"","sys_updated_on":"2020-10-19 09:58:39","sys_tags":"","table_name":"problem","sys_id":"SYS_ID","image_height":"","sys_updated_by":"system","download_link":"https://example.service-now.com/api/now/attachment/ID/file","content_type":"text/plain","sys_created_on":"2020-10-19 09:58:38","size_compressed":"172","compressed":"true","state":"available","table_sys_id":"57771d002f002010c518532a2799b6cc","chunk_size_bytes":"700000","hash":"a4fbb8ab71268903845b59724835274ddc66e095de553c5e0c1da8fecd04ee45","sys_created_by":"admin"}]}
Output messages

TheDownload Attachments action can return the following output messages:

Output messageMessage description

Successfully downloaded the following attachments related to the record with Sys IDSYS_ID from tableTABLE_NAME in ServiceNow:FILENAME

Action wasn't able to download the following attachments related to the record with Sys IDSYS_ID from tableTABLE_NAME in ServiceNow:FILENAME

Action wasn't able to download attachments related to the record with Sys IDSYS_ID from tableTABLE_NAME in ServiceNow:FILENAME

The action succeeded.
Error executing action "Download Attachments". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheDownload Attachments action:

Script result nameValue
is_successtrue orfalse

Get Child Incident Details

Use theGet Child Incident Details action to retrieve information aboutchild incidents based on the parent incident in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

TheGet Child Incident Details action requires the following parameters:

ParameterDescription
Parent Incident Number

Required.

The number of the parent incident from which to retrieve the child incident details, in the formatINCINCIDENT_NUMBER.

Max Child Incident To Return

Optional.

The maximum number of child incidents the action returns from the parent incident.

The default value is50.

Action outputs

TheGet Child Incident Details action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableAvailable
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
Case wall table

TheGet Child Incident Details action provides the following table:

Table name:Child Incident Details

Table columns:

  • Sys ID (mapped assys_id)
  • Number (mapped asnumber)
  • Short Description (mapped asshort_description)
  • Created At (mapped assys_created_on)
JSON result

The following example shows the JSON result output received when using theGet Child Incident Details action:

{"result":[{"parent":"","made_sla":"true","caused_by":"","watch_list":"","upon_reject":"cancel","sys_updated_on":"2020-10-20 07:19:11","child_incidents":"0","hold_reason":"","approval_history":"","skills":"","number":"INC0010009","resolved_by":"","sys_updated_by":"admin","opened_by":{"link":"https://example.service-now.com/api/now/table/sys_user/ID","value":"ID"},"user_input":"","sys_created_on":"2020-10-20 07:19:11","sys_domain":{"link":"https://example.service-now.com/api/now/table/sys_user_group/global","value":"global"},"state":"1","sys_created_by":"admin","knowledge":"false","order":"","calendar_stc":"","closed_at":"","cmdb_ci":"","delivery_plan":"","contract":"","impact":"3","active":"true","work_notes_list":"","business_service":"","priority":"5","sys_domain_path":"/","rfc":"","time_worked":"","expected_start":"","opened_at":"2020-10-20 07:18:56","business_duration":"","group_list":"","work_end":"","caller_id":{"link":"https://example.service-now.com/api/now/table/sys_user/ID","value":"ID"},"reopened_time":"","resolved_at":"","approval_set":"","subcategory":"","work_notes":"","short_description":"Assessment :  ATF Assessor","close_code":"","correlation_display":"","delivery_task":"","work_start":"","assignment_group":"","additional_assignee_list":"","business_stc":"","description":"","calendar_duration":"","close_notes":"","notify":"1","service_offering":"","sys_class_name":"incident","closed_by":"","follow_up":"","parent_incident":{"link":"https://example.service-now.com/api/now/table/incident/ID","value":"ID"},"sys_id":"2a100a1c2fc42010c518532a2799b621","contact_type":"","reopened_by":"","incident_state":"1","urgency":"3","problem_id":"","company":"","reassignment_count":"0","activity_due":"","assigned_to":"","severity":"3","comments":"","approval":"not requested","sla_due":"","comments_and_work_notes":"","due_date":"","sys_mod_count":"0","reopen_count":"0","sys_tags":"","escalation":"0","upon_approval":"proceed","correlation_id":"","location":"","category":"inquiry"}]}
Output messages

TheGet Child Incident Details action can return the following outputmessages:

Output messageMessage description

Successfully retrieved information about child incidents related to thePARENT_INCIDENT_NUMBER incident in ServiceNow.

Action wasn't able to retrieve information about the child incidents in ServiceNow. Reason: incidentPARENT_INCIDENT_NUMBER was not found.

No child incidents were found.

The action succeeded.
Error executing action "Get Child Incident Details". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheGet Child Incident Details action:

Script result nameValue
is_successtrue orfalse

Get CMDB Record Details

Use theGet CMDB Record Details action to get detailed CMDB records from thesame class in ServiceNow.

This action doesn't run on Google SecOps entities.

Important: This action requires you to assign theitil role to the user inServiceNow. For more details, seeConfigure user access in ServiceNow.

Action inputs

TheGet CMDB Record Details action requires the following parameters:

ParameterDescription
Class Name

Required.

The name of the CMDB class from which to retrieve records, such ascmdb_ci_appl.

For more information on class names, seeView and edit class definition and metadata.

Sys ID

Required.

A comma-separated list of the system IDs (`sys_id`) of the CMDB records for which to retrieve details.

Max Records To Return

Optional.

The maximum number of record relations to return for each relation type (such asrelates to ordepends on).

The default value is50.

Action outputs

TheGet CMDB Record Details action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theGet CMDB Record Details action:

{"result":{"outbound_relations":[{"sys_id":"56f3a7ad7f701200bee45f19befa910f","type":{"display_value":"Members::Member of","link":"https://example.service-now.com/api/now/table/cmdb_rel_type/ID","value":"ID"},"target":{"display_value":"Example","link":"https://example.service-now.com/api/now/cmdb/instance/cmdb_ci/ID","value":"ID"}}],"attributes":{"attested_date":"","skip_sync":"false","operational_status":"1","caption":"","cluster_type":"","sys_updated_on":"2016-01-06 19:04:07","attestation_score":"","discovery_source":"","first_discovered":"","sys_updated_by":"example.user","cluster_status":"","due_in":"","sys_created_on":"2016-01-06 16:47:15","sys_domain":{"display_value":"global","link":"https://example.service-now.com/api/now/table/sys_user_group/global","value":"global"},"install_date":"","invoice_number":"","gl_account":"","sys_created_by":"example.user","warranty_expiration":"","cluster_version":"","asset_tag":"","fqdn":"","change_control":"","owned_by":"","checked_out":"","sys_domain_path":"/","delivery_date":"","maintenance_schedule":"","install_status":"1","cost_center":"","attested_by":"","supported_by":"","dns_domain":"","name":"SAP-LB-Win-Cluster","assigned":"","purchase_date":"","subcategory":"Cluster","short_description":"","assignment_group":"","managed_by":"","managed_by_group":"","last_discovered":"","can_print":"false","sys_class_name":"cmdb_ci_win_cluster","manufacturer":"","sys_id":"SYS_ID","cluster_id":"","po_number":"","checked_in":"","sys_class_path":"/!!/!5/!$","vendor":"","mac_address":"","company":"","model_number":"","justification":"","department":"","assigned_to":"","start_date":"","cost":"","comments":"","sys_mod_count":"1","serial_number":"","monitor":"false","model_id":"","ip_address":"","duplicate_of":"","sys_tags":"","cost_cc":"USD","support_group":"","order_date":"","schedule":"","environment":"","due":"","attested":"false","unverified":"false","correlation_id":"","attributes":"","location":"","asset":"","category":"Resource","fault_count":"0","lease_id":""},"inbound_relations":[{"sys_id":"3b3d95297f701200bee45f19befa910c","type":{"display_value":"Depends on::Used by","link":"https://example.service-now.com/api/now/table/cmdb_rel_type/ID","value":"ID"},"target":{"display_value":"IP-Router-3","link":"https://example.service-now.com/api/now/cmdb/instance/cmdb_ci/ID","value":"ID"}}]}}
Output messages

TheGet CMDB Record Details action can return the following output messages:

Output messageMessage description

Successfully returned details for CMDB records in the ClassCLASS_NAME from ServiceNow for the following Sys IDs:SYS_ID_LIST.

Action wasn't able to return details for CMDB records in the ClassCLASS_NAME from ServiceNow for the following Sys IDs:SYS_ID_LIST

Action wasn't able to return details for CMDB records in the ClassCLASS_NAME in ServiceNow. Reason: ClassCLASS_NAME was not found.

Action wasn't able to return details for CMDB record with Sys IDSYS_ID in the ClassCLASS_NAME in Service Now. Reason: Record with Sys IDSYS_ID was not found in ClassCLASS_NAME.

Information about the provided Sys IDs was not found.

The action succeeded.
Error executing action "Get CMDB Record Details". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheGet CMDB Record Details action:

Script result nameValue
is_successtrue orfalse

Get Incident

Use theGet Incident action to retrieve information about a ServiceNowincident.

This action doesn't run on Google SecOps entities.

Action inputs

TheGet Incident action requires the following parameters:

ParameterDescription
Incident Number

Required.

The unique identifier of the ServiceNow incident to retrieve, in the formatINCINCIDENT_NUMBER.

Action outputs

TheGet Incident action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theGet Incident action:

{"sys_tags":" ","user_input":" ","calendar_stc":"2012","subcategory":" ","watch_list":" ","follow_up":" ","made_sla":"true","sys_created_by":"admin","sla_due":" ","number":"INC0010041","group_list":" ","reassignment_count":"0","assigned_to":" ","sys_mod_count":"10","notify":"1","resolved_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"upon_reject":"cancel","additional_assignee_list":" ","category":"inquiry","closed_at":"2020-07-10 12:53:06","parent_incident":" ","cmdb_ci":" ","contact_type":" ","impact":"1","rfc":" ","expected_start":" ","knowledge":"false","sys_updated_by":"admin","caused_by":" ","comments":" ","closed_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"priority":"1","state":"7","sys_id":"SYS_ID","opened_at":"2020-07-10 12:18:04","child_incidents":"0","work_notes":" ","delivery_task":" ","short_description":"sdf","comments_and_work_notes":" ","time_worked":" ","upon_approval":"proceed","company":" ","business_stc":"0","correlation_display":" ","sys_class_name":"incident","delivery_plan":" ","escalation":"0","description":" ","parent":" ","close_notes":"Closed by Caller","business_duration":"1970-01-01 00:00:00","problem_id":" ","sys_updated_on":"2020-07-10 13:13:57","approval_history":" ","approval_set":" ","business_service":" ","reopened_by":" ","calendar_duration":"1970-01-01 00:35:02","caller_id":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"active":"false","approval":"not requested","service_offering":" ","sys_domain_path":"/","hold_reason":" ","activity_due":"2020-07-10 14:33:28","severity":"3","incident_state":"7","resolved_at":"2020-07-10 12:53:06","location":" ","due_date":" ","work_start":" ","work_end":" ","work_notes_list":" ","sys_created_on":"2020-07-10 12:18:04","correlation_id":" ","contract":" ","reopened_time":" ","opened_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"close_code":"Closed/Resolved by Caller","assignment_group":" ","sys_domain":{"link":"https://example.service-now.com/api/now/v1/table/sys_user_group/global","value":"global"},"order":" ","urgency":"1","reopen_count":"0"}
Script result

The following table lists the value for the script result output when usingtheGet Incident action:

Script result nameValue
incident_numberINCIDENT_NUMBER

Get Oauth Token

Use theGet Oauth Token action to get an OAuth refresh token for ServiceNow.

This action doesn't run on Google SecOps entities.

Note:

This action requires you to set the followingintegration parameters:

  • Username
  • Password
  • Client ID
  • Client Secret

Action inputs

None.

Action outputs

TheGet Oauth Token action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theGet Oauth Token action:

{"access_token":"Na4Kb1oWpFcYNUnyAjsYldiTMxYF1Cz79Q","refresh_token":"0ryCENbbvfggZbNG9rFFd8_C8X0UgAQSMQkPJNStGwEEt0qNt-F1lw","scope":"useraccount","token_type":"Bearer","expires_in":1799}
Output messages

TheGet Oauth Token action can return the following output messages:

Output messageMessage description
Successfully generated Oauth tokens for ServiceNow. Now navigate to the configuration tab and put "refresh_token" value in the "Refresh Token" parameter. Note: "Username" and "Password" parameters can be emptied.The action succeeded.
Error executing action "Get Oauth Token". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheGet Oauth Token action:

Script result nameValue
is_successtrue orfalse

Get Record Details

Use theGet Record Details action to retrieve information about specifictable records in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

TheGet Record Details action requires the following parameters:

ParameterDescription
Table Name

Required.

The name of the ServiceNow table that contains the record to retrieve information from (such asincident).

Record Sys ID

Required.

The system ID (sys_id) of the specific ServiceNow record for which to retrieve details.

Fields

Optional.

A comma-separated list of specific fields (columns) to return from the retrieved record (such assys_id,number,short_description).

If no value is provided, the action returns the default fields for the record.

Action outputs

TheGet Record Details action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theGet Record Details action:

{"result":[{"parent":"","made_sla":"true","caused_by":"","watch_list":"","upon_reject":"cancel","sys_updated_on":"2020-10-20 07:19:11","child_incidents":"0","hold_reason":"","approval_history":"","skills":"","number":"INC0010009","resolved_by":"","sys_updated_by":"admin","opened_by":{"link":"https://example.service-now.com/api/now/table/sys_user/ID","value":"ID"},"user_input":"","sys_created_on":"2020-10-20 07:19:11","sys_domain":{"link":"https://example.service-now.com/api/now/table/sys_user_group/global","value":"global"},"state":"1","sys_created_by":"admin","knowledge":"false","order":"","calendar_stc":"","closed_at":"","cmdb_ci":"","delivery_plan":"","contract":"","impact":"3","active":"true","work_notes_list":"","business_service":"","priority":"5","sys_domain_path":"/","rfc":"","time_worked":"","expected_start":"","opened_at":"2020-10-20 07:18:56","business_duration":"","group_list":"","work_end":"","caller_id":{"link":"https://example.service-now.com/api/now/table/sys_user/ID","value":"ID"},"reopened_time":"","resolved_at":"","approval_set":"","subcategory":"","work_notes":"","short_description":"Assessment :  ATF Assessor","close_code":"","correlation_display":"","delivery_task":"","work_start":"","assignment_group":"","additional_assignee_list":"","business_stc":"","description":"","calendar_duration":"","close_notes":"","notify":"1","service_offering":"","sys_class_name":"incident","closed_by":"","follow_up":"","parent_incident":{"link":"https://example.service-now.com/api/now/table/incident/ID","value":"ID"},"sys_id":"SYS_ID","contact_type":"","reopened_by":"","incident_state":"1","urgency":"3","problem_id":"","company":"","reassignment_count":"0","activity_due":"","assigned_to":"","severity":"3","comments":"","approval":"not requested","sla_due":"","comments_and_work_notes":"","due_date":"","sys_mod_count":"0","reopen_count":"0","sys_tags":"","escalation":"0","upon_approval":"proceed","correlation_id":"","location":"","category":"inquiry"}]}
Output messages

TheGet Record Details action can return the following output messages:

Output messageMessage description

Successfully retrieved information about theTABLE_NAME record with a Sys IDRECORD_SYS_ID in ServiceNow.

Action wasn't able to retrieve information about theTABLE_NAME record with a Sys IDRECORD_SYS_ID in ServiceNow. Reason:ERROR_REASON.

The action succeeded.
Error executing action "Get Record Details". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheGet Record Details action:

Script result nameValue
is_successtrue orfalse

Get User Details

Use theGet User Details action to retrieve information about the userusing thesys_id parameter in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

TheGet User Details action requires the following parameters:

ParameterDescription
User Sys IDs

Optional.

A comma-separated list of the system IDs corresponding to the users for whom to retrieve details (such assys_id_1,sys_id_2).

Emails

Optional.

A comma-separated list of email addresses corresponding to the users for whom to retrieve details (such asemail1@example.com,email2@example.com).

Action outputs

TheGet User Details action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableAvailable
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
Case wall table

TheGet User Details action provides the following table:

Table name:User Details

Table columns:

  • Sys ID (mapped assys_id)
  • Name (mapped asname)
  • Username (mapped asuser_name)
  • Email (mapped asemail)
JSON result

The following example shows the JSON result output received when using theGet User Details action:

{"result":[{"calendar_integration":"1","country":"","last_position_update":"","user_password":"example","last_login_time":"","source":"","sys_updated_on":"2020-08-29 02:42:42","building":"","web_service_access_only":"false","notification":"2","enable_multifactor_authn":"false","sys_updated_by":"user@example","sys_created_on":"2012-02-18 03:04:52","agent_status":"","sys_domain":{"link":"https://example.service-now.com/api/now/table/sys_user_group/global","value":"global"},"state":"","vip":"false","sys_created_by":"admin","longitude":"","zip":"","home_phone":"","time_format":"","last_login":"","default_perspective":"","geolocation_tracked":"false","active":"true","sys_domain_path":"/","cost_center":{"link":"https://example.service-now.com/api/now/table/cmn_cost_center/ID","value":"ID"},"phone":"","name":"Example User","employee_number":"","password_needs_reset":"false","gender":"Male","city":"","failed_attempts":"","user_name":"example.user","latitude":"","roles":"","title":"","sys_class_name":"sys_user","sys_id":"SYS_ID","internal_integration_user":"false","ldap_server":"","mobile_phone":"","street":"","company":{"link":"https://example.service-now.com/api/now/table/core_company/ID","value":"ID"},"department":{"link":"https://dev98773.service-now.com/api/now/table/cmn_department/ID","value":"ID"},"first_name":"Example","email":"example@example.com","introduction":"","preferred_language":"","manager":"","business_criticality":"3","locked_out":"false","sys_mod_count":"4","last_name":"User","photo":"","avatar":"063e38383730310042106710ce41f13b","middle_name":"","sys_tags":"","time_zone":"","schedule":"","on_schedule":"","date_format":"","location":{"link":"https://example.service-now.com/api/now/table/cmn_location/ID","value":"ID"}}]}
Output messages

TheGet User Details action can return the following output messages:

Output messageMessage description

Successfully retrieved information about users from ServiceNow with the following Sys IDs:SYS_ID_LIST.

Action wasn't able to retrieve information about the users in ServiceNow with the following Sys IDs:SYS_ID_LIST.

Information about the users with specified Sys IDs was not found in ServiceNow.

The action succeeded.
Error executing action "Get User Details". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheGet User Details action:

Script result nameValue
is_successtrue orfalse

List CMDB Records

Use theList CMDB Records action to list CMDB records from the same classin ServiceNow.

This action doesn't run on Google SecOps entities.

Important: This action requires you to assign theitil role to the user inServiceNow. For more details, go toConfigure user access in ServiceNow.

Generating the query filter

TheQuery Filter parameter accepts standard ServiceNow encoded query strings (sysparm_query). You can generate these strings directly within the ServiceNow interface (for example, by creating a filter on a list view and selectingCopy query) or by constructing them manually.

For instructions on how to generate and use these strings, seeEncoded query strings in the ServiceNow documentation.

Action inputs

TheList CMDB Records action requires the following parameters:

ParameterDescription
Class Name

Required.

The name of the CMDB class from which to retrieve records, such ascmdb_ci_appl.

For more information on ServiceNow class names, seeView and edit class definition and metadata.

Query Filter

Optional.

The encoded query string used to filter the records returned (such assys_idLIKE1^sys_idSTARTSWITH0).

You can generate valid query strings using theCopy query option in ServiceNow list views. For more information, seeEncoded query strings.

Max Records To Return

Optional.

The maximum number of records to retrieve based on the applied filters.

The default value is50.

Action outputs

TheList CMDB Records action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableAvailable
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
Case wall table

TheList CMDB Records action provides the following table:

Table name:CLASS_NAME Records

Table columns:

  • Name (mapped asname)
  • Sys ID (mapped assys_id)
JSON result

The following example shows the JSON result output received when using theList CMDB Records action:

{"result":[{"sys_id":"SYS_ID","name":"Example server"}]}
Output messages

TheList CMDB Records action can return the following output messages:

Output messageMessage description

Successfully listed CMDB records for the ClassCLASS_NAME in ServiceNow.

Action wasn't able to list CMDB records for the ClassCLASS_NAME in ServiceNow. Reason: ClassCLASS_NAME was not found in Service Now.".format(Class name)

The action succeeded.
Error executing action "List CMDB Records". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheList CMDB Records action:

Script result nameValue
is_successtrue orfalse

List Record Comments

Use theList Record Comments action to list comments related to a specifictable record in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

TheList Record Comments action requires the following parameters:

ParameterDescription
Table Name

Required.

The name of the ServiceNow table that contains the record for which to list comments (such asincident).

Record Sys ID

Required.

The system ID (sys_id) of the record for which to list comments.

Type

Required.

The type of comments or notes to retrieve.

The possible values are as follows:

  • Comment
  • Work Note

The default value isComment.

Max Results To Return

Optional.

The maximum number of comments or work notes to return.

The default value is50.

Action outputs

TheList Record Comments action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theList Record Comments action:

{"sys_id":"SYS_ID","sys_created_on":"2021-09-03 10:29:48","name":"incident","element_id":"552c48888c033300964f4932b03eb092","sys_tags":"","value":"test","sys_created_by":"admin","element":"comments"}
Output messages

TheList Record Comments action can return the following output messages:

Output messageMessage description

Successfully returnedCONTENT_TYPE related to TABLE_NAME with Sys IDSYS_ID in ServiceNow.

No CONTENT_TYPE were found forTABLE_NAME with Sys IDSYS_ID in ServiceNow.

The action succeeded.
Error executing action "List Record Comments". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheList Record Comments action:

Script result nameValue
is_successtrue orfalse

List Records Related To User

Use theList Records Related To User action to list records from a tablethat are related to a user in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

TheList Records Related To User action requires the following parameters:

ParameterDescription
Table Name

Required.

The name of the ServiceNow table to search for related records (such asincident).

Usernames

Required.

A comma-separated list of usernames for which to retrieve the related records.

Max Days Backwards

Required.

The number of days back from the current date to search for related records.

The default value is1.

Max Records To Return

Optional.

The maximum number of records to return for every user.

The default value is50.

Action outputs

TheList Records Related To User action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theList Records Related To User action:

{"result":[{"parent":"","made_sla":"true","caused_by":"","watch_list":"","upon_reject":"cancel","sys_updated_on":"2020-10-19 14:18:40","child_incidents":"0","hold_reason":"","approval_history":"","skills":"","number":"INC0010008","resolved_by":"","sys_updated_by":"admin","opened_by":{"link":"https://example.service-now.com/api/now/table/sys_user/ID","value":"ID"},"user_input":"","sys_created_on":"2020-10-19 14:18:40","sys_domain":{"link":"https://example.service-now.com/api/now/table/sys_user_group/global","value":"global"},"state":"1","sys_created_by":"admin","knowledge":"false","order":"","calendar_stc":"","closed_at":"","cmdb_ci":"","delivery_plan":"","contract":"","impact":"3","active":"true","work_notes_list":"","business_service":"","priority":"5","sys_domain_path":"/","rfc":"","time_worked":"","expected_start":"","opened_at":"2020-10-19 14:18:20","business_duration":"","group_list":"","work_end":"","caller_id":{"link":"https://example.service-now.com/api/now/table/sys_user/ID","value":"ID"},"reopened_time":"","resolved_at":"","approval_set":"","subcategory":"","work_notes":"","short_description":"TEST","close_code":"","correlation_display":"","delivery_task":"","work_start":"","assignment_group":"","additional_assignee_list":"","business_stc":"","description":"","calendar_duration":"","close_notes":"","notify":"1","service_offering":"","sys_class_name":"incident","closed_by":"","follow_up":"","parent_incident":"","sys_id":"SYS_ID","contact_type":"","reopened_by":"","incident_state":"1","urgency":"3","problem_id":"","company":{"link":"https://example.service-now.com/api/now/table/core_company/ID","value":"ID"},"reassignment_count":"0","activity_due":"","assigned_to":"","severity":"3","comments":"","approval":"not requested","sla_due":"","comments_and_work_notes":"","due_date":"","sys_mod_count":"0","reopen_count":"0","sys_tags":"","escalation":"0","upon_approval":"proceed","correlation_id":"","location":"","category":"inquiry"}]}
Output messages

TheList Records Related To User action can return the following outputmessages:

Output messageMessage description

Successfully retrieved related records from the tableTABLE_NAME in ServiceNow for the following users: USERNAME_LIST.

Action wasn't able to retrieve related records from the tableTABLE_NAME in ServiceNow for the following users: USERNAME_LIST.

No related table records were retrieved for the provided users.

The action succeeded.
Error executing action "List Records Related To User". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheList Records Related To User action:

Script result nameValue
is_successtrue orfalse

Ping

Use thePing action to test the connectivity to ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

ThePing action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultNot available
Output messagesAvailable
Script resultAvailable
Script result

The following table lists the value for the script result output when usingthePing action:

Script result nameValue
is_successtrue orfalse

Update Incident

Use theUpdate Incident action to update the incident information.

This action doesn't run on Google SecOps entities.

Important: To run this action, you must assign thesn_incident_write role tothe user in ServiceNow. For more details, go toConfigure user access in ServiceNow.

Action inputs

TheUpdate Incident action requires the following parameters:

ParameterDescription
Incident Number

Required.

The unique identifier of the ServiceNow incident to update, in the formatINCINCIDENT_NUMBER.

Short Description

Optional.

A short description for the incident.

Impact

Optional.

An impact level for the incident.

The possible values are as follows:

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is1.

Urgency

Optional.

An urgency level for the incident.

The possible values are as follows

  • 1 for High
  • 2 for Medium
  • 3 for Low

The default value is1.

Category

Optional.

A category for the incident.

Assignment Group ID

Optional.

The full name of a group to assign the incident to.

Assigned User ID

Optional.

The full name of a user to assign the incident to.

Description

Optional.

The description for the incident.

Incident State

Optional.

A status name or status ID for the incident (such asNew orIn Progress).

Custom Fields

Optional.

A comma-separated list of field names and their corresponding values to update, in the formatfield_1:value_1,field_2:value_2 (such ascompany:ACME,location:London).

You can use this parameter to modify fields not explicitly defined as action inputs (such aslocation orpriority).

Action outputs

TheUpdate Incident action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultNot available
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theUpdate Incident action:

{"sys_tags":" ","user_input":" ","calendar_stc":"2012","subcategory":" ","watch_list":" ","follow_up":" ","made_sla":"true","sys_created_by":"admin","sla_due":" ","number":"INC0010041","group_list":" ","reassignment_count":"0","assigned_to":" ","sys_mod_count":"10","notify":"1","resolved_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"upon_reject":"cancel","additional_assignee_list":" ","category":"inquiry","closed_at":"2020-07-10 12:53:06","parent_incident":" ","cmdb_ci":" ","contact_type":" ","impact":"1","rfc":" ","expected_start":" ","knowledge":"false","sys_updated_by":"admin","caused_by":" ","comments":" ","closed_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"priority":"1","state":"7","sys_id":"SYS_ID","opened_at":"2020-07-10 12:18:04","child_incidents":"0","work_notes":" ","delivery_task":" ","short_description":"sdf","comments_and_work_notes":" ","time_worked":" ","upon_approval":"proceed","company":" ","business_stc":"0","correlation_display":" ","sys_class_name":"incident","delivery_plan":" ","escalation":"0","description":" ","parent":" ","close_notes":"Closed by Caller","business_duration":"1970-01-01 00:00:00","problem_id":" ","sys_updated_on":"2020-07-10 13:13:57","approval_history":" ","approval_set":" ","business_service":" ","reopened_by":" ","calendar_duration":"1970-01-01 00:35:02","caller_id":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"active":"false","approval":"not requested","service_offering":" ","sys_domain_path":"/","hold_reason":" ","activity_due":"2020-07-10 14:33:28","severity":"3","incident_state":"7","resolved_at":"2020-07-10 12:53:06","location":" ","due_date":" ","work_start":" ","work_end":" ","work_notes_list":" ","sys_created_on":"2020-07-10 12:18:04","correlation_id":" ","contract":" ","reopened_time":" ","opened_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"close_code":"Closed/Resolved by Caller","assignment_group":" ","sys_domain":{"link":"https://example.service-now.com/api/now/v1/table/sys_user_group/global","value":"global"},"order":" ","urgency":"1","reopen_count":"0"}
Script result

The following table lists the value for the script result output when usingtheUpdate Incident action:

Script result nameValue
incident_numberINCIDENT_NUMBER

Update Record

Use theUpdate Record action to modify existing records belonging to varioustables in ServiceNow.

This action doesn't run on Google SecOps entities.

Action inputs

TheUpdate Record action requires the following parameters:

ParameterDescription
Table Name

Optional.

The name of the ServiceNow table that contains the record to update (such asincident).

Object Json Data

Required.

A JSON object containing the field-value pairs to apply to the record (such as{"short_description": "Updated description"}).

Record Sys ID

Required.

The system ID (sys_id) of the specific record to update.

Action outputs

TheUpdate Record action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theUpdate Record action:

{"sys_tags":" ","user_input":" ","calendar_stc":" ","subcategory":" ","watch_list":" ","follow_up":" ","made_sla":"true","sys_created_by":"admin","sla_due":" ","number":"INC0010021","group_list":" ","reassignment_count":"0","assigned_to":" ","sys_mod_count":"0","notify":"1","resolved_by":" ","upon_reject":"cancel","additional_assignee_list":" ","category":"inquiry","closed_at":" ","parent_incident":" ","cmdb_ci":" ","contact_type":" ","impact":"3","rfc":" ","expected_start":" ","knowledge":"false","sys_updated_by":"admin","caused_by":" ","comments":" ","closed_by":" ","priority":"5","state":"1","sys_id":"SYS_ID","opened_at":"2020-07-10 08:24:34","child_incidents":"0","work_notes":" ","delivery_task":" ","short_description":" ","comments_and_work_notes":" ","time_worked":" ","upon_approval":"proceed","company":" ","business_stc":" ","correlation_display":" ","sys_class_name":"incident","delivery_plan":" ","escalation":"0","description":" ","parent":" ","close_notes":" ","business_duration":" ","problem_id":" ","sys_updated_on":"2020-07-10 08:24:34","approval_history":" ","approval_set":" ","business_service":" ","reopened_by":" ","calendar_duration":" ","caller_id":" ","active":"true","approval":"not requested","service_offering":" ","sys_domain_path":"/","hold_reason":" ","activity_due":" ","severity":"3","incident_state":"1","resolved_at":" ","location":" ","due_date":" ","work_start":" ","work_end":" ","work_notes_list":" ","sys_created_on":"2020-07-10 08:24:34","correlation_id":" ","contract":" ","reopened_time":" ","opened_by":{"link":"https://example.service-now.com/api/now/v1/table/sys_user/ID","value":"ID"},"close_code":" ","assignment_group":" ","sys_domain":{"link":"https://example.service-now.com/api/now/v1/table/sys_user_group/global","value":"global"},"order":" ","urgency":"3","reopen_count":"0"}
Script result

The following table lists the value for the script result output when usingtheUpdate Record action:

Script result nameValue
record_sys_idRECORD_SYS_ID

Wait For Comments

Use theWait For Comments action to pause the playbook execution until acomment or work note is added to a specific table record in ServiceNow.

Note: This action operates asynchronously. You should adjust the script timeoutvalue in the Google SecOps IDE if the expected wait time for acomment exceeds the default timeout.

This action doesn't run on Google SecOps entities.

Action inputs

TheWait For Comments action requires the following parameters:

ParameterDescription
Table Name

Required.

The name of the ServiceNow table that contains the record from which to wait for comments (such asincident).

Record Sys ID

Required.

The system ID (sys_id) of the record to monitor for comments.

Type

Required.

The type of comments or notes the action should wait for.

The possible values are as follows:

  • Comment
  • Work Note

The default value isComment.

Wait Mode

Required.

The condition that determines when the action stops waiting and proceeds.

The possible values are as follows:

  • Until Timeout: The action waits for the entire timeout period and then returns all accumulated comments.
  • Until First Message: The action waits until the first new comment or work note is posted after the action starts.
  • Until Specific Text: The action waits until a comment or work note containing the text specified inText is posted.Note: If selected, you must also setText.

The default value isUntil Timeout.

Text

Optional.

The specific string of text the action waits for within a new comment or work note.

This parameter is only used whenUntil Specific Text is selected for the value ofWait Mode.

Action outputs

TheWait For Comments action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultAvailable
Output messagesAvailable
Script resultAvailable
JSON result

The following example shows the JSON result output received when using theWait For Comments action:

{"sys_id":"SYS_ID","sys_created_on":"2021-09-03 10:29:48","name":"incident","element_id":"552c48888c033300964f4932b03eb092","sys_tags":"","value":"test","sys_created_by":"admin","element":"comments"}
Output messages

TheWait For Comments action can return the following output messages:

Output messageMessage description

Successfully returned CONTENT_TYPE related toTABLE_NAME with Sys IDSYS_ID in ServiceNow.

No newCONTENT_TYPE were added during the timeframe of action execution toTABLE_NAME with Sys IDSYS_ID in ServiceNow.

The action succeeded.
Error executing action "Wait For Comments". Reason:ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when usingtheWait For Comments action:

Script result nameValue
is_successtrue orfalse

Wait for Field Update

Use theWait for Field Update action to pause the playbook execution until aspecific field in a ServiceNow data record is updated to one of the expectedvalues.

This action doesn't run on Google SecOps entities.

Action inputs

TheWait for Field Update action requires the following parameters:

ParameterDescription
Table Name

Required.

The name of the ServiceNow table that contains the record to monitor (such asincident).

Record Sys ID

Required.

The system ID (sys_id) of the record to monitor for the field update.

Field - Column Name

Required.

The name of the column (field) that the action monitors for changes.

Field - Values

Required.

A comma-separated list of values that, if found in the monitored field, causes the action to stop waiting and proceed (such asIn Progress,Resolved).

Action outputs

TheWait for Field Update action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultNot available
Output messagesAvailable
Script resultAvailable
Script result

The following table lists the value for the script result output when usingtheWait for Field Update action:

Script result nameValue
updated_fieldUPDATED_FIELD

Wait for Status Update

Use theWait for Status Update action to pause the playbook execution untila specific ServiceNow incident status (state) is updated to one of the expectedvalues.

This action doesn't run on Google SecOps entities.

Action inputs

TheWait for Status Update action requires the following parameters:

ParameterDescription
Incident Number

Required.

The unique identifier of the ServiceNow incident to monitor, in the formatINCINCIDENT_NUMBER.

Statuses

Required.

A comma-separated list of incident statuses (states) that, if reached, cause the action to stop waiting and proceed (such asIn Progress,Resolved).

Action outputs

TheWait for Status Update action provides the following outputs:

Action output typeAvailability
Case wall attachmentNot available
Case wall linkNot available
Case wall tableNot available
Enrichment tableNot available
JSON resultNot available
Output messagesAvailable
Script resultAvailable
Script result

The following table lists the value for the script result output when usingtheWait for Status Update action:

Script result nameValue
new_statusSTATUS

Connectors

To learn more about configuring connectors in Google SecOps,seeIngest your data (connectors).Note: To prevent data loss, connectors utilizeEvent Flattening. If a raw alert contains a list of entities (such as multiple email addresses, hostnames, or IP addresses), connectors automatically flatten them into separate, unique events.

For example, a single raw alert containing three different email addresses is ingested as three separate events, each containing one distinct email address.

This process ensures that every entity is correctly indexed as a unique asset, making it fully searchable and actionable in playbooks.

ServiceNow Connector

Use theServiceNow Connector to retrieve incidents from ServiceNow.

Note: This connector supports proxies, dynamic lists, and blocklists.

Working with the dynamic query list

In theServiceNow Connector, the dynamic list modifies thesysparm_querythat the connector uses to query ServiceNow. This provides the ability to filterrecords based on any supported field for the record type.

To define a filter, configure each dynamic list item to contain one field-valuepair in the following format:FIELD_NAME=VALUE.

For example:category=security.

WhenUse whitelist as a blacklist is enabled, the connector inverts the querylogic, causing the dynamic list to function as a blocklist instead of as afilter.

Connector inputs

TheServiceNow Connector requires the following parameters:

ParameterDescription
Product Field Name

Required.

The name of the field where the product name is stored.

The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.

The default value isProduct Name.

Event Field Name

Required.

The name of the field that determines the event name (subtype).

The default value issys_class_name.

Rule Generator

Optional.

The name of the field whose value defines the specific query or rule set to apply during record retrieval.

Api Root

Required.

The API root of the ServiceNow instance.

The default value ishttps://INSTANCE.service-now.com/api/now/v1/.

Username

Required.

The username of the ServiceNow account.

Password

Required.

The password of the ServiceNow account.

Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting tothe ServiceNow server.

Enabled by default.

Days Backwards

Optional.

The number of days back from the current time to retrieve records.

This parameter is used for the initial connector run, or as a fallback value if a previous connector timestamp has expired.

The default value is5.

Max Incidents Per Cycle

Optional.

The maximum number of incidents to retrieve during each connector iteration.

The default value is10.

Environments Whitelist

Optional.

A comma-separated list of environments (domains) for the connector to ingest into Google SecOps, such asenv1,env2.

Use whitelist as a blacklist

Optional.

If selected, the connector uses the dynamic list as a blocklist.

Disabled by default.

PythonProcessTimeout

Required.

The timeout limit, in seconds, for the Python process that runs thecurrent script.

The default value is60.

Incident Table

Optional.

The API table name or path to use for incident-related actions and record retrieval.

By default, the integration uses thetable/incident path.

Client ID

Optional.

The client ID for the ServiceNow integration, required for OAuth 2.0 authentication using client credentials.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Client Secret

Optional.

The client secret for the ServiceNow integration, required for OAuth 2.0 authentication using client credentials.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Refresh Token

Optional.

The refresh token for the ServiceNow integration, required for OAuth 2.0 authentication using a refresh token.

This configured refresh token expires every 90 days.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Assignment Group

Optional.

The name of the assignment group whose records the connector should ingest.

Use Oauth Authentication

Optional.

If selected, the integration uses OAuth 2.0 to authenticate.

OAuth 2.0 authentication requires setting either the client credentials (Client ID andClient Secret) orRefresh Token.

Disabled by default.

Server Time Zone

Optional.

The time zone configured on the ServiceNow server (such asUTC orAsia/Jerusalem).

The default value isUTC.

Table Name

Optional.

The name of the table to retrieve records from, such asincident.

Event Name

Optional.

The name of the Google SecOps event created when a record is ingested (such asServiceNowEvent).

Proxy Server Address

Optional.

The address of the proxy server to use.

Proxy Username

Optional.

The proxy username to authenticate with.

Proxy Password

Optional.

The proxy password to authenticate with.

Get User Information

Optional.

If selected, the connector additionally retrieves the information about users that are related to the incident.

Disabled by default.

Jobs

For more information on jobs, seeConfigure a new job andAdvanced scheduling.

ServiceNow - Sync Closed Incidents

Use theServiceNow - Sync Closed Incidents job to synchronize closed ServiceNow incidentswith corresponding Google SecOps alerts and cases.

This job processes ServiceNow incidents ingested as alerts and cases containingtheServiceNow tag and aTICKET_ID context value with the incident number.

Job parameters

TheServiceNow - Sync Closed Incidents job requires the following parameters:

ParameterDescription
Api Root

Required.

The API root of the ServiceNow instance.

The default value ishttps://INSTANCE.service-now.com/api/now/v1/.

Username

Required.

The username of the ServiceNow instance.

Password

Required.

The password of the ServiceNow instance.

Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting tothe ServiceNow server.

Enabled by default.

Client ID

Optional.

The client ID for the ServiceNow integration, required for OAuth 2.0 authentication using client credentials.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Client Secret

Optional.

The client secret for the ServiceNow integration, required for OAuth 2.0 authentication using client credentials.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Refresh Token

Optional.

The refresh token for the ServiceNow integration, required for OAuth 2.0 authentication using a refresh token.

This configured refresh token expires every 90 days.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Use Oauth Authentication

Optional.

If selected, the integration uses OAuth 2.0 to authenticate.

OAuth 2.0 authentication requires setting either the client credentials (Client ID andClient Secret) orRefresh Token.

Disabled by default.

Max Hours Backwards

Optional.

The number of hours back from the current time to search for and synchronize closed incidents.

The default value is24.

Table Name

Required.

The name of the database table to search for closed incidents (such asincident).

ServiceNow - Sync Incidents

Use theServiceNow - Sync Incidents job to synchronize ServiceNow incident fields andattachments with related cases and alerts in Google SecOps.

Important: To run this job, the ServiceNow integration user must have the ITIL(itil) role.

For more information, seeBase system rolesin the ServiceNow documentation.

Job requirements

For the job to function correctly, make sure the following are configuredon the Google SecOps case or alert (depending on theSync Levelparameter):

  • Tag: The case must have theServiceNow Incident Sync tag.

  • Context value: The case or alert must have aTICKET_ID context keycontaining a comma-separated list of ServiceNow incident numbers (for example,INC0000050,INC0000051).Note: You can set theTICKET_ID context value using theSet Scope Context Valueaction from the Siemplify Utilities integration.

Job parameters

TheServiceNow - Sync Incidents job requires the following parameters:

ParameterDescription
Api Root

Required.

The API root of the ServiceNow instance.

The default value ishttps://INSTANCE.service-now.com/api/now/v1/.

Username

Required.

The username of the ServiceNow instance.

Password

Required.

The password of the ServiceNow instance.

Sync Level

Required.

The level at which the job synchronizes data.

The possible values are as follows:

  • Case
  • Alert

The default value isCase.

Max Hours Backwards

Required.

The maximum number of hours back from the current time to search for cases to synchronize.

The default value is24.

Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting tothe ServiceNow server.

Enabled by default.

Sync Table Record Comments

Use theSync Table Record Comments job to synchronize comments betweenServiceNow table records and Google SecOps cases.

Job parameters

TheSync Table Record Comments job requires the following parameters:

ParameterDescription
Api Root

Required.

The API root of the ServiceNow instance.

The default value ishttps://INSTANCE.service-now.com/api/now/v1/.

Username

Required.

The username of the ServiceNow instance.

Password

Required.

The password of the ServiceNow instance.

Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting tothe ServiceNow server.

Enabled by default.

Client ID

Optional.

The client ID for the ServiceNow integration, required for OAuth 2.0 authentication using client credentials.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Client Secret

Optional.

The client secret for the ServiceNow integration, required for OAuth 2.0 authentication using client credentials.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Refresh Token

Optional.

The refresh token for the ServiceNow integration, required for OAuth 2.0 authentication using a refresh token.

This configured refresh token expires every 90 days.

You can authenticate using either the refresh token or client credentials. If both the refresh token and client credentials are configured, the integration uses the refresh token for authentication.

Use Oauth Authentication

Optional.

If selected, the integration uses OAuth 2.0 to authenticate.

OAuth 2.0 authentication requires setting either the client credentials (Client ID andClient Secret) orRefresh Token.

Disabled by default.

Table Name

Required.

The name of the ServiceNow table to search for records to synchronize comments from (such asincident).

Sync table record comments by tag

Use theSync Table Record Comments By Tag job to synchronize commentsbetween ServiceNow table records and Google SecOps cases.

Job requirements

For the job to function correctly, the Google SecOps case mustpossess the following two tags:

  • ServiceNowTABLE_NAME (where<var class="readonly">TABLE_NAME</var> is the name of the ServiceNow table,such asincident).

  • ServiceNow TicketId:TICKET_ID (where<var class="readonly">TICKET_ID</var> is the corresponding record's system IDor number).

Job parameters

TheSync Table Record Comments By Tag job requires the following parameters:

ParameterDescription
API Root

Required.

The API root of the ServiceNow instance.

The default value ishttps://INSTANCE.service-now.com/api/now/v1/.

Username

Required.

The username of the ServiceNow instance.

Password

Required.

The password of the ServiceNow instance.

Table Name

Required.

The name of the database table to search, such asincident.

Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting tothe ServiceNow server.

Enabled by default.

Need more help?Get answers from Community members and Google SecOps professionals.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.