Company logoHelp Center
Visit www.threatlocker.com

ServiceNow Integration

5 min. readlast update: 04.25.2024

ServiceNow Integration

ThreatLocker can be directly integrated with the ServiceNow 'Incidents' table for ticketing. For organizations that require integration with a different table in ServiceNow, please use the following Calendly link https://calendly.com/businessanalystteam to book a scoping call with one of ThreatLocker's business analysts to relay requirements for the appropriate field mappings to ensure the integration performs as needed. It would also be beneficial to have your internal ServiceNow expert in attendance for this call.

Setting Up the ServiceNow Integration - ServiceNow Portal

If you do not already have an OAuth API set up in ServiceNow to accept information from external clients, set this up prior to completing the integration settings within the ThreatLocker portal. 

In ServiceNow, navigate to System OAuth > Application Registry.

Select the top option, 'Create an OAuth API endpoint for external clients.

  1. Provide a name for the OAuth application.  In our example, we used ThreatLocker SNOW.
  2. The Client ID will be prepopulated.
  3. The Client Secret can either be set by you, or you can leave it blank to be automatically generated by ServiceNow. (If allowing ServiceNow to set the Client Secret, after saving you will need to open the application again and select the 'Lock' icon to view the Client Secret.)
  4. Be sure to click' Submit' to save the OAuth application.

At a minimum, these are the only items that need to be saved to create an OAuth application in ServiceNow that will accept an integration with ThreatLocker. 

Setting Up the ServiceNow Integration - ThreatLocker Portal

In the ThreatLocker portal, navigate to the Integrations page.

Search for ServiceNow.

Once selected, the sidebar will open.

  1. Provide a description/name for the integration. This is the name of the OAuth app displayed in ServiceNow in the Application Registry. The example below is named ThreatLocker SNOW.
  2. Instance Url - This is your organization's ServiceNow Url. -must be input without a \ at the end. For example, https://myinstance.service-now.com
  3. Client ID - This is the Client ID displayed for the specified OAuth app in ServiceNow.
  4. Client Secret- This is the Client Secret displayed for the specified OAuth App in ServiceNow.
  5. Username - This is the username used to log into ServiceNow.
  6. Password - This is the password used to log into ServiceNow.

Once you click 'Add,' the Client Secret and Password will be hidden from view. The Ticket Settings and Custom Mapping tabs will populate.

Ticket Settings

The Ticket Settings tab contains options for labeling directly from ServiceNow.

  1. Type - This is the table that the integration is mapped to. Currently, the only option is Incident.
  2. Impact - Select the impact you wish to give Approval Requests from ThreatLocker.
  3. Urgency - Select the urgency you wish to give Approval Requests from ThreatLocker.
    1. Impact and Urgency are used by ServiceNow to calculate the Priority of the ticket.
  4. Assignment Group - Select the ServiceNow Assignment Group you want to use for Approval Requests.

5.  Business Service - Select the desired Business Service classification for Approval Requests.

6.  State - Select the state you want Approval Requests to be raised as. In our example, we selected 'New'.

7.  Auto Close State - Select the state you want Approval Requests to be changed to when they are auto-closed. In our example, we selected 'Resolved.'

8.  Escalation State - for organizations using Cyber Hero Approvals, if an Approval Request is escalated from the Cyber Heroes, select the status you wish those tickets to be labeled as in ServiceNow.

9.  Category - Select the desired category for Approval Requests. In our example, we selected 'Software.'

10.  Assignee - Select the ServiceNow user you want to assign Approval Requests to.

11. Tags - This contains all tags used in your ServiceNow environment. If you wish to apply any or all of the tags to Approval Requests, you may need to change access in ServiceNow to give write access to the label_entry.table and label_entry.table_key.

The fields located in the Ticket Settings tab can be left at all default values if desired. 

Custom Mapping

The Custom Mapping tab provides the ability to map ServiceNow Fields to ThreatLocker Fields.

Please note: Only fields that are the data type of String will be displayed in the dropdown.

Select the field displayed in ServiceNow from the dropdown on the left, select the field displayed in ThreatLocker from the dropdown on the right, and click the blue '+' button to add that specific mapping.  Continue mapping as few or as many fields as needed, selecting the '+' button each time until all desired fields are mapped. 

Be sure to select the blue 'Save' button at the bottom left of the sidebar to complete the integration settings in ThreatLocker.

Now, Approval Requests received in ThreatLocker will also be received in ServiceNow, with the 'State' selected in the Ticket Settings tab. When tickets are closed in ThreatLocker, tickets will be closed in ServiceNow with the 'Auto Close State' selected in the Ticket Settings tab.

 

Was this article helpful?