ServiceNow

ServiceNow integration allows your product to create, read, and manage incidents, change requests, or problem records within the ServiceNow ITSM platform. This integration is ideal for vulnerability management, incident automation, and security orchestration, enabling your product to automatically open or update tickets in ServiceNow when issues are detected in your systems.

Credentials Needed

To connect to ServiceNow's REST API, you need API authentication credentials with permissions to access and modify the appropriate tables (e.g., Incident, Problem, Change Request).

Required credentials:

  • Instance URL (e.g., https://companyname.service-now.com)
  • Username (ServiceNow user account with ITSM permissions)
  • Password or API Key / OAuth Token

API access can use either Basic Authentication (username + password) or OAuth 2.0 tokens for enhanced security. Basic Auth is simple to implement; OAuth is recommended for production or enterprise use.

Permissions Needed / API Roles

The ServiceNow user account or API client must have the following roles:

| Role | Description |
| --- | --- |
| itil | Required for creating, viewing, and updating incidents |
| rest_service | Allows REST API access |
| incident_manager (optional) | For managing incident workflow |
| problem_manager (optional) | For creating or modifying problem records |
| change_manager (optional) | For change request management |
| sn_si.integration_user (optional) | ServiceNow Security Incident Integration role |

Minimum Required Role: itil + rest_service

Creating Users / Access Tokens

Option 1 — Create API User (Basic Auth)

  1. Log in to your ServiceNow instance as an admin
  2. Navigate to User Administration → Users
  3. Click New to create a user (e.g., api_integration_user)
  4. Assign roles:
    • itil
    • rest_service
  5. Set a strong password
  6. Save the user
  7. Use this username and password for API authentication

Option 2 — Create OAuth Client (OAuth 2.0)

  1. Go to System OAuth → Application Registry → New → Create an OAuth API endpoint for external clients
  2. Enter:
    • Name: IntegrationApp
    • Client ID: (auto-generated)
    • Client Secret: (auto-generated)
    • Redirect URL: (your product's callback URL, if needed)
  3. Save the record and note the Client ID and Client Secret
  4. Assign the OAuth user the itil and rest_service roles

Test Connectivity

You can test your credentials by calling the ServiceNow Table API to list incidents.

Example: Test with Basic Auth

curl -u "<USERNAME>:<PASSWORD>" \
-X GET \
"https://companyname.service-now.com/api/now/table/incident?sysparm_limit=1" \
-H "Accept: application/json"

Example Response:

{
  "result": [
    {
      "sys_id": "a12b34cd56ef78901234567890abcdef",
      "number": "INC0010015",
      "short_description": "Network outage in datacenter",
      "state": "In Progress",
      "priority": "2"
    }
  ]
}

Example: Test with OAuth

curl -X POST "https://companyname.service-now.com/oauth_token.do" \
  -d "grant_type=password" \
  --data-urlencode "client_id=<CLIENT_ID>" --data-urlencode "client_secret=<CLIENT_SECRET>" \
  --data-urlencode "username=<USERNAME>" --data-urlencode "password=<PASSWORD>"

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "useraccount"
}

You can then use this access_token in API requests:

curl -X GET "https://companyname.service-now.com/api/now/table/incident" \
-H "Authorization: Bearer <ACCESS_TOKEN>" \
-H "Accept: application/json"
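
The token exchange above, as an added Python example that is not part of the original page: it URL-encodes the form fields, caches the access_token, and requests a new one shortly before expires_in runs out. TokenCache, the post(url, form) transport hook, and the 60-second skew are assumptions made for this example.

```python
import time
from urllib.parse import urlencode

class TokenCache:
    """Fetch a token from /oauth_token.do and reuse it until shortly before expiry."""

    def __init__(self, post, instance_url, client_id, client_secret,
                 username, password, skew=60, clock=time.monotonic):
        # post(url, form_body) -> dict is a hypothetical hook for the HTTP layer.
        self._post, self._clock, self._skew = post, clock, skew
        self._url = f"{instance_url}/oauth_token.do"
        # urlencode percent-encodes '&', '=', '+', '@' that would corrupt a hand-built body.
        self._form = urlencode({
            "grant_type": "password",
            "client_id": client_id, "client_secret": client_secret,
            "username": username, "password": password,
        })
        self._token, self._expires_at = None, 0.0

    def get(self):
        """Return a valid access token, requesting a new one only when needed."""
        if self._token is None or self._clock() >= self._expires_at:
            reply = self._post(self._url, self._form)
            if reply.get("token_type") != "Bearer" or "access_token" not in reply:
                raise RuntimeError("unexpected token response")
            self._token = reply["access_token"]
            # Refresh `skew` seconds early so a request never carries an expired token.
            self._expires_at = self._clock() + reply["expires_in"] - self._skew
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.get()}"}

if __name__ == "__main__":
    # Constructed stand-in for the HTTP POST, returning the response shape shown above.
    def fake_post(url, form):
        return {"access_token": "constructed-token", "token_type": "Bearer",
                "expires_in": 3600, "scope": "useraccount"}
    cache = TokenCache(fake_post, "https://companyname.service-now.com",
                       "<CLIENT_ID>", "<CLIENT_SECRET>", "<USERNAME>", "<PASSWORD>")
    print("token obtained:", cache.get() == "constructed-token")
```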

Save the Results in the Platform and Create Connection

  1. In your platform's integration settings, securely store:
    • SERVICENOW_INSTANCE_URL
    • SERVICENOW_USERNAME
    • SERVICENOW_PASSWORD or SERVICENOW_ACCESS_TOKEN
    • (Optional) SERVICENOW_CLIENT_ID and CLIENT_SECRET for OAuth
  2. Label the connection as ServiceNow Integration
  3. Test the connection by fetching a list of incidents
  4. Once verified, allow users to:
    • Automatically create incidents from vulnerabilities
    • Update incidents when findings are resolved
    • Sync ticket status and priority back to your platform

Best Practices

  • Use OAuth 2.0 instead of Basic Auth for security and audit compliance
  • Store credentials securely in your secret vault or key management system
  • Limit user roles to itil and rest_service for least privilege
  • Rotate credentials every 90 days
  • Respect ServiceNow's rate limits (default: 10 requests/second per instance)
  • Use pagination (sysparm_limit and sysparm_offset) for large datasets
  • Use ServiceNow's sys_id to track and correlate records between systems
  • Use retry logic with exponential backoff for transient HTTP errors (429, 503)
  • For enterprise setups, prefer MID Server integrations for internal network access
  • Log all API activity for traceability (but mask credentials)
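
Three of the practices above combined in one added Python example (not code from the original page): paging with sysparm_limit and sysparm_offset, exponential backoff on 429/503, and logging with the Authorization header masked. The send(url, params, headers) transport hook, the function names, and the 0.5-second base delay are assumptions made for this example.

```python
import logging
import time

log = logging.getLogger("servicenow")
RETRYABLE = {429, 503}                    # transient statuses named in the list above
SENSITIVE = {"authorization", "cookie"}   # header names never written to logs

def mask_headers(headers):
    """Return a copy of the headers that is safe to log."""
    return {k: "***" if k.lower() in SENSITIVE else v for k, v in headers.items()}

def get_with_backoff(send, url, params, headers, retries=5, base=0.5, sleep=time.sleep):
    """send(url, params, headers) -> (status, json_body); retry 429/503 with backoff."""
    for attempt in range(retries + 1):
        status, body = send(url, params, headers)
        log.info("GET %s %s headers=%s -> %d", url, params, mask_headers(headers), status)
        if status == 200:
            return body
        if status not in RETRYABLE or attempt == retries:
            raise RuntimeError(f"ServiceNow request failed: HTTP {status}")
        sleep(base * 2 ** attempt)        # 0.5 s, 1 s, 2 s, ...

def fetch_all(send, instance_url, table, token, page_size=100, **retry_opts):
    """Walk a table with sysparm_limit / sysparm_offset until a short page arrives."""
    url = f"{instance_url}/api/now/table/{table}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    records, offset = [], 0
    while True:
        params = {"sysparm_limit": page_size, "sysparm_offset": offset}
        page = get_with_backoff(send, url, params, headers, **retry_opts)["result"]
        records.extend(page)
        if len(page) < page_size:
            return records
        offset += page_size

def make_fake_send(rows, fail_first=2):
    """Constructed stand-in for HTTP: answers 429 fail_first times, then pages rows."""
    calls = {"n": 0}
    def send(url, params, headers):
        calls["n"] += 1
        if calls["n"] <= fail_first:
            return 429, {}
        start = params["sysparm_offset"]
        return 200, {"result": rows[start:start + params["sysparm_limit"]]}
    return send

if __name__ == "__main__":
    rows = [{"sys_id": f"{i:032x}"} for i in range(5)]   # constructed sample records
    got = fetch_all(make_fake_send(rows), "https://companyname.service-now.com",
                    "incident", "<ACCESS_TOKEN>", page_size=2)
    print(len(got), "records fetched")
```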

Useful ServiceNow API Endpoints

| Resource | Method | Endpoint | Description |
| --- | --- | --- | --- |
| List incidents | GET | /api/now/table/incident | Retrieve incidents |
| Get incident by ID | GET | /api/now/table/incident/{sys_id} | Get details of a specific incident |
| Create incident | POST | /api/now/table/incident | Create a new incident |
| Update incident | PATCH | /api/now/table/incident/{sys_id} | Modify an existing incident |
| List problems | GET | /api/now/table/problem | Retrieve problem records |
| List change requests | GET | /api/now/table/change_request | Retrieve change requests |
| Get sys_user info | GET | /api/now/table/sys_user | Retrieve user records |
| OAuth token | POST | /oauth_token.do | Obtain OAuth access token |

Official Documentation: https://developer.servicenow.com/dev.do#!/reference/api

Example: Create an Incident

Request:

curl -u "<USERNAME>:<PASSWORD>" \
  -X POST "https://companyname.service-now.com/api/now/table/incident" \
  -H "Content-Type: application/json" \
  -d '{
    "short_description": "SQL Injection vulnerability detected in production API",
    "description": "Scanner detected SQL Injection in /login endpoint. Impact: Critical. Assigned to Security Team.",
    "urgency": "1",
    "impact": "1",
    "category": "Security",
    "assignment_group": "Security Operations"
  }'

Response:

{
  "result": {
    "sys_id": "f3a3c3c11b9e3410c0a82f7e4e4bcb91",
    "number": "INC0012345",
    "short_description": "SQL Injection vulnerability detected in production API",
    "state": "New"
  }
}

Webhook / Outbound Integration (Optional)

To enable bidirectional sync (ServiceNow → Your Product):

  1. Go to System Web Services → Outbound → REST Message
  2. Create a new message named PlatformSyncWebhook
  3. Set Endpoint URL to your platform's webhook receiver
  4. Trigger it on Incident insert/update events via Business Rule or Flow Designer

This enables real-time updates (e.g., when a ServiceNow ticket is resolved).