Configure ServiceNow Templated Connection
You can configure a templated connection in the Alert Logic console to send notifications to ServiceNow. When you set up a notification and subscribe a templated connection, Alert Logic sends the event to the URL you configured and generates a service ticket in ServiceNow automatically.
Alert Logic notifications alert you to threats, changes, and scheduled events in your environment so you can respond quickly. From the Alert Logic console, you can subscribe your ServiceNow templated connection to receive:
- Incident notifications—Generate a service ticket when incidents occur that match specific criteria, such as escalated incidents.
- Log correlation notifications—Generate a service ticket when your log correlation rules trigger an incident or observation.
- Health Notifications—Generate a service ticket when health exposures are found that match specific criteria.
- Scheduled report notifications—Generate a service ticket when Alert Logic generates a scheduled report that is available for download.
Complete the following steps to successfully generate service tickets in ServiceNow:
- Identify the connection
- (Optional) Identify your ServiceNow URL path
- (Optional) Customize the payload template
- Create the ServiceNow templated connection from the Alert Logic console
- Subscribe your templated connection to receive notifications
This templated connection requires a ServiceNow connection, which stores authentication and credential information that grants Alert Logic access to ServiceNow. If you do not have the connection already, you can create it now or when you create the templated connection.
For more information, see Configure ServiceNow Connection.
The Alert Logic console provides the default URL path that ServiceNow requires for ticket creation. The URL path is added to the base URL in the connection to define the full URL. Advanced API integration targeting can be done by modifying the URL path.
Decide which type of security information that you want Alert Logic to send to ServiceNow: Incident, Observation (of a log correlation), Scheduled Report Notification, or Health Notification payload.
Alert Logic provides a template for each payload type using JQ transformation. A payload template converts the Alert Logic security information to the format expected by ServiceNow. You can add or remove lines in the sample template to meet your workflow requirements and security goals.
For definitions of the Alert Logic variables in the templates and the full JSON that you can use to configure your payload template in JQ or JSON format, see:
- Incident Schema
- Correlation Rule Observation Schema
- Scheduled Report Notification Schema
- Health Schema
Incident payload template
"short_description": (.incident.summary + ". Incident ID: " + .humanFriendlyId),
"description": ("Customer: " + .customer + "\n" + "Deployment: " + .assets.al__deployment + "\n\n" + .incident.description + "\nIncident Link: " + .extra.incidentUrl),
"state": (if .customer_status.status == "open" then "1" elif .customer_status.status == "snoozed" then "3" elif .customer_status.status == "closed" then "7" else "8" end),
"severity": (if .incident_threat_rating == "Critical" then "1" elif .incident_threat_rating == "High" then "1" elif .incident_threat_rating == "Medium" then "2" else "3" end),
"urgency": (if .incident_threat_rating == "Critical" then "1" elif .incident_threat_rating == "High" then "1" elif .incident_threat_rating == "Medium" then "2" else "3" end)
Observation payload template
"short_description": (.fields.summary + ". Observation ID: " + .fields.id),
"description": ("Recommendations:\n\n" + .fields.recommendations + "\n\nUnique correlation data:\n\n" + .fields.keys),
"severity": (if .fields.severity == "critical" then "1" elif .fields.severity == "high" then "1" elif .fields.severity == "medium" then "2" else "3" end)
Scheduled Report Notification payload template
"short_description": ("Alert Logic scheduled report " + .name + " is ready to view"),
"description": ("Alert Logic scheduled report on " + .artifact_data.metadata.report_type + " is ready"),
Health Notification payload template
"short_description": "Alert Logic Health Notification",
"description": ("Alert Logic detected an exposure in Alert Logic customer account " + .customer_account_name + " (ID: " + .cid + "): " + .report_description + " Exposure Impact: " + .exposure_impact + ", Resolution: " + .resolution + ", Deployment: " + .deployment_name + ", Target Asset Type: " + .target_asset_type),
The next step is to create the templated connection in the Alert Logic console and test the payload.
To create a ServiceNow templated connection:
- In the Alert Logic console, click the navigation menu icon (), click Configure, and then click Connections.
- Click the Templated Connections tab.
- On the Templated Connections page, click the add icon (), and then click ServiceNow.
- On the Create a ServiceNow Templated Connection page, type a descriptive name for the templated connection—for example, "ServiceNow Templated Connection for Incidents."
- In Connection, select or create a ServiceNow connection.
- In URL Path, leave the information as is. The field is prepopulated with the URL path that ServiceNow requires.
- (Optional) In Additional Header(s), enter any custom HTTP request headers your integration requires, in addition to the ones defined in the ServiceNow connection, as HTTP header name-value pairs. Each header must be on a separate line.
- Select the Payload Type, which is the type of Alert Logic security information that you want to send: Incident, Observation (of a log correlation), Scheduled Report Notification, or Health Notification.
- Select the format of the payload template you customized earlier: JSON or JQ.
- Select an HTTP verb for the templated connection payload. If you are unsure, leave it as the default verb: POST.
- In the Payload Template area, enter the payload template that you customized.
- Click TEST to send a test event to the URL provided. For more information about test results, see the next section.
- If your templated connection sent the test event to the URL successfully, click SAVE.
If you receive a message that the templated connection was successfully tested, Alert Logic sent the payload template you configured and populated a service ticket in ServiceNow with sample data. Check ServiceNow to ensure the results are expected, and adjust the payload template if necessary.
If the test is unsuccessful, Alert Logic displays an error message. For server response errors, you can use the error code and message that Alert Logic passes through to troubleshoot the issue. Alert Logic also informs you if your JSON or JQ payload template contains syntax errors.
After you test and save the templated connection configuration, the last step is to set up your notification criteria and subscribe the templated connection.
You can set up and manage a notification of any type directly from the Notifications page. For more information, see Manage Notifications. You can create notifications from other pages according to notification type:
- For incidents, you can also create a notification from the Incidents page. For more information, see Incident Notifications.
- For observations, you can also create a notification from the Search page (Log Search tab or Correlations tab) during the process of creating the correlation or by editing an existing correlation listed on the Correlations tab. For more information, see Correlations and Notifications and Observation Notifications.
- For health exposures, you can also create a notification from the Health page. For more information, see Health Notifications.
- For scheduled reports, you can also schedule the report and subscribe notification recipients from the Reports page. For more information, see Scheduled Reports and Notifications.
Manage your templated connections
You can view the list of templated connections and edit or delete an existing one. For more information, see Manage Templated Connections.