ServiceNow Destination (Custom Webhook)

Overview

With a simple Scripted Rest API configuration in the ServiceNow console, alerts fired from Panther can be mapped directly to new incidents. You can customize the content of alerts with alert functions in Python detections and dynamic alert keys in YAML detections.

How to configure ServiceNow to create tickets from Panther alerts

To configure ServiceNow to create tickets from Panther alerts, you will create a Scripted REST API in ServiceNow, then create a custom webhook alert destination in Panther, using your ServiceNow forwarding URL.

Prerequisites

• To complete Step 1 of this process, creating a Scripted REST API in Service Now, your ServiceNow user must have the web_service_admin role.

Step 1: Create a Scripted REST API in ServiceNow

1. In the ServiceNow console, click the All tab in the upper left-hand corner.

2. Expand the System Web Services and Scripted Web Services navigations, then click on Scripted REST APIs.

3. Click New in the upper right-hand corner.

4. Select a Name and an ID, for example, Panther Incident Creation and panther_incident_creation, respectively.

5. Click Submit.

6. On the Scripted Rest API's page, search for the name you just created. Click the hyperlinked name.

7. Near the bottom of the page, click the Resources tab. Click the New button in the right-hand corner.

8. Fill out the Scripted REST Resource Alert page:

   • Name: Enter a descriptive name, e.g., Panther_Alert.

   • HTTP method: Select POST.

   • Script: Paste in the schema code below:

     • Copy

       (function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
       
       	// prep the different fields 
       	var data = request.body.data;
       	var title = data.title;
       	var alert = JSON.stringify(data);
       	var alertContext = JSON.stringify(data.alertContext);
       	var severity = data.severity;
       	var link = data.link;
       	var runbook = data.runbook;
       	var type = data.type;
       	var alertId = data.alertId;
       	
       	var grIncident = new GlideRecord('incident');
       
       	grIncident.initialize();
       	
       	grIncident.setValue('short_description', title);
       	grIncident.setValue('description', alert );
       	grIncident.setValue('category', type);
       	grIncident.setValue('subcategory', alertId);
       	
       	//Map urgency to Panther severity
       	if (severity == "CRITICAL" || severity == "HIGH") {
       		grIncident.setValue('urgency','1');
       		grIncident.setValue('impact','1');
       	} else if (severity == "LOW" || severity == "MEDIUM") {
       		grIncident.setValue('urgency','2');
       	} else {
       		grIncident.setValue('urgency','3');
       	}
       	
       	//grIncident.insert();
       	var recResponse = grIncident.insert(handleResponse);
       
       	function handleResponse(recResponse, answer) {
       	// Answer will be the sys_id of the created record or null
       	alert('Newly created sys_id is - ' + answer + ' exists');
       	}
       
       	var url = gs.getProperty('glide.servlet.uri');
       
               //building the response of the API, this example returns the incident ID that got created above.
       	var body = {};
       	body.sys_id = recResponse;
       	body.link = url + "task.do?sys_id=" + recResponse;
       	response.setBody(body);
       	
       	//example test event from Panther when creating and testing destination integration
       	//{"id":"Test.Alert","createdAt":"2022-04-26T03:17:32.099054303Z","severity":"INFO","type":"RULE","link":"https://domain.runpanther.net","title":"This is a Test Alert","name":"Test Alert","alertId":"Test.Alert","alertContext":{},"description":"This is a Test Alert","runbook":"Stuck? Check out our docs: https://docs.runpanther.io","tags":["test"],"version":"abcdefg"}
       
       })(request, response);

     • Under the Security tab, uncheck the box next to Requires authentication.

9. Click Submit.

Step 2: Create a Custom Webhook integration in Panther

1. In the left-hand navigation bar of your Panther Console, click Configure > Alert Destinations.

2. Click +Add your first Destination.

   • If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.

3. Click the Custom Webhook tile.

4. On the Configure Your Webhook Destination page, fill out the form:

   • Display Name: Enter a descriptive name.

   • Custom Webhook URL: Enter your Custom Webhook forwarding URL.

     • Your webhook URL is in the following format: https://<your_domain>.service-now.com/<base_api_path>

     • This value can be created by combining the following values in your ServiceNow console:

       • The domain in your browser address bar

       • The value in the Base API path field

         
   • Severity Levels: Select the severity level of alerts to send to this destination.

   • Default Alert Types: Select the alert types to send to this destination.

   • Log Types: By default, we will send alerts from all log types. Specify log types here if you want to only send alerts from specific log types.

5. Click Add Destination.

6. Click Send Test Alert to make sure everything works correctly.

   • A test event should now exist in your ServiceNow Incidents table.

7. Click Finish Setup.

Example

Click the Test Alert button to generate an alert and send to ServiceNow; the payload of the alert is seen below:

Once the alert is received by ServiceNow, an incident is created in ServiceNow Incident table: