# ServiceNow Destination (Custom Webhook)
## Overview
With a simple Scripted Rest API configuration in the ServiceNow console, alerts fired from Panther can be mapped directly to new incidents. You can customize the content of alerts with [alert functions in Python detections](https://docs.panther.com/detections/rules/python#alert-functions-in-python-detections) and [dynamic alert keys in YAML detections](https://docs.panther.com/detections/rules/writing-simple-detections#dynamic-alert-keys-in-yaml-detections).
## How to configure ServiceNow to create tickets from Panther alerts
To configure ServiceNow to create tickets from Panther alerts, you will create a Scripted REST API in ServiceNow, then create a custom webhook alert destination in Panther, using your ServiceNow forwarding URL.
{% hint style="info" %}
Additional information on this process can be found in the ServiceNow documentation: [How to Integrate Webhooks Into ServiceNow](https://www.servicenow.com/community/in-other-news/how-to-integrate-webhooks-into-servicenow/ba-p/2271745).
{% endhint %}
### Prerequisites
* To complete [Step 1 of this process](#step-1-create-a-scripted-rest-api-in-servicenow), creating a Scripted REST API in Service Now, your ServiceNow user must have the `web_service_admin` role.
### Step 1: Create a Scripted REST API in ServiceNow
{% hint style="info" %}
Learn more about Scripted REST APIs in the ServiceNow documentation: [Scripted REST APIs](https://docs.servicenow.com/bundle/washingtondc-api-reference/page/integrate/custom-web-services/concept/c_CustomWebServices.html).
{% endhint %}
1. In the ServiceNow console, click the **All** tab in the upper left-hand corner.
2. Expand the **System Web Services** and **Scripted Web Services** navigations, then click on **Scripted REST APIs.**\
3. Click **New** in the upper right-hand corner.
4. Select a Name and an ID, for example, `Panther Incident Creation` and `panther_incident_creation`, respectively.\
5. Click **Submit**.
6. On the Scripted Rest API's page, search for the name you just created. Click the **hyperlinked name.**
7. Near the bottom of the page, click the **Resources tab.** Click the **New** button in the right-hand corner.
8. Fill out the **Scripted REST Resource Alert** page:
* **Name:** Enter a descriptive name, e.g., `Panther_Alert`.\
* **HTTP method:** Select POST.
* **Script:** Paste in the schema code below:
* ```
(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
// prep the different fields
var data = request.body.data;
var title = data.title;
var alert = JSON.stringify(data);
var alertContext = JSON.stringify(data.alertContext);
var severity = data.severity;
var link = data.link;
var runbook = data.runbook;
var type = data.type;
var alertId = data.alertId;
var grIncident = new GlideRecord('incident');
grIncident.initialize();
grIncident.setValue('short_description', title);
grIncident.setValue('description', alert );
grIncident.setValue('category', type);
grIncident.setValue('subcategory', alertId);
//Map urgency to Panther severity
if (severity == "CRITICAL" || severity == "HIGH") {
grIncident.setValue('urgency','1');
grIncident.setValue('impact','1');
} else if (severity == "LOW" || severity == "MEDIUM") {
grIncident.setValue('urgency','2');
} else {
grIncident.setValue('urgency','3');
}
//grIncident.insert();
var recResponse = grIncident.insert(handleResponse);
function handleResponse(recResponse, answer) {
// Answer will be the sys_id of the created record or null
alert('Newly created sys_id is - ' + answer + ' exists');
}
var url = gs.getProperty('glide.servlet.uri');
//building the response of the API, this example returns the incident ID that got created above.
var body = {};
body.sys_id = recResponse;
body.link = url + "task.do?sys_id=" + recResponse;
response.setBody(body);
//example test event from Panther when creating and testing destination integration
//{"id":"Test.Alert","createdAt":"2022-04-26T03:17:32.099054303Z","severity":"INFO","type":"RULE","link":"https://domain.runpanther.net","title":"This is a Test Alert","name":"Test Alert","alertId":"Test.Alert","alertContext":{},"description":"This is a Test Alert","runbook":"Stuck? Check out our docs: https://docs.runpanther.io","tags":["test"],"version":"abcdefg"}
})(request, response);
```
* Under the **Security** tab, uncheck the box next to **Requires authentication**.\
9. Click **Submit**.
{% hint style="warning" %}
The schema provided above maps the alert payload from Panther to the relevant fields in the ServiceNow ticket. The [ServiceNow blog](https://community.servicenow.com/community?id=community_blog\&sys_id=886d2a29dbd0dbc01dcaf3231f9619b0) also provides a different example of receiving the POST payload. Each customer environment is different – select what works best for how the Alert payload is handled and parsed into your ServiceNow tickets.
{% endhint %}
### Step 2: Create a Custom Webhook integration in Panther
1. In the left-hand navigation bar of your Panther Console, click **Configure > Alert Destinations.**
2. Click **+Add your first Destination**.
* If you have already created Destinations, click **Create New** in the upper right side of the page to add a new Destination.
3. Click the **Custom Webhook** tile.
4. On the **Configure Your Webhook Destination** page, fill out the form:
* **Display Name:** Enter a descriptive name.
* **Custom Webhook URL**: Enter your Custom Webhook forwarding URL.
* Your webhook URL is in the following format: `https://.service-now.com/`
* This value can be created by combining the following values in your ServiceNow console:
* The domain in your browser address bar
* The value in the **Base API path** field
* **Severity Levels**: Select the severity level of alerts to send to this destination.
* **Default Alert Types**: Select the alert types to send to this destination.
* **Log Types**: By default, we will send alerts from all log types. Specify log types here if you want to only send alerts from specific log types.
* **Allow Manual Dispatch**: Set this toggle ON if you'd like to be able to [manually dispatch alerts](https://docs.panther.com/alerts#manual-alert-dispatch) to this destination.\
5. Click **Add Destination**.
6. Click **Send Test Alert** to make sure everything works correctly.
* A test event should now exist in your ServiceNow Incidents table.\
%20\(1\)%20\(2\)%20\(1\)%20\(1\)%20\(1\)%20\(1\)%20\(1\).png?alt=media)
7. Click **Finish Setup.**
### Example
Click the **Test Alert** button to generate an alert and send to ServiceNow; the payload of the alert is seen below:
```json
{"id":"Test.Alert","createdAt":"2022-04-26T03:17:32.099054303Z","severity":"INFO","type":"RULE","link":"https://domain.runpanther.net","title":"This is a Test Alert","name":"Test Alert","alertId":"Test.Alert","alertContext":{},"description":"This is a Test Alert","runbook":"Stuck? Check out our docs: https://docs.runpanther.io","tags":["test"],"version":"1"}
```
Once the alert is received by ServiceNow, an incident is created in ServiceNow Incident table:
.png?alt=media)
3. Click **New** in the upper right-hand corner.
4. Select a Name and an ID, for example, `Panther Incident Creation` and `panther_incident_creation`, respectively.\
5. Click **Submit**.
6. On the Scripted Rest API's page, search for the name you just created. Click the **hyperlinked name.**
7. Near the bottom of the page, click the **Resources tab.** Click the **New** button in the right-hand corner.
8. Fill out the **Scripted REST Resource Alert** page:
* **Name:** Enter a descriptive name, e.g., `Panther_Alert`.\
* **HTTP method:** Select POST.
* **Script:** Paste in the schema code below:
* ```
(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
// prep the different fields
var data = request.body.data;
var title = data.title;
var alert = JSON.stringify(data);
var alertContext = JSON.stringify(data.alertContext);
var severity = data.severity;
var link = data.link;
var runbook = data.runbook;
var type = data.type;
var alertId = data.alertId;
var grIncident = new GlideRecord('incident');
grIncident.initialize();
grIncident.setValue('short_description', title);
grIncident.setValue('description', alert );
grIncident.setValue('category', type);
grIncident.setValue('subcategory', alertId);
//Map urgency to Panther severity
if (severity == "CRITICAL" || severity == "HIGH") {
grIncident.setValue('urgency','1');
grIncident.setValue('impact','1');
} else if (severity == "LOW" || severity == "MEDIUM") {
grIncident.setValue('urgency','2');
} else {
grIncident.setValue('urgency','3');
}
//grIncident.insert();
var recResponse = grIncident.insert(handleResponse);
function handleResponse(recResponse, answer) {
// Answer will be the sys_id of the created record or null
alert('Newly created sys_id is - ' + answer + ' exists');
}
var url = gs.getProperty('glide.servlet.uri');
//building the response of the API, this example returns the incident ID that got created above.
var body = {};
body.sys_id = recResponse;
body.link = url + "task.do?sys_id=" + recResponse;
response.setBody(body);
//example test event from Panther when creating and testing destination integration
//{"id":"Test.Alert","createdAt":"2022-04-26T03:17:32.099054303Z","severity":"INFO","type":"RULE","link":"https://domain.runpanther.net","title":"This is a Test Alert","name":"Test Alert","alertId":"Test.Alert","alertContext":{},"description":"This is a Test Alert","runbook":"Stuck? Check out our docs: https://docs.runpanther.io","tags":["test"],"version":"abcdefg"}
})(request, response);
```
* Under the **Security** tab, uncheck the box next to **Requires authentication**.\
9. Click **Submit**.
{% hint style="warning" %}
The schema provided above maps the alert payload from Panther to the relevant fields in the ServiceNow ticket. The [ServiceNow blog](https://community.servicenow.com/community?id=community_blog\&sys_id=886d2a29dbd0dbc01dcaf3231f9619b0) also provides a different example of receiving the POST payload. Each customer environment is different – select what works best for how the Alert payload is handled and parsed into your ServiceNow tickets.
{% endhint %}
### Step 2: Create a Custom Webhook integration in Panther
1. In the left-hand navigation bar of your Panther Console, click **Configure > Alert Destinations.**
2. Click **+Add your first Destination**.
* If you have already created Destinations, click **Create New** in the upper right side of the page to add a new Destination.
3. Click the **Custom Webhook** tile.
4. On the **Configure Your Webhook Destination** page, fill out the form:
* **Display Name:** Enter a descriptive name.
* **Custom Webhook URL**: Enter your Custom Webhook forwarding URL.
* Your webhook URL is in the following format: `https://