ServiceNow Destination (Custom Webhook)

Set up ServiceNow alerts using Panther's custom webhook option


With a simple Scripted Rest API configuration in the ServiceNow console, alerts fired from Panther can be mapped directly to new incidents. Leveraging Python detections and our auxiliary functions allows customers to dynamically create alerts with custom webhooks.

How to configure ServiceNow to create tickets from Panther alerts


ServiceNow permissions to create a Scripted Rest API require a user with the web_service_admin role. The below ServiceNow references provide context on setting up these initial Scripted Rest API requirements:

Step 1: Create a Scripted Rest API in ServiceNow

  1. 1.
    In the ServiceNow console, click the All tab in the upper left-hand corner.
  2. 2.
    Expand the System Web Services and Scripted Web Services navigations, then click on Scripted REST APIs.
    In the ServiceNow console, the "All" tab is selected at the top. In the navigation menu, System Web Services is expanded, and Scripted REST APIs is highlighted.
  3. 3.
    Click New in the upper right-hand corner.
  4. 4.
    Select a Name and an ID, for example, Panther Incident Creation and panther_incident_creation, respectively.
    The image shows the form to create a new Scripted REST Service in ServiceNow. It contains fields for Name, API ID, Protection Policy, Application, and API namespace.
  5. 5.
    Click Submit.
  6. 6.
    On the Scripted Rest API's page, search for the name you just created. Click the hyperlinked name.
  7. 7.
    Near the bottom of the page, click the Resources tab. Click the New button in the right-hand corner.
  8. 8.
    Fill out the Scripted REST Resource Alert page:
    • Name: Enter a descriptive name, e.g., Panther_Alert.
      The image shows the Scripted REST Resource configuration page in Service Now. The "Name" field has a red circle around it, and it is filled in with "Panther_Alert".
    • HTTP method: Select POST.
    • Script: Paste in the schema code below:
      • (function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
        // prep the different fields
        var data =;
        var title = data.title;
        var alert = JSON.stringify(data);
        var alertContext = JSON.stringify(data.alertContext);
        var severity = data.severity;
        var link =;
        var runbook = data.runbook;
        var type = data.type;
        var alertId = data.alertId;
        var grIncident = new GlideRecord('incident');
        grIncident.setValue('short_description', title);
        grIncident.setValue('description', alert );
        grIncident.setValue('category', type);
        grIncident.setValue('subcategory', alertId);
        //Map urgency to Panther severity
        if (severity == "CRITICAL" || severity == "HIGH") {
        } else if (severity == "LOW" || severity == "MEDIUM") {
        } else {
        var recResponse = grIncident.insert(handleResponse);
        function handleResponse(recResponse, answer) {
        // Answer will be the sys_id of the created record or null
        alert('Newly created sys_id is - ' + answer + ' exists');
        var url = gs.getProperty('glide.servlet.uri');
        //building the response of the API, this example returns the incident ID that got created above.
        var body = {};
        body.sys_id = recResponse; = url + "" + recResponse;
        //example test event from Panther when creating and testing destination integration
        //{"id":"Test.Alert","createdAt":"2022-04-26T03:17:32.099054303Z","severity":"INFO","type":"RULE","link":"","title":"This is a Test Alert","name":"Test Alert","alertId":"Test.Alert","alertContext":{},"description":"This is a Test Alert","runbook":"Stuck? Check out our docs:","tags":["test"],"version":"abcdefg"}
        })(request, response);
      • Under the Security tab, uncheck the box next to Requires authentication.
        The Security tab is displayed in ServiceNow. The "Requires Authentication" box is circled, and the box next to it is not checked.
  9. 9.
    Click Submit.
The schema provided above maps the alert payload from Panther to the relevant fields in the ServiceNow ticket. The ServiceNow blog also provides a different example of receiving the POST payload. Each customer environment is different – select what works best for how the Alert payload is handled and parsed into your ServiceNow tickets.

Step 2: Create a Custom Webhook integration in Panther

  1. 1.
    In the Panther Console, navigate to Configure > Alert Destinations.
  2. 2.
    Click +Add your first Destination.
    • If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.
  3. 3.
    On the "Configure Your Webhook Destination page", fill out the form:
    • Display Name: Enter a descriptive name.
    • Custom Webhook URL: Enter your Custom Webhook forwarding URL.
      • Your webhook URL is in the following format:<base_api_path>
      • This domain is shown in the "Rest API" section of your ServiceNow console.
    • Severity: Select the severity level of alerts to send to this Destination.
    • Alert Types: Select the alert types to send to this Destination.
    • Log Type: By default, we will send alerts from all log types. Specify log types here if you want to only send alerts from specific log types.
      In the Panther Console, the "Configure your Custom Webhook Destination" page is displayed. It contains fields for Display Name, Custom Webhook URL, Severity, Alert Types, and Log Types.
  4. 4.
    Click Add Destination.
  5. 5.
    Click Send Test Alert to make sure everything works correctly.
    • A test event should now exist in your ServiceNow Incidents table.
      The image shows the Incidents Table in ServiceNow. There is a test event highlighted in the list.
  6. 6.
    Click Finish Setup.


Click the Test Alert button to generate an alert and send to ServiceNow; the payload of the alert is seen below:
{"id":"Test.Alert","createdAt":"2022-04-26T03:17:32.099054303Z","severity":"INFO","type":"RULE","link":"","title":"This is a Test Alert","name":"Test Alert","alertId":"Test.Alert","alertContext":{},"description":"This is a Test Alert","runbook":"Stuck? Check out our docs:","tags":["test"],"version":"1"}
Once the alert is received by ServiceNow, an incident is created in ServiceNow Incident table:
The Incident Table in ServiceNow contains a test alert.