ServiceNow Destination (Custom Webhook)
Set up ServiceNow alerts using Panther's custom webhook option
Overview
With a simple Scripted Rest API configuration in the ServiceNow console, alerts fired from Panther can be mapped directly to new incidents. You can customize the content of alerts with alert functions in Python detections and dynamic alert keys in YAML detections.
How to configure ServiceNow to create tickets from Panther alerts
To configure ServiceNow to create tickets from Panther alerts, you will create a Scripted REST API in ServiceNow, then create a custom webhook alert destination in Panther, using your ServiceNow forwarding URL.
Additional information on this process can be found in the ServiceNow documentation: How to Integrate Webhooks Into ServiceNow.
Prerequisites
To complete Step 1 of this process, creating a Scripted REST API in Service Now, your ServiceNow user must have the
web_service_admin
role.
Step 1: Create a Scripted REST API in ServiceNow
Learn more about Scripted REST APIs in the ServiceNow documentation: Scripted REST APIs.
In the ServiceNow console, click the All tab in the upper left-hand corner.
Click New in the upper right-hand corner.
Click Submit.
On the Scripted Rest API's page, search for the name you just created. Click the hyperlinked name.
Near the bottom of the page, click the Resources tab. Click the New button in the right-hand corner.
Fill out the Scripted REST Resource Alert page:
HTTP method: Select POST.
Script: Paste in the schema code below:
Click Submit.
The schema provided above maps the alert payload from Panther to the relevant fields in the ServiceNow ticket. The ServiceNow blog also provides a different example of receiving the POST payload. Each customer environment is different – select what works best for how the Alert payload is handled and parsed into your ServiceNow tickets.
Step 2: Create a Custom Webhook integration in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Alert Destinations.
Click +Add your first Destination.
If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.
Click the Custom Webhook tile.
On the Configure Your Webhook Destination page, fill out the form:
Display Name: Enter a descriptive name.
Custom Webhook URL: Enter your Custom Webhook forwarding URL.
Your webhook URL is in the following format:
https://<your_domain>.service-now.com/<base_api_path>
This value can be created by combining the following values in your ServiceNow console:
The domain in your browser address bar
The value in the Base API path field
Severity: Select the severity level of alerts to send to this destination.
Alert Types: Select the alert types to send to this destination.
Click Add Destination.
Click Send Test Alert to make sure everything works correctly.
Click Finish Setup.
Example
Click the Test Alert button to generate an alert and send to ServiceNow; the payload of the alert is seen below:
Once the alert is received by ServiceNow, an incident is created in ServiceNow Incident table:
Last updated