ServiceNow integration

Investigator lets analysts send detections to ServiceNow for further analysis and case management. To enable this functionality, you need to configure the integration in the settings. The integration sets up a REST API connection between Investigator and ServiceNow.

To configure the integration, you need to have a ServiceNow license and Investigator admin access. (Analyst users can view the integration but cannot make changes.)

Important

Once configured, users send detections manually on a case-by-case basis.

Before you configure the integration in Investigator, you need to create a table in your ServiceNow instance to manage detections. When configuring the integration, you specify the table name to ensure this integration is associated with the correct table.

To create a table in your ServiceNow instance

  1. From your app dashboard page in ServiceNow, create a table with these fields for the Investigator detection details.

    Column Label          Column Name           Type       Max Length
    alert_category        alert_category        String     500
    score                 score                 Integer
    description           description          String     1000
    detection_url         detection_url         URL
    detection_status      detection_status      String     10
    entity                entity                String     40
    entity_type           entity_type           String     40
    detection_created_at  detection_created_at  UTC Time
    detection_updated_at  detection_updated_at  UTC Time
    no_of_alerts          no_of_alerts          Integer
    assignee              assignee              String     500

    For more information, see Create a table in the ServiceNow documentation.

  2. Note the table name and prefix. You will need to provide this value in the Investigator settings.
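A mismatch between the table you create and the schema above (a missing column, a wrong type, or a String column left at ServiceNow's default length of 40 so that descriptions and categories are silently truncated) is the usual reason detections fail to land or arrive incomplete. The following script is an added example, not code from the Investigator or ServiceNow documentation: it reads the table definition from sys_dictionary through the standard ServiceNow Table API (GET /api/now/table/sys_dictionary) and compares it with the schema listed in step 1. Assumptions are marked in the code: the instance name, user and table name are placeholders, and the type display values "String", "Integer", "URL" and "UTC Time" are assumed to match what your instance returns with sysparm_display_value=true.

```python
"""Check that a ServiceNow table has the columns the Investigator
integration expects, by reading its definition from sys_dictionary over
the ServiceNow Table API.

Added example, not part of the Investigator or ServiceNow documentation.
Assumptions: the display values of internal_type are "String", "Integer",
"URL" and "UTC Time"; instance, user, password and table are placeholders.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Expected schema, copied from the integration guide's table:
# column name -> (type display value, max length or None when not specified)
EXPECTED = {
    "alert_category": ("String", 500),
    "score": ("Integer", None),
    "description": ("String", 1000),
    "detection_url": ("URL", None),
    "detection_status": ("String", 10),
    "entity": ("String", 40),
    "entity_type": ("String", 40),
    "detection_created_at": ("UTC Time", None),
    "detection_updated_at": ("UTC Time", None),
    "no_of_alerts": ("Integer", None),
    "assignee": ("String", 500),
}


def fetch_dictionary(instance, table, username, password):
    """Return the sys_dictionary rows (one per column) for `table`.

    Uses HTTP basic auth over HTTPS, the same credential type the
    integration dialog asks for. `instance` is the ServiceNow instance
    name that prefixes service-now.com (placeholder, e.g. "dev12345")."""
    query = urllib.parse.urlencode({
        "sysparm_query": f"name={table}^elementISNOTEMPTY",
        "sysparm_fields": "element,internal_type,max_length",
        "sysparm_display_value": "true",
        "sysparm_limit": "200",
    })
    url = f"https://{instance}.service-now.com/api/now/table/sys_dictionary?{query}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def check_schema(rows, expected=EXPECTED):
    """Compare sys_dictionary rows with the expected schema.

    Returns a sorted list of readable problems; an empty list means the
    table matches. Extra columns are ignored because ServiceNow adds its
    own sys_* columns to every table. A longer String column is accepted;
    a shorter one is reported because inserts would be truncated."""
    present = {}
    for row in rows:
        itype = row.get("internal_type", "")
        # with sysparm_display_value=all the field comes back as a dict
        if isinstance(itype, dict):
            itype = itype.get("display_value", "")
        try:
            length = int(row.get("max_length") or 0)
        except ValueError:
            length = 0
        present[row.get("element", "")] = (itype, length)

    problems = []
    for name, (want_type, want_len) in expected.items():
        if name not in present:
            problems.append(f"missing column {name}")
            continue
        got_type, got_len = present[name]
        if got_type != want_type:
            problems.append(f"{name}: type {got_type!r}, expected {want_type!r}")
        if want_len is not None and got_len < want_len:
            problems.append(f"{name}: max_length {got_len}, expected at least {want_len}")
    return sorted(problems)


# Constructed sample of what the Table API returns for a correctly built
# table (plus one of the sys_* columns ServiceNow adds automatically).
SAMPLE_ROWS = [
    {"element": name, "internal_type": itype, "max_length": str(length or 0)}
    for name, (itype, length) in EXPECTED.items()
] + [{"element": "sys_id", "internal_type": "Sys ID (GUID)", "max_length": "32"}]


if __name__ == "__main__":
    # Placeholders: set SN_INSTANCE, SN_USER, SN_PASSWORD, SN_TABLE to use a live instance.
    live = fetch_dictionary(os.environ["SN_INSTANCE"], os.environ["SN_TABLE"],
                            os.environ["SN_USER"], os.environ["SN_PASSWORD"])
    for problem in check_schema(live) or ["table matches the expected schema"]:
        print(problem)
```

Run it after step 1 with the table name (including prefix) from step 2; fix any reported column before verifying the connection in Investigator, since Verify Connection confirms credentials and reachability rather than the table layout.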

To integrate your ServiceNow instance with Investigator

  1. From System Settings in the left navigation, choose Integrations.

  2. In the Integrations tab, click the ServiceNow card.

    An integration dialog box appears.

  3. Toggle the integration value to Enabled.

  4. Enter your ServiceNow credentials, including username, password, and instance name.

    These values are available in ServiceNow in My Instance > Manage Instance Password.

    The ServiceNow instance name (or instance ID) is a unique identifier for your ServiceNow instance. It’s important to provide the correct value to ensure that actions and data are associated with the correct ServiceNow environment.

    For details, see the ServiceNow documentation.

  5. Provide the table name (including the prefix) for the table you created with the detection-specific fields.

  6. Click the Verify Connection button to ensure Investigator can communicate with your ServiceNow instance.

    You cannot save your connection until you verify it.

  7. Click Save.

With ServiceNow configured and enabled, analysts can manually send individual detections to ServiceNow.

If you want to pause the integration, toggle the integration setting to Disabled. This preserves your connection details.

If you want to disable the integration and delete your connection details, click the Delete icon.

Note

If needed, update your firewall rules to allow network traffic from Investigator. The source IP address for Investigator is fixed per region: the North America (us-west-2) IP address is 35.81.184.144, the EU IP address is 35.157.240.249 (for eu.investigator.com), and the Middle East IP address is 40.172.28.44 (for me.investigator.com). For endpoint details, see the AWS help topic Amazon Kinesis Data Streams endpoints and quotas - AWS General Reference.

Additional learning resources

Watch a Corelight video on YouTube: How Corelight’s ServiceNow integration speeds response