>
    Strata Copilot
    ServiceNow CloudBlade Integration
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. ServiceNow CloudBlade Integration
    Download PDF
    Prisma SD-WAN

    ServiceNow CloudBlade Integration

    Table of Contents

    ServiceNow CloudBlade Integration

    Leran to integrate the Prisma SD-WAN ServiceNow CloudBlade and get information on the Evenets, Alerts and Alarm attributes.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    • ServiceNow CloudBlade
    The ServiceNow CloudBlade is used to translate events raised on Prisma SD-WAN into incident tickets on ServiceNow. Once a ticket is created in ServiceNow, the IT Operations team can be alerted to check the network condition and take immediate action for remediation, thus making sure that network Service Level Agreements (SLAs) and thereby application SLAs are met.The following sections provide information about the Prisma SD-WAN events and alerts.
    The ServiceNow CloudBlade can also be used to create incident tickets on any of the Circuit Insights. Similar to events, customers can subscribe to the insights they want to be alerted on via ServiceNow. More details on the Circuit Insights can be found in the datasheet here.

    Prisma SD-WAN Events

    In day-to-day network functioning, many incidents occur that may be a cause for concern. Prisma SD-WAN identifies these incidents that occur in the network and classifies them into two types to determine the type of fault.
    An alarm is an indication of a fault in the system. Alarms can be raised and cleared, and can be of the following severity:
    • Critical – Whole or part of a network is down, and requires immediate action.
    • Major – Network is impacted, and needs immediate attention.
    • Minor – Network is degraded, and needs attention soon.
    An alert may or may not be an indication of fault in the network. An alert is raised when system-defined or customer-defined thresholds are reached.
    These alerts and alarms can be viewed from the Events tab of the Prisma SD-WAN portal.
    Alerts and alarms generated in the system are triggered by different types of events, categorized broadly as hardware issues, software issues, device interface issues, device registration issues, peering issues, site level issues, tunnel issues, and application performance issues. These issues, based on the type of event, may originate from the ION device or the controller.

    Alert and Alarm Attributes

    Each event contains a bunch of attributes that can be used to gain more information on the condition. Depending on the type of event, the attributes that constitute the event differ.
    An alarm typically consists of the following attributes:
    {    "_created_on_utc": "2021-07-15T05:48:39.121000Z",
    "_etag": 1,
    "_updated_on_utc": "2021-07-15T05:48:39.121000Z",
    "acknowledged": false,
    "acknowledgement_info": null,
    "cleared": false, 
   "code": "SITE_CONNECTIVITY_DEGRADED",
    "correlation_id": "6Qeqj3iD",
    "element_id": null,
    "entity_ref": "tenants/1092/sites/16015589439620037",
    "id": "60efcc376534671b7600e09f",
    "info": null,
    "notes": null,
    "policy_info": {
        "policy_applied_time": "2021-07-15T05:48:39.121000Z",
        "policyrule_id": null,
        "policyset_id": "16226851857240070"
    },
    "priority": "p3",
    "severity": "major",
    "site_id": "16015589439620037",
    "suppressed": false,
    "suppressed_info": {
        "event_ids": null,
        "other_reasons": null,
        "summary_event_ids": null,
        "suppressed_time": null
    },
    "time": "2021-07-15T05:10:00.098000Z",
    "type": "alarm"
}
    ID
    A unique ID used to identify an event.
    Code
    An event code which describes the event.
    Correlation ID*
    Correlation ID is a system-generated ID for a raised alarm. An Alarm is associated with two states – raise and clear. At any given time, there can be multiple alarms with the same event code in either a raised or cleared state. Using the Correlation ID, you may distinguish among alarms with the same event code.
    When an alarm is cleared, the Correlation ID will indicate that the specific alarm is cleared. This ID will continue to be associated with an alarm, even if the alarm is cleared or resolved.
    Time
    The time at which this condition was seen or the event was raised or cleared.
    Element ID
    ID of the device on which this condition was seen.
    Site ID
    If the device is associated with a site, site_id will also be packaged in the event. If not, this attribute is not present.
    Type
    This field indicates the event type i.e. alert or alarm.
    Severity
    Severity for alarms are based on the following categories:
    • Critical - Whole or part of a network is down, and requires immediate action.
    • Major - Network is impacted, and needs immediate attention.
    • Minor - Network is degraded, and needs attention soon.
    Entity Reference
    Entity reference refers to the specific entity where the alarming condition is seen. This string can be used as an API URI to query the entity using the Prisma SD-WAN SDK. In the example above, the entity_ref attribute contains information about the element that is disconnected from the controller.
    Info
    Info sheds more lights on the entity that is causing the alarming condition. It can contain information regarding interfaces, or IP addresses if there is a collision. The value in this field changes depending on the event code.
    Notes
    The Notes field is used to add remarks or comments to events. You can edit notes for active alarms only.
    Priority
    This attribute indicates the priority of the event or alarm.
    Suppressed
    Suppressed is a boolean attribute that indicates if the event is suppressed by the Prisma SD-WAN Event Correlation & Suppression engine.
    Suppressed Info
    If the event is suppressed, suppressed_info contains details about the suppression time and correlated event IDs.
    Policy Info
    If the event was updated using an event policy rule, the policy_info attribute contains details about the event policy set, event policy rule, and rule application time.
    Clear*
    This attribute is Boolean and indicates if the event condition still exists or is cleared. A value of True indicates that the condition no longer exists. When an alarm is raised, it is raised with Clear set to False.
    Acknowledged*
    This attribute is Boolean and indicates if an event has been acknowledged by a user. If acknowledged, the acknowledgement_info field contains the time and the user who acknowledged the event.
    (*) indicates it is not part of the Prisma SD-WAN alert.
    A Prisma SD-WAN alert contains most of these attributes except cleared, acknowledged and correlation_id - as alerts are not standing conditions. Here’s a sample alert:
    {
            "info": { 
               "name": "internet 1", 
                "circuit_labels": "Budapest-INET-VZ" 
           }, 
            "code": "DEVICEHW_INTERFACE_ERRORS", 
            "severity": "major", 
            "_updated_on_utc": "2019-12-23T14:04:34.736000Z",
             "site_id": "15282991838450011",
             "id": "5e00c972d7b0fa2f8cb418ce", 
            "entity_ref": "tenants/1083/sites/15282991838450011/elements/15230097588400085/interfaces/15230098062640233",  
           "correlation_id": null, 
            "time": "2019-12-23T14:04:31.395000Z",
             "element_id": "15230097588400085",
             "_created_on_utc": "2019-12-23T14:04:34.736000Z",
             "type": "alert",
             "_etag": 1
        }

    © 2026 Palo Alto Networks, Inc. All rights reserved.