1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Incidents
    6. Classification and Mapping
    7. Configure Incident Mirroring
    End-of-Life (EoL)

    Configure Incident Mirroring

    This document walks you through setting up the ServiceNow v2 integration to mirror incidents from ServiceNow in Cortex XSOAR. It includes steps for configuring the integration and incoming and outgoing mappers. However, it does not cover every option available in the integration nor classification and mapping features. For information about these features, refer to the specific feature documentation or integration documentation.
    When mirroring incidents, you can make changes in ServiceNow that will be reflected in Cortex XSOAR, or vice versa. You can also attach files from either of the systems, which will then be available in the other system. This is made possible by the addition of 3 new functions in the integration, which are applied with the following options:
    • External schema support, which implements the
      get_mapping_fields_command
       function to display the 3rd-party schema.
    • Can sync mirror in, which implements the
      get_remote_data_command
       to mirror information from the 3rd party application.
    • Can sync mirror out, which implements
      update_remote_system_command
       to push mirroring information out to the 3rd-party application.
    1. Define the ServiceNowv2 integration.
      1. Navigate to
        Integrations
         and search for ServiceNowv2.
      2. Click
        Add instance
        .
      3. Under
        Name
        , make sure that the instance name matches the value in the
        dbotMirrorInstance
         field in the incoming mapper.
        To change the value in the mapper, you must first duplicate the mapper and edit the field in the copy of the mapper.
      4. Select the
        Fetches incidents
         radio button.
      5. Under
        Classifier
        , select
        ServiceNow Classifier
        .
      6. Under
        Incident type
        , select
        ServiceNowTicket
        .
      7. Under
        Mapper (incoming)
        , select
        ServiceNow - Incoming Mapper
        .
      8. Under
        Mapper (outgoing)
        , select
        ServiceNow - Outgoing Mapper
        .
      9. Enter the remaining connection parameters.
      10. To enable mirroring when closing an incident or ticket in Cortex XSOAR and ServiceNow, select the
        Close XSOAR Incident
         and
        Close ServiceNow Ticket
         checkboxes, respectively.
      11. Click
        Done
        .
    2. Modify the incoming mapper.
      1. Navigate to
        Classification and Mapping
         and click
        Mapper-Incoming-ServiceNow
        .
      2. Under the
        Incident Type
         dropdown, select
        ServiceNowTicket
        .
      3. Change the mapping according to your needs.
        5 fields have been added to support the mirroring feature:
        • dbotMirrorDirection - determines whether mirroring is incoming, outgoing, or both. Default is Both.
        • dbotMirrorId - the field used by the 3rd party integration to identify the ticket. In this case, the ServiceNow incident ID field.
        • dbotMirrorInstance - determines the ServiceNow instance with which to mirror.
        • dbotMirrorLastSync - determines the field by which to indicate the last time that the systems synchronized.
        • dbotMirrorTags - determines the tags that you need to add in Cortex XSOAR for entries to be pushed to ServiceNow.
          • To mirror files, use the
            ForServiceNow
             tag.
          • To mirror general notes, use the
            comments
             tag.
          • To mirror private notes that can be read only by users with the necessary permissions, use the
            work_notes
             tag.
      4. Save your changes.
    3. Modify the outgoing mapper.
      1. Under
        Classification and Mapping
        , click
        Mapper-Outgoing-ServiceNow
        .
        The left side of the screen shows the ServiceNow fields to which to map and the right side of the screen shows the Cortex XSOAR fields by which you are mapping.
      2. Under the
        Incident Type
         dropdown, select
        ServiceNowTicket
        .
      3. Under
        Schema Type
        , select
        incident
        . The Schema Type represents the ServiceNow entity that you are mapping to. In our example it is an incident, but it can also be any other kind of ticket that ServiceNow supports.
      4. On the right side of the screen, under
        Incident
        , select the incident based on which you want to match.
      5. Change the mapping according to your needs.
      6. Save your changes.
    4. Create an incident in ServiceNow. For purposes of this use case, it can be a very simple incident.
    5. In Cortex XSOAR, the new ticket will be ingested in approximately one minute.
      1. Add a note to the incident. In the example below, we have written
        A comment from Cortex XSOAR to ServiceNow
        .
      2. Click
        Actions
        Tags
         and add the
        comments
         tag.
      3. Add a file to the incident and mark it with the
        ForServiceNow
         tag.
      4. Navigate back to the incident in ServiceNow and within approximately one minute, the changes will be reflected there, too.
      You can make additional changes like closing the incident or changing severity and those will be reflected in both systems.
      The final source of truth for the incident for Cortex XSOAR are the values in Cortex XSOAR. Meaning, if you change the severity in Cortex XSOAR and then change it back in ServiceNow, the final value that will be presented is the one in Cortex XSOAR.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo