Configure Incident Mirroring

Set up ServiceNow v2 integration to mirror ServiceNow incidents to Cortex XSOAR.
This document walks you through setting up the ServiceNow v2 integration to mirror incidents from ServiceNow in Cortex XSOAR. It includes steps for configuring the integration and incoming and outgoing mappers. However, it does not cover every option available in the integration nor classification and mapping features. For information about these features, refer to the specific feature documentation or integration documentation.
When mirroring incidents, you can make changes in ServiceNow that will be reflected in Cortex XSOAR, or vice versa. You can also attach files from either of the systems, which will then be available in the other system. This is made possible by the addition of 3 new functions in the integration, which are applied with the following options:
  • External schema support, which implements the
    get_mapping_fields_command
    function to display the 3rd-party schema.
  • Can sync mirror in, which implements the
    get_remote_data_command
    to mirror information from the 3rd party application.
  • Can sync mirror out, which implements
    update_remote_system_command
    to push mirroring information out to the 3rd-party application.
  1. Define the ServiceNowv2 integration.
    1. Navigate to
      Integrations
      and search for ServiceNowv2.
    2. Click
      Add instance
      .
    3. Under
      Name
      , make sure that the instance name matches the value in the
      dbotMirrorInstance
      field in the incoming mapper.
      To change the value in the mapper, you must first duplicate the mapper and edit the field in the copy of the mapper.
    4. Select the
      Fetches incidents
      radio button.
    5. Under
      Classifier
      , select
      ServiceNow Classifier
      .
    6. Under
      Incident type
      , select
      ServiceNowTicket
      .
    7. Under
      Mapper (incoming)
      , select
      ServiceNow - Incoming Mapper
      .
    8. Under
      Mapper (outgoing)
      , select
      ServiceNow - Outgoing Mapper
      .
    9. Enter the remaining connection parameters.
    10. To enable mirroring when closing an incident or ticket in Cortex XSOAR and ServiceNow, select the
      Close XSOAR Incident
      and
      Close ServiceNow Ticket
      checkboxes, respectively.
    11. Click
      Done
      .
  2. Modify the incoming mapper.
    1. Navigate to
      Classification and Mapping
      and click
      Mapper-Incoming-ServiceNow
      .
    2. Under the
      Incident Type
      dropdown, select
      ServiceNowTicket
      .
    3. Change the mapping according to your needs.
      5 fields have been added to support the mirroring feature:
      • dbotMirrorDirection - determines whether mirroring is incoming, outgoing, or both. Default is Both.
      • dbotMirrorId - the field used by the 3rd party integration to identify the ticket. In this case, the ServiceNow incident ID field.
      • dbotMirrorInstance - determines the ServiceNow instance with which to mirror.
      • dbotMirrorLastSync - determines the field by which to indicate the last time that the systems synchronized.
      • dbotMirrorTags - determines the tags that you need to add in Cortex XSOAR for entries to be pushed to ServiceNow.
        • To mirror files, use the
          ForServiceNow
          tag.
        • To mirror general notes, use the
          comments
          tag.
        • To mirror private notes that can be read only by users with the necessary permissions, use the
          work_notes
          tag.
    4. Save your changes.
  3. Modify the outgoing mapper.
    1. Under
      Classification and Mapping
      , click
      Mapper-Outgoing-ServiceNow
      .
      The left side of the screen shows the ServiceNow fields to which to map and the right side of the screen shows the Cortex XSOAR fields by which you are mapping.
    2. Under the
      Incident Type
      dropdown, select
      ServiceNowTicket
      .
    3. Under
      Schema Type
      , select
      incident
      . The Schema Type represents the ServiceNow entity that you are mapping to. In our example it is an incident, but it can also be any other kind of ticket that ServiceNow supports.
    4. On the right side of the screen, under
      Incident
      , select the incident based on which you want to match.
    5. Change the mapping according to your needs.
    6. Save your changes.
  4. Create an incident in ServiceNow. For purposes of this use case, it can be a very simple incident.
  5. In Cortex XSOAR, the new ticket will be ingested in approximately one minute.
    1. Add a note to the incident. In the example below, we have written
      A comment from Cortex XSOAR to ServiceNow
      .
    2. Click
      Actions
      Tags
      and add the
      comments
      tag.
    3. Add a file to the incident and mark it with the
      ForServiceNow
      tag.
    4. Navigate back to the incident in ServiceNow and within approximately one minute, the changes will be reflected there, too.
    You can make additional changes like closing the incident or changing severity and those will be reflected in both systems.
    The final source of truth for the incident for Cortex XSOAR are the values in Cortex XSOAR. Meaning, if you change the severity in Cortex XSOAR and then change it back in ServiceNow, the final value that will be presented is the one in Cortex XSOAR.

Recommended For You