ServiceNow

The ServiceNow data exporter allows you to export incidents and investigations to ServiceNow, the ticketing system. Once this is configured within InsightIDR, you can export incident and investigation details with the click of a button to start the ticketing process.

You can also use ServiceNow with automated workflows to create tickets during Investigations.

Before You Begin

The integration with ServiceNow currently requires the URL of a ServiceNow server that accepts inbound communication from the Rapid7 Insight Platform, and an account with the admin permission or one of the following permissions:

  • itil_admin
  • itil
  • mid_server

The above minimum permissions will allow you to create a connection, but you must also be aware of the other fields required to create a ticket. If the account does not have access to a required field, you may not be able to save field mappings correctly.

Make sure the account you configure for the integration has one of the permissions outlined above, so that it can create an incident in ServiceNow.

How to Configure ServiceNow for InsightIDR

You can read instructions on configuring ServiceNow with third-party applications here: https://docs.servicenow.com/bundle/helsinki-servicenow-platform/page/integrate/concept/c_IntegrateWThirdPartyAppsDataSrces.html

How to Configure this Event Source in InsightIDR

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Data Exporter icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. In the "URL" field, enter the URL to the ServiceNow server.
  6. Optionally choose to export asset-specific Investigations from InsightIDR by checking the Investigations box.
  7. Select the credentials to your ServiceNow Controller or create a new credential.
  8. In the "Password" field, enter the password for the ServiceNow Controller.
  9. Click Save.

You now have the ability to view a particular investigation or incident and click a button called "Export to ServiceNow."

This will automatically post the incident details to the incident table in ServiceNow with the same heading they had in InsightIDR. It will also attach a PDF screenshot of all the details from that investigation/incident.