ServiceNow SecOps
Create security incidents from database audit events in ServiceNow Security Operations. Integrate with CMDB for asset correlation and leverage workflow automation for incident response.
Security Incidents
Automatically create security incidents from database alerts with full context.
CMDB Integration
Link incidents to database Configuration Items for asset-aware incident management.
Workflow Automation
Trigger Flow Designer workflows for automated incident response and escalation.
Configuration Reference
1 Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "servicenow-prod") |
| provider | select | Yes | servicenow | SIEM provider - select "ServiceNow SecOps" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| instance_url | string | Yes | - | ServiceNow instance URL (e.g., "https://your-instance.service-now.com") |
| username | string | Yes | - | ServiceNow user with security incident creation permissions |
| password | password | Yes | - | ServiceNow user password or OAuth token |
2 ServiceNow-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| table | string | No | sn_si_incident | Target table for incidents (sn_si_incident for Security Incidents) |
| assignment_group | string | No | - | Default assignment group sys_id for incidents |
| category | string | No | Database Security | Incident category |
| subcategory | string | No | Audit Event | Incident subcategory |
| cmdb_ci | string | No | - | Default Configuration Item sys_id for database assets |
3 Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4 Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 1 | Number of events per batch (1 recommended for incidents) |
| flush_interval_seconds | number | No | 5 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
Setup Instructions
Create Integration User
Create a ServiceNow user with appropriate roles for security incident creation.
```text
# Create ServiceNow integration user:
# 1. Navigate to User Administration → Users
# 2. Create new user "dbaudit_integration"
# 3. Assign roles:
#    - sn_si.write (Security Incident write)
#    - itil (for incident management)
#    - cmdb_read (for CI lookup)
# 4. Set a strong password

# Or use OAuth for authentication:
# 1. Navigate to Application Registry
# 2. Create new OAuth API endpoint
# 3. Note the Client ID and Client Secret
# 4. Generate refresh token

# Required permissions:
# - Create Security Incidents
# - Read Configuration Items
# - Read Assignment Groups
```
Configure CMDB (Optional)
Set up Configuration Items for your databases in the CMDB.
```text
# Set up CMDB Configuration Items for databases:
# Navigate to Configuration → Servers → Database Servers
# Create CI for each monitored database:
```

```json
{
  "name": "production-postgres",
  "dns_domain": "db.example.com",
  "ip_address": "10.0.1.100",
  "category": "Database Server",
  "subcategory": "PostgreSQL",
  "environment": "Production",
  "support_group": "Database Team",
  "u_db_audit_enabled": true
}
```

```text
# Store the sys_id for each CI:
# Example: 8a5055c91b5b89100116f5c1b24bcb12
# Map databases to CIs in DB Audit configuration
```
Tip: CMDB integration enables automatic asset correlation and team assignment based on database ownership.
Test API Connection
Verify the integration user can create security incidents. Note that a password passed on the curl command line is visible in shell history and process listings; for anything beyond a one-off test, supply credentials from a netrc file or an environment variable instead.
```bash
# Test ServiceNow API connection
curl -X GET "https://your-instance.service-now.com/api/now/table/sys_user?sysparm_limit=1" \
  -u "username:password" \
  -H "Accept: application/json"

# Test incident creation
curl -X POST "https://your-instance.service-now.com/api/now/table/sn_si_incident" \
  -u "username:password" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{
    "short_description": "Test incident from DB Audit",
    "description": "Test incident to verify integration",
    "category": "Database Security",
    "priority": "4"
  }'
```

Expected response:

```json
{
  "result": {
    "sys_id": "abc123...",
    "number": "SIN0010001",
    ...
  }
}
```
Configure in DB Audit
Add the ServiceNow SecOps integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select ServiceNow SecOps as the provider
- Enter your instance URL and credentials
- Configure assignment group and CMDB CI mappings
- Select event types to forward
- Test the connection and save
Create Workflows (Optional)
Create Flow Designer workflows for automated incident handling.
```text
// ServiceNow Flow Designer - DB Audit Alert Workflow
// Flow Designer → New Flow

Flow Name: DB Audit Security Alert Processing
Trigger: Record Created
Table: Security Incident [sn_si_incident]
Condition: source = "DB Audit"

Actions:
1. Look Up CI
   - Table: Configuration Items
   - Query: name = trigger.u_database
2. If CI Found:
   - Update incident.cmdb_ci = CI.sys_id
   - Update incident.assignment_group = CI.support_group
3. If Priority = 1 (Critical):
   - Create Event
   - Send Notification to SOC team
   - Create PagerDuty incident
4. If Contains PII:
   - Add Work Note: "PII data access detected"
   - Notify Privacy team
5. Log Subflow Completion
```
Incident Format
Security incidents are created with full audit context and custom fields.
```json
{
  "short_description": "Database Audit Alert: Large Data Access Detected",
  "description": "User app_user executed SELECT query returning 1500 rows from customers table containing PII data\n\nDatabase: production-postgres\nType: postgresql\nClient IP: 10.0.1.50\nQuery: SELECT * FROM customers WHERE...\n\nTimestamp: 2024-01-15T10:30:45.123Z",
  "category": "Database Security",
  "subcategory": "Data Access",
  "priority": "2",
  "impact": "2",
  "urgency": "2",
  "assignment_group": "Database Security Team",
  "cmdb_ci": "8a5055c91b5b89100116f5c1b24bcb12",
  "u_source": "DB Audit",
  "u_event_type": "audit_event",
  "u_database": "production-postgres",
  "u_actor_user": "app_user",
  "u_actor_ip": "10.0.1.50",
  "u_action_type": "SELECT",
  "u_rows_affected": 1500,
  "u_contains_pii": true
}
```
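As an added example (not DB Audit's own code), the following maps a database audit event into the incident payload shown above while honouring the event_types, severity_filter and database_filter settings from the configuration reference. The event dictionary shape and the severity-to-priority mapping are assumptions, since the page shows only the resulting incident.

```python
# Constructed DB Audit event shape for this example (the page does not show the real schema):
# event_type, severity, title, summary, subcategory, database, db_type, actor_user, actor_ip,
# action_type, rows_affected, contains_pii, query, timestamp.
# Assumed severity -> (priority, impact, urgency); the page's sample carries 2/2/2 for a warning.
SEVERITY_MAP = {"critical": ("1", "1", "1"), "warning": ("2", "2", "2"), "info": ("4", "3", "3")}

def should_forward(ev, event_types="all", severity_filter="all", database_filter=()):
    """Apply the Event Filtering settings from the configuration reference."""
    # Settings use plural type names (audit_events) while u_event_type is singular (audit_event).
    if event_types != "all" and ev["event_type"] + "s" not in event_types:
        return False
    if severity_filter != "all" and ev["severity"] not in severity_filter:
        return False
    return not database_filter or ev["database"] in database_filter  # empty = all databases

def build_incident(ev, category="Database Security", assignment_group="", cmdb_ci=""):
    """Build the sn_si_incident payload with the standard and u_* custom fields shown above."""
    priority, impact, urgency = SEVERITY_MAP[ev["severity"]]
    incident = {
        "short_description": f"Database Audit Alert: {ev['title']}",
        "description": (f"{ev['summary']}\n\nDatabase: {ev['database']}\nType: {ev['db_type']}\n"
                        f"Client IP: {ev['actor_ip']}\nQuery: {ev['query']}\n\n"
                        f"Timestamp: {ev['timestamp']}"),
        "category": category,
        "subcategory": ev["subcategory"],
        "priority": priority, "impact": impact, "urgency": urgency,
        "u_source": "DB Audit",
        "u_event_type": ev["event_type"],
        "u_database": ev["database"],
        "u_actor_user": ev["actor_user"],
        "u_actor_ip": ev["actor_ip"],
        "u_action_type": ev["action_type"],
        "u_rows_affected": ev["rows_affected"],
        "u_contains_pii": ev["contains_pii"],
    }
    # Connection defaults are only sent when configured, so a Flow Designer CI lookup can still fill them.
    if assignment_group:
        incident["assignment_group"] = assignment_group
    if cmdb_ci:
        incident["cmdb_ci"] = cmdb_ci
    return incident

# Constructed sample event matching the incident shown above.
SAMPLE_EVENT = {
    "event_type": "audit_event", "severity": "warning", "title": "Large Data Access Detected",
    "summary": "User app_user executed SELECT query returning 1500 rows from customers table containing PII data",
    "subcategory": "Data Access", "database": "production-postgres", "db_type": "postgresql",
    "actor_user": "app_user", "actor_ip": "10.0.1.50", "action_type": "SELECT", "rows_affected": 1500,
    "contains_pii": True, "query": "SELECT * FROM customers WHERE...", "timestamp": "2024-01-15T10:30:45.123Z",
}
```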
Sample ServiceNow Queries
Use these queries to filter and report on DB Audit security incidents.
```text
// ServiceNow Security Incident queries

// All DB Audit incidents
u_source=DB Audit

// Critical database incidents
u_source=DB Audit^priority=1

// Incidents with PII access
u_source=DB Audit^u_contains_pii=true

// Incidents by database
u_source=DB Audit^u_database=production-postgres

// Open incidents assigned to team
u_source=DB Audit^state!=7^assignment_group.name=Database Security Team
```

```javascript
// GlideRecord example (Script):
var gr = new GlideRecord('sn_si_incident');
gr.addQuery('u_source', 'DB Audit');
gr.addQuery('state', '!=', 7);
gr.orderByDesc('sys_created_on');
gr.query();
while (gr.next()) {
  gs.info('Incident: ' + gr.number + ' - ' + gr.short_description);
}
```
Troubleshooting
Authentication failed (401)
Verify that the username and password are correct, and check that the user is active and not locked out.
Permission denied (403)
Ensure the integration user has the sn_si.write role for Security Incidents. Check ACL rules.
Table not found
The sn_si_incident table requires a Security Operations license. Use the standard incident table if Security Operations is not licensed.
Custom field errors
Ensure custom fields (u_*) are created on the incident table before sending events with those fields.
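Added example, not the product's own code: delivering one incident to the Table API with the retry_attempts setting from the Batching & Reliability section, treating the 401/403/404 conditions listed under Troubleshooting as permanent failures that are reported rather than retried. The `post` callable is an assumed injection point so credentials stay with the caller and the function runs offline.

```python
import json
import time
from typing import Callable

# Statuses the Troubleshooting section ties to configuration problems (bad credentials,
# missing sn_si.write role or ACL, unknown table, unknown u_* field): retrying cannot fix them.
PERMANENT_STATUSES = {400, 401, 403, 404}

class DeliveryError(Exception):
    pass

def describe_error(status, body):
    """Extract ServiceNow's error envelope {"error": {"message": ..., "detail": ...}} when present."""
    try:
        err = json.loads(body).get("error", {})
        return f"{status}: {err.get('message', '')} {err.get('detail', '')}".strip()
    except (ValueError, AttributeError):
        return f"{status}: {body[:200]}"

def send_incident(post: Callable[[str, str], tuple], instance_url, incident,
                  table="sn_si_incident", retry_attempts=3, backoff_seconds=0.0):
    """POST one incident (batch_size 1) and return its number, retrying only transient failures.

    post(url, json_body) -> (status_code, response_text) is supplied by the caller, who owns the
    credentials (secret store or environment, never the command line) and the HTTP client.
    """
    url = f"{instance_url.rstrip('/')}/api/now/table/{table}"
    body = json.dumps(incident)
    last_error = None
    for attempt in range(retry_attempts + 1):  # first try plus retry_attempts retries
        status, text = post(url, body)
        if 200 <= status < 300:
            return json.loads(text)["result"]["number"]  # e.g. SIN0010001
        last_error = describe_error(status, text)
        if status in PERMANENT_STATUSES:
            raise DeliveryError(f"not retrying: {last_error}")
        time.sleep(backoff_seconds * (attempt + 1))  # transient (429/5xx): back off and retry
    raise DeliveryError(f"gave up after {retry_attempts + 1} attempts, last error {last_error}")
```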
Ready to Integrate with ServiceNow?
Start creating security incidents from database audit events in minutes.