> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rad.security/llms.txt
> Use this file to discover all available pages before exploring further.

# ServiceNow (ITSM)

> Configure ServiceNow ITSM integration with RAD Security for automated security incident management.

# ServiceNow (ITSM) Integration Setup

<Note>
  **Beta Integration:** This integration is currently in beta. Features and setup steps may change as we refine the integration based on user feedback.
</Note>

This guide walks you through integrating ServiceNow ITSM with RAD Security for automated security incident and ticket management, enabling you to automatically create, update, and track security incidents as ServiceNow issues.

ServiceNow provides powerful IT service management capabilities, making it ideal for managing security incidents, vulnerabilities, and remediation workflows in enterprise environments.

<Info>
  **Token Authentication Required:** This integration requires ServiceNow API Key (token-based) authentication, which is only available in the ServiceNow Washington DC release or later. Earlier versions are not supported.
</Info>

## Prerequisites

Before you begin, ensure you have:

<Check>
  * Admin access to ServiceNow (Washington DC release or later)
  * Ability to create users, roles, and API keys in ServiceNow
  * The API Key and HMAC Authentication plugin enabled
  * Access to RAD Security workspace with integration permissions
</Check>

<Info>
  **Service User Recommended:** Create a dedicated service user for this integration rather than using a personal account. This ensures the integration continues working when team members leave or change roles.
</Info>

***

## Step 1: Log in to ServiceNow as Admin

<Steps>
  <Step title="Access ServiceNow Admin">
    Log in to your ServiceNow instance with administrator privileges
  </Step>

  <Step title="Verify API Key Plugin">
    1. Navigate to **All > Admin Center > Application Manager**
    2. Verify the **API Key and HMAC Authentication** plugin (`com.glide.tokenbased_auth`) is activated
    3. If not enabled, activate the plugin before proceeding

    <Warning>
      The API Key plugin is required for this integration and is only available in ServiceNow Washington DC release or later.
    </Warning>
  </Step>
</Steps>

***

## Step 2: Elevate Role and Create Custom Role

<Steps>
  <Step title="Elevate to Security Admin">
    1. Click on the **face icon** in the upper right corner
    2. Click **Elevate Role**
    3. Select **security\_admin**

    <Note>
      This elevation allows you to create the necessary roles and permissions for the integration.
    </Note>
  </Step>

  <Step title="Create Custom Role">
    1. Navigate to **All > System Security > Users and Groups > Roles**
    2. Click **New**
    3. Create a new custom role with a descriptive name (e.g., "rad\_security\_integration")
    4. **Save and note the role name** for use in later steps

    <Info>
      This custom role will be used to grant specific permissions to the service user for table access.
    </Info>
  </Step>
</Steps>

***

## Step 3: Create Service Account User

<Steps>
  <Step title="Navigate to User Management">
    Navigate to **All > Organization > Users**
  </Step>

  <Step title="Create New User">
    1. Select **New** from the upper right corner
    2. Fill in the required fields, making sure to select the **Internal Integration User** field
  </Step>

  <Step title="Assign Roles to User">
    Once the user is created, select it from the list of users:

    1. In the **Roles** tab, select **Edit...**
    2. Add the following role collections:
       * `sn_incident_write` - Write access to incidents
       * `sn_incident_read` - Read access to incidents
       * `itil_admin` - ITIL administration
       * `u_ticket_user` - Ticket management
    3. Add the **custom role** you created in Step 2
    4. Click **Save**
  </Step>
</Steps>

<Warning>
  **Service User Strongly Recommended:** While you can use an existing user account, creating a dedicated service user is strongly recommended. If a personal account is used and that person leaves your organization, the integration will break.
</Warning>

***

## Step 4: Create Inbound Authentication Profile

<Steps>
  <Step title="Navigate to Authentication Profiles">
    Navigate to **All > System Web Services > API Access Policies > Inbound Authentication Profile**
  </Step>

  <Step title="Create API Key Profile">
    1. Click **New**
    2. Click **Create API Key authentication profiles**
    3. Provide a **name** for the profile
    4. In the **Auth Parameter** field, add **Auth Header** using the `x-sn-apikey` header field
    5. Click **Submit**

    <Note>
      The `x-sn-apikey` header is the standard header used to send the API key in requests to ServiceNow.
    </Note>
  </Step>
</Steps>

***

## Step 5: Generate API Key

<Steps>
  <Step title="Navigate to REST API Keys">
    Navigate to **All > System Web Services > API Access Policies > REST API Key**
  </Step>

  <Step title="Create API Key">
    1. Click **New**
    2. Enter a **name** for the key (e.g., "RAD Security Integration Key")
    3. Select the **service user** created in Step 3 as the **User**
    4. Click **Save**

    <Note>
      The API key will be associated with the service user and inherit all the user's role assignments.
    </Note>
  </Step>

  <Step title="Copy API Key Token">
    1. After saving, the system generates a token
    2. Use the **lock icon** to view the token
    3. **Immediately copy the token** that appears below the field

    <Warning>
      **Save this token securely!** You'll need it to configure the integration in RAD Security. Store it in a password manager or secrets vault.
    </Warning>
  </Step>
</Steps>

***

## Step 6: Set API Access Policy

<Steps>
  <Step title="Navigate to API Access Policies">
    Navigate to **All > System Web Services > API Access Policies > REST API Access Policies**
  </Step>

  <Step title="Create New Policy">
    1. Click **New**
    2. Provide a descriptive **name** (e.g., "RAD Security Table API Access")
    3. Under **REST API**, select **Table API**
    4. Verify that **Apply to all methods** is checked
  </Step>
</Steps>

***

## Step 7: Create ACL for Table Access

<Steps>
  <Step title="Navigate to Access Control">
    Navigate to **All > System Security > Access Control (ACL) > New**
  </Step>

  <Step title="Configure ACL">
    1. In the **Type** field, select **record**
    2. In the **Operation** field, select **Create**
    3. In the **Name** field, select **Incident**
    4. Under **Requires Role**, in the **Roles** field, select the **custom role** created in Step 2
    5. Click **Submit**

    <Note>
      This ACL grants create permission on the Incident table to any user with the custom role you created.
    </Note>
  </Step>
</Steps>

<Warning>
  **Important for Mixed Authentication:** If you are using basic authentication for other integrations that use the Table API, you will need to add a basic auth authentication profile to this policy as well, or create a separate policy for basic auth integrations. ServiceNow uses a priority system to determine which authentication method to use, and adding an API key authentication profile will override the default basic auth profile.
</Warning>

***

## Step 8: Configure in RAD Security

Navigate to your RAD Security workspace and configure the ServiceNow ITSM integration with the following parameters:

### Required Parameters

| Parameter  | Description                          | Example                                 |
| ---------- | ------------------------------------ | --------------------------------------- |
| **URL**    | Root URL of your ServiceNow instance | `https://your-company.service-now.com/` |
| **Secret** | API Key token from Step 5            | `your-api-token-here`                   |

<Note>
  The URL should be your ServiceNow root URL in the format `https://<tenant>.service-now.com/` where `<tenant>` is your organization's ServiceNow instance name.
</Note>

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Data Sources > Integrations > Ticketing** in RAD Security
2. Locate your ServiceNow ITSM integration
3. Check the connection status shows as **Connected**
4. Test by creating a sample incident from RAD Security

<Check>
  Your ServiceNow ITSM integration is now configured! RAD Security can now automatically create and manage security incidents in ServiceNow.
</Check>

## What Data is Synced

Once configured, RAD Security will sync the following with ServiceNow ITSM:

<AccordionGroup>
  <Accordion title="Incident Creation" icon="ticket">
    * Automatically create ServiceNow incidents for security events
    * Include detailed incident context and metadata
    * Attach relevant threat intelligence
    * Add affected assets and resources
    * Include remediation recommendations
    * Populate standard ITIL fields
  </Accordion>

  <Accordion title="Custom Field Mapping" icon="sliders">
    * Map RAD Security fields to ServiceNow fields
    * Configure custom field values
    * Set default incident types
    * Define priority and urgency mappings
    * Configure assignment rules
    * Support for custom ServiceNow fields
  </Accordion>

  <Accordion title="ITSM Workflow Integration" icon="diagram-project">
    * Integrate with ServiceNow workflows
    * Trigger automated assignment rules
    * Leverage ServiceNow escalation policies
    * Support approval processes
    * Enable change management integration
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Automated Incident Creation" icon="wand-magic-sparkles">
    Automatically create ServiceNow incidents when security events, vulnerabilities, or policy violations are detected.
  </Card>

  <Card title="ITSM Workflow Integration" icon="diagram-project">
    Integrate security findings into existing IT service management workflows and processes.
  </Card>

  <Card title="Enterprise Incident Management" icon="building">
    Manage security incidents alongside IT incidents in a centralized ITSM platform.
  </Card>

  <Card title="Compliance Tracking" icon="file-check">
    Track security remediation efforts through ServiceNow's audit and compliance features.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * API token is incorrect or expired
    * API token was revoked
    * Service user account was disabled or deleted
    * Incorrect ServiceNow instance URL

    **Solution:**

    * Verify the API token is copied correctly (no extra spaces)
    * Check that the service user account is still active
    * Try logging in to ServiceNow with the service user credentials
    * Generate a new API token if needed
    * Confirm the instance URL is correct
  </Accordion>

  <Accordion title="Insufficient Permissions" icon="shield-exclamation">
    **Possible causes:**

    * User missing required roles
    * Custom role not assigned
    * ACL not properly configured
    * User removed from necessary groups

    **Solution:**

    * Verify the service user has all required roles assigned
    * Check that the custom role is assigned to the user
    * Review ACL configuration for the Incident table
    * Ensure role collections are active and properly configured
    * Confirm no role restrictions have been added
  </Accordion>

  <Accordion title="Cannot Create Incidents" icon="ticket-slash">
    **Possible causes:**

    * Missing ACL permissions
    * Required fields not mapped
    * Table access restrictions
    * Workflow blocking creation

    **Solution:**

    * Verify the ACL for Incident table includes the custom role
    * Check that all required ServiceNow fields are properly mapped
    * Ensure the Incident table is accessible
    * Review ServiceNow workflow restrictions
    * Check ServiceNow business rules that might block creation
  </Accordion>

  <Accordion title="API Key Plugin Not Available" icon="plug-circle-xmark">
    **Possible causes:**

    * ServiceNow version is older than Washington DC release
    * Plugin not activated
    * License doesn't include API access

    **Solution:**

    * Verify your ServiceNow version supports API keys (Washington DC or later)
    * Check that the API Key and HMAC Authentication plugin is activated
    * Contact ServiceNow support about licensing if plugin is unavailable
    * Consider upgrading to a supported ServiceNow version
  </Accordion>

  <Accordion title="Wrong ServiceNow Instance URL" icon="globe">
    **Possible causes:**

    * Missing trailing slash
    * Incorrect instance name
    * Using developer instance URL format
    * Including additional path components

    **Solution:**

    * Ensure you're using the correct URL format: `https://<instance>.service-now.com/`
    * Include the trailing slash
    * Verify the instance name matches your organization
    * Don't include paths like `/api/` or `/incident.do`
  </Accordion>

  <Accordion title="Token Expired or Revoked" icon="key-skeleton">
    **Possible causes:**

    * Token was manually revoked
    * Service user was deleted or deactivated
    * Token reached configured expiration
    * API access policy changed

    **Solution:**

    * Log in as admin and verify the service user exists and is active
    * Navigate to REST API Keys and check if the token still exists
    * Check API access policies haven't changed
    * Create a new token if the old one was revoked
    * Update the token in RAD Security integration settings
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Use Service Accounts" icon="user-gear">
    Always use a dedicated service account with a service email, never a personal account tied to an individual.
  </Card>

  <Card title="Least Privilege Access" icon="shield-halved">
    Only grant the minimum permissions required. Use custom roles rather than admin privileges for integration accounts.
  </Card>

  <Card title="Rotate Tokens Regularly" icon="rotate">
    Rotate API tokens every 90 days or according to your security policy to minimize risk of compromise.
  </Card>

  <Card title="Secure Token Storage" icon="lock">
    Store API tokens in a secure password manager or secrets vault. Never commit to version control or share via insecure channels.
  </Card>

  <Card title="Monitor Integration Activity" icon="chart-line">
    Regularly review incidents created by the integration to ensure proper operation and detect anomalies.
  </Card>

  <Card title="Audit Permissions" icon="clipboard-list">
    Periodically review the service user's role assignments and ACL configurations to ensure they remain appropriate.
  </Card>

  <Card title="Track Token Usage" icon="key">
    Document which tokens are used for which integrations to simplify rotation and troubleshooting.
  </Card>

  <Card title="Enable MFA on Admin Accounts" icon="shield-check">
    Ensure admin accounts used to create service users and API keys have multi-factor authentication enabled.
  </Card>
</CardGroup>

## Token Rotation

To rotate your ServiceNow API token:

<Steps>
  <Step title="Create New Token">
    1. Log in as admin to ServiceNow
    2. Navigate to **All > System Web Services > API Access Policies > REST API Key**
    3. Create a new API key for the same service user with a different name
    4. Copy the new token immediately
  </Step>

  <Step title="Update Integration">
    Update the token in RAD Security integration settings
  </Step>

  <Step title="Verify Connection">
    Test that the integration still works with the new token by creating a test incident
  </Step>

  <Step title="Revoke Old Token">
    Once verified, delete or deactivate the old token in ServiceNow
  </Step>
</Steps>

## Additional Resources

<CardGroup cols={2}>
  <Card title="ServiceNow API Key Authentication" icon="book" href="https://www.servicenow.com/community/developer-advocate-blog/inbound-rest-api-keys/ba-p/2854924">
    Official ServiceNow guide to API key authentication
  </Card>

  <Card title="ServiceNow REST API Documentation" icon="code" href="https://docs.servicenow.com/bundle/vancouver-application-development/page/integrate/inbound-rest/concept/c_RESTAPI.html">
    Learn about ServiceNow's REST API capabilities
  </Card>

  <Card title="ServiceNow Access Control" icon="shield" href="https://docs.servicenow.com/bundle/vancouver-platform-security/page/administer/security/concept/c_AccessControl.html">
    Understand ServiceNow access control and ACL configuration
  </Card>

  <Card title="ServiceNow ITSM Best Practices" icon="list-check" href="https://www.servicenow.com/products/itsm.html">
    ServiceNow IT Service Management overview and best practices
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="Ticketing Overview" icon="ticket" href="/rad-security/integrations/ticketing/overview">
    Learn about other ticketing integrations
  </Card>

  <Card title="Jira Cloud" icon="jira" href="/rad-security/integrations/ticketing/jira-cloud-setup">
    Add Jira Cloud for additional ticket management
  </Card>

  <Card title="Workflows" icon="diagram-project" href="/rad-security/platform/workspace">
    Configure custom workflows for incident response
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Set up alert rules that trigger ServiceNow incident creation
  </Card>
</CardGroup>