Documentation

ServiceNow Incident Management

Suggest Edits

Configuring a webhook integration with ServiceNow IT Service Management (ITSM) allows you to create security incidents automatically in ServiceNow ITSM. This eliminates the need for manual intervention, reduces delays, and helps your organization improve its overall security posture.

⚠️

Important

Third-party documentation is subject to change. Updates might not be reflected in BeyondTrust documentation. For the most up-to-date information, visit ServiceNow product documentation.

Requirements

  • An Insights service account in ServiceNow, with permissions to create a new user in ServiceNow with the itil role.
  • An Identity Security Insights account with administrator privileges.
  • An account that has access to the applicable tenant in Identity Security Insights.

Create a service account

The webhook integration between ServiceNow and Identity Security Insights requires an Insights service account in ServiceNow. You must create a new user in ServiceNow with the itil role and copy the user's sys_id. You require the user's sys_id when configuring the webhook in Insights.

Create a new user and assign a role

  1. In ServiceNow, navigate to All > User Administration > Users.
  2. Click New.
  3. Fill in the form and click Submit. The new user record appears at the top of the list.
  4. Open the user record for the new user.
  5. In the Roles related list, click Edit.
  6. In the Collection list, select the itil role, and then click Add. The role is listed in the Roles List
  7. Click Save.

ℹ️

Note

For more information on creating users and assign roles in ServiceNow, see Create a user and Assign a role to a user.

Copy the sys_id for the user

  1. In ServiceNow, locate the user record for the account you created in the above steps.
  2. Right-click the user.
  3. Select Copy_sys_id from the context menu.

ℹ️

Note

For more information on the sys_id unique record identifier in ServiceNow, see Unique record identifier (sys_id).

Create a webhook for ServiceNow ITSM Incidents

  1. In Identity Security Insights, select your tenant.
  2. In the upper left menu, click Insights > Integrations.
    The Integrations page displays the available integrations.
  3. Click Webhooks or your product.
    The Summary page displays.
  4. Click Create Integration.
    The Configure Integration page displays.
  5. Enter the following information:
    • Provide a name for the Webhook.
    • For the Webhook URL, use the following: https://{ServiceNow Instance}.service-now.com/api/now/table/incident
    • Select Basic for the Authorization Type.
    • Provide the username and password for the previously created service account.
    • Use this test template for Webhook Template. After a successful test with the static test data, the template can be configured. Create or change the fields and add variables as per your requirements.
      • The caller_id is the sys_id and must be replaced by the actual sys_id for your instance that you copied from the ServiceNow service account
      • assignment_group is configured for the built-in Help Desk group sys_id, which is common across instances. This can be replaced later with another assignment group sys_id.
{
			"short_description":"Suspicious Account detected in Cloud Application",
			"description":"Suspicious API Account detected in Cloud instance: dev234567 account=rogueAdmin",
			"active":"true", 
			"assignment_group":"d625dccec0a8016700a222a0f79",
			"caller_id":"3636077997100210e815b82de053afea",
			"i mpact":"1",
			"urgency":"2"
			}

Updated 18 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.