ServiceNow SecOps

Configuring a webhook integration with ServiceNow SecOps allows Identity Security Insights to create security incidents automatically in ServiceNow SecOps, eliminating the need for manual intervention and reducing delays. This helps your organization to improve its overall security posture.

⚠️

Important

Third-party documentation is subject to change. Updates might not be reflected in BeyondTrust documentation. For the most up-to-date information, visit ServiceNow product documentation.

Requirements

Create a service account user

The webhook integration between ServiceNow SecOps and Identity Security Insights requires an Insights service account in ServiceNow. You must create a new user in ServiceNow with the sn_si.basic role and copy the user's sys_id. You require the sys_id for the user when configuring the webhook in Insights.

Create a new user and assign a role

  1. In ServiceNow, navigate to All > User Administration > Users.
  2. Click New.
  3. Fill in the form and click Submit. The new user record appears at the top of the list.
  4. Open the user record for the new user.
  5. In the Roles related list, click Edit.
  6. In the Collection list, select the sn_si.basic role, and then click Add. The role is listed in the Roles List.
  7. Click Save.

ℹ️

Note

For more information on creating users and assigning roles in ServiceNow, see Create a user and Assign a role to a user.

Copy the sys_id for the user

  1. In ServiceNow, locate the user record for the account you created in the above steps.
  2. Right-click the user.
  3. Select Copy sys_id from the context menu.

ℹ️

Note

For more information on the sys_id unique record identifier in ServiceNow, see Unique record identifier (sys_id).

Create webhook for ServiceNow SecOps

  1. In Identity Security Insights, select your tenant.

  2. In the upper left menu, click Insights > Integrations.
    The Integrations page displays the available integrations.

  3. Click Webhooks or your product.
    The Summary page displays.

  4. Click Create Integration.
    The Configure Integration page displays.

  5. Enter the following information:

    • Name: A name for the new webhook.
    • Webhook URL: https://{Your ServiceNow Instance Name}.service-now.com/api/now/table/sn_si_incident
    • Authorization Type: Basic
    • Username: The username of the service account you created in ServiceNow.
    • Password: The password for that user.
    • Webhook Template: Use the test webhook JSON template below to test the connection and create a security incident in ServiceNow SecOps. After a successful test with the static test data, the template can be configured. Create or change the fields and add variables as per your requirements.
      • caller is the sys_id for the user account you created in ServiceNow
      • assignment_group is the sys_id for the group assigned to the security incident in ServiceNow. In ServiceNow, copy the sys_id for that group record.
      • assigned_to is the sys_id for the security analyst user assigned to the security incident in ServiceNow. In ServiceNow, copy the sys_id for that user record.
      • cmdb_ci is the name of the configuration item created in the ServiceNow SecOps database
{
  "active": "true",
  "short_description": "Suspicious Account detected in Cloud Application",
  "description": "Suspicious API Account detected: Dev334567 account=DevAdmin",
  "assignment_group": "dea26263ff0331007a6dffffffffff19",
  "caller": "963080bf3b5946504fef6b0c95e45a06",
  "impact": "1",
  "cmdb_ci": "Identity Security Insights",
  "assigned_to": "31620b30c3694e507ba03aec0501319c",
  "urgency": "2"
}

⚠️

Important

Once the webhook testing is completed with static data, configure the webhook with variables and other attributes based on your requirements, and generate a security incident in ServiceNow SecOps.
To view the incident details, navigate to your open Security Incidents list in ServiceNow and click any of the listed security incidents created by Insights.
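
A pre-flight check for the webhook settings described above, as an added example (not BeyondTrust or ServiceNow code): it lints the Webhook URL and template offline before you run the connection test, and shows what Basic authorization puts on the wire. The function names, the required-field set, and the lowercase 32-hex sys_id pattern are assumptions of this example.

```python
import base64
import json
import re
from urllib.parse import urlparse

SYS_ID = re.compile(r"[0-9a-f]{32}")  # assumed sys_id format: 32 lowercase hex characters
SYS_ID_FIELDS = ("caller", "assignment_group", "assigned_to")
REQUIRED = SYS_ID_FIELDS + ("short_description", "cmdb_ci")  # assumption: this lint's own minimum
HOST = re.compile(r"[a-z0-9-]+\.service-now\.com")
TABLE_PATH = "/api/now/table/sn_si_incident"

SAMPLE_TEMPLATE = json.dumps({  # static test values from the template on this page
    "short_description": "Suspicious Account detected in Cloud Application",
    "cmdb_ci": "Identity Security Insights",
    "caller": "963080bf3b5946504fef6b0c95e45a06",
    "assignment_group": "dea26263ff0331007a6dffffffffff19",
    "assigned_to": "31620b30c3694e507ba03aec0501319c",
})


def lint_webhook(url, template_text):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("URL is not https; Basic credentials are only base64-encoded")
    if not HOST.fullmatch(parts.hostname or ""):
        problems.append("host is not <instance>.service-now.com")
    if parts.path.rstrip("/") != TABLE_PATH:
        problems.append("path is not " + TABLE_PATH)
    try:
        body = json.loads(template_text)
    except json.JSONDecodeError as exc:
        return problems + ["template is not valid JSON: " + exc.msg]
    if not isinstance(body, dict):
        return problems + ["template must be a JSON object"]
    for field in REQUIRED:
        if field not in body:
            problems.append("missing field: " + field)
    for field in SYS_ID_FIELDS:
        if field in body and not SYS_ID.fullmatch(str(body[field])):
            problems.append(field + " is not a 32-character hex sys_id")
    return problems


def basic_auth_header(username, password):
    """Header value sent for Authorization Type 'Basic' (encoded, not encrypted)."""
    pair = (username + ":" + password).encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")
```

Call `lint_webhook(url, template)` with the values you plan to paste into the Configure Integration page; a user name or group name entered where a sys_id belongs is reported before any request is sent.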

