ServiceNow Incident Integration - Recommended Webhook Syntax

Detailed guidance on how to customize the payload template when setting up Incident creation integrations with ServiceNow using Webhooks

Written by Kurt Brown
Updated over a week ago

We recommend you use the following approach to simplify the process of creating Incidents within ServiceNow. Use the template below as the basis for all notification types, modifying it as described.

Payload Template

{
  "correlation_id":"{{notification.id}}",
  "correlation_display":"UpGuard",
  "short_description": "{{notification.description}}",
  "description": "<Change as per table below>",
  "impact":"<Use 1 Digit - 1=High, 2=Medium, 3=Low>",
  "urgency":"<Use 1 Digit - 1=High, 2=Medium, 3=Low>",
  "caller_id":"<Change to the name of API User>",
  "assignment_group":"<Change to the name of group>",
  "assigned_to":"<Change to the name of Person>"
}

Syntax Highlights

  • The message must be valid JSON: a comma-delimited series of field name/field value pairs, surrounded by curly brackets { }

  • The field names (such as correlation_id, short_description) must be enclosed in double quotes and must match ServiceNow column names

  • The field values may either be hardcoded values or interpreted fields that extract data from UpGuard, and must be enclosed in double quotes

  • The use of double left curly braces {{ triggers the inclusion of data fields from the UpGuard notification event. These must be followed by double right curly braces }}. You may include two or more UpGuard data elements within one ServiceNow field such as "{{notification.type}} - {{notification.description}}"

Remember to

  • Replace the contents of the impact field with either 1, 2 or 3 according to your classification of the issue

  • Replace the contents of the urgency field with either 1, 2 or 3 according to your classification of the issue

  • ServiceNow will calculate the Priority of the Incident based on the values of the Impact and Urgency - see this article for full details

  • Field values beginning with < and ending with > need to be customized. Remove the < and > and replace inside the double quotes as described below.

  • Replace the contents of the caller_id field with the name of the User you established to give UpGuard API permissions (remove the < and > from the field value).

  • Replace the contents of the assignment_group field with the name of the Group established within ServiceNow (remove the < and > from the field value).

  • Replace the contents of the assigned_to field with the name of the specific User you want to allocate the Incident to (remove the < and > from the field value). Delete this entire line if you wish to leave this field empty, making sure the last remaining field is not followed by a comma.

  • Replace the contents of the description field based on the suggested syntax below (remove the < and > from the field value)

Description Templates

| Area | Type | Template |
| --- | --- | --- |
| BreachSight - Data Leaks | Data leak published | UpGuard has detected a new Data Leak - {{notification.context.FindingName}} at {{notification.occurredAt}}. See more details at {{notification.context.FindingUrl}} |
| BreachSight - Risks & Scoring | Domain/IP removed | Domains and/or IPs have been removed:{% for item in notification.context.Hosts %}\r\n- {{ item }}{% endfor %} |
| BreachSight - Identity Breaches | Identity breach detected | UpGuard has detected a new Identity Breach - {{notification.context.BreachName}} at {{notification.occurredAt}}. See more details at {{notification.context.BreachUrl}} |
| BreachSight - Identity Breaches | Identity breach for VIP detected | UpGuard has detected a new VIP Identity Breach - {{notification.context.BreachName}} at {{notification.occurredAt}}. See more details at {{notification.context.BreachUrl}} |
| BreachSight - Risks & Scoring | New domain or IP detected | New domains and/or IPs have been detected: {% for item in notification.context.Hosts %}\r\n- {{ item }} {% endfor %} |
| BreachSight - Typosquatting | Registration changed on typosquatting domain | {{notification.context.SquatDomain}}, a permutation of {{notification.context.Domain}}, have changed.\r\nA Records{% for item in notification.context.SquatARecords %}\r\n- {{ item }} {% endfor %}\r\nNS Records{% for item in notification.context.SquatNSRecords %}\r\n- {{ item }} {% endfor %}\r\nMX Records{% for item in notification.context.SquatMXRecords %}\r\n- {{ item }} {% endfor %} |
| BreachSight - Typosquatting | Typosquatting domain registered | {{notification.context.SquatDomain}}, a permutation of {{notification.context.Domain}}, has been registered.\r\nA Records{% for item in notification.context.SquatARecords %}\r\n- {{ item }} {% endfor %}\r\nNS Records{% for item in notification.context.SquatNSRecords %}\r\n- {{ item }} {% endfor %}\r\nMX Records{% for item in notification.context.SquatMXRecords %}\r\n- {{ item }} {% endfor %} |
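
As an added example (not UpGuard's own code), this Python lint checks a customized payload against the syntax rules and reminders above before it is saved as a webhook: it treats {{ }} and {% %} tags as opaque text, parses the rest as JSON, and flags leftover < > placeholders and out-of-range impact/urgency values. The function name, the set of required fields and the sample values are assumptions made for illustration.

```python
import json
import re

TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}")   # {{ field }} and {% for %} / {% endfor %}
STRAY = re.compile(r"\{\{|\}\}|\{%|%\}")      # tag delimiters left without a partner
# Assumption: every field of the page's template except the optional assigned_to.
REQUIRED = ("correlation_id", "short_description", "description",
            "impact", "urgency", "caller_id", "assignment_group")

def lint_payload(template: str) -> list:
    """Return a list of problems found in a customized payload template."""
    problems = []
    if len(re.findall(r"\{%\s*for\b", template)) != len(re.findall(r"\{%\s*endfor\b", template)):
        problems.append("for/endfor tags do not pair up")
    # Treat each tag as opaque text so the remainder can be parsed as plain JSON.
    plain = TAG.sub("x", template)
    if STRAY.search(plain):
        problems.append("unbalanced {{ }} or {% %} delimiters")
    try:
        payload = json.loads(plain)
    except json.JSONDecodeError as err:
        return problems + [f"invalid JSON at line {err.lineno}: {err.msg}"]
    if not isinstance(payload, dict):
        return problems + ["payload must be a JSON object"]
    for name in REQUIRED:
        if name not in payload:
            problems.append(f"missing field: {name}")
    for name, value in payload.items():
        if not isinstance(value, str):
            problems.append(f"{name}: value must be a double-quoted string")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{name}: placeholder not customized")
        elif name in ("impact", "urgency") and value not in ("1", "2", "3"):
            problems.append(f"{name}: must be 1, 2 or 3")
    return problems

# Constructed samples: the user and group names are made up for illustration.
GOOD = r'''{
"correlation_id":"{{notification.id}}",
"correlation_display":"UpGuard",
"short_description":"{{notification.type}} - {{notification.description}}",
"description":"New domains and/or IPs have been detected: {% for item in notification.context.Hosts %}\r\n- {{ item }} {% endfor %}",
"impact":"2",
"urgency":"3",
"caller_id":"upguard.api",
"assignment_group":"Security Operations"
}'''
BAD_COMMA = GOOD.replace('"impact":"2",', '"impact":"2"')                    # comma dropped
BAD_VALUES = GOOD.replace('"2"', '"<Use 1 Digit>"').replace('"3"', '"5"')   # not customized
```

Calling lint_payload on the text of a payload returns an empty list when it passes every check, and one message per problem otherwise.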
