We recommend you use the following approach to simplify the process of creating Incidents within ServiceNow. Use the template below as the basis for all notification types, modifying it as described.
Payload Template
{
"correlation_id":"{{notification.id}}",
"correlation_display":"UpGuard",
"short_description": "{{notification.description}}",
"description": "<Change as per table below>",
"impact":"<Use 1 Digit - 1=High, 2=Medium, 3=Low>",
"urgency":"<Use 1 Digit - 1=High, 2=Medium, 3=Low>",
"caller_id":"<Change to the name of API User>",
"assignment_group":"<Change to the name of group>",
"assigned_to":"<Change to the name of Person>"
}
Syntax Highlights
The message needs to be in valid JSON format, surrounded by curly brackets { }, and is a comma-delimited series of field name/field value pairs
The field names (such as correlation_id, short_description) must be enclosed in double quotes and must match ServiceNow column names
The field values may either be hardcoded values or interpreted fields that extract data from UpGuard, and must be enclosed in double quotes
The use of double left curly braces {{ triggers the inclusion of data fields from the UpGuard notification event. These must be followed by double right curly braces }}. You may include two or more UpGuard data elements within one ServiceNow field such as "{{notification.type}} - {{notification.description}}"
Remember to
Replace the contents of the impact field with either 1, 2 or 3 according to your classification of the issue
Replace the contents of the urgency field with either 1, 2 or 3 according to your classification of the issue
ServiceNow will calculate the Priority of the Incident based on the values of Impact and Urgency - see this article for full details
Field values beginning with < and ending with > need to be customized. Remove the < and > and replace inside the double quotes as described below.
Replace the contents of the caller_id field with the name of the User you established to give UpGuard API permissions (remove the < and > from the field value).
Replace the contents of the assignment_group field with the name of the Group established within ServiceNow (remove the < and > from the field value).
Replace the contents of the assigned_to field with the name of the User you want to allocate the Incident to (remove the < and > from the field value). Delete this entire line if you wish to leave this field empty.
Replace the contents of the description field based on the suggested syntax below (remove the < and > from the field value)
Description Templates
Area | Type | Template |
BreachSight - Data Leaks | Data leak published | UpGuard has detected a new Data Leak - {{notification.context.FindingName}} at {{notification.occurredAt}}. See more details at {{notification.context.FindingUrl}} |
BreachSight - Risks & Scoring | Domain/IP removed | Domains and/or IPs have been removed:{% for item in notification.context.Hosts %}\r\n- {{ item }}{% endfor %} |
BreachSight - Identity Breaches | Identity breach detected | UpGuard has detected a new Identity Breach - {{notification.context.BreachName}} at {{notification.occurredAt}}. See more details at {{notification.context.BreachUrl}} |
BreachSight - Identity Breaches | Identity breach for VIP detected | UpGuard has detected a new VIP Identity Breach - {{notification.context.BreachName}} at {{notification.occurredAt}}. See more details at {{notification.context.BreachUrl}} |
BreachSight - Risks & Scoring | New domain or IP detected | New domains and/or IPs have been detected: {% for item in notification.context.Hosts %}\r\n- {{ item }} {% endfor %} |
BreachSight - Typosquatting | Registration changed on typosquatting domain | {{notification.context.SquatDomain}}, a permutation of {{notification.context.Domain}}, have changed.\r\nA Records{% for item in notification.context.SquatARecords %}\r\n- {{ item }} {% endfor %}\r\nNS Records{% for item in notification.context.SquatNSRecords %}\r\n- {{ item }} {% endfor %}\r\nMX Records{% for item in notification.context.SquatMXRecords %}\r\n- {{ item }} {% endfor %} |
BreachSight - Typosquatting | Typosquatting domain registered | {{notification.context.SquatDomain}}, a permutation of {{notification.context.Domain}}, has been registered.\r\nA Records{% for item in notification.context.SquatARecords %}\r\n- {{ item }} {% endfor %}\r\nNS Records{% for item in notification.context.SquatNSRecords %}\r\n- {{ item }} {% endfor %}\r\nMX Records{% for item in notification.context.SquatMXRecords %}\r\n- {{ item }} {% endfor %} |
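A pre-flight check for a customized payload, as an added example that is not part of UpGuard's or ServiceNow's own documentation: it substitutes plain text for the {{ }} and {% %} tags, parses the result as JSON, and reports leftover < > placeholders, unquoted values, and impact or urgency values other than 1, 2 or 3. The function name lint_payload, the EXPECTED field list and the sample caller and group names are assumptions made for illustration.

```python
import json
import re

# Template tags UpGuard fills in when the notification fires.
FOR_LOOP = re.compile(r"\{%\s*for .*?%\}.*?\{%\s*endfor\s*%\}", re.S)
FIELD = re.compile(r"\{\{.*?\}\}")
# Fields carried by the template above; assigned_to may be omitted.
EXPECTED = ("correlation_id", "short_description", "description",
            "impact", "urgency", "caller_id", "assignment_group")

def lint_payload(template):
    """Return a list of problems found in a customized payload template."""
    # Swap template tags for plain text so the rest parses as JSON.
    rendered = FIELD.sub("sample", FOR_LOOP.sub("sample", template))
    try:
        payload = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    problems = [f"{name}: missing" for name in EXPECTED if name not in payload]
    for name, value in payload.items():
        if not isinstance(value, str):
            problems.append(f"{name}: value must be in double quotes")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{name}: placeholder not replaced")
        elif name in ("impact", "urgency") and value not in ("1", "2", "3"):
            problems.append(f"{name}: must be 1, 2 or 3")
    return problems

# Constructed payload; the caller and group names are made up.
SAMPLE = r'''{
"correlation_id":"{{notification.id}}",
"correlation_display":"UpGuard",
"short_description": "{{notification.description}}",
"description": "New domains and/or IPs have been detected: {% for item in notification.context.Hosts %}\r\n- {{ item }} {% endfor %}",
"impact":"2",
"urgency":"2",
"caller_id":"upguard.api",
"assignment_group":"Security Operations"
}'''

if __name__ == "__main__":
    print(lint_payload(SAMPLE) or "payload template looks valid")
```

A missing comma between two fields, or a missing quote around a value, surfaces as the "invalid JSON" result with the line number to inspect.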