The ExtraHop for ServiceNow bundle provides the ability to create incident tickets automatically in your ServiceNow instance. This allows you to integrate wire data visibility into your ServiceNow workflows.
- Allows automatic incident ticket creation from ExtraHop to your ServiceNow instance.
- Allows you to integrate wire data visibility into your ServiceNow incident resolution workflows.
- Allows you to leverage ServiceNow intelligent remediation with ExtraHop wire data.
Included in the bundle are example alerts that trigger incident tickets, an incidents status dashboard, and the new incident trigger which submits incident tickets to the ServiceNow instance.
- (1) Triggers
  - ServiceNow New Incident Trigger
- (13) Alerts
  - DB Error Ratio - Orange
  - DB Error Ratio - Red
  - DB Error Ratio - Yellow
  - DNS Error Ratio - Orange
  - DNS Error Ratio - Red
  - DNS Error Ratio - Yellow
  - HTTP 500 Responses > 1
  - HTTP 500 Responses > 10
  - HTTP 500 Responses > 25
  - Active Directory High Global Catalog Processing Times
  - Active Directory High Kerberos Response Time
  - Active Directory New Privileged Alert
  - Active Directory Privileged Alert
- (2) Dashboards
  - ServiceNow - Setup
  - ServiceNow - Incidents Status
You must have administrator privileges on both your ExtraHop appliance and your ServiceNow instance.
To set up the ServiceNow bundle, you will download the bundle, configure your ServiceNow instance, and then configure your Discover appliance.
Install the bundle
- Download the bundle from this page.
- Log into the ExtraHop Web UI and complete the following procedures, which are available in the ExtraHop Web UI Guide.
  - Upload a bundle
  - Apply a Bundle
- Note: This bundle contains modifications to alerts that are included on ExtraHop appliances by default. If you have made any changes to these default alerts, be careful not to select the Overwrite option, which removes any changes you made to those alerts. You can manually configure the alerts to create incidents after you apply the bundle. See the Bundle Contents section to see which alerts are included.
You must create a special user on your ServiceNow instance before the ExtraHop system can create incident tickets.
- Log into your ServiceNow instance with administrator privileges.
- Select the menu item System Security - Users.
- Click New.
- Specify the following user settings:
  - User ID: extrahop
  - First Name: ExtraHop
  - Last Name: ExtraHop
  - Password: Specify a password. Make a note of this password; you will need to enter it later when configuring the Discover appliance.
- Click Submit.
- Click on the new user extrahop.
- On the Roles tab, click Edit…
- Add the rest_service and web_service_admin roles to the Roles List for the ExtraHop user.
- Click Save.
Create an Open Data Stream
You must configure an Open Data Stream (ODS) on your Discover appliance before you can submit incident tickets to your ServiceNow instance.
- Log into the ExtraHop Admin UI of your Discover appliance.
- Click System Configuration > Open Data Streams.
- Click Add Target.
- Specify the following settings:
  - Target Type: HTTP
  - Name: ServiceNow or default. If this target is the first HTTP ODS you have created on the appliance, the name will be automatically set to default. Otherwise, type ServiceNow as the ODS name.
  - Host: The hostname or IP address of your ServiceNow instance
  - Port: 443
  - Type: HTTPS
  - Authentication: Basic
  - User: extrahop
  - Password: The password you configured for the extrahop user on your ServiceNow instance.
- Click Save.
- Verify that the Status displays OK. If not, check the configuration settings for the ODS target and validate that there is network connectivity between the Discover appliance and the ServiceNow instance.
You must select which alerts will create ServiceNow incident tickets by placing a special flag in the alert description.
- Log into the Web UI on your Discover appliance.
- Click the System Settings icon.
- Click Alerts.
- Click an alert that you would like to configure for ServiceNow incident tickets.
- Click the Description tab, and append the ServiceNow flag (described below) to the description field.
You can configure the incidents created by the alert by specifying ServiceNow settings in the flag. For example, the following flag creates incidents with the category set to software and the urgency level set to 3:
If you do not include a ServiceNow setting in the flag, the setting is set to the default value. For example, the following flag creates incidents with all fields set to their default value:
For more information about configuring default values, see the ServiceNow documentation.
- Click OK.
Enable the ServiceNow New Incident Trigger
After you have configured the alerts that will create tickets, enable the ServiceNow New Incident Trigger.
- Log into the Web UI on the Discover appliance.
- Click the System Settings icon.
- Select the checkbox next to the ServiceNow New Incident Trigger.
- Click Enable.