
Configure ServiceNow Integration

Connect AttackLens to your ServiceNow instance to create incidents directly from security findings. This integration streamlines remediation workflows by automatically populating ServiceNow incidents with finding details, severity, affected assets, and remediation guidance.

INFO

Requires Admin role or higher.

Prerequisites

Before configuring the ServiceNow integration, ensure you have:

  • ServiceNow instance URL: The base URL of your ServiceNow instance (e.g., https://yourcompany.service-now.com).
  • Service account credentials: A username and password for a ServiceNow user with permission to create incidents. See Creating a Service Account below.
  • Network access: Your AttackLens backend must be able to reach the ServiceNow instance over HTTPS.

Step 1: Navigate to Issue Integrations

Go to Integrations > Issue Integrations in the left sidebar and click Create Integration.

Step 2: Select ServiceNow

Select ServiceNow from the integration type list.

Step 3: Configure Connection

Fill in the connection details:

Instance URL (Required)

The base URL of your ServiceNow instance:

https://yourcompany.service-now.com

Username (Required)

The username of the ServiceNow service account. This account must have the itil role or equivalent permissions to create incidents.

Password (Required)

The password for the ServiceNow service account.

TIP

Use a dedicated service account rather than a personal account. Assign only the minimum required roles (typically itil for incident creation). This follows the principle of least privilege and ensures the integration survives personnel changes.

Step 4: Configure Incident Settings

Define how AttackLens findings are translated into ServiceNow incidents.

Severity to Impact/Urgency Mapping

ServiceNow incidents use a combination of Impact and Urgency to derive Priority. Configure how AttackLens severity maps to these fields:

AttackLens Severity | ServiceNow Impact | ServiceNow Urgency | Resulting Priority
Critical            | 1 - High          | 1 - High           | 1 - Critical
High                | 1 - High          | 2 - Medium         | 2 - High
Medium              | 2 - Medium        | 2 - Medium         | 3 - Moderate
Low                 | 3 - Low           | 2 - Medium         | 4 - Low
Informational       | 3 - Low           | 3 - Low            | 5 - Planning

You can customize this mapping to match your organization's incident priority matrix.

Assignment Group (Optional)

Select the ServiceNow assignment group that incidents should be assigned to. AttackLens fetches available groups from your ServiceNow instance after you provide the connection details. Click Fetch Groups to load the list.

Common choices:

  • Security Operations
  • Vulnerability Management
  • IT Security

Category (Optional)

Select an incident category. Typical values:

  • Security
  • Software
  • Hardware

Subcategory (Optional)

Select an incident subcategory to further classify the incident.

Step 5: Configure Field Mapping

Map AttackLens finding fields to ServiceNow incident fields:

AttackLens Field | ServiceNow Field | Notes
Finding title | Short description | Always mapped. Truncated to 160 characters per ServiceNow limits.
Finding description + remediation | Description | Full finding details, formatted as plain text with sections.
Severity | Impact / Urgency | Based on the mapping table above.
Affected asset name | Configuration item (CI) | If CMDB integration is configured, the asset is linked to the corresponding CI.
Policy/Ruleset name | Category or subcategory | Optionally mapped to classify the incident.
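
The severity mapping from Step 4 and the field mapping above, worked through as an added example (not AttackLens code). The finding keys are hypothetical; the incident field names are the standard ServiceNow ones, and the priority matrix beyond the five rows shown on this page assumes ServiceNow's default lookup.

```python
# Added example; the finding keys (title, description, remediation, severity,
# asset) are hypothetical, not AttackLens's schema.
SEVERITY_MAP = {  # severity -> (impact, urgency), from the mapping table above
    "Critical": (1, 1), "High": (1, 2), "Medium": (2, 2),
    "Low": (3, 2), "Informational": (3, 3),
}
# Impact/urgency -> priority. Matches the table's "Resulting Priority" column;
# the other cells assume ServiceNow's default lookup. Check your instance.
PRIORITY_MATRIX = {
    (1, 1): 1, (1, 2): 2, (1, 3): 3,
    (2, 1): 2, (2, 2): 3, (2, 3): 4,
    (3, 1): 3, (3, 2): 4, (3, 3): 5,
}
SHORT_DESCRIPTION_LIMIT = 160  # truncation limit stated in the field mapping table


def resulting_priorities(severity_map=SEVERITY_MAP):
    """Priority each severity lands on; use it to review a customised mapping."""
    return {sev: PRIORITY_MATRIX[pair] for sev, pair in severity_map.items()}


def build_incident(finding, assignment_group=None, category=None):
    """Return the incident fields for one finding as a Table API JSON body."""
    severity = finding["severity"]
    if severity not in SEVERITY_MAP:
        # Fail closed: an unknown severity must not silently become low priority.
        raise ValueError(f"unmapped severity: {severity!r}")
    impact, urgency = SEVERITY_MAP[severity]
    title = " ".join(finding["title"].split())  # collapse newlines and runs of spaces
    fields = {
        "short_description": title[:SHORT_DESCRIPTION_LIMIT],
        "description": (f"Description:\n{finding['description']}\n\n"
                        f"Remediation:\n{finding['remediation']}"),
        "impact": str(impact),
        "urgency": str(urgency),
    }
    optional = {"assignment_group": assignment_group, "category": category,
                "cmdb_ci": finding.get("asset")}
    fields.update({k: v for k, v in optional.items() if v})
    return fields


SAMPLE_FINDING = {  # constructed sample, not real output
    "title": "Publicly readable storage bucket\nexposes backups " + "x" * 200,
    "description": "Bucket allows anonymous list and read.",
    "remediation": "Remove the public ACL and enable access logging.",
    "severity": "High",
    "asset": "backup-bucket-01",
}
```

Priority is not sent in the body: ServiceNow derives it from impact and urgency, which is why `resulting_priorities` is a review aid for a customised mapping rather than part of the payload.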

Step 6: Test the Connection

Click Test Connection to verify that AttackLens can reach your ServiceNow instance and authenticate successfully. The test will:

  1. Authenticate with the provided credentials.
  2. Verify the user has permission to create incidents.
  3. Verify the assignment group exists (if configured).
  4. Confirm the ServiceNow Table API is accessible.

WARNING

If the test fails, check the following:

  • The instance URL is correct (include https://, no trailing slash).
  • The credentials are valid and the account is not locked.
  • The account has the itil role or equivalent.
  • Your AttackLens backend can reach the ServiceNow instance (check firewall rules for outbound HTTPS).
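
A pre-flight check you can run from the backend host to tell the failure causes above apart, as an added example (not AttackLens code and not what Test Connection runs internally). It assumes basic authentication and probes the ServiceNow Table API at /api/now/table/incident; the function names are hypothetical.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import urlsplit

HINTS = {
    200: "ok: authenticated and Table API reachable",
    401: "credentials rejected, or the account is locked",
    403: "authenticated, but the account's roles do not allow reading incident",
    None: "instance unreachable: check outbound HTTPS and firewall rules",
}


def validate_instance_url(url):
    """Return problems with the URL; an empty list means it has the documented form."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https, or basic-auth credentials go in clear text")
    if not parts.hostname:
        problems.append("missing host name")
    if parts.path or parts.query or parts.fragment:
        problems.append("base URL only: no trailing slash, path or query")
    if parts.username or parts.password:
        problems.append("do not embed credentials in the URL")
    return problems


def http_get(url, user, password, timeout=10):
    """GET with basic auth; return the HTTP status, or None if unreachable."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def check_connection(url, user, password, get=http_get):
    """Read probe only: it does not prove the account can create incidents."""
    problems = validate_instance_url(url)
    if problems:  # never send credentials to a URL that failed validation
        return [("instance_url", p) for p in problems]
    status = get(f"{url}/api/now/table/incident?sysparm_limit=1", user, password)
    return [("table_api", HINTS.get(status, f"unexpected HTTP {status}"))]
```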

Step 7: Save

Click Save to create the integration. Credentials are encrypted at rest in the AttackLens database.

Creating a Service Account

To create a dedicated service account in ServiceNow:

  1. In ServiceNow, navigate to User Administration > Users.
  2. Click New.
  3. Set the User ID (e.g., attacklens-integration).
  4. Set a strong Password.
  5. Assign the itil role (minimum required for incident creation).
  6. Optionally assign cmdb_read if you want CI lookups.
  7. Click Submit.

INFO

In ServiceNow environments with MFA enabled, you may need to configure the service account to bypass MFA or use OAuth tokens instead of basic authentication. Consult your ServiceNow administrator for the appropriate approach.

Using the Integration

After configuration, you can create ServiceNow incidents from findings:

  1. Navigate to Findings.
  2. Select one or more findings.
  3. Click Create Issue.
  4. Select the ServiceNow integration.
  5. Review the mapped fields and click Create.

The created incident number and URL are logged in the integration's issue history. See Manage Integrations for details.
