Integrating an external event source with ServiceNow Event Management can be done in a few ways; one is inserting events into the event (em_event) table via the REST API. The endpoint ServiceNow provides out of the box is robust. You can write a single event at a time or multiple. There are a few best practices to follow regarding the user account that will not only protect the instance from security risks, but also give the ServiceNow platform team a way to identify who to escalate issues to.
1. Create a user for the event source with the following attributes. It’s best practice for every event source to be assigned a ServiceNow service account for the integration. For security reasons, ensure that the “Web service access only” checkbox is selected and assign the evt_mgmt_integration role. This locks the user’s access down to the REST API and to create, read and write privileges on the em_event table. For the name, follow a good naming convention that can scale for future event source integrations. The one below equates to “service_”+[event management]+[Event Source]. Don’t forget to pick a strong password unique to the account.
2. Download Postman on a PC that has access to the ServiceNow instance.
3. Add the ServiceNow environment to Postman. While they are not required, environments make it really easy to fire the same API call against different destinations using variables to modularize your API calls.
4. Create a POST call to insert a record to the em_event table using the jsonv2 endpoint with the following parameters.
Endpoint
POST: https://{{SNowInstance}}.service-now.com/api/global/em/jsonv2
(Optionally) Swap out the URI and body with what’s necessary to insert multiple records at a time. This is not much of a leap from what we are doing in this article, so have fun! Be adventurous and go hog wild on the em_event table.
Auth
Type: Basic
User: {{userEventMgmt}}
Password: {{passEventMgmt}}
Headers
Content-Type: application/json
Accept: application/json
Pre-req
Note the Pre-req script. Event Management uses the em_event.message field to correlate events to alerts. If the same value is found to already be associated with an alert, the incoming event will not generate a new alert. Rather, it will be bound to the existing alert record. This is how “clear” events are correlated to the “new” event that first opened the alert. The Pre-req script will generate a unique UUID in the environment {{myGuid}} variable to be used for the em_event.message field. This will ensure that each event sent from Postman will generate a NEW alert. If you wish to have your test event correlate to an existing alert, then simply replace the {{myGuid}} string in the body with a mock event ID (e.g. “myEvent01”).
Body
The body of this payload is JSON; reference the ServiceNow documentation for a field list. If the goal is to insert multiple records at a time, merely add a new record to the payload as shown in the ServiceNow documentation.
5. Click Send to test the API call. Upon success (200), expect the result in the prior screenshot. If an ACL permissions failure is returned like the following, validate that the evt_mgmt_integration role is assigned to the configured service account and try again.
6. After a successful call has been made, validate that the event shows on the em_event table. Go to the target ServiceNow Instance and use the Filter Navigator to search for “Event Management” and then click “All Events.” If it’s not listed, ensure that your user has the “evt_mgmt_admin” role assigned.
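The request from step 4, as an added example in JavaScript (not code from the original article): it assembles the jsonv2 call for a new event plus a matching clear event, without sending it, and shows how to log the request without exposing the service account credential. The instance name, account name, password and event field values are constructed, and `message` as the correlation field follows the article's text.

```javascript
// Added example: builds the jsonv2 request from step 4 offline (nothing is sent).
// Web Crypto global where present, Node's crypto module otherwise.
const randomUUID = () => (globalThis.crypto ?? require('crypto')).randomUUID();

// Correlation field as named in the article's text (assumption taken from the page).
const CORRELATION_FIELD = 'message';

// Build one event record. Passing `key` reuses an existing alert's key
// (e.g. for a "clear" event); omitting it yields a fresh UUID, so a new alert.
function buildEvent(fields, key) {
  return { ...fields, [CORRELATION_FIELD]: key || randomUUID() };
}

// Build the POST request for one or more events.
function buildRequest(instance, user, pass, events) {
  // A strict instance name keeps the Basic credential from being sent
  // to any host other than <instance>.service-now.com.
  if (!/^[a-z0-9-]+$/i.test(instance)) throw new Error('bad instance name');
  if (!user || !pass) throw new Error('service account credentials required');
  const token = Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
  return {
    method: 'POST',
    url: `https://${instance}.service-now.com/api/global/em/jsonv2`,
    headers: {
      Authorization: `Basic ${token}`,
      'Content-Type': 'application/json',
      Accept: 'application/json',
    },
    body: JSON.stringify({ records: events }),
  };
}

// Copy of the request that is safe to log: the credential is masked.
function redact(req) {
  return { ...req, headers: { ...req.headers, Authorization: 'Basic ***' } };
}

// Constructed sample: a new event, then a clear event bound to the same alert.
function demo() {
  const base = { source: 'Postman', node: 'demo-host' };
  const opened = buildEvent({ ...base, severity: '2' });
  const cleared = buildEvent({ ...base, severity: '0' }, opened[CORRELATION_FIELD]);
  // Instance, account name and password below are constructed placeholders.
  return buildRequest('dev00000', 'service_em_postman', 'constructed-secret',
    [opened, cleared]);
}
```
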