Hi.
I am trying to use the ServiceNow plugin. I have a workflow that we want to trigger manually in an IDR incident. I have a successful connection to SNOW. When I manually run the Create Incident in ServiceNow workflow in an IDR incident, the ticket does get created in SNOW. I’ve been trying to add more details in the ticket and also change the assignment group in SNOW, but I am having a heck of a time trying to figure out where I add those variables within my workflow.
So I figured out the workflow that I imported from R7 was using the SNOW plugin 3.1.0 and I am unable to update the plugin to the latest version 8.1.0 because it is not compatible. Great. Does this mean I have to build a new SNOW workflow from scratch?
Can you tell me what that means when you say it isn’t compatible? What exactly isn’t compatible? If you are getting an error a screenshot would help out.
Which workflow are you leveraging that can’t be updated?
We have a workflow that creates new incidents from IDR investigations. That is a good place to review how the ServiceNow create incident or security incidents actions work.
Something is not right with my InsightConnect. I deleted all my SNOW workflows, I reimported it, I configured the workflow. Went into an IDR alert, selected Take Action > Ticketing Workflows > Select a workflow name (why am I seeing two SNOW workflows when I only see one on my workflow page?). Then it keeps asking me to configure it.
I’m also having issues with the plugin connections. I have a successful connection but it won’t show it in the list when trying to configure the plugin…
There are a couple prebuilt automations that exist in IDR. What you are looking at is a native automation.
If you want to use the Take Action button to manually run workflows, then you need to build out the custom workflow in InsightConnect.
The trigger that allows you to use the take action button is the Legacy Detections trigger. That is the only one that will work for this scenario.
When you create a workflow that uses the Legacy Detection trigger, after you hit Save and Activate it will give you instructions, as seen in my screenshot.
You then have to go into InsightIDR
Click the Automation tab on the left hand side
Create Trigger in the top right
Choose the workflow name you created in ICON (in my screenshot I named my workflow UBA Trigger)
Select which types of investigations will trigger the workflow
Now if you go to the take action button you will not choose category “Ticketing Workflows”, rather you will choose custom.
We have other methods where these tickets can be created automatically. That workflow I shared with you earlier is based upon New investigations. When a new Investigation is created, it will create a ticket in ServiceNow.
Yes thank you very much for the detailed information. I actually just figured all that out!
QQ. I am having trouble adding information in the “Description” field in SNOW. I’ve tried everything but it keeps opening a ticket with nothing in the description.
Do you know what version of the plugin that is using? You can find that by hitting Previous in the window in your screenshot until you get to the plugin selection page; then, as in my example screenshot, you will drop it down and you can see the version.
8.1.0
So you are able to create a ticket. It is creating data in other fields. The description field is being left completely empty, or you are not seeing a URL, but you are seeing the hardcoded words: “This is a test” IDR URL:
Yes, it creates the ticket with some fields but nothing is coming over in the “description” field with hardcoded strings, variables, etc.
I even tried the “Additional Fields” option:
ServiceNow ticket:
This seems to be a SNOW permissions issue. I think I fixed that issue.
I am now having issues trying to add artifacts from the IDR alert into the description field in SNOW such as {{["InsightIDR Event"].[contents].[processes]}}
Ok.
I am still unable to add any data in the “description” field in SNOW. There are two steps that look like they add data to the ticket: “Action - 1” and “Update Ticket Information”. I’ve tried adding data to both and it’s still not working. This is the workflow that was imported from the R7 library with very little changes to it.
Can you show the input tab in your jobs page?
So the create ticket step, if action-1 is your create step, go to the jobs page and show the input tab.
I am filling out the attribute fields in the “action-1” step but the only two that are being added to the ticket are: “assignment_group” and “short_description”. This might still be a permissions issue… Is it documented anywhere what permissions are needed for the SNOW integration?
Ok getting closer.
I was able to get more details in the SNOW ticket but I am not seeing any process/sysmon data in the ticket.
I am using the following variables in the “description” field:
{{["InsightIDR Event"].[name]}}
{{["InsightIDR Event"].[description]}}
{{["InsightIDR Event"].[type]}}
{{["InsightIDR Event"].[link]}}
{{["InsightIDR Event"].[actors]}}
{{["InsightIDR Event"].[contents]}}
I see that if I try to add all the artifacts from an IDR investigation (see below) and then try to run this workflow on an IDR incident, my workflow is greyed out.
{{["InsightIDR Event"].[actors].[users]}}
{{["InsightIDR Event"].[actors].[assets]}}
{{["InsightIDR Event"].[actors].[assets]}}
{{["InsightIDR Event"].[contents].[urls]}}
{{["InsightIDR Event"].[contents].[domains]}}
{{["InsightIDR Event"].[contents].[processes]}}
{{["InsightIDR Event"].[contents].[ipAddresses]}}
Does that mean I have to create a workflow for every type of IDR investigation depending on what type of data is included? I’m just trying to figure out how other users are doing this.
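One way to see why a single workflow can cover every investigation type, as an added Python sketch that is not part of this thread or of the InsightConnect ServiceNow plugin: it renders the ticket description from a constructed InsightIDR-style event, treating each artifact path listed above as optional so a section the alert does not carry is skipped instead of breaking the step. The event nesting and field names are assumptions for illustration.

```python
# Constructed sample of the kind of event an InsightIDR trigger hands to a workflow.
# Field names mirror the variable paths in the thread; the nesting is an assumption
# for illustration, not the documented InsightIDR schema.
SAMPLE_EVENT = {
    "name": "Suspicious process launch",
    "description": "Sysmon observed an unusual child process",
    "type": "Endpoint Alert",
    "link": "https://example.invalid/idr/investigations/PLACEHOLDER-ID",
    "actors": {"users": ["jdoe"], "assets": ["WS-0042"]},
    "contents": {"processes": ["cmd.exe /c whoami"], "ipAddresses": ["203.0.113.7"]},
}

# Each artifact section is optional: a user alert may carry no processes, an endpoint
# alert no URLs. Treating every path as optional lets one workflow serve all types.
ARTIFACT_PATHS = [
    ("Users", ("actors", "users")),
    ("Assets", ("actors", "assets")),
    ("URLs", ("contents", "urls")),
    ("Domains", ("contents", "domains")),
    ("Processes", ("contents", "processes")),
    ("IP addresses", ("contents", "ipAddresses")),
]


def lookup(event, path):
    """Walk a nested path, returning None instead of raising when a key is missing."""
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def build_description(event):
    """Render a ServiceNow-style description; sections with no data are skipped."""
    lines = [
        f"{event.get('name', 'Unnamed alert')} ({event.get('type', 'unknown type')})",
        event.get("description", ""),
        f"IDR URL: {event.get('link', 'n/a')}",
    ]
    for label, path in ARTIFACT_PATHS:
        values = lookup(event, path)
        if values:  # None and empty lists are skipped, so absent artifacts never break the ticket
            rendered = values if isinstance(values, str) else ", ".join(map(str, values))
            lines.append(f"{label}: {rendered}")
    return "\n".join(lines)
```

Calling build_description(SAMPLE_EVENT) yields a header, the alert description, the IDR URL, and only the Users, Assets, Processes and IP addresses sections, since the sample carries no URLs or domains.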