
ServiceNow v2

LAST UPDATED: OCT 31, 2024

Overview

ServiceNow is an IT service management platform that helps organizations manage digital workflows for enterprise operations. ServiceNow operations such as creating, updating, or closing tickets can be launched from D3 SOAR with this integration.

D3 SOAR provides REST operations for working with ServiceNow.

ServiceNow is available for use in:

D3 SOAR: V12.7.83.0+

Category: Case Management

Deployment Options: Option II, Option IV

Known Limitations

Push Integration:

Limitation 1: The integration mapping file only allows mapping concrete CITs and relationships to the CITs and relationships in ServiceNow. That is, a parent CIT cannot be used to map its children CIs.

Limitation 2: This adapter uses the ServiceNow Direct Web Services API, which does not support CI coalescing (reconciliation). As a result, CIs that were already present in the ServiceNow CMDB before the integration with UCMDB was installed, that are also in UCMDB, and that the integration pushes into ServiceNow are duplicated, because UCMDB does not know these CIs are already in the ServiceNow CMDB. After the adapter is installed, UCMDB keeps track of the CIs it pushes to ServiceNow to prevent duplication.

Limitation 3: ServiceNow Web Service Import Sets are currently not supported.

Population Integration:

Limitation 1: Data replication in chunks is not supported.

Limitation 2: Only full synchronization is supported (not delta synchronization).

Limitation 3: Integration only works with Jython 2.5.3 and later.

Please refer to Limitations – ServiceNow Integration for detailed information.

Connection

To connect to ServiceNow from D3 SOAR, collect the following required information:

| Parameter | Description | Example |
| --- | --- | --- |
| Default | | |
| Server URL | The server URL of the ServiceNow instance to connect to. | https://dev12345.service-now.com |
| Authentication Type | The authentication type (Basic Authentication or OAuth2.0 Authorization Code) for the API connection. Note: For the OAuth2.0 Authorization Code authentication type, ensure you have the System OAuth Application Registry configured. | Basic Authentication |
| Authentication Type: Basic Authentication | | |
| User Name | The user name to authenticate the API connection. | Admin |
| Password | The password to authenticate the API connection. | Yourpassword |
| Authentication Type: OAuth2.0 Authorization Code | | |
| Client ID | The client ID to authenticate the API connection. | 554e****e202011036a272ac****72f1 |
| Client Secret | The client secret to authenticate the API connection. | jFUV****yZvyxorR****Bg== |
| Authorization Code | The authorization code for the OAuth2.0 authentication. Click the "Get Authorization" button on the Connection page to automatically generate an authorization code. | 1l2E*******************************MaQ |
| Callback URL | The callback URL is used for OAuth2.0 with the grant type of authorization code. Add this URL to your app’s Redirect URIs. In your ServiceNow instance’s console, navigate to System OAuth > Application Registry > "APP Name" > Redirect URL. | https://qa8.d3securityonline.net/V140Cyber/VSOC/Auth2Callback.aspx |
| Refresh Token | The refresh token for authentication with the grant type of authorization code. Click the "Get Refresh Token" button on the Connection page to automatically generate a refresh token. This parameter is read-only and auto-generated. | Ajf******************************QzIw |

Permission Requirement

Each endpoint in the ServiceNow API requires a certain permission scope. If your connection is built with the Basic authentication type, the following scopes are required for each command. Please note that admin permissions are required for all commands if your connection is built with the OAuth 2.0 authentication type. Refer to Set up OAuth for more details.

| Commands | Required Permissions (Basic Authentication) | Remarks |
| --- | --- | --- |
| Add Ticket Attachment | No permissions required | |
| Close Tickets | incident_manager | |
| Create Record | admin or dependent on the selected table* | |
| Create Request | catalog_admin | |
| Create Requested Item | catalog_admin | |
| Create Security Incident | sn_si.basic | |
| Create Ticket | incident_manager | Creating a ticket requires no specific permissions, but certain parameters, such as the assigned user, may not be added successfully. If you want to create a ticket with only the required parameters filled, then no permissions are required. |
| Delete Records | admin or dependent on the selected table* | |
| Download Ticket Attachments | No permissions required | |
| Fetch Event | sn_si.read | Fetch Event can run with no additional permissions. However, the returned events will be limited in quantity. |
| Get Group Details | admin or no permissions required | Get Group Details can run with no additional permissions. However, the returned raw data will be less detailed. |
| Get Record Details | admin or dependent on the selected table* | |
| Get Requested Items | sn_request_read | Get Requested Items can run with no additional permissions. However, the returned raw data will be less detailed. |
| Get Request | admin or no permissions required | Get Request can run with no additional permissions. However, the returned raw data will be less detailed. |
| Get Security Incidents | sn_si.read | |
| Get SysID | admin or no permissions required | Get SysID can run with no additional permissions. However, the returned raw data will be limited in quantity. |
| Get Table Fields | sn_sec_core.read_dictionary | |
| Get Tickets | rest_api_explorer | Get Tickets can run with no additional permissions. However, the returned raw data will be less detailed. |
| Get User Details | rest_api_explorer | Get User Details can run with no additional permissions. However, the returned raw data will be less detailed. |
| Query Group Members | sn_si.basic | |
| Query Records | admin or dependent on the selected table* | |
| Query Requested Items | sn_request_read | Query Requested Items can run with no additional permissions. However, the returned request items will be limited in quantity. |
| Query Requests | sn_request_read | Query Requests can run with no additional permissions. However, the returned requests will be limited in quantity. |
| Query Security Incidents | sn_si.read | |
| Query Server Info | rest_api_explorer | |
| Query Tables | sn_incident_write | |
| Update Records | admin or dependent on the selected table* | |
| Update Request Items | sn_request_write | |
| Update Request | sn_request_write | |
| Update Security Incident | sn_si.basic | |
| Update Tickets | incident_manager | |
| Test Connection | No permissions required | |

*Finding Table Permissions

If you do not have admin privileges, you need to assign specific roles to the tables you want to access. To ensure security, Access Control Lists (ACLs) are mandatory for anyone other than administrators to work with a table. By creating default security rules, full access to the table will be granted to users with the specified role.

Here are the steps to follow:

  1. In ServiceNow, navigate to All > System Definition > Tables and select the desired table.

  2. Go to Controls > Check Create Access Control. The role needed to access the table will be displayed. Finally, add this role to the user account you are using for connection.

* The Close Ticket command will only be effective if the state is indicated to be 7 in the returned raw data. It is important to note that proper permissions are necessary to carry out this action.

Configuring ServiceNow to Work with D3 SOAR

Creating a User

  1. Log in to ServiceNow.

  2. Select All from the top navigation bar. Type System Security into the filter search bar and select Users under Users and Groups. Click New to add a new user.

  3. Enter a User ID and other required fields, then click Submit.

  4. Set the password for the created user. On the Users page, locate and select the created user. Click Set Password and select Generate. Store the generated password in a secure location. Finally, click Save Password.

ALERT

Before a created user can build an integration connection in D3 SOAR, they must log in and reset their password. Otherwise, the error message "Test Connection Failed: {"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}" will be returned.

  5. Under the Roles tab, click Edit to grant roles to the user you created.

  6. Edit the roles as desired, then click Save. Please refer to Permission Requirement for information on required roles.

Creating an Application Registry for OAuth 2.0 Connections

READER NOTE

The following steps are for OAuth 2.0 configurations. The OAuth 2.0 Client ID and Secret will require admin permission. Please refer to Set up OAuth for more details.

  1. Log in to an account with admin permission.

  2. Select All from the top navigation bar. Type System OAuth into the filter search bar and select Users under Application Registry. Click New to add an application registry.

  3. Select Create an OAuth API endpoint for external clients.

  4. Name the new registry and click Submit. You do not need to manually edit the client ID and secret; these fields are auto-generated.

  5. On the Application Registry page, find the registry you created and open it to view more details.

  6. Click the lock button to get your client secret. You can view the secret again by clicking the lock button.

  7. Click on the lock button adjacent to the Redirect URL field to edit it. Copy and paste the D3 callback URL from the connection to the Redirect URL field (see the OAuth2.0 Authorization Code section of Configuring D3 SOAR to work with ServiceNow), then click Update.

Configuring D3 SOAR to work with ServiceNow

  1. Log in to D3 SOAR.

  2. Find the ServiceNow integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type ServiceNow v2 in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to ServiceNow.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the tick box to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection. Note: There are two methods of authentication for building the connection between D3 SOAR and ServiceNow. Refer to the section corresponding to your use case below.

      1. If you choose Basic Authentication as the Authentication Type:

        1. Input the ServiceNow instance URL for the Server URL.

        2. Select Basic Authentication for Authentication Type.

        3. Input your ServiceNow username.

        4. Input your ServiceNow password.

      2. If you choose OAuth2.0 Authorization Code as the Authentication Type:

        1. Input the ServiceNow instance URL for the Server URL.

        2. Select OAuth 2.0 Authorization Code for Authentication Type.

        3. Input your saved Client ID (see steps 8 to 13 of Configuring ServiceNow to work with D3 SOAR).

        4. Input your saved Client Secret (see steps 8 to 13 of Configuring ServiceNow to work with D3 SOAR).

        5. Click Get Authorization. You will be directed to ServiceNow to approve the authorization. Make sure your login user is correct, then click Allow. You will be directed to the Authorization Code page. You may close the page and return to D3 SOAR.

        6. Add the Callback URL to your app's Redirect URIs. In your ServiceNow instance's console, navigate to System OAuth > Application Registry > "APP Name" > Redirect URL.

        7. Click Get Refresh Token. The token will be automatically generated.

    10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

    11. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

ServiceNow includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the ServiceNow API, please refer to the ServiceNow API reference.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring ServiceNow to Work with D3 SOAR for details.

Add Ticket Attachment

Uploads an attachment to the specified ticket.

READER NOTE

Ticket Sys ID is a required parameter to run this command.

  • You should already have your desired Ticket Sys IDs on hand to run this command. If you don’t, you may use the Fetch Event command with defined filters to retrieve the desired Ticket Sys IDs. The Ticket Sys IDs can be found in the raw data, at the path $.result[*].sys_id.

  • Ensure that your input Sys ID belongs to a ticket. To do this, select the Incident Type parameter as "Incident". Note that any other format will not work.

It is not recommended to use the Test Command feature with the Add Ticket Attachment command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

  1. Navigate to Configuration on the top bar menu.

  2. Click on Utility Commands on the left sidebar menu.

  3. Use the search box to find and select the Create a File from input Text Array command.

  4. Click on the Test tab.

  5. Input the required information for the parameters.

  6. Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Ticket Sys ID | Required | The Sys ID of the incident ticket to upload the attachment to. Sys IDs can be obtained using the Fetch Event command. | 435******************67b |
| File IDs | Required | The file paths of the file source. | [ "473" ] |
| File Source | Required | The file source of the file to attach. The options for file sources are: Incident Attachment File (manually uploaded file from Incident); Playbook File (output from another Task); Artifact File (ingested Artifact in an Event). | Playbook File |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

[
    {
        "result": {
            "size_bytes": "4290",
            "file_name": "bl***ay.png",
            "sys_mod_count": "0",
            "average_image_color": "",
            "image_width": "",
            "sys_updated_on": "2022-05-09 23:28:59",
            "sys_tags": "",
            "table_name": "incident",
            "encryption_context": "",
            "sys_id": "3af*****************008",
            "image_height": "",
            "sys_updated_by": "admin",
            "download_link": "https://dev*****.service-now.com/api/now/attachment/3af*****************008/file",
            "content_type": "image/png",
            "sys_created_on": "2022-05-09 23:28:59",
            "size_compressed": "4313",
            "compressed": "true",
            "state": "pending",
            "table_sys_id": "7ca****************0de",
            "chunk_size_bytes": "700000",
            "hash": "7d2c*****************************c2a9",
            "sys_created_by": "admin"
        }
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
    "AttachmentSysIDs": ["3af*****************008"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'size_bytes': '4290', 'file_name': 'bl***ay.png', 'sys_mod_count': '0', 'average_image_color': '', 'image_width': '', 'sys_updated_on': '2022-05-09 23:28:59', 'sys_tags': '', 'table_name': 'incident', 'encryption_context': '', 'sys_id': '3af*****************008', 'image_height': '', 'sys_updated_by': 'admin', 'download_link': 'https://dev*****.service-now.com/api/now/attachment/3af*****************008/file', 'content_type': 'image/png', 'sys_created_on': '2022-05-09 23:28:59', 'size_compressed': '4313', 'compressed': 'true', 'state': 'pending', 'table_sys_id': '7ca****************0de', 'chunk_size_bytes': '700000', 'hash': '7d2c*****************************c2a9', 'sys_created_by': 'admin'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Ticket Attachment failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Ticket Sys ID Not Found. |

Error Sample Data

Add Ticket Attachment failed.

Status Code: 404.

Message: Ticket Sys ID Not Found.

Close Tickets

Closes incident tickets based on incident ticket Sys ID(s).

READER NOTE

The parameter Ticket Sys IDs is required to run this command.

  • You should already have your desired Ticket Sys IDs on hand to run this command. If you don’t, you may use the Fetch Event command with defined filters to retrieve the desired Ticket Sys IDs. The Ticket Sys IDs can be found in the raw data, at the path $.result[*].sys_id.

  • Ensure that your input Sys ID belongs to a ticket. To do this, select the Incident Type parameter as "Incident". Note that any other format will not work.

Resolved By is an optional parameter to run this command.

  • You can enter a user name, user email or user Sys ID in this field.

  • If you have a user's email or username, you can input it into the Get User Details command to obtain the corresponding Sys ID. The Sys ID can be found in the returned raw data, at the path $.result[*].sys_id.

  • User names and user emails can be found from the ServiceNow user interface. Search for System Security, then navigate to Users and Groups > Users.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Ticket Sys IDs | Required | The Sys ID(s) of the incident ticket(s) to close. Sys IDs can be obtained using the Fetch Event command. | [ "369*******************f90" ] |
| Resolution Notes | Required | Notes indicating the reason for closing the ticket. | Closed by admin on 511 |
| Resolution Code | Required | The code to categorize the resolution action of the specified ticket(s). | Resolved by caller |
| Resolved By | Optional | The user resolving the specified ticket(s). You can enter a user name, user email or user Sys ID. User Sys IDs can be obtained using the Get User Details command. | Mic**** Ho**** |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

[
    {
        "result": {
            "parent": "",
            "made_sla": "true",
            "caused_by": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2023-02-10 21:41:12",
            "child_incidents": "0",
            "hold_reason": "",
            "origin_table": "",
            "task_effective_number": "INC00*****",
            "approval_history": "",
            "skills": "",
            "number": "INC00*****",
            "resolved_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/d6c****************ffc",
                "value": "d6c****************ffc"
            },
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "user_input": "",
            "sys_created_on": "2023-02-10 21:40:47",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "7",
            "route_reason": "",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "25",
            "closed_at": "2023-02-10 21:41:12",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "2",
            "active": "false",
            "work_notes_list": "",
            "business_service": "",
            "business_impact": "",
            "priority": "3",
            "sys_domain_path": "/",
            "rfc": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2023-02-10 21:40:47",
            "business_duration": "1970-01-01 00:00:25",
            "group_list": "",
            "work_end": "",
            "caller_id": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/d6c****************ffc",
                "value": "d6c****************ffc"
            },
            "reopened_time": "",
            "resolved_at": "2023-02-10 21:41:12",
            "approval_set": "",
            "subcategory": "",
            "work_notes": "",
            "universal_request": "",
            "short_description": "test short desc 0210a",
            "close_code": "Resolved by caller",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/0c4*******************461",
                "value": "0c4*******************461"
            },
            "additional_assignee_list": "",
            "business_stc": "25",
            "cause": "",
            "description": "Test description 0210a",
            "origin_id": "",
            "calendar_duration": "1970-01-01 00:00:25",
            "close_notes": "Duplicate Ticket",
            "notify": "1",
            "service_offering": "",
            "sys_class_name": "incident",
            "closed_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "follow_up": "",
            "parent_incident": "",
            "sys_id": "369*******************f90",
            "contact_type": "",
            "reopened_by": "",
            "incident_state": "7",
            "urgency": "2",
            "problem_id": "",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/73a*******************4df",
                "value": "73a*******************4df"
            },
            "severity": "3",
            "comments": "",
            "approval": "not requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "",
            "sys_mod_count": "2",
            "reopen_count": "0",
            "sys_tags": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": "",
            "category": "network"
        }
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
    "TicketSysIDs": ["369*******************f90"],
    "TicketNumbers": ["INC00*****"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'parent': '', 'made_sla': 'true', 'caused_by': '', 'watch_list': '', 'upon_reject': 'cancel', 'sys_updated_on': '2023-02-10 21:41:12', 'child_incidents': '0', 'hold_reason': '', 'origin_table': '', 'task_effective_number': 'INC00*****', 'approval_history': '', 'skills': '', 'number': 'INC00*****', 'resolved_by': {'link': 'https://dev69572.service-now.com/api/now/table/sys_user/d6cb65ef97b82110c4f8337e6253affc ', 'value': 'd6c****************ffc'}, 'sys_updated_by': 'admin', 'opened_by': {'link': 'https://dev69572.service-now.com/api/now/table/sys_user/6816f79cc0a8016401c5a33be04be441 ', 'value': '681*******************441'}, 'user_input': '', 'sys_created_on': '2023-02-10 21:40:47', 'sys_domain': {'link': 'https://dev69572.service-now.com/api/now/table/sys_user_group/global ', 'value': 'global'}, 'state': '7', 'route_reason': '', 'sys_created_by': 'admin', 'knowledge': 'false', 'order': '', 'calendar_stc': '25', 'closed_at': '2023-02-10 21:41:12', 'cmdb_ci': '', 'delivery_plan': '', 'contract': '', 'impact': '2', 'active': 'false', 'work_notes_list': '', 'business_service': '', 'business_impact': '', 'priority': '3', 'sys_domain_path': '/', 'rfc': '', 'time_worked': '', 'expected_start': '', 'opened_at': '2023-02-10 21:40:47', 'business_duration': '1970-01-01 00:00:25', 'group_list': '', 'work_end': '', 'caller_id': {'link': 'https://dev69572.service-now.com/api/now/table/sys_user/d6cb65ef97b82110c4f8337e6253affc ', 'value': 'd6c****************ffc'}, 'reopened_time': '', 'resolved_at': '2023-02-10 21:41:12', 'approval_set': '', 'subcategory': '', 'work_notes': '', 'universal_request': '', 'short_description': 'test short desc 0210a', 'close_code': 'Resolved by caller', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'assignment_group': {'link': 'https://dev69572.service-now.com/api/now/table/sys_user_group/0c4e7b573b331300ad3cc9bb34efc461 ', 'value': '0c4*******************461'}, 'additional_assignee_list': '', 'business_stc': '25', 'cause': '', 
'description': 'Test description 0210a', 'origin_id': '', 'calendar_duration': '1970-01-01 00:00:25', 'close_notes': 'Duplicate Ticket', 'notify': '1', 'service_offering': '', 'sys_class_name': 'incident', 'closed_by': {'link': 'https://dev69572.service-now.com/api/now/table/sys_user/6816f79cc0a8016401c5a33be04be441 ', 'value': '681*******************441'}, 'follow_up': '', 'parent_incident': '', 'sys_id': '369*******************f90', 'contact_type': '', 'reopened_by': '', 'incident_state': '7', 'urgency': '2', 'problem_id': '', 'company': '', 'reassignment_count': '0', 'activity_due': '', 'assigned_to': {'link': 'https://dev69572.service-now.com/api/now/table/sys_user/73ab3f173b331300ad3cc9bb34efc4df ', 'value': '73a*******************4df'}, 'severity': '3', 'comments': '', 'approval': 'not requested', 'sla_due': '', 'comments_and_work_notes': '', 'due_date': '', 'sys_mod_count': '2', 'reopen_count': '0', 'sys_tags': '', 'escalation': '0', 'upon_approval': 'proceed', 'correlation_id': '', 'location': '', 'category': 'network'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Close Tickets failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Ticket Sys IDs Not Found. |

Error Sample Data

Close Tickets failed.

Status Code: 404.

Message: Ticket Sys IDs Not Found.

Create Record

Creates a record in a specified table in ServiceNow. You can get available column elements from the Get Table Fields command.

READER NOTE

Table Name and Record Data are required parameters to run this command.

  • Run the Query Tables command to obtain Table Names. Table Names can be found in the returned raw data, at the path $.result[*].name.

  • Run the Get Table Fields command to obtain the fields available for Record Data. Input the desired table name to obtain the table's available fields. See Where can I get available field's system names? in the FAQ section for more information.

Input

Input Parameter

Required/Optional

Description

Example

Table Name

Required

The name of the table to create a record in. Table Name can be obtained using the Query Tables command.

x_******_test_d3_j**_test***

Record Data

Required

The contents of the record data in JSON format. The available fields can be obtained using the Get Table Fields command.

{

"notes": "A new record by Jon***.",

"passwd": "3**4",

"ip_address": "192.168.*.***",

"sys_tags": "",

"host_name": "d3lab_server**"

}

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": {
        "sys_id": "366********************697",
        "sys_updated_by": "admin",
        "passwd": "3**4",
        "duedate": "",
        "sys_created_on": "2021-07-05 19:46:38",
        "sys_mod_count": "0",
        "sys_updated_on": "2021-07-05 19:46:38",
        "sys_tags": "",
        "sys_created_by": "admin"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "RecordSysID": ["366********************697"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'sys_id': '366********************697', 'sys_updated_by': 'admin', 'passwd': '3**4', 'duedate': '', 'sys_created_on': '2021-07-05 19:46:38', 'sys_mod_count': '0', 'sys_updated_on': '2021-07-05 19:46:38', 'sys_tags': '', 'sys_created_by': 'admin'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Record failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Record Data.

Error Sample Data

Create Record failed.

Status Code: 400.

Message: Invalid Record Data.

Create Request

Creates a new request in the sc_request table.

READER NOTE

Custom Fields is an optional parameter to run this command.

Input

Input Parameter

Required/Optional

Description

Example

Short Description

Required

A short description for the new request.

New Request for project D. 512a

Requested For

Optional

The name, email, or Sys ID of the user who raised the request. If this parameter is not defined, requests will be created for the currently logged-in user.

Jon***** Wal****

Comments

Optional

The comments for the new request. Comments are visible to all users, fulfillers and requesters.

test comments510

Work Notes

Optional

The work notes for the new request. Work notes are only visible to request fulfillers, and are not shared with requesters.

For VIP

Due Date

Optional

The due date of the new request in UTC time.

2022-06-30 00:00

Custom Fields

Optional

The additional fields in JSON format to input into the request.

{

"assigned_to": "Mic**** Ho****",

"request_state": "requested",

"stage": "requested",

"escalation": "Normal",

"upon_approval": "Proceed to Next Task"

}

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": {
        "parent": "",
        "delivery_address": "",
        "made_sla": "true",
        "watch_list": "",
        "upon_reject": "Cancel all future Tasks",
        "requested_for": {
            "display_value": "Jon***** Wal****",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user/ea8****************ddb"
        },
        "sys_updated_on": "2022-05-10 17:13:33",
        "task_effective_number": "REQ*******",
        "approval_history": "",
        "skills": "",
        "number": "REQ*******",
        "sys_updated_by": "admin",
        "opened_by": {
            "display_value": "System Administrator",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441"
        },
        "user_input": "",
        "price": "$0.00",
        "sys_created_on": "2022-05-10 17:13:33",
        "sys_domain": {
            "display_value": "global",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global"
        },
        "state": "Open",
        "route_reason": "",
        "sys_created_by": "admin",
        "knowledge": "false",
        "order": "",
        "calendar_stc": "",
        "special_instructions": "",
        "closed_at": "",
        "cmdb_ci": "",
        "delivery_plan": "",
        "contract": "",
        "impact": "3 - Low",
        "active": "true",
        "work_notes_list": "",
        "business_service": "",
        "priority": "2 - High",
        "sys_domain_path": "/",
        "time_worked": "",
        "expected_start": "",
        "opened_at": "2022-05-10 17:13:33",
        "business_duration": "",
        "group_list": "",
        "work_end": "",
        "approval_set": "2022-05-10 17:13:34",
        "work_notes": "2022-05-10 17:13:34 - System Administrator (Work notes)\nFor VIP!\n\n",
        "universal_request": "",
        "short_description": "",
        "correlation_display": "",
        "delivery_task": "",
        "work_start": "",
        "assignment_group": "",
        "parent_interaction": "",
        "additional_assignee_list": "",
        "description": "",
        "calendar_duration": "",
        "close_notes": "",
        "service_offering": "",
        "sys_class_name": "Request",
        "closed_by": "",
        "follow_up": "",
        "sys_id": "65c*********************0fa",
        "contact_type": null,
        "urgency": "2 - Medium",
        "requested_date": "",
        "company": "",
        "reassignment_count": "0",
        "activity_due": "UNKNOWN",
        "assigned_to": {
            "display_value": "Mic**** Ho****",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user/c47********************ff3"
        },
        "comments": "2022-05-10 17:13:34 - System Administrator (Additional comments)\ntest comments510\n\n2022-05-10 17:13:34 - System Administrator (Additional comments)\nRequest automatically approved for total price <= $1000\n\n",
        "approval": "Approved",
        "sla_due": "UNKNOWN",
        "comments_and_work_notes": "2022-05-10 17:13:34 - System Administrator (Additional comments)\ntest comments510\n\n2022-05-10 17:13:34 - System Administrator (Additional comments)\nRequest automatically approved for total price <= $1000\n\n2022-05-10 17:13:34 - System Administrator (Work notes)\nFor VIP!\n\n",
        "due_date": "2022-05-30 17:00:00",
        "sys_mod_count": "0",
        "sys_tags": "",
        "request_state": "Approved",
        "stage": "Requested",
        "escalation": "Normal",
        "upon_approval": "Proceed to Next Task",
        "correlation_id": "",
        "location": ""
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "RequestSysID": ["65c*********************0fa"],
      "RequestNumber": ["REQ*******"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'parent': '', 'delivery_address': '', 'made_sla': 'true', 'watch_list': '', 'upon_reject': 'Cancel all future Tasks', 'requested_for': {'display_value': 'Jon***** Wal****', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user/ea8****************ddb'}, 'sys_updated_on': '2022-05-10 17:13:33', 'task_effective_number': 'REQ*******', 'approval_history': '', 'skills': '', 'number': 'REQ*******', 'sys_updated_by': 'admin', 'opened_by': {'display_value': 'System Administrator', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441'}, 'user_input': '', 'price': '$0.00', 'sys_created_on': '2022-05-10 17:13:33', 'sys_domain': {'display_value': 'global', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global'}, 'state': 'Open', 'route_reason': '', 'sys_created_by': 'admin', 'knowledge': 'false', 'order': '', 'calendar_stc': '', 'special_instructions': '', 'closed_at': '', 'cmdb_ci': '', 'delivery_plan': '', 'contract': '', 'impact': '3 - Low', 'active': 'true', 'work_notes_list': '', 'business_service': '', 'priority': '2 - High', 'sys_domain_path': '/', 'time_worked': '', 'expected_start': '', 'opened_at': '2022-05-10 17:13:33', 'business_duration': '', 'group_list': '', 'work_end': '', 'approval_set': '2022-05-10 17:13:34', 'work_notes': '2022-05-10 17:13:34 - System Administrator (Work notes)\nFor VIP!\n\n', 'universal_request': '', 'short_description': '', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'assignment_group': '', 'parent_interaction': '', 'additional_assignee_list': '', 'description': '', 'calendar_duration': '', 'close_notes': '', 'service_offering': '', 'sys_class_name': 'Request', 'closed_by': '', 'follow_up': '', 'sys_id': '65c*********************0fa', 'contact_type': None, 'urgency': '2 - Medium', 'requested_date': '', 'company': '', 'reassignment_count': '0', 'activity_due': 'UNKNOWN', 'assigned_to': {'display_value': 'Mic**** Ho****', 'link': 
'https://dev*****.service-now.com/api/now/table/sys_user/c47********************ff3'}, 'comments': '2022-05-10 17:13:34 - System Administrator (Additional comments)\ntest comments510\n\n2022-05-10 17:13:34 - System Administrator (Additional comments)\nRequest automatically approved for total price <= $1000\n\n', 'approval': 'Approved', 'sla_due': 'UNKNOWN', 'comments_and_work_notes': '2022-05-10 17:13:34 - System Administrator (Additional comments)\ntest comments510\n\n2022-05-10 17:13:34 - System Administrator (Additional comments)\nRequest automatically approved for total price <= $1000\n\n2022-05-10 17:13:34 - System Administrator (Work notes)\nFor VIP!\n\n', 'due_date': '2022-05-30 17:00:00', 'sys_mod_count': '0', 'sys_tags': '', 'request_state': 'Approved', 'stage': 'Requested', 'escalation': 'Normal', 'upon_approval': 'Proceed to Next Task', 'correlation_id': '', 'location': ''}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Request failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Custom Fields.

Error Sample Data

Create Request failed.

Status Code: 400.

Message: Invalid Custom Fields.

Create Requested Item

Creates a new Requested Item in the sc_req_item table.

READER NOTE

Request Sys ID Or Number and Custom Fields are optional parameters to run this command.

  • Run the Get Request command to obtain Request Sys IDs and Numbers. Request Sys IDs can be found in the returned raw data, at the path $.result[*].sys_id; Request Numbers can be found in the returned raw data, at the path $.result[*].number.

  • Run the Get Table Fields command to obtain the fields available for Custom Fields. See Where can I get available field's system names? in the FAQ section for more information on finding the available field names.

Input

Input Parameter

Required/Optional

Description

Example

Short Description

Required

A short description of the new requested item.

Apple iPhone13 0512a

Comments

Optional

The comments for the new requested item. Comments are visible to all users, fulfillers and requesters.

New req item iphone13

Work Notes

Optional

The work notes for the new requested item. Work notes are only visible to request fulfillers, and are not shared with requesters.

Sensitive info inside

Due Date

Optional

The due date of the new requested item in UTC time.

2022-06-30 00:00

Request Sys ID Or Number

Optional

The Sys ID or request number of the requested item(s). Request Sys ID and request numbers can be obtained using the Get Request command.

REQ*******

Custom Fields

Optional

The additional fields in JSON format to input into the requested item.

{

"urgency": "2"

}

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": {
        "parent": "",
        "delivery_address": "",
        "made_sla": "true",
        "watch_list": "",
        "upon_reject": "Cancel all future Tasks",
        "requested_for": {
            "display_value": "Jon***** Wal****",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user/ea8****************ddb"
        },
        "sys_updated_on": "2022-05-10 17:13:33",
        "task_effective_number": "REQ*******",
        "approval_history": "",
        "skills": "",
        "number": "REQ*******",
        "sys_updated_by": "admin",
        "opened_by": {
            "display_value": "System Administrator",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441"
        },
        "user_input": "",
        "price": "$0.00",
        "sys_created_on": "2022-05-10 17:13:33",
        "sys_domain": {
            "display_value": "global",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global"
        },
        "state": "Open",
        "route_reason": "",
        "sys_created_by": "admin",
        "knowledge": "false",
        "order": "",
        "calendar_stc": "",
        "special_instructions": "",
        "closed_at": "",
        "cmdb_ci": "",
        "delivery_plan": "",
        "contract": "",
        "impact": "3 - Low",
        "active": "true",
        "work_notes_list": "",
        "business_service": "",
        "priority": "2 - High",
        "sys_domain_path": "/",
        "time_worked": "",
        "expected_start": "",
        "opened_at": "2022-05-10 17:13:33",
        "business_duration": "",
        "group_list": "",
        "work_end": "",
        "approval_set": "2022-05-10 17:13:34",
        "work_notes": "2022-05-10 17:13:34 - System Administrator (Work notes)\nFor VIP!\n\n",
        "universal_request": "",
        "short_description": "",
        "correlation_display": "",
        "delivery_task": "",
        "work_start": "",
        "assignment_group": "",
        "parent_interaction": "",
        "additional_assignee_list": "",
        "description": "",
        "calendar_duration": "",
        "close_notes": "",
        "service_offering": "",
        "sys_class_name": "Request",
        "closed_by": "",
        "follow_up": "",
        "sys_id": "65c*********************0fa",
        "contact_type": null,
        "urgency": "2 - Medium",
        "requested_date": "",
        "company": "",
        "reassignment_count": "0",
        "activity_due": "UNKNOWN",
        "assigned_to": {
            "display_value": "Mic**** Ho****",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user/c47********************ff3"
        },
        "comments": "2022-05-10 17:13:34 - System Administrator (Additional comments)\ntest comments510\n\n2022-05-10 17:13:34 - System Administrator (Additional comments)\nRequest automatically approved for total price <= $1000\n\n",
        "approval": "Approved",
        "sla_due": "UNKNOWN",
        "comments_and_work_notes": "2022-05-10 17:13:34 - System Administrator (Additional comments)\ntest comments510\n\n2022-05-10 17:13:34 - System Administrator (Additional comments)\nRequest automatically approved for total price <= $1000\n\n2022-05-10 17:13:34 - System Administrator (Work notes)\nFor VIP!\n\n",
        "due_date": "2022-05-30 17:00:00",
        "sys_mod_count": "0",
        "sys_tags": "",
        "request_state": "Approved",
        "stage": "Requested",
        "escalation": "Normal",
        "upon_approval": "Proceed to Next Task",
        "correlation_id": "",
        "location": ""
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "RequestItemSysID": ["65c*********************0fa"],
      "RequestItemNumber": ["REQ*******"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

parent

made_sla

true

watch_list

sc_catalog

upon_reject

cancel

requested_for

{

"link": "https://dev72644.service-now.com/api/now/v2/table/sys_user/681*******************441",

"value": "681*******************441"

}

sys_updated_on

2021-03-17 23:05:29

task_effective_number

RITM0010041

approval_history

number

RITM0010041

sys_updated_by

admin

opened_by

{

"link": "https://dev72644.service-now.com/api/now/v2/table/sys_user/681*******************441",

"value": "681*******************441"

}

user_input

price

102

sys_created_on

2021-03-17 23:05:29

recurring_frequency

sys_domain

{

"link": "https://dev72644.service-now.com/api/now/v2/table/sys_user_group/global",

"value": "global"

}

context

state

1

route_reason

sys_created_by

admin

knowledge

false

order

closed_at

cmdb_ci

delivery_plan

backordered

true

contract

impact

3

active

true

work_notes_list

business_service

priority

4

sys_domain_path

/

time_worked

expected_start

flow_context

opened_at

2021-03-17 23:05:29

business_duration

group_list

configuration_item

{

"link": "https://dev72644.service-now.com/api/now/v2/table/cmdb_ci/0c4******************7cc",

"value": "0c4******************7cc"

}

work_end

approval_set

work_notes

order_guide

{

"link": "https://dev72644.service-now.com/api/now/v2/table/sc_cat_item_guide/251*********************dd6",

"value": "251*********************dd6"

}

universal_request

request

{

"link": "https://dev72644.service-now.com/api/now/v2/table/sc_request/771********************60b",

"value": "771********************60b"

}

short_description

correlation_display

delivery_task

work_start

assignment_group

additional_assignee_list

description

calendar_duration

close_notes

service_offering

sys_class_name

sc_req_item

closed_by

follow_up

sys_id

9f04e7082fc32010c23c4ae72799b66b

contact_type

urgency

3

company

reassignment_count

0

activity_due

assigned_to

comments

quantity

1

approval

requested

sla_due

comments_and_work_notes

due_date

2021-03-20 19:15:53

sys_mod_count

0

recurring_price

0

sys_tags

billable

false

cat_item

{

"link": "https://dev72644.service-now.com/api/now/v2/table/sc_cat_item/0c5**********************739",

"value": "0c5**********************739"

}

stage

waiting_for_approval

escalation

0

upon_approval

proceed

correlation_id

location

estimated_delivery

2021-03-25 19:16:09

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Request Item failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Request ID Not Found.

Error Sample Data

Create Request Item failed.

Status Code: 404.

Message: Request ID Not Found.

Create Security Incident

Creates a security incident based on specified information, and optionally uploads attachment(s) to the security incident.

READER NOTE

Requested By, Assignment Group, Assigned User and Custom Fields are optional parameters to run this command.

  • If you have a user's email or username, you can input it into the Get User Details command to obtain the corresponding Sys IDs. The input Sys IDs for the Requested By and Assigned User parameters can be found in the returned raw data, at the path $.result[*].sys_id.

  • User names and user emails can be found from the ServiceNow user interface. Search for System Security, then navigate to Users and Groups > Users.

  • Run the Get Group Details command to obtain Assignment Groups. Group Names can be found in the returned raw data, at the path $.result[*].name; Group Sys IDs can be found in the raw data, at the path $.result[*].sys_id.

  • Run the Get Table Fields command to obtain the fields available for Custom Fields. See Where can I get available field's system names? in the FAQ section for more information on finding the available field names.

ALERT

Due to recent changes in the ServiceNow API, there are some limitations when using the Assignment Group and Assigned To parameters. The following restrictions apply when using these parameters:

  • You can only use this command to assign users to security incidents in the Security Incident Assignment group:

  1. The user must be part of the Security Incident Assignment group. This can be checked and modified from the ServiceNow user interface.

  2. Both the assignment group and assigned to parameters must be defined in the command.

  • If you wish to assign an incident to a group other than the Security Incident Assignment group, you should follow these steps:

  1. Enter the desired group name in the Assignment Group parameter, and leave the Assigned User parameter empty.

  2. Run the Update Security Incident command to assign the incident to the desired user.

It is not recommended to use the Test Command feature with the Create Security Incident command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

  1. Navigate to Configuration on the top bar menu.

  2. Click on Utility Commands on the left sidebar menu.

  3. Use the search box to find and select the Create a File from input Text Array command.

  4. Click on the Test tab.

  5. Input the required information for the parameters.

  6. Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

Input

Input Parameter

Required/Optional

Description

Example

Short Description

Required

A short description for the new security incident.

Sec Incident 0511a

Requested By

Optional

The user name, email, or Sys ID of the requesting user. User names, emails and Sys IDs can be obtained using the Get User Details command. If this parameter is not defined, the request will be created for the currently logged-in user. Note: The admin user cannot be the requester unless the logged-in user account is an admin user.

Ja** Erl******

Business Impact

Optional

The impact level of the security incident. If this field is not defined, the default impact level will be set to Low.

High

Priority

Optional

The priority level of the security incident. If this field is not defined, the default priority level will be set to Low.

Moderate

Category

Optional

The category of the security incident. If this field is not defined, the default category will be set to None.

Unpatched Vulnerability

Assignment Group

Optional

The name or Sys ID of the group to assign the security incident to. Group names and Sys IDs can be obtained using the Get Group Details command.

Problem Analyzers

Assigned User

Optional

The user name, email or Sys ID of the user assigned to the security incident. User names, emails and Sys IDs can be obtained using the Get User Details command.

Note: If you input values for both the Assignment Group and Assigned User parameters, ensure that the user is in the group. Otherwise, the error message "Operation Failed" will be returned. You can use the Query Group Members command to check if the user is in the group.

Jon***** Wal****

Description

Optional

A description for the new security incident.

Test description 0511c

Custom Fields

Optional

The additional fields in JSON format to input into the security incident.

{

"comments": "510c These are my comments",

"subcategory": "37"

}

File IDs

Optional

The file paths of the file source.

[

"749"

]

File Source

Optional

The file source of the file to attach. The options for file sources are:

Incident Attachment File: Manually uploaded file from Incident

Playbook File: Output from another Task

Artifact File: Ingested Artifact in an Event

Playbook File
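
The assignment restrictions in the ALERT above and the note on the Assigned User parameter can be checked before the command runs. The following pre-flight check is an added example, not D3 SOAR or ServiceNow code. It assumes the group's members were already collected with Query Group Members and are passed in as a plain list; the keys of the follow-up entry are placeholders.

```python
import json
from dataclasses import dataclass, field

# Group name taken from the ALERT on this page.
SECURITY_GROUP = "Security Incident Assignment"


class PreflightError(ValueError):
    """Inputs that the page says will fail or cannot be assigned in one step."""


@dataclass
class Plan:
    create_params: dict                            # inputs for Create Security Incident
    follow_up: list = field(default_factory=list)  # commands to run after creation


def _norm(name):
    # Assumption: names are compared ignoring case and surrounding whitespace.
    return name.strip().casefold()


def plan_security_incident(short_description, assignment_group="",
                           assigned_user="", custom_fields="",
                           group_members=()):
    """Validate inputs and decide between one-step and two-step assignment."""
    if not short_description.strip():
        raise PreflightError("Short Description is required")
    params = {"Short Description": short_description}

    # Custom Fields is described as additional fields in JSON format,
    # so anything that is not a JSON object is rejected here.
    if custom_fields:
        try:
            parsed = json.loads(custom_fields)
        except json.JSONDecodeError as exc:
            raise PreflightError(f"Custom Fields is not valid JSON: {exc}") from exc
        if not isinstance(parsed, dict):
            raise PreflightError("Custom Fields must be a JSON object")
        params["Custom Fields"] = json.dumps(parsed)

    # ALERT: both parameters must be defined to assign a user.
    if assigned_user and not assignment_group:
        raise PreflightError("Assigned User requires Assignment Group as well")
    if assignment_group:
        params["Assignment Group"] = assignment_group
    if not assigned_user:
        return Plan(params)

    # Note on Assigned User: a user outside the group yields "Operation Failed".
    # The check is also applied to the two-step path (conservative assumption).
    if _norm(assigned_user) not in {_norm(m) for m in group_members}:
        raise PreflightError(
            f"{assigned_user!r} is not a member of {assignment_group!r}")

    if _norm(assignment_group) == _norm(SECURITY_GROUP):
        params["Assigned User"] = assigned_user    # one step: create with both
        return Plan(params)

    # Other groups: create with the group only, then assign the user with
    # Update Security Incident. The dict keys below are placeholders.
    return Plan(params, [{"command": "Update Security Incident",
                          "assigned_user": assigned_user}])


if __name__ == "__main__":
    # Constructed member list standing in for Query Group Members output.
    members = ["Jon Example", "ja.example@example.com"]
    plan = plan_security_incident("Sec Incident 0511a", "Problem Analyzers",
                                  "Jon Example", '{"subcategory": "37"}', members)
    print(plan.create_params)
    print(plan.follow_up)
```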

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": {
        "parent": "",
        "sla_suspended_reason": null,
        "watch_list": "",
        "upon_reject": "Cancel all future Tasks",
        "sys_updated_on": "2022-05-11 16:54:08",
        "qualification_group": "",
        "expected_end": "",
        "approval_history": "",
        "source_ip": "",
        "skills": "",
        "number": "SIR*******",
        "problem": "",
        "previous_agent": "",
        "state": "Draft",
        "sys_created_by": "admin",
        "template_workflow_invoked": "false",
        "knowledge": "false",
        "order": "",
        "phish_email": "",
        "cmdb_ci": "",
        "delivery_plan": "",
        "contract": "",
        "impact": "2 - Medium",
        "active": "true",
        "work_notes_list": "",
        "priority": "3 - Moderate",
        "sys_domain_path": "/",
        "sla_suspended": "false",
        "business_duration": "",
        "group_list": "",
        "special_access_write": "",
        "dest_ip": "",
        "mitre_platform": "",
        "approval_set": "",
        "risk_change": "Up",
        "malware_url": "",
        "universal_request": "",
        "template": "",
        "short_description": "Sec Incident 0511c",
        "correlation_display": "",
        "delivery_task": "",
        "work_start": "",
        "request_type": null,
        "affected_user": "",
        "other_ioc": "",
        "additional_assignee_list": "",
        "alert_sensor": "",
        "assigned_vendor": "",
        "service_offering": "",
        "sys_class_name": "Security Incident",
        "closed_by": "",
        "follow_up": "",
        "mitre_group": "",
        "sla_suspended_on": "",
        "estimated_end": "",
        "vendor_reference": "",
        "reassignment_count": "0",
        "assigned_to": {
            "display_value": "Jon***** Wal****",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user/ea8****************ddb"
        },
        "request_category": "",
        "requested_due_by": "",
        "mitre_malware": "",
        "sla_suspended_for": "",
        "business_criticality": "3 - Non-critical",
        "sla_due": "UNKNOWN",
        "opened_for": {
            "display_value": "System Administrator",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441"
        },
        "comments_and_work_notes": "2022-05-11 16:54:08 - System Administrator (Additional comments)\n511c These are my comments\n\n2022-05-11 16:54:08 - System Administrator (Automation activity)\nRisk score changed from Empty to 45 due to change in business impact, priority, severity, risk score override\n\n",
        "mitre_technique": "",
        "special_access_read": "",
        "substate": "",
        "escalation": "Normal",
        "upon_approval": "Proceed to Next Task",
        "correlation_id": "",
        "asset": "",
        "mitre_tool": "",
        "spam": "false",
        "referrer_url": "",
        "made_sla": "true",
        "mitre_tactic": "",
        "is_catalog": "false",
        "malware_hash": "",
        "alert_rule": "",
        "task_effective_number": "SIR*******",
        "external_url": "",
        "sys_updated_by": "admin",
        "opened_by": {
            "display_value": "System Administrator",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441"
        },
        "user_input": "",
        "sys_created_on": "2022-05-11 16:54:08",
        "sys_domain": {
            "display_value": "global",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global"
        },
        "pir": null,
        "route_reason": "",
        "closed_at": "",
        "business_service": "",
        "attack_vector": "",
        "time_worked": "",
        "expected_start": "",
        "opened_at": "2022-05-11 16:54:08",
        "task_created": "false",
        "work_end": "",
        "confidence_score": "",
        "prediction": null,
        "automation_activity": "2022-05-11 16:54:08 - System Administrator (Automation activity)\nRisk score changed from Empty to 45 due to change in business impact, priority, severity, risk score override\n\n",
        "subcategory": "Vulnerable application",
        "work_notes": "",
        "security_tags": "",
        "risk_score_override": "false",
        "initiated_from": "",
        "close_code": null,
        "assignment_group": {
            "display_value": "Problem Analyzers",
            "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/0c4*******************461"
        },
        "description": "Test description 0511c",
        "calendar_duration": "",
        "close_notes": "",
        "pir_respondents": "Jon***** Wal****",
        "sys_id": "7ae**********************09e",
        "contact_type": null,
        "urgency": "3 - Low",
        "secure_notes": "",
        "company": "",
        "new_pir_respondents": "",
        "department": "",
        "activity_due": "UNKNOWN",
        "severity": "2 - Medium",
        "comments": "2022-05-11 16:54:08 - System Administrator (Additional comments)\n511c These are my comments\n\n",
        "risk_score": "45",
        "approval": "Not Yet Requested",
        "due_date": "",
        "sys_mod_count": "0",
        "parent_security_incident": "",
        "sys_tags": "",
        "billable": "false",
        "mitre_data_source": "",
        "caller": "",
        "location": "",
        "risk": "Moderate",
        "category": "Un-patched vulnerability",
        "incident": "",
        "change_request": "",
        "security_incident_self": {
            "display_value": "SIR*******",
            "link": "https://dev*****.service-now.com/api/now/table/sn_si_incident/7ae**********************09e"
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "SecurityIncidentSysID": ["7ae**********************09e"],
      "SecurityIncidentNumber": ["SIR*******"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'parent': '', 'sla_suspended_reason': None, 'watch_list': '', 'upon_reject': 'Cancel all future Tasks', 'sys_updated_on': '2022-05-11 16:54:08', 'qualification_group': '', 'expected_end': '', 'approval_history': '', 'source_ip': '', 'skills': '', 'number': 'SIR*******', 'problem': '', 'previous_agent': '', 'state': 'Draft', 'sys_created_by': 'admin', 'template_workflow_invoked': 'false', 'knowledge': 'false', 'order': '', 'phish_email': '', 'cmdb_ci': '', 'delivery_plan': '', 'contract': '', 'impact': '2 - Medium', 'active': 'true', 'work_notes_list': '', 'priority': '3 - Moderate', 'sys_domain_path': '/', 'sla_suspended': 'false', 'business_duration': '', 'group_list': '', 'special_access_write': '', 'dest_ip': '', 'mitre_platform': '', 'approval_set': '', 'risk_change': 'Up', 'malware_url': '', 'universal_request': '', 'template': '', 'short_description': 'Sec Incident 0511c', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'request_type': None, 'affected_user': '', 'other_ioc': '', 'additional_assignee_list': '', 'alert_sensor': '', 'assigned_vendor': '', 'service_offering': '', 'sys_class_name': 'Security Incident', 'closed_by': '', 'follow_up': '', 'mitre_group': '', 'sla_suspended_on': '', 'estimated_end': '', 'vendor_reference': '', 'reassignment_count': '0', 'assigned_to': {'display_value': 'Jon***** Wal****', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user/ea8****************ddb'}, 'request_category': '', 'requested_due_by': '', 'mitre_malware': '', 'sla_suspended_for': '', 'business_criticality': '3 - Non-critical', 'sla_due': 'UNKNOWN', 'opened_for': {'display_value': 'System Administrator', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441'}, 'comments_and_work_notes': '2022-05-11 16:54:08 - System Administrator (Additional comments)\n511c These are my comments\n\n2022-05-11 16:54:08 - System Administrator (Automation activity)\nRisk score changed from Empty to 45 due to change 
in business impact, priority, severity, risk score override\n\n', 'mitre_technique': '', 'special_access_read': '', 'substate': '', 'escalation': 'Normal', 'upon_approval': 'Proceed to Next Task', 'correlation_id': '', 'asset': '', 'mitre_tool': '', 'spam': 'false', 'referrer_url': '', 'made_sla': 'true', 'mitre_tactic': '', 'is_catalog': 'false', 'malware_hash': '', 'alert_rule': '', 'task_effective_number': 'SIR*******', 'external_url': '', 'sys_updated_by': 'admin', 'opened_by': {'display_value': 'System Administrator', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441'}, 'user_input': '', 'sys_created_on': '2022-05-11 16:54:08', 'sys_domain': {'display_value': 'global', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global'}, 'pir': None, 'route_reason': '', 'closed_at': '', 'business_service': '', 'attack_vector': '', 'time_worked': '', 'expected_start': '', 'opened_at': '2022-05-11 16:54:08', 'task_created': 'false', 'work_end': '', 'confidence_score': '', 'prediction': None, 'automation_activity': '2022-05-11 16:54:08 - System Administrator (Automation activity)\nRisk score changed from Empty to 45 due to change in business impact, priority, severity, risk score override\n\n', 'subcategory': 'Vulnerable application', 'work_notes': '', 'security_tags': '', 'risk_score_override': 'false', 'initiated_from': '', 'close_code': None, 'assignment_group': {'display_value': 'Problem Analyzers', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/0c4*******************461'}, 'description': 'Test description 0511c', 'calendar_duration': '', 'close_notes': '', 'pir_respondents': 'Jon***** Wal****', 'sys_id': '7ae**********************09e', 'contact_type': None, 'urgency': '3 - Low', 'secure_notes': '', 'company': '', 'new_pir_respondents': '', 'department': '', 'activity_due': 'UNKNOWN', 'severity': '2 - Medium', 'comments': '2022-05-11 16:54:08 - System Administrator (Additional 
comments)\n511c These are my comments\n\n', 'risk_score': '45', 'approval': 'Not Yet Requested', 'due_date': '', 'sys_mod_count': '0', 'parent_security_incident': '', 'sys_tags': '', 'billable': 'false', 'mitre_data_source': '', 'caller': '', 'location': '', 'risk': 'Moderate', 'category': 'Un-patched vulnerability', 'incident': '', 'change_request': '', 'security_incident_self': {'display_value': 'SIR*******', 'link': 'https://dev*****.service-now.com/api/now/table/sn_si_incident/7ae**********************09e'}}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Security Incident failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: User Not Exist.

Error Sample Data

Create Security Incident failed.

Status Code: 404.

Message: User Not Exist.

Create Ticket

Creates an incident ticket and optionally uploads attachment(s) to the ticket.

READER NOTE

Caller ID, Assignment Group, Assigned User and Custom Fields are optional parameters to run this command.

  • If you have a user's email or username, you can input it into the Get User Details command to obtain the corresponding Sys IDs. The input Sys IDs for the Caller ID and Assigned User parameters can be found in the returned raw data, at the path $.result[*].sys_id.

  • User names and user emails can be found from the ServiceNow user interface. Search for System Security, then navigate to Users and Groups > Users.

  • Run the Get Group Details command to obtain Assignment Groups. Group Names can be found in the returned raw data, at the path $.result[*].name; Group Sys IDs can be found in the raw data, at the path $.result[*].sys_id.

  • Run the Get Table Fields command to obtain the fields available for Custom Fields. See "Where can I get available field's system names?" in the FAQ section for more information on finding the available field names.

ALERT

If you enter values for both the Assignment Group and Assigned User fields, make sure the Assigned User is in the Assignment Group. Otherwise, D3 SOAR will return the “Operation Failed” error message.

It is recommended to run the Query Group Members command to check whether the user is in the group, if you choose to input values for both fields.

It is not recommended to use the Test Command feature with the Create Ticket command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

  1. Navigate to Configuration on the top bar menu.

  2. Click on Utility Commands on the left sidebar menu.

  3. Use the search box to find and select the Create a File from input Text Array command.

  4. Click on the Test tab.

  5. Input the required information for the parameters.

  6. Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

Input

Input Parameter

Required/Optional

Description

Example

Short Description

Required

A short description for the new incident ticket.

Test incident creation through REST 0510c

Caller ID

Optional

The user name, user email, or user Sys ID of the caller. User names, user email or user Sys IDs can be obtained using the Get User Details command. If this field is not specified, the caller will be the current login user. Note: The admin user cannot be the caller unless the login user account is an admin user.

Ja** Erl******

Impact

Optional

The impact level of the incident ticket. The default impact level is Low.

Low

Urgency

Optional

The urgency level of the incident. The default urgency level is Low.

Low

Category

Optional

The category of the incident ticket. The default category is Inquiry/Help.

Inquiry/Help

Assignment Group

Optional

The name or Sys ID of the group to assign the incident ticket to. Group names and Sys IDs can be obtained using the Get Group Details command.

Problem Analyzers

Assigned User

Optional

The user name, email or Sys ID of the user assigned to the incident ticket. User names, emails and Sys IDs can be obtained using the Get User Details command.

Note: If you input values for both the Assignment Group and Assigned User parameters, ensure that the user is in the group. Otherwise, the error message "Operation Failed" will be returned. You can use the Query Group Members command to check if the user is in the group.

Jon***** Wal****

Description

Optional

A description for the incident ticket.

Test description 0510c

Custom Fields

Optional

The additional fields in JSON format to input into the incident ticket.

{

"comments": "comment0510c",

"subcategory": "DNS"

}

File IDs

Optional

The file paths of the file source.

[

"278"

]

File Source

Optional

The file source of the file to attach. The options for file sources are:

Incident Attachment File: Manually uploaded file from Incident

Playbook File: Output from another Task

Artifact File: Ingested Artifact in an Event

Playbook File

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": {
        "parent": "",
        "made_sla": "true",
        "caused_by": "",
        "watch_list": "",
        "upon_reject": "Cancel all future Tasks",
        "sys_updated_on": "2022-05-10 12:20:04",
        "child_incidents": "0",
        "hold_reason": "",
        "task_effective_number": "INC*******",
        "approval_history": "",
        "skills": "",
        "number": "INC*******",
        "resolved_by": "",
        "sys_updated_by": "admin",
        "opened_by": {
            "display_value": "System Administrator",
            "link": "https://dev*****.service-now.com/api/now/v2/table/sys_user/681*******************441"
        },
        "user_input": "",
        "sys_created_on": "2022-05-10 12:20:04",
        "sys_domain": {
            "display_value": "global",
            "link": "https://dev*****.service-now.com/api/now/v2/table/sys_user_group/global"
        },
        "state": "In Progress",
        "route_reason": "",
        "sys_created_by": "admin",
        "knowledge": "false",
        "order": "",
        "calendar_stc": "",
        "closed_at": "",
        "cmdb_ci": "",
        "delivery_plan": "",
        "contract": "",
        "impact": "2 - Medium",
        "active": "true",
        "work_notes_list": "",
        "business_service": "",
        "priority": "2 - High",
        "sys_domain_path": "/",
        "rfc": "",
        "time_worked": "",
        "expected_start": "",
        "opened_at": "2022-05-10 12:20:04",
        "business_duration": "",
        "group_list": "",
        "work_end": "",
        "caller_id": "",
        "reopened_time": "",
        "resolved_at": "",
        "approval_set": "",
        "subcategory": "DNS",
        "work_notes": "",
        "universal_request": "",
        "short_description": "Test incident creation through REST 0510e",
        "close_code": null,
        "correlation_display": "",
        "delivery_task": "",
        "work_start": "",
        "assignment_group": {
            "display_value": "Problem Analyzers",
            "link": "https://dev*****.service-now.com/api/now/v2/table/sys_user_group/0c4*******************461"
        },
        "additional_assignee_list": "",
        "business_stc": "",
        "description": "Test description 0510e",
        "calendar_duration": "",
        "close_notes": "",
        "notify": "Do Not Notify",
        "service_offering": "",
        "sys_class_name": "Incident",
        "closed_by": "",
        "follow_up": "",
        "parent_incident": "",
        "sys_id": "ae9*********************0ac",
        "contact_type": null,
        "reopened_by": "",
        "incident_state": "In Progress",
        "urgency": "1 - High",
        "problem_id": "",
        "company": "",
        "reassignment_count": "0",
        "activity_due": "UNKNOWN",
        "assigned_to": {
            "display_value": "Jon***** Wal****",
            "link": "https://dev*****.service-now.com/api/now/v2/table/sys_user/ea8****************ddb"
        },
        "severity": "3 - Low",
        "comments": "2022-05-10 12:20:04 - System Administrator (Additional comments)\ncomment0510e\n\n",
        "approval": "Not Yet Requested",
        "sla_due": "UNKNOWN",
        "comments_and_work_notes": "2022-05-10 12:20:04 - System Administrator (Additional comments)\ncomment0510e\n\n",
        "due_date": "",
        "sys_mod_count": "0",
        "reopen_count": "0",
        "sys_tags": "",
        "escalation": "Normal",
        "upon_approval": "Proceed to Next Task",
        "correlation_id": "",
        "location": "",
        "category": "Network"
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "TicketSysID": ["ae9*********************0ac"],
      "made_sla": ["INC*******"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'parent': '', 'made_sla': 'true', 'caused_by': '', 'watch_list': '', 'upon_reject': 'Cancel all future Tasks', 'sys_updated_on': '2022-05-10 12:20:04', 'child_incidents': '0', 'hold_reason': '', 'task_effective_number': 'INC*******', 'approval_history': '', 'skills': '', 'number': 'INC*******', 'resolved_by': '', 'sys_updated_by': 'admin', 'opened_by': {'display_value': 'System Administrator', 'link': 'https://dev*****.service-now.com/api/now/v2/table/sys_user/681*******************441'}, 'user_input': '', 'sys_created_on': '2022-05-10 12:20:04', 'sys_domain': {'display_value': 'global', 'link': 'https://dev*****.service-now.com/api/now/v2/table/sys_user_group/global'}, 'state': 'In Progress', 'route_reason': '', 'sys_created_by': 'admin', 'knowledge': 'false', 'order': '', 'calendar_stc': '', 'closed_at': '', 'cmdb_ci': '', 'delivery_plan': '', 'contract': '', 'impact': '2 - Medium', 'active': 'true', 'work_notes_list': '', 'business_service': '', 'priority': '2 - High', 'sys_domain_path': '/', 'rfc': '', 'time_worked': '', 'expected_start': '', 'opened_at': '2022-05-10 12:20:04', 'business_duration': '', 'group_list': '', 'work_end': '', 'caller_id': '', 'reopened_time': '', 'resolved_at': '', 'approval_set': '', 'subcategory': 'DNS', 'work_notes': '', 'universal_request': '', 'short_description': 'Test incident creation through REST 0510e', 'close_code': None, 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'assignment_group': {'display_value': 'Problem Analyzers', 'link': 'https://dev*****.service-now.com/api/now/v2/table/sys_user_group/0c4*******************461'}, 'additional_assignee_list': '', 'business_stc': '', 'description': 'Test description 0510e', 'calendar_duration': '', 'close_notes': '', 'notify': 'Do Not Notify', 'service_offering': '', 'sys_class_name': 'Incident', 'closed_by': '', 'follow_up': '', 'parent_incident': '', 'sys_id': 'ae9*********************0ac', 'contact_type': None, 'reopened_by': '', 'incident_state': 'In 
Progress', 'urgency': '1 - High', 'problem_id': '', 'company': '', 'reassignment_count': '0', 'activity_due': 'UNKNOWN', 'assigned_to': {'display_value': 'Jon***** Wal****', 'link': 'https://dev*****.service-now.com/api/now/v2/table/sys_user/ea8****************ddb'}, 'severity': '3 - Low', 'comments': '2022-05-10 12:20:04 - System Administrator (Additional comments)\ncomment0510e\n\n', 'approval': 'Not Yet Requested', 'sla_due': 'UNKNOWN', 'comments_and_work_notes': '2022-05-10 12:20:04 - System Administrator (Additional comments)\ncomment0510e\n\n', 'due_date': '', 'sys_mod_count': '0', 'reopen_count': '0', 'sys_tags': '', 'escalation': 'Normal', 'upon_approval': 'Proceed to Next Task', 'correlation_id': '', 'location': '', 'category': 'Network'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Ticket failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Custom Fields.

Error Sample Data

Create Ticket failed.

Status Code: 400.

Message: Invalid Custom Fields.

Delete Records

Deletes the specified records from a specified table in ServiceNow.

READER NOTE

Table Name and Record Sys IDs are required parameters to run this command.

  • Run the Query Tables command to obtain Table Names. Table Names can be found in the returned raw data, at the path $.result[*].name.

  • Run the Query Records command to obtain Record Sys IDs. Record Sys IDs can be found in the returned raw data, at the path $.result.[*].sys_id.

ALERT

You will need to make sure the Table Name matches the Record Sys IDs. Otherwise, D3 SOAR will return an error.

It is recommended to run the Query Tables command first and choose the table name you want to get the record from. Use that table name as the input value to run the Query Records command to get Record Sys IDs.

When inputting Table Names and Record Sys IDs obtained from running other commands, ensure that these pairs of values match.

Input

Input Parameter

Required/Optional

Description

Example

Table Name

Required

The name of the table to delete records from. Table names can be obtained using the Query Tables command.

x_******_test_d3_j**_test***

Record Sys IDs

Required

The Sys IDs of the records to delete. Record Sys IDs can be obtained using the Query Records command.

[ "366********************697" ]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

The original ServiceNow API response is empty. D3 adds the custom fields id and actionResult to show which record was deleted and whether the deletion was successful.

SAMPLE DATA

[
    {
        "id": ["366********************697"],
        "actionResult": ["Delete the record successfully"]
    }
]
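The matching rule from the ALERT above and the id/actionResult raw data can be checked in code before and after a delete. The following Python is an added example, not D3 or ServiceNow code: the function names, the table name x_demo_table and the Sys IDs are constructed, and the Query Records raw data shape is assumed from the path given in the Reader Note.

```python
import re

# ServiceNow Sys IDs are 32 hexadecimal characters.
SYS_ID = re.compile(r"[0-9a-f]{32}")
# actionResult value shown in the Delete Records sample data.
DELETED = "Delete the record successfully"

# Constructed sample values (not real records).
ID_A = "0123456789abcdef0123456789abcdef"
ID_B = "fedcba9876543210fedcba9876543210"
ID_C = "00000000000000000000000000000001"
# Assumed shape of Query Records raw data for table x_demo_table.
SAMPLE_QUERY_RECORDS = {"result": [{"sys_id": ID_A}, {"sys_id": ID_B}]}


def plan_delete(delete_table, queried_table, query_records_raw, requested_ids):
    """Split requested_ids into (confirmed, rejected) before Delete Records runs.

    An ID is confirmed only if it is well formed and was returned by a
    Query Records run against the same table that the delete targets.
    """
    if delete_table != queried_table:
        raise ValueError(
            f"Sys IDs were queried from {queried_table!r} but the delete targets {delete_table!r}"
        )
    in_table = {rec.get("sys_id") for rec in query_records_raw.get("result", [])}
    confirmed, rejected = [], {}
    for sys_id in requested_ids:
        if not SYS_ID.fullmatch(sys_id):
            rejected[sys_id] = "not a 32-character hexadecimal Sys ID"
        elif sys_id not in in_table:
            rejected[sys_id] = "not returned by Query Records for this table"
        else:
            confirmed.append(sys_id)
    return confirmed, rejected


def undeleted(requested_ids, delete_raw):
    """Return the requested IDs that the Delete Records raw data does not confirm.

    delete_raw is the list of {"id": [...], "actionResult": [...]} objects that
    D3 adds; the two arrays are read as parallel (assumption).
    """
    outcome = {}
    for entry in delete_raw:
        for sys_id, result in zip(entry.get("id", []), entry.get("actionResult", [])):
            outcome[sys_id] = result
    return [sys_id for sys_id in requested_ids if outcome.get(sys_id) != DELETED]
```
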
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

actionResult

366********************697

Delete the record successfully

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Records failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Record Not Found.

Error Sample Data

Delete Records failed.

Status Code: 404.

Message: Record Not Found.

Download Ticket Attachments

Downloads attachments of the specified incident ticket.

READER NOTE

Ticket Sys ID is a required parameter to run this command.

  • You should already have your desired Ticket Sys IDs on hand to run this command. If you don’t, you may use the Fetch Event command with defined filters to retrieve the desired Ticket Sys IDs. The Ticket Sys IDs can be found in the raw data, at the path $.result[*].sys_id.

  • If no files exist in the specified ticket, the command will run successfully with no returned results. Please verify your input Ticket Sys ID.

  • Ensure that your input Sys ID belongs to a ticket. To do this, select the Incident Type parameter as "Incident". Note that any other format will not work.

Input

Input Parameter

Required/Optional

Description

Example

Ticket Sys ID

Required

The Sys ID of the incident ticket to download attachment(s) from. Sys IDs can be obtained using the Fetch Event command.

ae9*********************0ac

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

The original ServiceNow API response does not contain enough information. D3 customizes the raw data by adding “fileId”, “fileName”, “md5”, “sha1” and “sha256” fields to provide more download details.

SAMPLE DATA

[
    {
        "fileId": "305",
        "fileName": "invoice (2).pdf",
        "md5": "8F8*********************62F",
        "sha1": "E5D***********************F39",
        "sha256": "52D******************************************282"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "FileNames": ["bl***ay.png",
                "Screenshot Postman request (1).png"],
      "FileIDs": ["749",
                "750"]          
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

fileId

fileName

md5

sha1

sha256

305

invoice (2).pdf

8F8*********************62F

E5D***********************F39

52D******************************************282

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. These details can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Download Ticket Attachments failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Ticket Not Found.

Error Sample Data

Download Ticket Attachments failed.

Status Code: 404.

Message: Ticket Not Found.

Fetch Event

Returns incident ticket(s) or Security Incident(s) as Event(s) from the ServiceNow platform based on specified criteria.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The start time of the time range to fetch incident tickets/Security Incidents by the specified query time field (created time or updated time), in UTC time.

2022-04-01 00:00

End Time

Optional

The end time of the time range to fetch incident tickets/Security Incidents by the specified query time field (created time or updated time), in UTC time. If not specified, the current time will be the end time.

2022-04-20 00:00

Number of Event(s) Fetched

Optional

The maximum number of the most recent incident tickets to fetch. The default value is 100. Note: If the input limit value is too large, it may affect system performance when returning a large volume of results.

3

Search Condition

Optional

The query conditions to filter the returned results. For information about the query syntax, see Operators available for filters and queries.

Note: If the query field does not exist in the table, all records will be returned. Fields and operators are case-sensitive. Do not leave a space between an operator and a value. For example, for the search condition numberLIKE10004, LIKE is the operator, and 10004 is the value. There should be no space between LIKE and 10004.

severity=3^active=true

Tolerance Scope

Optional

The tolerance scope, in minutes, by which the query window is widened so that incident tickets are not lost between fetches. Incident tickets are fetched in the range {Start Time - Tolerance Scope, End Time}.

10

Incident Type

Optional

The incident type of the events to fetch. The available options are Incident and Security Incident. If this parameter is not defined, the default value is Incident.

Security Incident
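The Search Condition and Tolerance Scope rules in the table above, as an added Python example (not D3 or ServiceNow code): it flags the mistakes the note warns about before a query is sent, and computes the widened fetch window. The function names are hypothetical, the operator list is a subset of ServiceNow's, and the known-field set is constructed from field names in this page's sample incident record.

```python
import re
from datetime import datetime, timedelta, timezone

TIME_FORMAT = "%Y-%m-%d %H:%M"  # layout of the Start Time / End Time examples

# Assumption: a subset of ServiceNow's encoded-query operators; extend as needed.
# Two-character symbols come first so "!=" is not read as "=".
OPERATORS = ["!=", ">=", "<=", "=", ">", "<", "LIKE", "STARTSWITH", "ENDSWITH", "IN"]
TERM = re.compile(
    r"^(?P<field>[A-Za-z_][A-Za-z0-9_.]*?)(?P<pre>\s*)"
    r"(?P<op>" + "|".join(re.escape(op) for op in OPERATORS) + r")"
    r"(?P<post>\s*)(?P<value>.*)$"
)

# Constructed allow-list: field names taken from this page's sample incident record.
KNOWN_FIELDS = {
    "number", "severity", "active", "priority", "state", "category", "urgency",
    "impact", "short_description", "sys_created_on", "sys_updated_on",
}


def check_search_condition(condition, known_fields=KNOWN_FIELDS):
    """Return (term, problem) pairs for a Search Condition; an empty list means no finding."""
    findings = []
    if not condition:
        return findings  # the parameter is optional
    for index, term in enumerate(condition.split("^")):
        if index > 0 and term.startswith("ORDERBY"):
            continue  # sort directive, not a filter
        if index > 0 and term.startswith("OR"):
            term = term[2:]  # "^OR" joins alternatives
        match = TERM.match(term)
        if match is None:
            findings.append((term, "no recognised operator (operators are case-sensitive)"))
            continue
        if match["pre"] or match["post"]:
            findings.append((term, "whitespace next to the operator"))
        if match["field"] not in known_fields:
            # Per the note above, a field that is not in the table does not
            # narrow the query: every record comes back.
            findings.append(
                (term, "unknown field %r: all records would be returned" % match["field"])
            )
    return findings


def fetch_window(start, end=None, tolerance_minutes=0, now=None):
    """Return (lower, upper) for {Start Time - Tolerance Scope, End Time}, in UTC."""
    if tolerance_minutes < 0:
        raise ValueError("Tolerance Scope must not be negative")
    now = now or datetime.now(timezone.utc)
    start_dt = datetime.strptime(start, TIME_FORMAT).replace(tzinfo=timezone.utc)
    # End Time falls back to the current time when it is not specified.
    end_dt = datetime.strptime(end, TIME_FORMAT).replace(tzinfo=timezone.utc) if end else now
    lower = start_dt - timedelta(minutes=tolerance_minutes)
    if lower >= end_dt:
        raise ValueError("Start Time must be earlier than End Time")
    return lower.strftime(TIME_FORMAT), end_dt.strftime(TIME_FORMAT)


if __name__ == "__main__":
    for sample in ("severity=3^active=true", "number LIKE 10004", "Severity=3"):
        print(sample, "->", check_search_condition(sample) or "ok")
    print(fetch_window("2022-04-01 00:00", "2022-04-20 00:00", 10))
```

In practice the allow-list would come from the target table's own column list rather than a hard-coded set.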

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        {
            "parent": "",
            "made_sla": "true",
            "caused_by": "",
            "watch_list": "",
            "upon_reject": "Cancel all future Tasks",
            "sys_updated_on": "2023-01-13 11:12:36",
            "child_incidents": "0",
            "hold_reason": "",
            "origin_table": "",
            "task_effective_number": "INC********",
            "approval_history": "",
            "skills": "",
            "number": "INC********",
            "resolved_by": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "display_value": "System Administrator",
                "link": "https://dev*****.service-now.com/api/now/v2/table/sys_user/681*******************441"
            },
            "user_input": "",
            "sys_created_on": "2023-01-13 11:11:21",
            "sys_domain": {
                "display_value": "global",
                "link": "https://dev*****.service-now.com/api/now/v2/table/sys_user_group/global"
            },
            "state": "New",
            "route_reason": "",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "3 - Low",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "business_impact": "",
            "priority": "5 - Planning",
            "sys_domain_path": "/",
            "rfc": {
                "display_value": "CHG00*****",
                "link": "https://dev*****.service-now.com/api/now/v2/table/change_request/432badfa97542110c4f8337e6253afcc"
            },
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2023-01-13 11:10:37",
            "business_duration": "",
            "group_list": "",
            "work_end": "",
            "caller_id": {
                "display_value": "System Administrator",
                "link": "https://dev*****.service-now.com/api/now/v2/table/sys_user/681*******************441"
            },
            "reopened_time": "",
            "resolved_at": "",
            "approval_set": "",
            "subcategory": null,
            "work_notes": "",
            "universal_request": "",
            "short_description": "D3Test with Security Incident",
            "close_code": null,
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "additional_assignee_list": "",
            "business_stc": "",
            "cause": "",
            "description": "",
            "origin_id": "",
            "calendar_duration": "",
            "close_notes": "",
            "notify": "Do Not Notify",
            "service_offering": "",
            "sys_class_name": "Incident",
            "closed_by": "",
            "follow_up": "",
            "parent_incident": "",
            "sys_id": "b5b****************f0d",
            "contact_type": null,
            "reopened_by": "",
            "incident_state": "New",
            "urgency": "3 - Low",
            "problem_id": "",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "UNKNOWN",
            "assigned_to": "",
            "severity": "3 - Low",
            "comments": "",
            "approval": "Not Yet Requested",
            "sla_due": "UNKNOWN",
            "comments_and_work_notes": "",
            "due_date": "",
            "sys_mod_count": "1",
            "reopen_count": "0",
            "sys_tags": "",
            "escalation": "Normal",
            "upon_approval": "Proceed to Next Task",
            "correlation_id": "",
            "location": "",
            "category": "Inquiry / Help",
            "Security_Incidents": [
                {
                    "parent": {
                        "link": "https://dev*****.service-now.com/api/now/table/task/b5b****************f0d",
                        "value": "b5b****************f0d"
                    },
                    "sla_suspended_reason": "",
                    "watch_list": "",
                    "upon_reject": "cancel",
                    "sys_updated_on": "2023-01-14 00:48:15",
                    "qualification_group": "",
                    "expected_end": "",
                    "approval_history": "",
                    "source_ip": "",
                    "skills": "",
                    "number": "SIR00******",
                    "problem": "",
                    "previous_agent": "",
                    "state": "16",
                    "sys_created_by": "admin",
                    "template_workflow_invoked": "false",
                    "knowledge": "false",
                    "order": "",
                    "phish_email": "",
                    "cmdb_ci": "",
                    "delivery_plan": "",
                    "contract": "",
                    "impact": "3",
                    "active": "true",
                    "work_notes_list": "",
                    "priority": "5",
                    "sys_domain_path": "/",
                    "sla_suspended": "false",
                    "business_duration": "",
                    "group_list": "",
                    "special_access_write": "",
                    "dest_ip": "",
                    "mitre_platform": "",
                    "approval_set": "",
                    "risk_change": "up",
                    "malware_url": "",
                    "universal_request": "",
                    "template": "",
                    "short_description": "D3Test with Security Incident",
                    "correlation_display": "",
                    "delivery_task": "",
                    "work_start": "",
                    "request_type": "",
                    "affected_user": "",
                    "other_ioc": "",
                    "additional_assignee_list": "",
                    "alert_sensor": "",
                    "assigned_vendor": "",
                    "service_offering": "",
                    "sys_class_name": "sn_si_incident",
                    "closed_by": "",
                    "follow_up": "",
                    "mitre_group": "",
                    "sla_suspended_on": "",
                    "estimated_end": "",
                    "vendor_reference": "",
                    "reassignment_count": "0",
                    "assigned_to": "",
                    "request_category": "",
                    "requested_due_by": "",
                    "mitre_malware": "",
                    "sla_suspended_for": "",
                    "business_criticality": "2",
                    "sla_due": "",
                    "opened_for": {
                        "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                        "value": "681*******************441"
                    },
                    "comments_and_work_notes": "",
                    "mitre_technique": "",
                    "special_access_read": "",
                    "substate": "",
                    "escalation": "0",
                    "upon_approval": "proceed",
                    "correlation_id": "",
                    "asset": "",
                    "mitre_tool": "",
                    "spam": "false",
                    "referrer_url": "",
                    "made_sla": "true",
                    "mitre_tactic": "",
                    "is_catalog": "false",
                    "malware_hash": "",
                    "alert_rule": "",
                    "task_effective_number": "SIR00******",
                    "external_url": "",
                    "sys_updated_by": "admin",
                    "opened_by": {
                        "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                        "value": "681*******************441"
                    },
                    "user_input": "",
                    "sys_created_on": "2023-01-14 00:48:15",
                    "sys_domain": {
                        "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                        "value": "global"
                    },
                    "pir": "",
                    "route_reason": "",
                    "closed_at": "",
                    "business_service": "",
                    "attack_vector": "",
                    "time_worked": "",
                    "expected_start": "",
                    "opened_at": "2023-01-14 00:48:15",
                    "task_created": "false",
                    "work_end": "",
                    "confidence_score": "",
                    "prediction": "",
                    "automation_activity": "",
                    "subcategory": "",
                    "work_notes": "",
                    "security_tags": "",
                    "risk_score_override": "false",
                    "initiated_from": {
                        "link": "https://dev*****.service-now.com/api/now/table/task/b5b****************f0d",
                        "value": "b5b****************f0d"
                    },
                    "close_code": "",
                    "assignment_group": {
                        "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/dea**********************f19",
                        "value": "dea**********************f19"
                    },
                    "description": "",
                    "calendar_duration": "",
                    "close_notes": "",
                    "pir_respondents": "",
                    "sys_id": "73f*******************f2a",
                    "contact_type": "",
                    "urgency": "3",
                    "secure_notes": "",
                    "company": "",
                    "new_pir_respondents": "",
                    "department": "",
                    "activity_due": "",
                    "severity": "2",
                    "comments": "",
                    "risk_score": "42",
                    "approval": "not requested",
                    "due_date": "",
                    "sys_mod_count": "0",
                    "parent_security_incident": "",
                    "sys_tags": "",
                    "billable": "false",
                    "mitre_data_source": "",
                    "caller": {
                        "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                        "value": "681*******************441"
                    },
                    "location": "",
                    "risk": "3",
                    "category": "",
                    "incident": "",
                    "change_request": "",
                    "security_incident_self": {
                        "link": "https://dev*****.service-now.com/api/now/table/sn_si_incident/73f*******************f2a",
                        "value": "73f*******************f2a"
                    }
                }
            ]
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TicketSysIDs": ["b71************************087"],
    "TicketNumbers": ["INC00*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.


Fetch Event Field Mapping

Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization part of the event pipeline: it converts the original data fields from the different providers into D3 fields, which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.

If you require a custom field mapping, click +Add Field to add a custom field mapping. You may also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

As a system integration, the ServiceNow integration has some pre-configured field mappings that serve as the default field mapping.

  • Default Event Source

    The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mappings provided by the system. The default event source has a “Main Event JSON Path” (i.e., $.result) that is used to extract a batch of events from the response raw data. Click Edit Main JSON Path to view the “Main Event JSON Path”.

    • Main Event JSON Path: $.result
      The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.

      For example, the root node of the JSON Path is result, and the child node denoting the Unique Event Key field is sys_id. Putting it together, the JSON Path expression to extract the Unique Event Key is $.result.sys_id.

The pre-configured field mappings are detailed below:

Field Name

Source Field

Unique Event Key

.sys_id

Start Time

.sys_created_on

Description

.description

IncidentNumber

.number

Event Type

.category

Priority

.priority

Severity

.severity

Urgency

.urgency
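What the Main Event JSON Path and the pre-configured mappings above do to a response, as an added Python illustration (not D3's implementation): each record under $.result is reduced to the mapped fields, custom fields get the double-underscore System Name, and records re-fetched because of an overlapping Tolerance Scope are dropped by Unique Event Key. The function names, the de-duplication step, the severity reduction and the two poll responses are assumptions constructed for this example.

```python
import re

MAIN_EVENT_JSON_PATH = "$.result"
# Pre-configured mappings from the table above; source paths are relative to one event.
FIELD_MAP = {
    "Unique Event Key": ".sys_id",
    "Start Time": ".sys_created_on",
    "Description": ".description",
    "IncidentNumber": ".number",
    "Event Type": ".category",
    "Priority": ".priority",
    "Severity": ".severity",
    "Urgency": ".urgency",
}


def resolve(node, path):
    """Follow a dotted path such as '$.result' or '.sys_id'; None if a step is missing."""
    for key in path.lstrip("$").strip(".").split("."):
        if not key:
            continue
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def system_name(field_name):
    """Custom mapping: prefix two underscores and replace spaces with underscores."""
    return "__" + field_name.replace(" ", "_")


def level(value):
    """Reduce '3 - Low' (Incident) or '2' (Security Incident) to an integer."""
    match = re.match(r"\s*(\d+)", value) if isinstance(value, str) else None
    return int(match.group(1)) if match else None


def to_events(raw, custom_fields=None, seen_keys=None):
    """Map every record under the Main Event JSON Path; skip keys already seen."""
    records = resolve(raw, MAIN_EVENT_JSON_PATH)
    if not isinstance(records, list):
        raise ValueError("nothing found at %s" % MAIN_EVENT_JSON_PATH)
    seen_keys = set() if seen_keys is None else seen_keys
    events = []
    for record in records:
        key = resolve(record, FIELD_MAP["Unique Event Key"])
        if not key or key in seen_keys:
            continue  # no key, or re-fetched inside the tolerance overlap
        seen_keys.add(key)
        event = {name: resolve(record, source) for name, source in FIELD_MAP.items()}
        for name, source in (custom_fields or {}).items():
            event[system_name(name)] = resolve(record, source)
        events.append(event)
    return events


# Constructed sample data: two consecutive polls whose windows overlap.
REC_1 = {
    "sys_id": "constructed-id-001", "number": "INC0000001",
    "sys_created_on": "2023-01-13 11:11:21", "description": "",
    "category": "Inquiry / Help", "priority": "5 - Planning",
    "severity": "3 - Low", "urgency": "3 - Low",
    "opened_by": {"display_value": "System Administrator",
                  "link": "https://example.invalid/sys_user/1"},
}
REC_2 = {
    "sys_id": "constructed-id-002", "number": "SIR0000001",
    "sys_created_on": "2023-01-14 00:48:15", "description": "",
    "category": "", "priority": "5", "severity": "2", "urgency": "3",
    "opened_by": {"link": "https://example.invalid/sys_user/1", "value": "1"},
}
POLL_1 = {"result": [REC_1]}
POLL_2 = {"result": [REC_1, REC_2]}
CUSTOM = {"Opened By": ".opened_by.display_value"}

if __name__ == "__main__":
    seen = set()
    for poll in (POLL_1, POLL_2):
        for event in to_events(poll, CUSTOM, seen):
            print(event["IncidentNumber"], level(event["Severity"]), event["__Opened_By"])
```

A source field that is absent from a record maps to None rather than raising, so a wrong source path shows up as empty event fields, not as a failed fetch.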

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Top Recent Event Number) is invalid.

Error Sample Data

Fetch Event failed.

Status Code: 400.

Message: The value for parameter (Top Recent Event Number) is invalid.

Get Group Details

Retrieves group details by whole or partial group name.

READER NOTE

If you have an invalid input for the Group Names parameter, D3 SOAR will only return results from valid inputs and ignore invalid ones.

A partial group name means that a fragment of the name can be used for the search. For example, if your input is “pro”, all groups whose names contain it, such as “Problem”, “Project”, and “Approves”, will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Group Names

Optional

The whole or partial names of the groups to retrieve details for. If this parameter is not defined, the command will return a maximum of 10,000 groups with all corresponding details.

["Problem Analyzers", "admin"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        {
            "parent": "",
            "manager": "",
            "roles": "",
            "sys_mod_count": "0",
            "active": "true",
            "description": "Users who can review and approve tasks related to custom application development",
            "source": "",
            "sys_updated_on": "2021-06-28 19:12:44",
            "sys_tags": "",
            "type": "",
            "sys_id": "477**********************225",
            "sys_updated_by": "admin",
            "cost_center": "",
            "default_assignee": "",
            "sys_created_on": "2021-06-28 19:12:44",
            "name": "App Engine Admins",
            "exclude_manager": "false",
            "vendors": "",
            "email": "",
            "include_members": "false",
            "sys_created_by": "admin"
        },
        {
            "parent": "",
            "manager": "",
            "roles": "",
            "sys_mod_count": "1",
            "active": "true",
            "description": "LDAP admins group",
            "source": "",
            "sys_updated_on": "2013-07-26 21:48:47",
            "sys_tags": "",
            "type": "",
            "sys_id": "dc0db135c332010016194ffe5bba8f23",
            "sys_updated_by": "admin",
            "cost_center": "",
            "default_assignee": "",
            "sys_created_on": "2013-07-26 21:12:56",
            "name": "LDAP Admins",
            "exclude_manager": "false",
            "vendors": "",
            "email": "",
            "include_members": "false",
            "sys_created_by": "admin"
        },
        {
            "parent": "",
            "manager": "",
            "roles": "",
            "sys_mod_count": "0",
            "active": "true",
            "description": "Group that works on analyzing and fixing problems.\n\t\t",
            "source": "",
            "sys_updated_on": "2022-01-04 05:11:33",
            "sys_tags": "",
            "type": "",
            "sys_id": "0c4*******************461",
            "sys_updated_by": "admin",
            "cost_center": "",
            "default_assignee": "",
            "sys_created_on": "2022-01-04 05:11:33",
            "name": "Problem Analyzers",
            "exclude_manager": "false",
            "vendors": "",
            "email": "",
            "include_members": "false",
            "sys_created_by": "admin"
        },
        {
            "parent": "",
            "manager": "",
            "roles": "",
            "sys_mod_count": "0",
            "active": "true",
            "description": "Group used for Agent Assist Recommendation admin users",
            "source": "",
            "sys_updated_on": "2019-02-15 00:39:04",
            "sys_tags": "",
            "type": "",
            "sys_id": "c1edeb7ab7232300e64c9489de11a9e3",
            "sys_updated_by": "admin",
            "cost_center": "",
            "default_assignee": "",
            "sys_created_on": "2019-02-15 00:39:04",
            "name": "Recommendation Admin",
            "exclude_manager": "false",
            "vendors": "",
            "email": "",
            "include_members": "false",
            "sys_created_by": "admin"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "GroupNames": ["App Engine Admins", "Problem Analyzers"],
    "GroupSysIds": ["477**********************225", "0c4*******************461"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Groups Count

1000

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Group Details failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Group Names.

Error Sample Data

Get Group Details failed.

Status Code: 400.

Message: Invalid Group Names.

Get Record Details

Retrieves the details of the specified records in ServiceNow.

READER NOTE

Table Name and Record Sys IDs are required parameters to run this command.

  • Run the Query Tables command to obtain Table Names. Table Names can be found in the returned raw data, at the path $.result[*].name.

  • Run the Query Records command to obtain Record Sys IDs. Record Sys IDs can be found in the raw data, at the path $.result[*].sys_id.

ALERT

You will need to make sure the Table Name matches the Record Sys IDs. Otherwise, D3 SOAR will return an error.

It is recommended to run the Query Tables command first and choose the table name you want to get the record from. Use that table name as the input value to run the Query Records command to get Record Sys IDs.

When inputting Table Names and Record Sys IDs that you obtained from running other commands, ensure that these pairs of values match.

Input

Input Parameter

Required/Optional

Description

Example

Table Name

Required

The name of the table to retrieve record details. Table names can be obtained using the Query Tables command.

x_******_test_d3_j**_test***

Record Sys IDs

Required

The Sys IDs of the records to retrieve details. Record Sys IDs can be obtained using the Query Records command.

["vrcR******************Mfd"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "result": {
            "sys_id": "e63********************62c",
            "sys_updated_by": "admin",
            "passwd": "",
            "duedate": "",
            "sys_created_on": "2021-06-21 22:19:51",
            "sys_mod_count": "0",
            "sys_updated_on": "2021-06-21 22:19:51",
            "sys_tags": "",
            "sys_created_by": "admin"
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
      "RecordSysIDs": ["366********************697"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'sys_id': 'e63********************62c', 'sys_updated_by': 'admin', 'passwd': '', 'duedate': '', 'sys_created_on': '2021-06-21 22:19:51', 'sys_mod_count': '0', 'sys_updated_on': '2021-06-21 22:19:51', 'sys_tags': '', 'sys_created_by': 'admin'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Record Details failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Record Not Found. |

Error Sample Data

Get Record Details failed.

Status Code: 404.

Message: Record Not Found.

Get Requested Items

Retrieves specified requested items.

READER NOTE

The parameter Request Item Sys IDs Or Numbers is optional to run this command.

  • Run the Query Request Items command to obtain Request Item Sys IDs or Numbers. Request Item Sys IDs can be found in the raw data, at the path $.result[*].sys_id; Request Item Numbers can be found in the raw data, at the path $.result[*].number.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Request Item Sys IDs Or Numbers | Optional | The Sys ID or number of the requested items to retrieve details. Item Sys IDs and numbers can be obtained using the Query Request Items command. | ["056********************05d", "RITM00*****"] |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        {
            "parent": "",
            "made_sla": "true",
            "watch_list": "",
            "sc_catalog": "",
            "upon_reject": "cancel",
            "requested_for": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "sys_updated_on": "2022-05-11 19:26:23",
            "task_effective_number": "RITM00*****",
            "approval_history": "",
            "skills": "",
            "number": "RITM00*****",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "user_input": "",
            "price": "102",
            "sys_created_on": "2022-05-09 23:08:56",
            "recurring_frequency": "",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "context": "",
            "state": "1",
            "route_reason": "",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "backordered": "true",
            "contract": "",
            "impact": "3",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "4",
            "sys_domain_path": "/",
            "time_worked": "",
            "expected_start": "",
            "flow_context": "",
            "opened_at": "2022-05-09 23:08:56",
            "business_duration": "",
            "group_list": "",
            "configuration_item": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************7cc",
                "value": "0c4******************7cc"
            },
            "work_end": "",
            "approval_set": "",
            "work_notes": "",
            "order_guide": {
                "link": "https://dev*****.service-now.com/api/now/table/sc_cat_item_guide/251*********************dd6",
                "value": "251*********************dd6"
            },
            "universal_request": "",
            "request": {
                "link": "https://dev*****.service-now.com/api/now/table/sc_request/f7a******************0fc",
                "value": "f7a******************0fc"
            },
            "short_description": "test item update",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "additional_assignee_list": "",
            "description": "",
            "calendar_duration": "",
            "close_notes": "",
            "service_offering": "",
            "sys_class_name": "sc_req_item",
            "closed_by": "",
            "follow_up": "",
            "sys_id": "056********************05d",
            "contact_type": "",
            "urgency": "3",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": "",
            "comments": "",
            "quantity": "1",
            "approval": "requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "2022-05-31 00:00:00",
            "sys_mod_count": "2",
            "recurring_price": "0",
            "sys_tags": "",
            "billable": "false",
            "cat_item": {
                "link": "https://dev*****.service-now.com/api/now/table/sc_cat_item/0c5**********************739",
                "value": "0c5**********************739"
            },
            "stage": "waiting_for_approval",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": "",
            "estimated_delivery": "2021-03-25 19:16:09"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
      "RequestItemSysIDs": ["056********************05d"],
      "RequestItemNumbers": ["RITM00*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Request Items Count

1000

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Request Items failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Name Not Found. |

Error Sample Data

Get Request Items failed.

Status Code: 404.

Message: Name Not Found.

Get Request

Retrieves specified requests.

READER NOTE

The parameter Request Sys IDs Or Numbers is optional to run this command.

  • Run the Query Request Items command to obtain Request Item Sys IDs Or Numbers. Request Sys IDs can be found in the raw data, at the path $.result[*].sys_id; Request Numbers can be found in the raw data, at the path $.result[*].number.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Request Sys IDs Or Numbers | Optional | The Sys ID or number of the requests to retrieve details. Request Sys IDs and numbers can be obtained using the Query Requests command. If this parameter is not defined, all requests will be returned. | ["ca7**********************08a", "REQ00*****"] |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        {
            "parent": "",
            "delivery_address": "",
            "made_sla": "true",
            "watch_list": "",
            "upon_reject": "cancel",
            "requested_for": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/ea8****************ddb",
                "value": "ea8****************ddb"
            },
            "sys_updated_on": "2022-05-11 00:20:57",
            "task_effective_number": "REQ00*****",
            "approval_history": "",
            "skills": "",
            "number": "REQ00*****",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "user_input": "",
            "price": "1199",
            "sys_created_on": "2022-05-11 00:20:57",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "1",
            "route_reason": "",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "",
            "special_instructions": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "3",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "2",
            "sys_domain_path": "/",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2022-05-11 00:20:57",
            "business_duration": "",
            "group_list": "",
            "work_end": "",
            "approval_set": "",
            "work_notes": "",
            "universal_request": "",
            "short_description": "",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "parent_interaction": "",
            "additional_assignee_list": "",
            "description": "",
            "calendar_duration": "",
            "close_notes": "",
            "service_offering": "",
            "sys_class_name": "sc_request",
            "closed_by": "",
            "follow_up": "",
            "sys_id": "ca7**********************08a",
            "contact_type": "",
            "urgency": "2",
            "requested_date": "",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/c47********************ff3",
                "value": "c47********************ff3"
            },
            "comments": "",
            "approval": "requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "2022-05-31 00:00:00",
            "sys_mod_count": "0",
            "sys_tags": "",
            "request_state": "requested",
            "stage": "requested",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": ""
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
      "RequestSysIDs": ["ca7**********************08a"],
      "RequestNumbers": ["REQ00*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Requests Count

1000

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Request failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Name Not Found. |

Error Sample Data

Get Request failed.

Status Code: 404.

Message: Name Not Found.

Get Security Incidents

Retrieves security incidents based on Security Incident numbers or Security Incident Sys ID(s).

READER NOTE

Input parameter Security Incident Sys IDs Or Numbers is optional to run this command.

  • Run the Query Security Incidents command to obtain Request Item Sys IDs and Numbers. Sys IDs can be found in the raw data, at the path $.result[*].sys_id; Numbers can be found in the raw data, at the path $.result[*].number. Alternatively, you can run the Fetch Event command with the Incident Type parameter set to Incident to obtain the values.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Security Incident Sys IDs Or Numbers | Optional | The Sys IDs or numbers of the security incidents to retrieve details. Sys IDs and numbers can be obtained using the Query Security Incidents command. | ["eb7*****************091", "SIR00*****"] |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        {
            "parent": "",
            "sla_suspended_reason": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2022-05-10 16:49:20",
            "qualification_group": "",
            "expected_end": "",
            "approval_history": "",
            "source_ip": "",
            "skills": "",
            "number": "SIR00*****",
            "problem": "",
            "previous_agent": "",
            "state": "10",
            "sys_created_by": "admin",
            "template_workflow_invoked": "false",
            "knowledge": "false",
            "order": "",
            "phish_email": "",
            "cmdb_ci": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************78f",
                "value": "0c4******************78f"
            },
            "delivery_plan": "",
            "contract": "",
            "impact": "1",
            "active": "true",
            "work_notes_list": "",
            "priority": "1",
            "sys_domain_path": "/",
            "sla_suspended": "false",
            "business_duration": "",
            "group_list": "",
            "special_access_write": "",
            "dest_ip": "",
            "mitre_platform": "",
            "approval_set": "",
            "risk_change": "up",
            "malware_url": "",
            "universal_request": "",
            "template": "",
            "short_description": "Update Sec Incident",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "request_type": "",
            "affected_user": "",
            "other_ioc": "",
            "additional_assignee_list": "",
            "alert_sensor": "",
            "assigned_vendor": "",
            "service_offering": "",
            "sys_class_name": "sn_si_incident",
            "closed_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/c97********************233",
                "value": "c97********************233"
            },
            "follow_up": "",
            "mitre_group": "",
            "sla_suspended_on": "",
            "estimated_end": "",
            "vendor_reference": "",
            "reassignment_count": "0",
            "assigned_to": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/c97********************233",
                "value": "c97********************233"
            },
            "request_category": "",
            "requested_due_by": "",
            "mitre_malware": "",
            "sla_suspended_for": "",
            "business_criticality": "3",
            "sla_due": "",
            "opened_for": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "comments_and_work_notes": "",
            "mitre_technique": "",
            "special_access_read": "",
            "substate": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "asset": {
                "link": "https://dev*****.service-now.com/api/now/table/alm_asset/aac*******************d3b",
                "value": "aac*******************d3b"
            },
            "mitre_tool": "",
            "spam": "false",
            "referrer_url": "",
            "made_sla": "true",
            "mitre_tactic": "",
            "is_catalog": "false",
            "malware_hash": "",
            "alert_rule": "",
            "task_effective_number": "SIR00*****",
            "external_url": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "user_input": "",
            "sys_created_on": "2022-05-09 23:09:22",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "pir": "",
            "route_reason": "",
            "closed_at": "",
            "business_service": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci_service/281*******************edc",
                "value": "281*******************edc"
            },
            "attack_vector": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2022-05-09 23:09:22",
            "task_created": "false",
            "work_end": "",
            "confidence_score": "",
            "prediction": "",
            "automation_activity": "",
            "subcategory": "",
            "work_notes": "",
            "security_tags": "",
            "risk_score_override": "false",
            "initiated_from": "",
            "close_code": "",
            "assignment_group": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/b85*******************60a",
                "value": "b85*******************60a"
            },
            "description": "Create a new security incident",
            "calendar_duration": "",
            "close_notes": "",
            "pir_respondents": "c97********************233",
            "sys_id": "eb7*****************091",
            "contact_type": "email",
            "urgency": "3",
            "secure_notes": "",
            "company": "",
            "new_pir_respondents": "",
            "department": "",
            "activity_due": "",
            "severity": "1",
            "comments": "",
            "risk_score": "75",
            "approval": "not requested",
            "due_date": "",
            "sys_mod_count": "10",
            "parent_security_incident": "",
            "sys_tags": "",
            "billable": "false",
            "mitre_data_source": "",
            "caller": "",
            "location": {
                "link": "https://dev*****.service-now.com/api/now/table/cmn_location/db9********************ee0",
                "value": "db9********************ee0"
            },
            "risk": "3",
            "category": "",
            "incident": "",
            "change_request": "",
            "security_incident_self": {
                "link": "https://dev*****.service-now.com/api/now/table/sn_si_incident/eb7*****************091",
                "value": "eb7*****************091"
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
      "SecurityIncidentSysIDs": ["9dd******************d021"],
      "SecurityIncidentNumbers": ["SIR00*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Security Incidents Count

1000

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Security Incident failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Numbers Not Found. |

Error Sample Data

Get Security Incident failed.

Status Code: 404.

Message: Numbers Not Found.

Get Sys ID

Retrieves the Sys ID based on the number of the Ticket, Security Incident, Request or Requested Item.

READER NOTE

Number and Table Name are required parameters to run this command.

  • The Number must match the Table Name. Otherwise, nothing will be returned.

  • If the input Table Name is Ticket, you will need a Ticket Number to run this command. If you need a Ticket Number, run the Fetch Event command with the Incident Type parameter set to Incident. The Ticket Number can be found in the returned raw data, at the path $.result[*].number. The number has the form "INC…".

  • If the input Table Name is Security Incident, you will need a Security Incident Number to run this command. If you need a Security Incident Number, run the Query Security Incidents or Fetch Event command. For the Query Security Incidents command, the Security Incident Number can be found in the returned raw data, at the path $.result[*].number. The number has the form "SIR…". For the Fetch Event command, run the command with the Incident Type parameter set to Security Incident. The Security Incident Number can be found in the returned raw data, at the path $.result[*].number. The number has the form "SIR…".

  • If the input Table Name is Request, you will need a Request Number to run this command. If you need a Request Number, run the Query Requests command. The Request Number can be found in the returned raw data, at the path $.result[*].number. The number has the form "REQ…".

  • If the input Table Name is Request Item, you will need a Request Item Number to run this command. If you need a Request Item Number, run the Query Requested Items command. The Request Item Number can be found in the returned raw data, at the path $.result[*].number. The number has the form "RITM…".

Inputs that are invalid or do not match will result in a successful response with no output data.
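Because a mismatched Number and Table Name still returns Successful, a playbook that branches only on Return Data will continue with no Sys ID. The following added example (not D3 or ServiceNow code) checks the pair before the command runs and classifies the outcome afterwards. The helper names, the constructed sample data, and the assumption that an empty response looks like {"result": []} are illustrative only.

```python
"""Checks around the Get Sys ID command (added example, hypothetical helper names)."""

# Number prefix expected for each Table Name, as stated in the reader note.
PREFIX_BY_TABLE = {
    "Ticket": "INC",
    "Security Incident": "SIR",
    "Request": "REQ",
    "Request Item": "RITM",
}


def check_pair(number, table_name):
    """Return None when the number fits the table, otherwise the reason it does not."""
    prefix = PREFIX_BY_TABLE.get(table_name)
    if prefix is None:
        return "unknown Table Name %r" % (table_name,)
    if not isinstance(number, str) or not number.strip():
        return "Number is empty"
    if not number.strip().startswith(prefix):
        return "%r does not start with %s, as %s numbers do" % (number, prefix, table_name)
    return None


def iter_records(raw):
    """Yield record dicts from either raw-data shape shown on this page."""
    if isinstance(raw, dict):
        raw = [raw]
    for item in raw or []:
        result = item.get("result") if isinstance(item, dict) else None
        if isinstance(result, dict):        # Get Record Details: [{"result": {...}}]
            yield result
        elif isinstance(result, list):      # other commands: {"result": [{...}, ...]}
            for record in result:
                if isinstance(record, dict):
                    yield record


def pluck(raw, field):
    """Equivalent of $.result[*].<field>; reference fields collapse to their "value"."""
    values = []
    for record in iter_records(raw):
        value = record.get(field, "")
        if isinstance(value, dict):         # {"link": "...", "value": "..."}
            value = value.get("value", "")
        if value:
            values.append(value)
    return values


def classify_get_sys_id(return_data, raw, number):
    """Return (state, sys_ids) where state is 'failed', 'empty', 'mismatch' or 'ok'."""
    if return_data != "Successful":
        return ("failed", [])
    records = list(iter_records(raw))
    if not records:
        # Successful with no output data: invalid or non-matching inputs.
        return ("empty", [])
    hits = [r["sys_id"] for r in records
            if r.get("number") == number and r.get("sys_id")]
    if not hits:
        return ("mismatch", [])
    return ("ok", hits)


# Constructed sample data (not real ServiceNow output).
RAW_HIT = {"result": [{
    "number": "SIR0000001",
    "sys_id": "a" * 32,
    "assigned_to": {
        "link": "https://example.invalid/api/now/table/sys_user/" + "b" * 32,
        "value": "b" * 32,
    },
}]}
RAW_EMPTY = {"result": []}                  # assumed shape of "no output data"
RAW_RECORD_DETAILS = [{"result": {"sys_id": "c" * 32, "sys_created_by": "admin"}}]

if __name__ == "__main__":
    for number, table in [("SIR0000001", "Security Incident"), ("RITM0000001", "Request")]:
        print(number, table, "->", check_pair(number, table) or "pair is consistent")
    print(classify_get_sys_id("Successful", RAW_EMPTY, "SIR0000001"))
    print(classify_get_sys_id("Successful", RAW_HIT, "SIR0000001"))
```
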

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Number (Ticket, Security Incident, Request, Request Item) | Required | The number of the specified Incident Ticket, Security Incident, Request or Request_Item. Numbers can be obtained from the ServiceNow user interface. Incident Ticket numbers start with INC. Security Incident numbers start with SIR. Request numbers start with REQ. Request_Item numbers start with RITM. | SIR00***** |
| Table Name | Required | The name of the table to retrieve the Sys ID from. | Security Incident |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        {
            "parent": "",
            "sla_suspended_reason": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2022-05-10 16:49:20",
            "qualification_group": "",
            "expected_end": "",
            "approval_history": "",
            "source_ip": "",
            "skills": "",
            "number": "SIR00*****",
            "problem": "",
            "previous_agent": "",
            "state": "10",
            "sys_created_by": "admin",
            "template_workflow_invoked": "false",
            "knowledge": "false",
            "order": "",
            "phish_email": "",
            "cmdb_ci": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************78f",
                "value": "0c4******************78f"
            },
            "delivery_plan": "",
            "contract": "",
            "impact": "1",
            "active": "true",
            "work_notes_list": "",
            "priority": "1",
            "sys_domain_path": "/",
            "sla_suspended": "false",
            "business_duration": "",
            "group_list": "",
            "special_access_write": "",
            "dest_ip": "",
            "mitre_platform": "",
            "approval_set": "",
            "risk_change": "up",
            "malware_url": "",
            "universal_request": "",
            "template": "",
            "short_description": "Update Sec Incident",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "request_type": "",
            "affected_user": "",
            "other_ioc": "",
            "additional_assignee_list": "",
            "alert_sensor": "",
            "assigned_vendor": "",
            "service_offering": "",
            "sys_class_name": "sn_si_incident",
            "closed_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/c97********************233",
                "value": "c97********************233"
            },
            "follow_up": "",
            "mitre_group": "",
            "sla_suspended_on": "",
            "estimated_end": "",
            "vendor_reference": "",
            "reassignment_count": "0",
            "assigned_to": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/c97********************233",
                "value": "c97********************233"
            },
            "request_category": "",
            "requested_due_by": "",
            "mitre_malware": "",
            "sla_suspended_for": "",
            "business_criticality": "3",
            "sla_due": "",
            "opened_for": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "comments_and_work_notes": "",
            "mitre_technique": "",
            "special_access_read": "",
            "substate": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "asset": {
                "link": "https://dev*****.service-now.com/api/now/table/alm_asset/aac*******************d3b",
                "value": "aac*******************d3b"
            },
            "mitre_tool": "",
            "spam": "false",
            "referrer_url": "",
            "made_sla": "true",
            "mitre_tactic": "",
            "is_catalog": "false",
            "malware_hash": "",
            "alert_rule": "",
            "task_effective_number": "SIR00*****",
            "external_url": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "user_input": "",
            "sys_created_on": "2022-05-09 23:09:22",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "pir": "",
            "route_reason": "",
            "closed_at": "",
            "business_service": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci_service/281*******************edc",
                "value": "281*******************edc"
            },
            "attack_vector": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2022-05-09 23:09:22",
            "task_created": "false",
            "work_end": "",
            "confidence_score": "",
            "prediction": "",
            "automation_activity": "",
            "subcategory": "",
            "work_notes": "",
            "security_tags": "",
            "risk_score_override": "false",
            "initiated_from": "",
            "close_code": "",
            "assignment_group": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/b85*******************60a",
                "value": "b85*******************60a"
            },
            "description": "Create a new security incident",
            "calendar_duration": "",
            "close_notes": "",
            "pir_respondents": "c97********************233",
            "sys_id": "eb7*****************091",
            "contact_type": "email",
            "urgency": "3",
            "secure_notes": "",
            "company": "",
            "new_pir_respondents": "",
            "department": "",
            "activity_due": "",
            "severity": "1",
            "comments": "",
            "risk_score": "75",
            "approval": "not requested",
            "due_date": "",
            "sys_mod_count": "10",
            "parent_security_incident": "",
            "sys_tags": "",
            "billable": "false",
            "mitre_data_source": "",
            "caller": "",
            "location": {
                "link": "https://dev*****.service-now.com/api/now/table/cmn_location/db9********************ee0",
                "value": "db9********************ee0"
            },
            "risk": "3",
            "category": "",
            "incident": "",
            "change_request": "",
            "security_incident_self": {
                "link": "https://dev*****.service-now.com/api/now/table/sn_si_incident/eb7*****************091",
                "value": "eb7*****************091"
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
      "SysID": ["eb7*****************091"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'parent': '', 'sla_suspended_reason': '', 'watch_list': '', 'upon_reject': 'cancel', 'sys_updated_on': '2022-05-10 16:49:20', 'qualification_group': '', 'expected_end': '', 'approval_history': '', 'source_ip': '', 'skills': '', 'number': 'SIR00*****', 'problem': '', 'previous_agent': '', 'state': '10', 'sys_created_by': 'admin', 'template_workflow_invoked': 'false', 'knowledge': 'false', 'order': '', 'phish_email': '', 'cmdb_ci': {'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************78f', 'value': '0c4******************78f'}, 'delivery_plan': '', 'contract': '', 'impact': '1', 'active': 'true', 'work_notes_list': '', 'priority': '1', 'sys_domain_path': '/', 'sla_suspended': 'false', 'business_duration': '', 'group_list': '', 'special_access_write': '', 'dest_ip': '', 'mitre_platform': '', 'approval_set': '', 'risk_change': 'up', 'malware_url': '', 'universal_request': '', 'template': '', 'short_description': 'Update Sec Incident', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'request_type': '', 'affected_user': '', 'other_ioc': '', 'additional_assignee_list': '', 'alert_sensor': '', 'assigned_vendor': '', 'service_offering': '', 'sys_class_name': 'sn_si_incident', 'closed_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/c97********************233', 'value': 'c97********************233'}, 'follow_up': '', 'mitre_group': '', 'sla_suspended_on': '', 'estimated_end': '', 'vendor_reference': '', 'reassignment_count': '0', 'assigned_to': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/c97********************233', 'value': 'c97********************233'}, 'request_category': '', 'requested_due_by': '', 'mitre_malware': '', 'sla_suspended_for': '', 'business_criticality': '3', 'sla_due': '', 'opened_for': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'comments_and_work_notes': '', 
'mitre_technique': '', 'special_access_read': '', 'substate': '', 'escalation': '0', 'upon_approval': 'proceed', 'correlation_id': '', 'asset': {'link': 'https://dev*****.service-now.com/api/now/table/alm_asset/aac*******************d3b', 'value': 'aac*******************d3b'}, 'mitre_tool': '', 'spam': 'false', 'referrer_url': '', 'made_sla': 'true', 'mitre_tactic': '', 'is_catalog': 'false', 'malware_hash': '', 'alert_rule': '', 'task_effective_number': 'SIR00*****', 'external_url': '', 'sys_updated_by': 'admin', 'opened_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'user_input': '', 'sys_created_on': '2022-05-09 23:09:22', 'sys_domain': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global', 'value': 'global'}, 'pir': '', 'route_reason': '', 'closed_at': '', 'business_service': {'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci_service/281*******************edc', 'value': '281*******************edc'}, 'attack_vector': '', 'time_worked': '', 'expected_start': '', 'opened_at': '2022-05-09 23:09:22', 'task_created': 'false', 'work_end': '', 'confidence_score': '', 'prediction': '', 'automation_activity': '', 'subcategory': '', 'work_notes': '', 'security_tags': '', 'risk_score_override': 'false', 'initiated_from': '', 'close_code': '', 'assignment_group': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/b85*******************60a', 'value': 'b85*******************60a'}, 'description': 'Create a new security incident', 'calendar_duration': '', 'close_notes': '', 'pir_respondents': 'c97********************233', 'sys_id': 'eb7*****************091', 'contact_type': 'email', 'urgency': '3', 'secure_notes': '', 'company': '', 'new_pir_respondents': '', 'department': '', 'activity_due': '', 'severity': '1', 'comments': '', 'risk_score': '75', 'approval': 'not requested', 'due_date': '', 'sys_mod_count': '10', 
'parent_security_incident': '', 'sys_tags': '', 'billable': 'false', 'mitre_data_source': '', 'caller': '', 'location': {'link': 'https://dev*****.service-now.com/api/now/table/cmn_location/db9********************ee0', 'value': 'db9********************ee0'}, 'risk': '3', 'category': '', 'incident': '', 'change_request': '', 'security_incident_self': {'link': 'https://dev*****.service-now.com/api/now/table/sn_si_incident/eb7*****************091', 'value': 'eb7*****************091'}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Sys ID failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: User Not Authenticated. |

Error Sample Data

Get Sys ID failed.

Status Code: 403.

Message: User Not Authenticated.
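
The three-part layout described above (Failure Indicator, Status Code, Message) is regular enough to parse in a playbook script. The following is an added example, not D3's or ServiceNow's code: the function names, the category labels and the retry policy are assumptions, and the sample text is constructed from the Error Sample Data layout.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of "Error Sample Data" on this page.
SAMPLE_ERROR = """Get Sys ID failed.

Status Code: 403.

Message: User Not Authenticated.
"""

_STATUS_RE = re.compile(r"^Status Code:\s*(\d{3})\b", re.IGNORECASE)
_MESSAGE_RE = re.compile(r"^Message:\s*(.*)$", re.IGNORECASE)


@dataclass
class CommandError:
    failure_indicator: Optional[str]
    status_code: Optional[int]
    message: Optional[str]


def parse_error_tab(text: str) -> CommandError:
    """Split Error tab text into its three parts; absent parts stay None."""
    indicator = status = message = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
            continue
        m = _MESSAGE_RE.match(line)
        if m:
            message = m.group(1).rstrip(".").strip() or None
            continue
        if indicator is None:
            # First line that is neither Status Code nor Message.
            indicator = line.rstrip(".")
    return CommandError(indicator, status, message)


def triage(err: CommandError) -> dict:
    """Map the status code to a category, a retry decision and a next step.

    The categories and retry policy are assumptions for illustration.
    Authentication and authorization failures are never retried: repeating
    a rejected credential can lock the integration account.
    """
    code = err.status_code
    if code is None:
        category, retry = "no_response", True
        action = "check connectivity between D3 SOAR and the ServiceNow instance"
    elif code == 401:
        category, retry = "unauthorized", False
        action = "check the connection's permission setting in the ServiceNow portal"
    elif code == 403:
        category, retry = "forbidden", False
        action = "review the roles granted to the integration user"
    elif code == 404:
        category, retry = "not_found", False
        action = "verify the table name or Sys ID passed to the command"
    elif code == 429:
        category, retry = "rate_limited", True
        action = "back off before retrying"
    elif 500 <= code <= 599:
        category, retry = "server_error", True
        action = "retry later; escalate if it persists"
    elif 400 <= code <= 499:
        category, retry = "client_error", False
        action = "inspect the command input"
    else:
        category, retry = "unexpected", False
        action = "inspect the raw Message"
    return {
        "command": err.failure_indicator,
        "status_code": code,
        "category": category,
        "retry": retry,
        "action": action,
    }
```
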

Get Table Fields

Lists all fields of the specified table.

READER NOTE

Table Name is a required parameter to run this command.

  • Run the Query Tables command to obtain Table Name. Table Names can be found in the returned raw data, at the path $.result[*].name.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Table Name | Required | The name of the table whose fields are listed. Table names can be obtained using the Query Tables command. | sn_si_incident |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        {
            "calculation": "",
            "dynamic_ref_qual": "",
            "choice_field": "",
            "function_field": "false",
            "sys_updated_on": "2022-05-06 00:10:47",
            "spell_check": "false",
            "reference_cascade_rule": "clear",
            "reference": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_db_object?name=sys_user",
                "value": "sys_user"
            },
            "sys_updated_by": "admin",
            "read_only": "false",
            "sys_created_on": "2022-05-06 00:10:47",
            "array_denormalized": "false",
            "element_reference": "false",
            "sys_name": "Affected user",
            "reference_key": "",
            "reference_qual_condition": "",
            "xml_view": "false",
            "dependent": "",
            "internal_type": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_glide_object?name=reference",
                "value": "reference"
            },
            "sys_created_by": "admin",
            "element": "affected_user",
            "max_length": "32",
            "use_dependent_field": "false",
            "delete_roles": "",
            "active": "true",
            "choice_table": "",
            "foreign_database": "",
            "sys_update_name": "sys_dictionary_sn_si_incident_affected_user",
            "unique": "false",
            "name": "sn_si_incident",
            "dependent_on_field": "",
            "dynamic_creation": "false",
            "primary": "false",
            "sys_policy": "",
            "next_element": "",
            "virtual": "false",
            "widget": "",
            "use_dynamic_default": "false",
            "sizeclass": "",
            "mandatory": "false",
            "sys_class_name": "sys_dictionary",
            "dynamic_default_value": "",
            "sys_id": "583*******************01a",
            "write_roles": "",
            "array": "false",
            "audit": "false",
            "read_roles": "",
            "sys_scope": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_scope/828*********************ff67",
                "value": "828*********************ff67"
            },
            "create_roles": "",
            "dynamic_creation_script": "",
            "defaultsort": "",
            "column_label": "Affected user",
            "comments": "",
            "use_reference_qualifier": "simple",
            "display": "false",
            "reference_floats": "false",
            "sys_mod_count": "0",
            "default_value": "",
            "staged": "false",
            "reference_type": "",
            "sys_package": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_package/828*********************ff67",
                "value": "828*********************ff67"
            },
            "attributes": "encode_utf8=false,readonly_clickthrough=true,ref_contributions=sn_si_show_related_task_records",
            "choice": "0",
            "reference_qual": "",
            "table_reference": "false",
            "text_index": "false",
            "function_definition": ""
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
      "FieldNames": ["affected_user"], 
      "ColumnLabels": ["Affected user"],
      "SysIDs": ["583*******************01a"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'calculation': '', 'dynamic_ref_qual': '', 'choice_field': '', 'function_field': 'false', 'sys_updated_on': '2022-05-06 00:10:47', 'spell_check': 'false', 'reference_cascade_rule': 'clear', 'reference': {'link': 'https://dev*****.service-now.com/api/now/table/sys_db_object?name=sys_user', 'value': 'sys_user'}, 'sys_updated_by': 'admin', 'read_only': 'false', 'sys_created_on': '2022-05-06 00:10:47', 'array_denormalized': 'false', 'element_reference': 'false', 'sys_name': 'Affected user', 'reference_key': '', 'reference_qual_condition': '', 'xml_view': 'false', 'dependent': '', 'internal_type': {'link': 'https://dev*****.service-now.com/api/now/table/sys_glide_object?name=reference', 'value': 'reference'}, 'sys_created_by': 'admin', 'element': 'affected_user', 'max_length': '32', 'use_dependent_field': 'false', 'delete_roles': '', 'active': 'true', 'choice_table': '', 'foreign_database': '', 'sys_update_name': 'sys_dictionary_sn_si_incident_affected_user', 'unique': 'false', 'name': 'sn_si_incident', 'dependent_on_field': '', 'dynamic_creation': 'false', 'primary': 'false', 'sys_policy': '', 'next_element': '', 'virtual': 'false', 'widget': '', 'use_dynamic_default': 'false', 'sizeclass': '', 'mandatory': 'false', 'sys_class_name': 'sys_dictionary', 'dynamic_default_value': '', 'sys_id': '583*******************01a', 'write_roles': '', 'array': 'false', 'audit': 'false', 'read_roles': '', 'sys_scope': {'link': 'https://dev*****.service-now.com/api/now/table/sys_scope/828*********************ff67', 'value': '828*********************ff67'}, 'create_roles': '', 'dynamic_creation_script': '', 'defaultsort': '', 'column_label': 'Affected user', 'comments': '', 'use_reference_qualifier': 'simple', 'display': 'false', 'reference_floats': 'false', 'sys_mod_count': '0', 'default_value': '', 'staged': 'false', 'reference_type': '', 'sys_package': {'link': 'https://dev*****.service-now.com/api/now/table/sys_package/828*********************ff67', 'value': 
'828*********************ff67'}, 'attributes': 'encode_utf8=false,readonly_clickthrough=true,ref_contributions=sn_si_show_related_task_records', 'choice': '0', 'reference_qual': '', 'table_reference': 'false', 'text_index': 'false', 'function_definition': ''}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Table Fields failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: User Not Authenticated. |

Error Sample Data

Get Table Fields failed.

Status Code: 403.

Message: User Not Authenticated.

Get Tickets

Retrieves the specified incident ticket details.

READER NOTE

The parameter Ticket Sys IDs Or Numbers is required to run this command.

  • You should already have your desired Ticket Sys IDs or Numbers on hand to run this command. If you don’t, you may use the Fetch Event command with defined filters to retrieve the desired Ticket Sys IDs or Numbers. The Ticket Sys IDs can be found in the raw data at the path $.result[*].sys_id; Numbers can be found in the raw data at the path $.result[*].number.

  • Ensure that your input Sys ID belongs to a ticket. To do this, set the Incident Type parameter to "Incident". Note that any other format will not work.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Ticket Sys IDs Or Numbers | Required | The Sys IDs or numbers of the incident tickets to retrieve. Ticket Sys IDs and numbers can be obtained using the Fetch Event command. Note: Incident Ticket numbers start with “INC”. | ["b71************************087", "INC000****"] |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        {
            "parent": "",
            "made_sla": "true",
            "caused_by": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2016-12-14 02:46:44",
            "child_incidents": "0",
            "hold_reason": "",
            "task_effective_number": "INC000****",
            "approval_history": "",
            "skills": "",
            "number": "INC000****",
            "resolved_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/513********************007",
                "value": "513********************007"
            },
            "sys_updated_by": "employee",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681c******************7c7",
                "value": "681c******************7c7"
            },
            "user_input": "",
            "sys_created_on": "2016-12-12 15:19:57",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "7",
            "route_reason": "",
            "sys_created_by": "employee",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "102197",
            "closed_at": "2016-12-14 02:46:44",
            "cmdb_ci": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci/109******************dc7",
                "value": "109******************dc7"
            },
            "delivery_plan": "",
            "contract": "",
            "impact": "2",
            "active": "false",
            "work_notes_list": "",
            "business_service": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci_service/27d*******************f16",
                "value": "27d*******************f16"
            },
            "priority": "3",
            "sys_domain_path": "/",
            "rfc": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2016-12-12 15:19:57",
            "business_duration": "1970-01-01 08:00:00",
            "group_list": "",
            "work_end": "",
            "caller_id": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681c******************7c7",
                "value": "681c******************7c7"
            },
            "reopened_time": "",
            "resolved_at": "2016-12-13 21:43:14",
            "approval_set": "",
            "subcategory": "email",
            "work_notes": "",
            "universal_request": "",
            "short_description": "Unable to connect to email",
            "close_code": "Solved (Permanently)",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/287********************54e",
                "value": "287********************54e"
            },
            "additional_assignee_list": "",
            "business_stc": "28800",
            "description": "I am unable to connect to the email server. It appears to be down.",
            "calendar_duration": "1970-01-02 04:23:17",
            "close_notes": "This incident is resolved.",
            "notify": "1",
            "service_offering": "",
            "sys_class_name": "incident",
            "closed_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681c******************7c7",
                "value": "681c******************7c7"
            },
            "follow_up": "",
            "parent_incident": "",
            "sys_id": "1c7************************af3",
            "contact_type": "self-service",
            "reopened_by": "",
            "incident_state": "7",
            "urgency": "2",
            "problem_id": "",
            "company": {
                "link": "https://dev*****.service-now.com/api/now/table/core_company/31b***********************dec",
                "value": "31b***********************dec"
            },
            "reassignment_count": "2",
            "activity_due": "2016-12-13 01:26:36",
            "assigned_to": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/513********************007",
                "value": "513********************007"
            },
            "severity": "3",
            "comments": "",
            "approval": "not requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "",
            "sys_mod_count": "15",
            "reopen_count": "0",
            "sys_tags": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": "",
            "category": "inquiry"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
      "TicketSysIDs": ["7ca****************0de"],
      "TicketNumbers": ["INC00*****"] 
}
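
The reader note gives the paths $.result[*].sys_id and $.result[*].number, and the input accepts either form. The following added example (not D3's code) validates the input array before it reaches the command and then extracts the same key fields from Raw Data. The function names are hypothetical, the 32-hex-character Sys ID pattern and the "INC followed by digits" pattern are assumptions, and all values are constructed.

```python
import re

SYS_ID_RE = re.compile(r"[0-9a-f]{32}")   # assumption: Sys IDs are 32 hex characters
INC_NUMBER_RE = re.compile(r"INC\d+")     # page: incident numbers start with "INC"

# Constructed Raw Data in the shape of the Get Tickets sample (values are made up).
RAW_DATA = {
    "result": [
        {"sys_id": "0123456789abcdef0123456789abcdef", "number": "INC0000001",
         "assigned_to": {"link": "https://example.invalid/api/now/table/sys_user/"
                                 "fedcba9876543210fedcba9876543210",
                         "value": "fedcba9876543210fedcba9876543210"}},
        {"sys_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "number": "INC0000002",
         "assigned_to": ""},
    ]
}


def classify_ticket_inputs(items):
    """Sort inputs into Sys IDs, incident numbers and rejected values."""
    out = {"sys_ids": [], "numbers": [], "rejected": []}
    for item in items:
        text = item.strip() if isinstance(item, str) else ""
        if SYS_ID_RE.fullmatch(text.lower()):
            out["sys_ids"].append(text.lower())
        elif INC_NUMBER_RE.fullmatch(text.upper()):
            out["numbers"].append(text.upper())
        else:
            # Anything else (other ticket prefixes, free text) is not passed on.
            out["rejected"].append(item)
    return out


def jsonpath_values(doc, path):
    """Evaluate the JSONPath subset used on this page: $, .key and [*]."""
    if not path.startswith("$"):
        raise ValueError("path must start with $")
    tokens = re.findall(r"\.([A-Za-z_]\w*)|(\[\*\])", path[1:])
    if "".join("." + key if key else wild for key, wild in tokens) != path[1:]:
        raise ValueError("unsupported JSONPath syntax: " + path)
    nodes = [doc]
    for key, wild in tokens:
        nxt = []
        for node in nodes:
            if key and isinstance(node, dict) and key in node:
                nxt.append(node[key])
            elif wild and isinstance(node, list):
                nxt.extend(node)
        nodes = nxt
    return nodes


def scalar(value):
    """Reference fields arrive as {"link": ..., "value": ...}; keep the value."""
    if isinstance(value, dict):
        return value.get("value", "")
    return value


def key_fields(raw):
    """Build the TicketSysIDs / TicketNumbers key fields from Raw Data."""
    def collect(path):
        return [v for v in (scalar(x) for x in jsonpath_values(raw, path)) if v != ""]
    return {
        "TicketSysIDs": collect("$.result[*].sys_id"),
        "TicketNumbers": collect("$.result[*].number"),
    }


def unmatched_inputs(requested, raw):
    """Valid inputs for which no record came back."""
    fields = key_fields(raw)
    found = set(fields["TicketSysIDs"]) | set(fields["TicketNumbers"])
    wanted = classify_ticket_inputs(requested)
    return [x for x in wanted["sys_ids"] + wanted["numbers"] if x not in found]
```
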
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'parent': '', 'made_sla': 'true', 'caused_by': '', 'watch_list': '', 'upon_reject': 'cancel', 'sys_updated_on': '2016-12-14 02:46:44', 'child_incidents': '0', 'hold_reason': '', 'task_effective_number': 'INC000****', 'approval_history': '', 'skills': '', 'number': 'INC000****', 'resolved_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/513********************007', 'value': '513********************007'}, 'sys_updated_by': 'employee', 'opened_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681c******************7c7', 'value': '681c******************7c7'}, 'user_input': '', 'sys_created_on': '2016-12-12 15:19:57', 'sys_domain': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global', 'value': 'global'}, 'state': '7', 'route_reason': '', 'sys_created_by': 'employee', 'knowledge': 'false', 'order': '', 'calendar_stc': '102197', 'closed_at': '2016-12-14 02:46:44', 'cmdb_ci': {'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci/109******************dc7', 'value': '109******************dc7'}, 'delivery_plan': '', 'contract': '', 'impact': '2', 'active': 'false', 'work_notes_list': '', 'business_service': {'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci_service/27d*******************f16', 'value': '27d*******************f16'}, 'priority': '3', 'sys_domain_path': '/', 'rfc': '', 'time_worked': '', 'expected_start': '', 'opened_at': '2016-12-12 15:19:57', 'business_duration': '1970-01-01 08:00:00', 'group_list': '', 'work_end': '', 'caller_id': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681c******************7c7', 'value': '681c******************7c7'}, 'reopened_time': '', 'resolved_at': '2016-12-13 21:43:14', 'approval_set': '', 'subcategory': 'email', 'work_notes': '', 'universal_request': '', 'short_description': 'Unable to connect to email', 'close_code': 'Solved (Permanently)', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 
'assignment_group': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/287********************54e', 'value': '287********************54e'}, 'additional_assignee_list': '', 'business_stc': '28800', 'description': 'I am unable to connect to the email server. It appears to be down.', 'calendar_duration': '1970-01-02 04:23:17', 'close_notes': 'This incident is resolved.', 'notify': '1', 'service_offering': '', 'sys_class_name': 'incident', 'closed_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681c******************7c7', 'value': '681c******************7c7'}, 'follow_up': '', 'parent_incident': '', 'sys_id': '1c7************************af3', 'contact_type': 'self-service', 'reopened_by': '', 'incident_state': '7', 'urgency': '2', 'problem_id': '', 'company': {'link': 'https://dev*****.service-now.com/api/now/table/core_company/31b***********************dec', 'value': '31b***********************dec'}, 'reassignment_count': '2', 'activity_due': '2016-12-13 01:26:36', 'assigned_to': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/513********************007', 'value': '513********************007'}, 'severity': '3', 'comments': '', 'approval': 'not requested', 'sla_due': '', 'comments_and_work_notes': '', 'due_date': '', 'sys_mod_count': '15', 'reopen_count': '0', 'sys_tags': '', 'escalation': '0', 'upon_approval': 'proceed', 'correlation_id': '', 'location': '', 'category': 'inquiry'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Tickets failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: User Not Authenticated. |

Error Sample Data

Get Tickets failed.

Status Code: 403.

Message: User Not Authenticated.

Get User Details

Retrieves user details by username or email address.

READER NOTE

The parameter User Names or Emails is required to run this command.

  • User Names and Emails can be found on the ServiceNow user interface. In ServiceNow, search for System Security, then navigate to Users and Groups > Users.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| User Names or Emails | Required | The usernames or emails of the users whose details are retrieved. Note: Both whole and partial usernames are acceptable for input. | ["jona****", "mi*****"] |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        {
            "calendar_integration": "1",
            "country": "",
            "last_position_update": "",
            "user_password": "T7Baz6B14T",
            "last_login_time": "",
            "source": "",
            "sys_updated_on": "2022-03-09 19:24:20",
            "building": "",
            "web_service_access_only": "false",
            "notification": "2",
            "enable_multifactor_authn": "false",
            "sys_updated_by": "developer.program@snc",
            "sso_source": "",
            "sys_created_on": "2012-02-18 03:04:52",
            "agent_status": "",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "",
            "vip": "false",
            "sys_created_by": "admin",
            "longitude": "",
            "zip": "",
            "home_phone": "",
            "time_format": "",
            "last_login": "",
            "default_perspective": "",
            "geolocation_tracked": "false",
            "active": "true",
            "sys_domain_path": "/",
            "cost_center": {
                "link": "https://dev*****.service-now.com/api/now/table/cmn_cost_center/d9d0a971c0a80a641c20b13d99a48576",
                "value": "d9d0a971c0a80a641c20b13d99a48576"
            },
            "phone": "",
            "name": "Jon***** Wal****",
            "employee_number": "",
            "password_needs_reset": "false",
            "gender": "Male",
            "city": "",
            "failed_attempts": "",
            "user_name": "jona****.waldall",
            "latitude": "",
            "roles": "",
            "title": "",
            "sys_class_name": "sys_user",
            "sys_id": "ea8****************ddb",
            "internal_integration_user": "false",
            "ldap_server": "",
            "mobile_phone": "",
            "street": "",
            "company": {
                "link": "https://dev*****.service-now.com/api/now/table/core_company/a66b1fb03710200044e0bfc8bcbe5d08",
                "value": "a66b1fb03710200044e0bfc8bcbe5d08"
            },
            "department": {
                "link": "https://dev*****.service-now.com/api/now/table/cmn_department/221f79b7c6112284005d646b76ab978c",
                "value": "221f79b7c6112284005d646b76ab978c"
            },
            "first_name": "jona****",
            "email": "jona****.wald***@example.com",
            "introduction": "",
            "preferred_language": "",
            "manager": "",
            "business_criticality": "3",
            "locked_out": "false",
            "sys_mod_count": "4",
            "last_name": "Waldall",
            "photo": "",
            "avatar": "",
            "middle_name": "",
            "sys_tags": "",
            "time_zone": "",
            "schedule": "",
            "on_schedule": "",
            "date_format": "",
            "location": {
                "link": "https://dev*****.service-now.com/api/now/table/cmn_location/8225b668ac1d55eb679878e192fca315",
                "value": "8225b668ac1d55eb679878e192fca315"
            }
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
    "UserNames": ["Jon***** Wal****", "Mic**** Ho****"],
    "UserSysIDs": ["ea8****************ddb", "c47********************ff3"],
    "Emails": ["jona****.wald***@example.com", "mi*****.hoe***@example.com"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'calendar_integration': '1', 'country': '', 'last_position_update': '', 'user_password': 'T7***T', 'last_login_time': '', 'source': '', 'sys_updated_on': '2022-03-09 19:24:20', 'building': '', 'web_service_access_only': 'false', 'notification': '2', 'enable_multifactor_authn': 'false', 'sys_updated_by': 'developer.program@snc', 'sso_source': '', 'sys_created_on': '2012-02-18 03:04:52', 'agent_status': '', 'sys_domain': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global', 'value': 'global'}, 'state': '', 'vip': 'false', 'sys_created_by': 'admin', 'longitude': '', 'zip': '', 'home_phone': '', 'time_format': '', 'last_login': '', 'default_perspective': '', 'geolocation_tracked': 'false', 'active': 'true', 'sys_domain_path': '/', 'cost_center': {'link': 'https://dev*****.service-now.com/api/now/table/cmn_cost_center/d9***8576', 'value': 'd***a48576'}, 'phone': '', 'name': 'Jon***** Wal****', 'employee_number': '', 'password_needs_reset': 'false', 'gender': 'Male', 'city': '', 'failed_attempts': '', 'user_name': 'jona****.waldall', 'latitude': '', 'roles': '', 'title': '', 'sys_class_name': 'sys_user', 'sys_id': 'ea8****************ddb', 'internal_integration_user': 'false', 'ldap_server': '', 'mobile_phone': '', 'street': '', 'company': {'link': 'https://dev*****.service-now.com/api/now/table/core_company/a66b1fb03710200044e0bfc8bcbe5d08', 'value': 'a66b1fb03710200044e0bfc8bcbe5d08'}, 'department': {'link': 'https://dev*****.service-now.com/api/now/table/cmn_department/221f79b7c6112284005d646b76ab978c', 'value': '221f79b7c6112284005d646b76ab978c'}, 'first_name': 'jona****', 'email': 'jona****.wald***@example.com', 'introduction': '', 'preferred_language': '', 'manager': '', 'business_criticality': '3', 'locked_out': 'false', 'sys_mod_count': '4', 'last_name': 'Waldall', 'photo': '', 'avatar': '', 'middle_name': '', 'sys_tags': '', 'time_zone': '', 'schedule': '', 'on_schedule': '', 'date_format': '', 'location': {'link': 
'https://dev*****.service-now.com/api/now/table/cmn_location/8225b668ac1d55eb679878e192fca315', 'value': '8225b668ac1d55eb679878e192fca315'}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get User Details failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: User Name Not Found. |

Error Sample Data

Get User Details failed.

Status Code: 404.

Message: User Name Not Found.

Query Group Members

Retrieves member information for the specified group(s) based on query conditions.

READER NOTE

Group Name and Query are optional parameters to run this command.

  • Run the Get Group Details command to obtain Group Names. Group Names can be found in the returned raw data at the path $.result[*].name.

  • If you need to find a user Sys_ID for the Query parameter, run the Get User Details command.

A partial group name allows for search results to be generated using only a portion of the group name. For example, if the search term is "pro", all groups with names containing "pro" (such as "Problem", "Project", or "Approves") will be returned.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Group Name | Optional | The whole or partial name of the group whose member details will be retrieved. If this field is not defined, the command will return users from all groups. Group Name can be obtained using the Get Group Details command. | Problem Analyzers |
| Query | Optional | The query to filter results. For more information about the query syntax, see Operators available for filters and queries. Note: Avoid placing a space between an operator and its value. For example, instead of "user LIKE jona****", use "user LIKEjona****". Use operator "LIKE" with user names, and use operator "=" with user Sys_IDs. User Sys_IDs can be obtained using the Get User Details command. | user =ea8****************ddb |
| Limit | Optional | The maximum number of group members to return. The default value is 100. Note: If the input limit value is too large, it may affect system performance when returning a large volume of results. Set a suitable limit value to prevent this issue from occurring. | 5 |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": [
        {
            "sys_id": "ce5********************0c8",
            "sys_updated_by": "admin",
            "sys_created_on": "2022-05-10 18:44:00",
            "sys_mod_count": "0",
            "sys_updated_on": "2022-05-10 18:44:00",
            "sys_tags": "",
            "user": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/ea8****************ddb",
                "value": "ea8****************ddb"
            },
            "sys_created_by": "admin",
            "group": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/0c4*******************461",
                "value": "0c4*******************461"
            }
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
    "UserSysIDs": ["ea8****************ddb"],
    "GroupSysIDs": ["0c4*******************461"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Request failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You must have a valid Support account to call this API. |

Error Sample Data

Create Request failed.

Status Code: 403.

Message: You must have a valid Support account to call this API.

Query Records

Retrieves records matching a specified query from a table in ServiceNow.

READER NOTE

Table Name is a required parameter to run this command.

  • Run the Query Tables command to obtain Table Name. Table Names can be found in the returned raw data, at the path $.result[*].name.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Table Name | Required | The name of the table from which to query records. Table names can be obtained using the Query Tables command. | x_******_test_d3_j**_test*** |
| Query | Required | The query to retrieve records. For more information about the query syntax, see Operators available for filters and queries. If the input query field does not exist in the specified table, all records will be returned. Note: Fields and operators are case-sensitive. Avoid placing a space between an operator and its value. For example, instead of "number LIKE 10004", use "numberLIKE10004" (LIKE is the operator, 10004 is the value). | name=mi*****^numberLIKE10004 |
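
The Query rules above (case-sensitive fields and operators, no space between an operator and its value, conditions joined with ^, and an unknown field returning all records) can be checked before a playbook task runs. The following is an added example, not D3 SOAR or ServiceNow code; the function names, the operator allow-list (limited to operators shown on this page) and the lowercase field-name pattern are assumptions.

```python
import re

# Operators used in this page's examples. An allow-list chosen for this
# example (assumption), not the full ServiceNow operator set.
ALLOWED_OPERATORS = ("<=", "=", "LIKE")

# Assumption: field names are lowercase identifiers such as "number".
FIELD_RE = re.compile(r"[a-z][a-z0-9_]*")

# field, optional spaces, operator, then the rest of the condition as value.
CONDITION_RE = re.compile(r"\s*([a-z][a-z0-9_]*)\s*(<=|=|LIKE)(.*)", re.DOTALL)

# Column names copied from the Query Records sample Raw Data on this page.
SAMPLE_FIELDS = {"address", "birth_date", "number", "sys_id", "name", "id", "email"}


def build_condition(field, operator, value):
    """Return one 'fieldOPERATORvalue' condition or raise ValueError."""
    if not FIELD_RE.fullmatch(field):
        raise ValueError(f"invalid field name: {field!r}")
    if operator not in ALLOWED_OPERATORS:  # case-sensitive: 'like' is rejected
        raise ValueError(f"operator not allowed: {operator!r}")
    if not isinstance(value, str) or value == "":
        raise ValueError("value must be a non-empty string")
    if value != value.strip():
        raise ValueError("value has leading or trailing whitespace")
    if "^" in value or any(ord(ch) < 0x20 for ch in value):
        # '^' joins conditions, so a value carrying it would add a condition.
        raise ValueError("value contains '^' or a control character")
    return f"{field}{operator}{value}"


def build_query(conditions, known_fields=None):
    """Join (field, operator, value) tuples with '^' (AND)."""
    parts = []
    for field, operator, value in conditions:
        # An unknown field makes the filter a no-op and returns all records,
        # so refuse it when the table's columns are known.
        if known_fields is not None and field not in known_fields:
            raise ValueError(f"field {field!r} is not a column of the table")
        parts.append(build_condition(field, operator, value))
    if not parts:
        raise ValueError("refusing to build an empty query")
    return "^".join(parts)


def lint_query(query, known_fields=None):
    """Return a list of problems found in a hand-written query string.

    Only '^' (AND) joins are handled, as in this page's examples.
    """
    problems = []
    for raw in query.split("^"):
        shown = raw.strip()
        match = CONDITION_RE.fullmatch(raw)
        if match is None:
            problems.append(f"{shown!r}: no field followed by an allowed operator")
            continue
        field, operator, value = match.groups()
        if value[:1].isspace():
            problems.append(f"{shown!r}: space between {operator} and its value")
        if value.strip() == "":
            problems.append(f"{shown!r}: empty value")
        if known_fields is not None and field not in known_fields:
            problems.append(f"{shown!r}: field {field!r} is not a column of the table")
    return problems


if __name__ == "__main__":
    print(build_query([("name", "=", "mi*****"), ("number", "LIKE", "10004")],
                      SAMPLE_FIELDS))
    for candidate in ("number LIKE 10004", "numberlike10004", "nmae=mi*****"):
        print(candidate, "->", lint_query(candidate, SAMPLE_FIELDS))
```

Passing the column names from a known-good record as known_fields catches a misspelled field before it silently returns the whole table.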

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": [
        {
            "address": "700, * ****** **, surrey",
            "birth_date": "1975-12-01 00:00:00",
            "sys_mod_count": "0",
            "sys_updated_on": "2021-07-05 21:28:31",
            "sys_tags": "",
            "number": "",
            "sys_id": "03b***************644",
            "sys_updated_by": "admin",
            "sys_created_on": "2021-07-05 21:28:31",
            "name": "mi*****",
            "id": "10004",
            "email": "example@example.com",
            "sys_created_by": "admin"
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
    "RecordSysIDs": ["366********************697"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'address': '700, * ****** **, surrey', 'birth_date': '1975-12-01 00:00:00', 'sys_mod_count': '0', 'sys_updated_on': '2021-07-05 21:28:31', 'sys_tags': '', 'number': '', 'sys_id': '03b***************644', 'sys_updated_by': 'admin', 'sys_created_on': '2021-07-05 21:28:31', 'name': 'mi*****', 'id': '10004', 'email': 'example@example.com', 'sys_created_by': 'admin'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Query Records Failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Table Name Not Found. |

Error Sample Data

Query Records Failed.

Status Code: 404.

Message: Table Name Not Found.

Query Requested Items

Retrieves Requested Item(s) from the Requested Item table based on the query condition.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Query | Optional | The query to retrieve requested items. For more information about the query syntax, see Operators available for filters and queries. If the input query field does not exist in the specified table, all records will be returned. Note: Fields and operators are case-sensitive. Avoid placing a space between an operator and its value. For example, instead of "number LIKE 10004", use "numberLIKE10004" (LIKE is the operator, 10004 is the value). | numberLIKERITM00***** ^priority<=4 |
| Limit | Optional | The maximum number of requested items to return. The default value is 100. Note: If the input limit value is too large, it may affect system performance when returning a large volume of results. Set a suitable limit value to prevent this issue from occurring. | 5 |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": [
        {
            "parent": "",
            "made_sla": "true",
            "watch_list": "",
            "sc_catalog": "",
            "upon_reject": "cancel",
            "requested_for": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "sys_updated_on": "2022-05-05 20:06:27",
            "task_effective_number": "RITM00*****",
            "approval_history": "",
            "skills": "",
            "number": "RITM00*****",
            "sys_updated_by": "D3*****",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/0be*****************0a3",
                "value": "0be*****************0a3"
            },
            "user_input": "",
            "price": "102",
            "sys_created_on": "2022-05-05 20:06:27",
            "recurring_frequency": "",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "context": "",
            "state": "1",
            "route_reason": "",
            "sys_created_by": "D3*****",
            "knowledge": "false",
            "order": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "backordered": "true",
            "contract": "",
            "impact": "3",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "4",
            "sys_domain_path": "/",
            "time_worked": "",
            "expected_start": "",
            "flow_context": "",
            "opened_at": "2022-05-05 20:06:27",
            "business_duration": "",
            "group_list": "",
            "configuration_item": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************7cc",
                "value": "0c4******************7cc"
            },
            "work_end": "",
            "approval_set": "",
            "work_notes": "",
            "order_guide": {
                "link": "https://dev*****.service-now.com/api/now/table/sc_cat_item_guide/251*********************dd6",
                "value": "251*********************dd6"
            },
            "universal_request": "",
            "request": {
                "link": "https://dev*****.service-now.com/api/now/table/sc_request/771********************60b",
                "value": "771********************60b"
            },
            "short_description": "",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "additional_assignee_list": "",
            "description": "",
            "calendar_duration": "",
            "close_notes": "",
            "service_offering": "",
            "sys_class_name": "sc_req_item",
            "closed_by": "",
            "follow_up": "",
            "sys_id": "014*********************090",
            "contact_type": "",
            "urgency": "3",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": "",
            "comments": "",
            "quantity": "1",
            "approval": "not requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "2021-03-20 19:15:53",
            "sys_mod_count": "0",
            "recurring_price": "0",
            "sys_tags": "",
            "billable": "false",
            "cat_item": {
                "link": "https://dev*****.service-now.com/api/now/table/sc_cat_item/0c5**********************739",
                "value": "0c5**********************739"
            },
            "stage": "waiting_for_approval",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": "",
            "estimated_delivery": "2021-03-25 19:16:09"
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
    "RequestItemSysIDs": ["014*********************090"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'parent': '', 'made_sla': 'true', 'watch_list': '', 'sc_catalog': '', 'upon_reject': 'cancel', 'requested_for': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'sys_updated_on': '2022-05-05 20:06:27', 'task_effective_number': 'RITM00*****', 'approval_history': '', 'skills': '', 'number': 'RITM00*****', 'sys_updated_by': 'D3*****', 'opened_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/0be*****************0a3', 'value': '0be*****************0a3'}, 'user_input': '', 'price': '102', 'sys_created_on': '2022-05-05 20:06:27', 'recurring_frequency': '', 'sys_domain': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global', 'value': 'global'}, 'context': '', 'state': '1', 'route_reason': '', 'sys_created_by': 'D3*****', 'knowledge': 'false', 'order': '', 'closed_at': '', 'cmdb_ci': '', 'delivery_plan': '', 'backordered': 'true', 'contract': '', 'impact': '3', 'active': 'true', 'work_notes_list': '', 'business_service': '', 'priority': '4', 'sys_domain_path': '/', 'time_worked': '', 'expected_start': '', 'flow_context': '', 'opened_at': '2022-05-05 20:06:27', 'business_duration': '', 'group_list': '', 'configuration_item': {'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************7cc', 'value': '0c4******************7cc'}, 'work_end': '', 'approval_set': '', 'work_notes': '', 'order_guide': {'link': 'https://dev*****.service-now.com/api/now/table/sc_cat_item_guide/251*********************dd6', 'value': '251*********************dd6'}, 'universal_request': '', 'request': {'link': 'https://dev*****.service-now.com/api/now/table/sc_request/771********************60b', 'value': '771********************60b'}, 'short_description': '', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'assignment_group': '', 'additional_assignee_list': '', 'description': '', 'calendar_duration': '', 'close_notes': '', 
'service_offering': '', 'sys_class_name': 'sc_req_item', 'closed_by': '', 'follow_up': '', 'sys_id': '014*********************090', 'contact_type': '', 'urgency': '3', 'company': '', 'reassignment_count': '0', 'activity_due': '', 'assigned_to': '', 'comments': '', 'quantity': '1', 'approval': 'not requested', 'sla_due': '', 'comments_and_work_notes': '', 'due_date': '2021-03-20 19:15:53', 'sys_mod_count': '0', 'recurring_price': '0', 'sys_tags': '', 'billable': 'false', 'cat_item': {'link': 'https://dev*****.service-now.com/api/now/table/sc_cat_item/0c5**********************739', 'value': '0c5**********************739'}, 'stage': 'waiting_for_approval', 'escalation': '0', 'upon_approval': 'proceed', 'correlation_id': '', 'location': '', 'estimated_delivery': '2021-03-25 19:16:09'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Query Request Items failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Query. |

Error Sample Data

Query Request Items failed.

Status Code: 400.

Message: Invalid Query.

Query Requests

Retrieves request(s) from the sc_request table based on the query condition.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Query | Optional | The query to filter results. For more information about the query syntax, see Operators available for filters and queries. If the input query field does not exist in the specified table, all records will be returned. Note: Avoid placing a space between an operator and its value. For example, instead of "number LIKE REQ001000", use "numberLIKEREQ001000" (LIKE is the operator, REQ001000 is the value). | numberLIKEREQ00100^priority<=3 |
| Limit | Optional | The maximum number of requests to return. The default value is 100. Note: If the input limit value is too large, it may affect system performance when returning a large volume of results. Set a suitable limit value to prevent this issue from occurring. | 5 |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": [
        {
            "parent": "",
            "delivery_address": "",
            "made_sla": "true",
            "watch_list": "",
            "upon_reject": "cancel",
            "requested_for": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "sys_updated_on": "2022-05-09 21:50:42",
            "task_effective_number": "REQ00*****",
            "approval_history": "",
            "skills": "",
            "number": "REQ00*****",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "user_input": "",
            "price": "0",
            "sys_created_on": "2022-05-06 21:41:49",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "1",
            "route_reason": "",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "",
            "special_instructions": "Short description demo",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "3",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "4",
            "sys_domain_path": "/",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2022-05-06 21:41:49",
            "business_duration": "",
            "group_list": "",
            "work_end": "",
            "approval_set": "",
            "work_notes": "",
            "universal_request": "",
            "short_description": "Short description demo",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "parent_interaction": "",
            "additional_assignee_list": "",
            "description": "Description demo",
            "calendar_duration": "",
            "close_notes": "",
            "service_offering": "",
            "sys_class_name": "sc_request",
            "closed_by": "",
            "follow_up": "",
            "sys_id": "f7a******************0fc",
            "contact_type": "",
            "urgency": "3",
            "requested_date": "",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": "",
            "comments": "",
            "approval": "requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "2021-03-10 20:08:06",
            "sys_mod_count": "2",
            "sys_tags": "",
            "request_state": "requested",
            "stage": "requested",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": ""
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
    "RequestSysIDs": ["f7a******************0fc"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'parent': '', 'delivery_address': '', 'made_sla': 'true', 'watch_list': '', 'upon_reject': 'cancel', 'requested_for': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'sys_updated_on': '2022-05-09 21:50:42', 'task_effective_number': 'REQ00*****', 'approval_history': '', 'skills': '', 'number': 'REQ00*****', 'sys_updated_by': 'admin', 'opened_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'user_input': '', 'price': '0', 'sys_created_on': '2022-05-06 21:41:49', 'sys_domain': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global', 'value': 'global'}, 'state': '1', 'route_reason': '', 'sys_created_by': 'admin', 'knowledge': 'false', 'order': '', 'calendar_stc': '', 'special_instructions': 'Short description demo', 'closed_at': '', 'cmdb_ci': '', 'delivery_plan': '', 'contract': '', 'impact': '3', 'active': 'true', 'work_notes_list': '', 'business_service': '', 'priority': '4', 'sys_domain_path': '/', 'time_worked': '', 'expected_start': '', 'opened_at': '2022-05-06 21:41:49', 'business_duration': '', 'group_list': '', 'work_end': '', 'approval_set': '', 'work_notes': '', 'universal_request': '', 'short_description': 'Short description demo', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'assignment_group': '', 'parent_interaction': '', 'additional_assignee_list': '', 'description': 'Description demo', 'calendar_duration': '', 'close_notes': '', 'service_offering': '', 'sys_class_name': 'sc_request', 'closed_by': '', 'follow_up': '', 'sys_id': 'f7a******************0fc', 'contact_type': '', 'urgency': '3', 'requested_date': '', 'company': '', 'reassignment_count': '0', 'activity_due': '', 'assigned_to': '', 'comments': '', 'approval': 'requested', 'sla_due': '', 'comments_and_work_notes': '', 'due_date': '2021-03-10 20:08:06', 'sys_mod_count': '2', 
'sys_tags': '', 'request_state': 'requested', 'stage': 'requested', 'escalation': '0', 'upon_approval': 'proceed', 'correlation_id': '', 'location': ''}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Requests failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Query. |

Error Sample Data

Create Requests failed.

Status Code: 400.

Message: Invalid Query.

Query Security Incidents

Retrieves security incidents based on the query condition.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Query | Optional | The query to filter results. For more information about the query syntax, see Operators available for filters and queries. Note: Avoid placing a space between an operator and its value. For example, instead of "number LIKE SIR00*****", use "numberLIKESIR00*****" (LIKE is the operator, SIR00***** is the value). | priority <=2 ^ numberLIKESIR00100 |
| Limit | Optional | The maximum number of security incidents to return. The default value is 100. Note: If the input limit value is too large, it may affect system performance when returning a large volume of results. Set a suitable limit value to prevent this issue from occurring. | 3 |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": [
        {
            "parent": "",
            "sla_suspended_reason": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2022-05-10 16:49:20",
            "qualification_group": "",
            "expected_end": "",
            "approval_history": "",
            "source_ip": "",
            "skills": "",
            "number": "SIR00*****",
            "problem": "",
            "previous_agent": "",
            "state": "10",
            "sys_created_by": "admin",
            "template_workflow_invoked": "false",
            "knowledge": "false",
            "order": "",
            "phish_email": "",
            "cmdb_ci": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************78f",
                "value": "0c4******************78f"
            },
            "delivery_plan": "",
            "contract": "",
            "impact": "1",
            "active": "true",
            "work_notes_list": "",
            "priority": "1",
            "sys_domain_path": "/",
            "sla_suspended": "false",
            "business_duration": "",
            "group_list": "",
            "special_access_write": "",
            "dest_ip": "",
            "mitre_platform": "",
            "approval_set": "",
            "risk_change": "up",
            "malware_url": "",
            "universal_request": "",
            "template": "",
            "short_description": "Update Sec Incident",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "request_type": "",
            "affected_user": "",
            "other_ioc": "",
            "additional_assignee_list": "",
            "alert_sensor": "",
            "assigned_vendor": "",
            "service_offering": "",
            "sys_class_name": "sn_si_incident",
            "closed_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/c97********************233",
                "value": "c97********************233"
            },
            "follow_up": "",
            "mitre_group": "",
            "sla_suspended_on": "",
            "estimated_end": "",
            "vendor_reference": "",
            "reassignment_count": "0",
            "assigned_to": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/c97********************233",
                "value": "c97********************233"
            },
            "request_category": "",
            "requested_due_by": "",
            "mitre_malware": "",
            "sla_suspended_for": "",
            "business_criticality": "3",
            "sla_due": "",
            "opened_for": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "comments_and_work_notes": "",
            "mitre_technique": "",
            "special_access_read": "",
            "substate": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "asset": {
                "link": "https://dev*****.service-now.com/api/now/table/alm_asset/aac*******************d3b",
                "value": "aac*******************d3b"
            },
            "mitre_tool": "",
            "spam": "false",
            "referrer_url": "",
            "made_sla": "true",
            "mitre_tactic": "",
            "is_catalog": "false",
            "malware_hash": "",
            "alert_rule": "",
            "task_effective_number": "SIR00*****",
            "external_url": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "user_input": "",
            "sys_created_on": "2022-05-09 23:09:22",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "pir": "",
            "route_reason": "",
            "closed_at": "",
            "business_service": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci_service/281*******************edc",
                "value": "281*******************edc"
            },
            "attack_vector": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2022-05-09 23:09:22",
            "task_created": "false",
            "work_end": "",
            "confidence_score": "",
            "prediction": "",
            "automation_activity": "",
            "subcategory": "",
            "work_notes": "",
            "security_tags": "",
            "risk_score_override": "false",
            "initiated_from": "",
            "close_code": "",
            "assignment_group": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/b85*******************60a",
                "value": "b85*******************60a"
            },
            "description": "Create a new security incident",
            "calendar_duration": "",
            "close_notes": "",
            "pir_respondents": "c97********************233",
            "sys_id": "eb7*****************091",
            "contact_type": "email",
            "urgency": "3",
            "secure_notes": "",
            "company": "",
            "new_pir_respondents": "",
            "department": "",
            "activity_due": "",
            "severity": "1",
            "comments": "",
            "risk_score": "75",
            "approval": "not requested",
            "due_date": "",
            "sys_mod_count": "10",
            "parent_security_incident": "",
            "sys_tags": "",
            "billable": "false",
            "mitre_data_source": "",
            "caller": "",
            "location": {
                "link": "https://dev*****.service-now.com/api/now/table/cmn_location/db9********************ee0",
                "value": "db9********************ee0"
            },
            "risk": "3",
            "category": "",
            "incident": "",
            "change_request": "",
            "security_incident_self": {
                "link": "https://dev*****.service-now.com/api/now/table/sn_si_incident/eb7*****************091",
                "value": "eb7*****************091"
            }
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
    "SecurityIncidentSysIDs": ["9dd******************d021"],
    "SecurityIncidentNumbers": ["SIR00*****"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'parent': '', 'sla_suspended_reason': '', 'watch_list': '', 'upon_reject': 'cancel', 'sys_updated_on': '2022-05-10 16:49:20', 'qualification_group': '', 'expected_end': '', 'approval_history': '', 'source_ip': '', 'skills': '', 'number': 'SIR00*****', 'problem': '', 'previous_agent': '', 'state': '10', 'sys_created_by': 'admin', 'template_workflow_invoked': 'false', 'knowledge': 'false', 'order': '', 'phish_email': '', 'cmdb_ci': {'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************78f', 'value': '0c4******************78f'}, 'delivery_plan': '', 'contract': '', 'impact': '1', 'active': 'true', 'work_notes_list': '', 'priority': '1', 'sys_domain_path': '/', 'sla_suspended': 'false', 'business_duration': '', 'group_list': '', 'special_access_write': '', 'dest_ip': '', 'mitre_platform': '', 'approval_set': '', 'risk_change': 'up', 'malware_url': '', 'universal_request': '', 'template': '', 'short_description': 'Update Sec Incident', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'request_type': '', 'affected_user': '', 'other_ioc': '', 'additional_assignee_list': '', 'alert_sensor': '', 'assigned_vendor': '', 'service_offering': '', 'sys_class_name': 'sn_si_incident', 'closed_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/c97********************233', 'value': 'c97********************233'}, 'follow_up': '', 'mitre_group': '', 'sla_suspended_on': '', 'estimated_end': '', 'vendor_reference': '', 'reassignment_count': '0', 'assigned_to': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/c97********************233', 'value': 'c97********************233'}, 'request_category': '', 'requested_due_by': '', 'mitre_malware': '', 'sla_suspended_for': '', 'business_criticality': '3', 'sla_due': '', 'opened_for': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'comments_and_work_notes': '', 
'mitre_technique': '', 'special_access_read': '', 'substate': '', 'escalation': '0', 'upon_approval': 'proceed', 'correlation_id': '', 'asset': {'link': 'https://dev*****.service-now.com/api/now/table/alm_asset/aac*******************d3b', 'value': 'aac*******************d3b'}, 'mitre_tool': '', 'spam': 'false', 'referrer_url': '', 'made_sla': 'true', 'mitre_tactic': '', 'is_catalog': 'false', 'malware_hash': '', 'alert_rule': '', 'task_effective_number': 'SIR00*****', 'external_url': '', 'sys_updated_by': 'admin', 'opened_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'user_input': '', 'sys_created_on': '2022-05-09 23:09:22', 'sys_domain': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global', 'value': 'global'}, 'pir': '', 'route_reason': '', 'closed_at': '', 'business_service': {'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci_service/281*******************edc', 'value': '281*******************edc'}, 'attack_vector': '', 'time_worked': '', 'expected_start': '', 'opened_at': '2022-05-09 23:09:22', 'task_created': 'false', 'work_end': '', 'confidence_score': '', 'prediction': '', 'automation_activity': '', 'subcategory': '', 'work_notes': '', 'security_tags': '', 'risk_score_override': 'false', 'initiated_from': '', 'close_code': '', 'assignment_group': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/b85*******************60a', 'value': 'b85*******************60a'}, 'description': 'Create a new security incident', 'calendar_duration': '', 'close_notes': '', 'pir_respondents': 'c97********************233', 'sys_id': 'eb7*****************091', 'contact_type': 'email', 'urgency': '3', 'secure_notes': '', 'company': '', 'new_pir_respondents': '', 'department': '', 'activity_due': '', 'severity': '1', 'comments': '', 'risk_score': '75', 'approval': 'not requested', 'due_date': '', 'sys_mod_count': '10', 
'parent_security_incident': '', 'sys_tags': '', 'billable': 'false', 'mitre_data_source': '', 'caller': '', 'location': {'link': 'https://dev*****.service-now.com/api/now/table/cmn_location/db9********************ee0', 'value': 'db9********************ee0'}, 'risk': '3', 'category': '', 'incident': '', 'change_request': '', 'security_incident_self': {'link': 'https://dev*****.service-now.com/api/now/table/sn_si_incident/eb7*****************091', 'value': 'eb7*****************091'}}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Query Security Incidents failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Query. |

Error Sample Data

Query Security Incidents failed.

Status Code: 400.

Message: Invalid Query.

Query Server Info

Queries server info by server IP address or server name.

READER NOTE

The parameter Server Names or IPs is required to run this command.

  • You should already have your desired Server Names or IPs on hand to run this command. If you don’t, you may use the Fetch Event command with defined filters to retrieve the desired Server Names or IPs. They will be listed if the records have related information.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Server Names or IPs | Required | The IP addresses or server names of the servers to query. Server Names or IPs can be obtained using the Fetch Event command. | ["192.168.***.***", "je**c"] |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": [
        {
            "attested_date": "",
            "skip_sync": "false",
            "operational_status": "Operational",
            "sys_updated_on": "2022-05-06 14:22:32",
            "attestation_score": "",
            "discovery_source": null,
            "first_discovered": "",
            "sys_updated_by": "admin",
            "due_in": null,
            "sys_created_on": "2022-05-06 14:22:32",
            "sys_domain": {
                "display_value": "global",
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global"
            },
            "install_date": "",
            "gl_account": "",
            "invoice_number": "",
            "sys_created_by": "admin",
            "warranty_expiration": "",
            "asset_tag": "",
            "fqdn": "",
            "change_control": "",
            "owned_by": "",
            "checked_out": "",
            "sys_domain_path": "/",
            "business_unit": "",
            "delivery_date": "",
            "maintenance_schedule": "",
            "install_status": "Installed",
            "cost_center": "",
            "attested_by": "",
            "supported_by": "",
            "dns_domain": "",
            "name": "je**c",
            "assigned": "",
            "life_cycle_stage": "",
            "purchase_date": "",
            "subcategory": "",
            "short_description": "",
            "u_primary_service": {
                "display_value": "INC00*****",
                "link": "https://dev*****.service-now.com/api/now/table/incident/b71************************087"
            },
            "assignment_group": "",
            "managed_by": "",
            "managed_by_group": "",
            "can_print": "false",
            "last_discovered": "",
            "sys_class_name": "Configuration Item",
            "manufacturer": "",
            "sys_id": "1d4********************0be",
            "po_number": "",
            "checked_in": "",
            "sys_class_path": "/!!",
            "life_cycle_stage_status": "",
            "mac_address": "",
            "vendor": "",
            "company": "",
            "justification": "",
            "model_number": "",
            "department": "",
            "assigned_to": "",
            "start_date": "",
            "comments": "",
            "cost": "",
            "u_environment": "env_na",
            "sys_mod_count": "0",
            "monitor": "false",
            "serial_number": "",
            "ip_address": "",
            "model_id": "",
            "duplicate_of": "",
            "sys_tags": "",
            "cost_cc": "USD",
            "order_date": "",
            "schedule": "",
            "support_group": "",
            "environment": null,
            "due": "",
            "attested": "false",
            "correlation_id": "",
            "unverified": "false",
            "attributes": "",
            "location": "",
            "asset": "",
            "category": "",
            "fault_count": "0",
            "lease_id": ""
        },
        {
            "attested_date": "",
            "skip_sync": "false",
            "operational_status": "Operational",
            "sys_updated_on": "2022-05-05 13:15:52",
            "attestation_score": "",
            "discovery_source": null,
            "first_discovered": "",
            "sys_updated_by": "admin",
            "due_in": null,
            "sys_created_on": "2016-01-06 09:02:04",
            "sys_domain": {
                "display_value": "global",
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global"
            },
            "install_date": "",
            "gl_account": "",
            "invoice_number": "",
            "sys_created_by": "glide.maint",
            "warranty_expiration": "",
            "asset_tag": "",
            "fqdn": "",
            "change_control": "",
            "owned_by": "",
            "checked_out": "",
            "sys_domain_path": "/",
            "business_unit": "",
            "delivery_date": "",
            "maintenance_schedule": "",
            "install_status": "Installed",
            "cost_center": "",
            "attested_by": "",
            "supported_by": "",
            "dns_domain": "",
            "name": "Storage-D3",
            "assigned": "",
            "life_cycle_stage": "",
            "purchase_date": "",
            "subcategory": "",
            "short_description": "",
            "u_primary_service": "",
            "assignment_group": "",
            "managed_by": "",
            "managed_by_group": "",
            "can_print": "false",
            "last_discovered": "",
            "sys_class_name": "Windows Cluster Node",
            "manufacturer": "",
            "sys_id": "b4e**********************119",
            "po_number": "",
            "checked_in": "",
            "sys_class_path": "/!!/!+/!#",
            "life_cycle_stage_status": "",
            "mac_address": "",
            "vendor": "",
            "company": "",
            "justification": "",
            "model_number": "",
            "department": "",
            "assigned_to": "",
            "start_date": "",
            "comments": "",
            "cost": "",
            "u_environment": "",
            "sys_mod_count": "3",
            "monitor": "false",
            "serial_number": "",
            "ip_address": "192.168.***.***",
            "model_id": {
                "display_value": "",
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_model/5d08f2197f301200bee45f19befa916e"
            },
            "duplicate_of": "",
            "sys_tags": "",
            "cost_cc": "USD",
            "order_date": "",
            "schedule": "",
            "support_group": "",
            "environment": null,
            "due": "",
            "attested": "false",
            "correlation_id": "",
            "unverified": "false",
            "attributes": "",
            "location": "",
            "asset": "",
            "category": "",
            "fault_count": "0",
            "lease_id": ""
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
    "ServerNames": ["je**c", "Storage-D3"],
    "IPAddresses": ["192.168.***.***"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'attested_date': '', 'skip_sync': 'false', 'operational_status': 'Operational', 'sys_updated_on': '2022-05-06 14:22:32', 'attestation_score': '', 'discovery_source': None, 'first_discovered': '', 'sys_updated_by': 'admin', 'due_in': None, 'sys_created_on': '2022-05-06 14:22:32', 'sys_domain': {'display_value': 'global', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global'}, 'install_date': '', 'gl_account': '', 'invoice_number': '', 'sys_created_by': 'admin', 'warranty_expiration': '', 'asset_tag': '', 'fqdn': '', 'change_control': '', 'owned_by': '', 'checked_out': '', 'sys_domain_path': '/', 'business_unit': '', 'delivery_date': '', 'maintenance_schedule': '', 'install_status': 'Installed', 'cost_center': '', 'attested_by': '', 'supported_by': '', 'dns_domain': '', 'name': 'je**c', 'assigned': '', 'life_cycle_stage': '', 'purchase_date': '', 'subcategory': '', 'short_description': '', 'u_primary_service': {'display_value': 'INC00*****', 'link': 'https://dev*****.service-now.com/api/now/table/incident/b71************************087'}, 'assignment_group': '', 'managed_by': '', 'managed_by_group': '', 'can_print': 'false', 'last_discovered': '', 'sys_class_name': 'Configuration Item', 'manufacturer': '', 'sys_id': '1d4********************0be', 'po_number': '', 'checked_in': '', 'sys_class_path': '/!!', 'life_cycle_stage_status': '', 'mac_address': '', 'vendor': '', 'company': '', 'justification': '', 'model_number': '', 'department': '', 'assigned_to': '', 'start_date': '', 'comments': '', 'cost': '', 'u_environment': 'env_na', 'sys_mod_count': '0', 'monitor': 'false', 'serial_number': '', 'ip_address': '', 'model_id': '', 'duplicate_of': '', 'sys_tags': '', 'cost_cc': 'USD', 'order_date': '', 'schedule': '', 'support_group': '', 'environment': None, 'due': '', 'attested': 'false', 'correlation_id': '', 'unverified': 'false', 'attributes': '', 'location': '', 'asset': '', 'category': '', 'fault_count': '0', 'lease_id': ''}

  • {'attested_date': '', 'skip_sync': 'false', 'operational_status': 'Operational', 'sys_updated_on': '2022-05-05 13:15:52', 'attestation_score': '', 'discovery_source': None, 'first_discovered': '', 'sys_updated_by': 'admin', 'due_in': None, 'sys_created_on': '2016-01-06 09:02:04', 'sys_domain': {'display_value': 'global', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global'}, 'install_date': '', 'gl_account': '', 'invoice_number': '', 'sys_created_by': 'glide.maint', 'warranty_expiration': '', 'asset_tag': '', 'fqdn': '', 'change_control': '', 'owned_by': '', 'checked_out': '', 'sys_domain_path': '/', 'business_unit': '', 'delivery_date': '', 'maintenance_schedule': '', 'install_status': 'Installed', 'cost_center': '', 'attested_by': '', 'supported_by': '', 'dns_domain': '', 'name': 'Storage-D3', 'assigned': '', 'life_cycle_stage': '', 'purchase_date': '', 'subcategory': '', 'short_description': '', 'u_primary_service': '', 'assignment_group': '', 'managed_by': '', 'managed_by_group': '', 'can_print': 'false', 'last_discovered': '', 'sys_class_name': 'Windows Cluster Node', 'manufacturer': '', 'sys_id': 'b4e**********************119', 'po_number': '', 'checked_in': '', 'sys_class_path': '/!!/!+/!#', 'life_cycle_stage_status': '', 'mac_address': '', 'vendor': '', 'company': '', 'justification': '', 'model_number': '', 'department': '', 'assigned_to': '', 'start_date': '', 'comments': '', 'cost': '', 'u_environment': '', 'sys_mod_count': '3', 'monitor': 'false', 'serial_number': '', 'ip_address': '192.168.***.***', 'model_id': {'display_value': '', 'link': 'https://dev*****.service-now.com/api/now/table/cmdb_model/5d08f2197f301200bee45f19befa916e'}, 'duplicate_of': '', 'sys_tags': '', 'cost_cc': 'USD', 'order_date': '', 'schedule': '', 'support_group': '', 'environment': None, 'due': '', 'attested': 'false', 'correlation_id': '', 'unverified': 'false', 'attributes': '', 'location': '', 'asset': '', 'category': '', 'fault_count': '0', 
'lease_id': ''}
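The Raw Data for Query Server Info returns the same reference field either as an empty string, as null, or as an object with a link, and the Key Fields list only names and IP addresses. The following added example (not D3 SOAR's own extraction logic) shows one way a playbook script could read those records defensively; the function names and the sample records, including the `instance.example` host, are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample in the shape of the Query Server Info Raw Data
# (made-up values; only the fields this example reads are included).
RAW_DATA = {
    "result": [
        {"name": "app-01", "ip_address": "",
         "u_primary_service": {
             "display_value": "INC0000001",
             "link": "https://instance.example/api/now/table/incident/0001"},
         "model_id": ""},
        {"name": "Storage-D3", "ip_address": "192.0.2.10",
         "u_primary_service": "",
         "model_id": {
             "display_value": "",
             "link": "https://instance.example/api/now/table/cmdb_model/0002"}},
        # Duplicate name and a malformed address, to show both are handled.
        {"name": "app-01", "ip_address": "not-an-ip",
         "u_primary_service": None, "model_id": ""},
    ]
}


def ref_display(field):
    """Display text of a reference field, or None when it is unset.

    Unset references arrive as "" or null; set ones arrive as an object
    carrying "link" plus either "value" or "display_value".
    """
    if isinstance(field, dict):
        return field.get("display_value") or field.get("value") or None
    return field or None


def ref_target(field):
    """(table, sys_id) that a reference field links to, or None."""
    if not isinstance(field, dict) or not field.get("link"):
        return None
    segments = urlparse(field["link"]).path.strip("/").split("/")
    # Record links end in .../table/<table>/<sys_id>
    if len(segments) >= 3 and segments[-3] == "table":
        return segments[-2], segments[-1]
    return None


def extract_key_fields(raw):
    """Collect de-duplicated server names and syntactically valid IPs."""
    names, ips = [], []
    for record in raw.get("result", []):
        name = record.get("name")
        if name and name not in names:
            names.append(name)
        candidate = record.get("ip_address")
        if not candidate:
            continue
        try:
            ip = str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # drop malformed values instead of passing them on
        if ip not in ips:
            ips.append(ip)
    return {"ServerNames": names, "IPAddresses": ips}


if __name__ == "__main__":
    print(extract_key_fields(RAW_DATA))
    for rec in RAW_DATA["result"]:
        print(rec["name"], ref_display(rec["u_primary_service"]),
              ref_target(rec["model_id"]))
```

Validating `ip_address` before it reaches a downstream command keeps a free-text CMDB value from being treated as an indicator.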

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Query Server Info failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Server Name Not Found. |

Error Sample Data

Query Server Info failed.

Status Code: 404.

Message: Server Name Not Found.

Query Tables

Retrieves table information based on the query conditions.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Query | Optional | The query to filter results. For more information about the query syntax, see Operators available for filters and queries. Note: Avoid placing a space between an operator and its value. For example, instead of "sys_created_by = system", use "sys_created_by=system" (= is the operator, system is the value). When an invalid field name is specified in a query, the instance will only use the valid part of the query and return the corresponding rows. The behavior of returning no rows on an invalid query can be controlled by setting the property "glide.invalid_query.returns_no_rows" to true using the Update Records command on the "sys_properties" table. | sys_created_by=system^labelLIKEApplication Model |
| Limit | Optional | The maximum number of tables to return. The default value is 100. Note: If the input limit value is too large, it may affect system performance when returning a large volume of results. Set a suitable limit value to prevent this issue from occurring. | 5 |
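The Query notes for Query Security Incidents and Query Tables, as an added example (not D3 SOAR or ServiceNow code): a pre-flight check that removes whitespace around operators and separators and rejects any condition whose field is not on an allow-list, because the instance otherwise uses only the valid part of the query and returns the corresponding rows. The allow-lists, `MAX_LIMIT`, and the function names are assumptions, and only `^`, `^OR` and a subset of operators are handled.

```python
import re

# Operators handled by this example: a subset of the encoded-query
# operators. Longer symbols come first so "<=" is not read as "<".
OPERATORS = ("STARTSWITH", "ENDSWITH", "LIKE", "!=", "<=", ">=", "=", "<", ">")

# One condition: lowercase field name, operator, then the value.
TERM = re.compile(
    r"^\s*(?P<field>[a-z][a-z0-9_.]*)\s*(?P<op>%s)(?P<value>.*)$"
    % "|".join(re.escape(op) for op in OPERATORS),
    re.DOTALL,
)

# Assumption: allow-lists kept by the playbook author for each table queried.
SECURITY_INCIDENT_FIELDS = {"priority", "number", "state", "severity"}
TABLE_FIELDS = {"sys_created_by", "label", "name"}

DEFAULT_LIMIT = 100   # default stated in the Limit description
MAX_LIMIT = 1000      # assumption: ceiling chosen locally, not a product value


def normalize_query(query, allowed_fields):
    """Return the query with operator and separator whitespace removed.

    Raises ValueError for a condition that cannot be parsed, has no value,
    or names a field outside allowed_fields, so that a misspelled field
    is caught before the instance silently drops that condition.
    """
    if not query or not query.strip():
        return ""  # Query is optional
    pieces = re.split(r"(\^OR|\^)", query)
    out = []
    for index, piece in enumerate(pieces):
        if index % 2:  # odd positions hold the separators
            out.append(piece)
            continue
        match = TERM.match(piece)
        if match is None:
            raise ValueError("cannot parse condition %r" % piece.strip())
        field, op = match["field"], match["op"]
        value = match["value"].strip()
        # Dot-walked fields (a.b) are checked by their first segment.
        if field.split(".")[0] not in allowed_fields:
            raise ValueError("field %r is not on the allow-list" % field)
        if not value:
            raise ValueError("condition on %r has no value" % field)
        out.append(field + op + value)
    return "".join(out)


def checked_limit(limit=None):
    """Return a Limit value within 1..MAX_LIMIT, defaulting to 100."""
    if limit is None:
        return DEFAULT_LIMIT
    limit = int(limit)
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and %d" % MAX_LIMIT)
    return limit


if __name__ == "__main__":
    print(normalize_query("priority <=2 ^ numberLIKESIR00100",
                          SECURITY_INCIDENT_FIELDS))
    print(normalize_query("sys_created_by = system^label LIKE Application Model",
                          TABLE_FIELDS))
    try:
        normalize_query("prioirty<=2^numberLIKESIR00100",
                        SECURITY_INCIDENT_FIELDS)
    except ValueError as err:
        print("rejected:", err)
```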

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

{
    "result": [
        {
            "create_access": "true",
            "alter_access": "true",
            "access": "",
            "live_feed_enabled": "false",
            "sys_updated_on": "2022-01-05 08:28:10",
            "sys_class_name": "sys_db_object",
            "is_extendable": "false",
            "sys_id": "12a*********************5f6",
            "user_role": "",
            "create_access_controls": "false",
            "delete_access": "false",
            "sys_updated_by": "system",
            "sys_class_path": "",
            "sys_created_on": "2022-01-05 08:28:10",
            "caller_access": "",
            "client_scripts_access": "true",
            "extension_model": "",
            "actions_access": "true",
            "sys_name": "CMDB Application Product Model",
            "sys_scope": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_scope/global",
                "value": "global"
            },
            "sys_created_by": "system",
            "sys_class_code": "",
            "read_access": "true",
            "super_class": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_db_object/c6a**********************549",
                "value": "c6a**********************549"
            },
            "sys_mod_count": "0",
            "ws_access": "true",
            "label": "Application Model",
            "update_access": "true",
            "sys_package": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_package/8aa********************506",
                "value": "8aa********************506"
            },
            "sys_update_name": "sys_db_object_12a*********************5f6",
            "scriptable_table": "false",
            "configuration_access": "false",
            "name": "cmdb_application_product_model",
            "number_ref": "",
            "sys_policy": ""
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "TableNames": ["cmdb_application_product_model"],
      "TableSysIDs": ["12a*********************5f6"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • {'create_access': 'true', 'alter_access': 'true', 'access': '', 'live_feed_enabled': 'false', 'sys_updated_on': '2022-01-05 08:28:10', 'sys_class_name': 'sys_db_object', 'is_extendable': 'false', 'sys_id': '12a*********************5f6', 'user_role': '', 'create_access_controls': 'false', 'delete_access': 'false', 'sys_updated_by': 'system', 'sys_class_path': '', 'sys_created_on': '2022-01-05 08:28:10', 'caller_access': '', 'client_scripts_access': 'true', 'extension_model': '', 'actions_access': 'true', 'sys_name': 'CMDB Application Product Model', 'sys_scope': {'link': 'https://dev*****.service-now.com/api/now/table/sys_scope/global', 'value': 'global'}, 'sys_created_by': 'system', 'sys_class_code': '', 'read_access': 'true', 'super_class': {'link': 'https://dev*****.service-now.com/api/now/table/sys_db_object/c6a**********************549', 'value': 'c6a**********************549'}, 'sys_mod_count': '0', 'ws_access': 'true', 'label': 'Application Model', 'update_access': 'true', 'sys_package': {'link': 'https://dev*****.service-now.com/api/now/table/sys_package/8aa********************506', 'value': '8aa********************506'}, 'sys_update_name': 'sys_db_object_12a*********************5f6', 'scriptable_table': 'false', 'configuration_access': 'false', 'name': 'cmdb_application_product_model', 'number_ref': '', 'sys_policy': ''}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Query Tables failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Query. |

Error Sample Data

Query Tables failed.

Status Code: 403.

Message: Invalid Query.

Update Records

Updates the records in a specified table in ServiceNow.

READER NOTE

Table Name, Record Sys IDs and Record Data are required parameters to run this command.

  • Run the Query Tables command to obtain Table Name. Table Names can be found in the returned raw data, at the path $.result[*].name.

  • Run the Query Records command to obtain Record Sys IDs. Record Sys IDs can be found in the returned raw data, at the path $.result[*].sys_id.

  • Run the Get Table Fields command to obtain the fields available for Record Data. Input the desired table name to obtain the table's available fields. See Where can I get available field's system names? in the FAQ section for more information.

It is recommended to make a copy of your original record data and make changes to the desired fields, as the new record data will replace the old one.

ALERT

You will need to make sure the Table Name matches the Record Sys IDs. Otherwise, D3 SOAR will return an error.

It is recommended to run the Query Tables command first and choose the table name you want to get the record from. Use that table name as the input value to run the Query Records command to get Record Sys IDs.

When inputting Table Names and Record Sys IDs obtained from other commands, ensure that each pair of values matches.
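The pairing check and the copy-then-modify advice above can be run as a pre-flight step before Update Records. This is an added Python example, not D3 SOAR or ServiceNow code: the function names, the table name `x_demo_notes` and all sample values are constructed, and the Query Records raw data is assumed to have the `$.result[*].sys_id` shape the note describes.

```python
import copy
import re

# ServiceNow sys_ids are 32-character hexadecimal strings.
SYS_ID_RE = re.compile(r"[0-9a-f]{32}")

# Constructed sample values (not taken from a real instance).
ID_A = "a" * 32
ID_B = "b" * 32
ID_OTHER = "c" * 32  # well-formed, but not a record of the queried table

# Constructed Query Tables raw data: table names live at $.result[*].name.
TABLES = {"result": [{"name": "x_demo_notes", "sys_id": "d" * 32}]}

# Constructed Query Records raw data for x_demo_notes: $.result[*].sys_id.
RECORDS = {"result": [
    {"sys_id": ID_A, "notes": "original note", "duedate": ""},
    {"sys_id": ID_B, "notes": "", "duedate": "2022-06-30 00:00:00"},
]}


def table_names(query_tables_raw):
    """Collect the names found at $.result[*].name."""
    return {row["name"] for row in query_tables_raw.get("result", [])
            if row.get("name")}


def records_by_sys_id(query_records_raw):
    """Index the queried records by $.result[*].sys_id."""
    return {row["sys_id"]: row for row in query_records_raw.get("result", [])
            if row.get("sys_id")}


def preflight(table_name, record_sys_ids, query_tables_raw, query_records_raw):
    """Return a list of problems; an empty list means the inputs pair up.

    query_records_raw must be the output of Query Records run against
    table_name, so membership in it proves the table/sys_id pairing.
    """
    problems = []
    if table_name not in table_names(query_tables_raw):
        problems.append(f"table {table_name!r} was not returned by Query Tables")
    known = records_by_sys_id(query_records_raw)
    for sys_id in record_sys_ids:
        if not SYS_ID_RE.fullmatch(str(sys_id).lower()):
            problems.append(f"{sys_id!r} is not a 32-character hex sys_id")
        elif sys_id not in known:
            problems.append(f"sys_id {sys_id} is not a record of {table_name!r}")
    return problems


def build_record_data(original, changes):
    """Copy the original record and apply changes, leaving the original intact.

    Unknown field names are rejected so that a typo cannot silently add or
    blank a field; changing sys_id is rejected because it would break the
    table/record pairing checked above (a policy of this example).
    """
    unknown = sorted(set(changes) - set(original))
    if unknown:
        raise ValueError(f"fields not present on the record: {unknown}")
    if "sys_id" in changes:
        raise ValueError("sys_id identifies the record and must not be changed")
    data = copy.deepcopy(original)
    data.update(changes)
    return data


if __name__ == "__main__":
    print(preflight("x_demo_notes", [ID_A, ID_OTHER], TABLES, RECORDS))
    print(build_record_data(RECORDS["result"][0], {"notes": "A test work note."}))
```
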

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Table Name | Required | The name of the table in which to update records. Table names can be obtained using the Query Tables command. | `x_******_test_d3_j**_test***` |
| Record Sys IDs | Required | The Sys IDs of the records to update. Record Sys IDs can be obtained using the Query Records command. | `["366********************697"]` |
| Record Data | Required | The updated JSON-formatted record data. | `{"notes": "A test work note by Jone***."}` |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

[
    {
        "result": {
            "sys_id": "e63********************62c",
            "sys_updated_by": "admin",
            "passwd": "",
            "duedate": "",
            "sys_created_on": "2021-06-21 22:19:51",
            "sys_mod_count": "0",
            "sys_updated_on": "2021-06-21 22:19:51",
            "sys_tags": "",
            "sys_created_by": "admin"
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "RecordSysIDs": ["366********************697"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'sys_id': 'e63********************62c', 'sys_updated_by': 'admin', 'passwd': '', 'duedate': '', 'sys_created_on': '2021-06-21 22:19:51', 'sys_mod_count': '0', 'sys_updated_on': '2021-06-21 22:19:51', 'sys_tags': '', 'sys_created_by': 'admin'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Records failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Table Not Found. |

Error Sample Data

Update Records failed.

Status Code: 404.

Message: Table Not Found.

Update Requested Items

Updates field information of the specified Requested Item(s).

READER NOTE

The parameter Request Item Sys IDs is required to run this command.

  • Run the Query Requested Items command to obtain Request Item Sys IDs. The Request Item Sys IDs can be found in the returned raw data, at the path $.result[*].sys_id.

Request Sys ID Or Number and Custom Fields are optional parameters to run this command.

  • Run the Query Request Items command to obtain Request Item Sys IDs or Numbers. Request Item Sys IDs can be found in the raw data, at the path $.result[*].sys_id; Request Item Numbers can be found in the raw data, at the path $.result[*].number.

  • Run the Get Table Fields command to obtain the fields available for Custom Fields. See Where can I get available field's system names? in the FAQ section for more information.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Request Item Sys IDs | Required | The Sys IDs of the requested items to update. Sys IDs can be obtained using the Query Requested Items command. | `["056********************05d"]` |
| Short Description | Optional | A short description of the updated requested item. | Apple iPhone13 0512a |
| Comments | Optional | The comments for the updated requested items. Comments are visible to all users, fulfillers and requesters. | New req item iphone13 |
| Work Notes | Optional | The work notes for the updated requested item. Work notes are only visible to request fulfillers, and are not shared with requesters. | Sensitive info inside |
| Due Date | Optional | The due date of the updated requested item in UTC time. | 2022-06-30 00:00 |
| Request Sys ID Or Number | Optional | The request Sys ID or number of the requested items. Request Sys IDs and numbers can be obtained using the Query Requests command. | `REQ*******` |
| Custom Fields | Optional | The additional fields in JSON format to update for the requested item. | `{"urgency": "2"}` |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

[
    {
        "result": {
            "parent": "",
            "made_sla": "true",
            "watch_list": "",
            "sc_catalog": "",
            "upon_reject": "Cancel all future Tasks",
            "requested_for": {
                "display_value": "System Administrator",
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441"
            },
            "sys_updated_on": "2022-05-11 12:26:23",
            "task_effective_number": "RITM00*****",
            "approval_history": "",
            "skills": "",
            "number": "RITM00*****",
            "sys_updated_by": "admin",
            "opened_by": {
                "display_value": "System Administrator",
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441"
            },
            "user_input": "",
            "price": "$102.00",
            "sys_created_on": "2022-05-09 16:08:56",
            "recurring_frequency": null,
            "sys_domain": {
                "display_value": "global",
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global"
            },
            "context": "",
            "state": "Open",
            "route_reason": "",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "backordered": "true",
            "contract": "",
            "impact": "3 - Low",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "4 - Low",
            "sys_domain_path": "/",
            "time_worked": "",
            "expected_start": "",
            "flow_context": "",
            "opened_at": "2022-05-09 16:08:56",
            "business_duration": "",
            "group_list": "",
            "configuration_item": {
                "display_value": "DP00***",
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************7cc"
            },
            "work_end": "",
            "approval_set": "",
            "work_notes": "",
            "order_guide": {
                "display_value": "Request Developer Project Equipment",
                "link": "https://dev*****.service-now.com/api/now/table/sc_cat_item_guide/251*********************dd6"
            },
            "universal_request": "",
            "request": {
                "display_value": "REQ00*****",
                "link": "https://dev*****.service-now.com/api/now/table/sc_request/f7a******************0fc"
            },
            "short_description": "test item update",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "additional_assignee_list": "",
            "description": "",
            "calendar_duration": "",
            "close_notes": "",
            "service_offering": "",
            "sys_class_name": "Requested Item",
            "closed_by": "",
            "follow_up": "",
            "sys_id": "056********************05d",
            "contact_type": null,
            "urgency": "3 - Low",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "UNKNOWN",
            "assigned_to": "",
            "comments": "",
            "quantity": "1",
            "approval": "Requested",
            "sla_due": "UNKNOWN",
            "comments_and_work_notes": "",
            "due_date": "2022-05-30 17:00:00",
            "sys_mod_count": "2",
            "recurring_price": "$0.00",
            "sys_tags": "",
            "billable": "false",
            "cat_item": {
                "display_value": "Cisco Jabber 10.5",
                "link": "https://dev*****.service-now.com/api/now/table/sc_cat_item/0c5**********************739"
            },
            "stage": "Waiting for Approval",
            "escalation": "Normal",
            "upon_approval": "Proceed to Next Task",
            "correlation_id": "",
            "location": "",
            "estimated_delivery": "2021-03-25 12:16:09"
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "RequestItemSysIDs": ["056********************05d"],
      "RequestItemNumbers": ["RITM00*****"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'parent': '', 'made_sla': 'true', 'watch_list': '', 'sc_catalog': '', 'upon_reject': 'Cancel all future Tasks', 'requested_for': {'display_value': 'System Administrator', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441'}, 'sys_updated_on': '2022-05-11 12:26:23', 'task_effective_number': 'RITM00*****', 'approval_history': '', 'skills': '', 'number': 'RITM00*****', 'sys_updated_by': 'admin', 'opened_by': {'display_value': 'System Administrator', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441'}, 'user_input': '', 'price': '$102.00', 'sys_created_on': '2022-05-09 16:08:56', 'recurring_frequency': None, 'sys_domain': {'display_value': 'global', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global'}, 'context': '', 'state': 'Open', 'route_reason': '', 'sys_created_by': 'admin', 'knowledge': 'false', 'order': '', 'closed_at': '', 'cmdb_ci': '', 'delivery_plan': '', 'backordered': 'true', 'contract': '', 'impact': '3 - Low', 'active': 'true', 'work_notes_list': '', 'business_service': '', 'priority': '4 - Low', 'sys_domain_path': '/', 'time_worked': '', 'expected_start': '', 'flow_context': '', 'opened_at': '2022-05-09 16:08:56', 'business_duration': '', 'group_list': '', 'configuration_item': {'display_value': 'DP00***', 'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************7cc'}, 'work_end': '', 'approval_set': '', 'work_notes': '', 'order_guide': {'display_value': 'Request Developer Project Equipment', 'link': 'https://dev*****.service-now.com/api/now/table/sc_cat_item_guide/251*********************dd6'}, 'universal_request': '', 'request': {'display_value': 'REQ00*****', 'link': 'https://dev*****.service-now.com/api/now/table/sc_request/f7a******************0fc'}, 'short_description': 'test item update', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'assignment_group': '', 'additional_assignee_list': '', 
'description': '', 'calendar_duration': '', 'close_notes': '', 'service_offering': '', 'sys_class_name': 'Requested Item', 'closed_by': '', 'follow_up': '', 'sys_id': '056********************05d', 'contact_type': None, 'urgency': '3 - Low', 'company': '', 'reassignment_count': '0', 'activity_due': 'UNKNOWN', 'assigned_to': '', 'comments': '', 'quantity': '1', 'approval': 'Requested', 'sla_due': 'UNKNOWN', 'comments_and_work_notes': '', 'due_date': '2022-05-30 17:00:00', 'sys_mod_count': '2', 'recurring_price': '$0.00', 'sys_tags': '', 'billable': 'false', 'cat_item': {'display_value': 'Cisco Jabber 10.5', 'link': 'https://dev*****.service-now.com/api/now/table/sc_cat_item/0c5**********************739'}, 'stage': 'Waiting for Approval', 'escalation': 'Normal', 'upon_approval': 'Proceed to Next Task', 'correlation_id': '', 'location': '', 'estimated_delivery': '2021-03-25 12:16:09'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Request Items failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Request Not Found. |

Error Sample Data

Update Request Items failed.

Status Code: 404.

Message: Request Not Found.
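For commands that accept an array of Sys IDs, a playbook step can combine the Return Data state, the Error tab text and the Raw Data to decide what to do next. The following Python is an added example, not D3 SOAR code: the function names, action labels and sample values are constructed, and it assumes that items which failed are absent from the Raw Data array.

```python
import re

# Layout of the Error tab text as shown in the Error Sample Data above.
ERROR_RE = re.compile(
    r"^\s*(?P<indicator>.+?failed\.)\s*"
    r"Status Code:\s*(?P<status>\d{3})\.?\s*"
    r"Message:\s*(?P<message>.*?)\s*$",
    re.DOTALL,
)

# Constructed sample values (not taken from a real instance).
ID_OK = "1" * 32
ID_MISSING = "2" * 32
REQUESTED = [ID_OK, ID_MISSING]
# Update commands return a list of {"result": {...}} objects, one per item.
SAMPLE_RAW = [{"result": {"sys_id": ID_OK, "short_description": "test item update"}}]
SAMPLE_ERROR = (
    "Update Request Items failed.\n\n"
    "Status Code: 404.\n\n"
    "Message: Request Not Found."
)


def parse_error(text):
    """Split Error tab text into Failure Indicator, Status Code and Message."""
    match = ERROR_RE.match(text or "")
    if match is None:
        return None
    return {
        "failure_indicator": match["indicator"],
        "status_code": int(match["status"]),
        "message": match["message"],
    }


def applied_sys_ids(raw_data):
    """Return the sys_ids of the items that appear in the update Raw Data."""
    ids = []
    for item in raw_data or []:
        result = item.get("result") if isinstance(item, dict) else None
        if isinstance(result, dict) and result.get("sys_id"):
            ids.append(result["sys_id"])
    return ids


def triage(return_data, requested_sys_ids, raw_data, error_text=""):
    """Pick a follow-up action for a playbook conditional task.

    Assumption of this example: an item that failed has no entry in raw_data.
    """
    applied = set(applied_sys_ids(raw_data))
    missing = [s for s in requested_sys_ids if s not in applied]
    error = parse_error(error_text) if error_text else None

    if return_data == "Successful":
        # A success state with unaccounted items deserves a manual look.
        action = "continue" if not missing else "review"
    elif error and error["status_code"] in (401, 403):
        # 401/403: the connection lacks permission; retrying will not help.
        action = "check_connection_permissions"
    elif return_data == "Partially Successful":
        # Only the items without a result need to be re-run.
        action = "retry_missing"
    else:
        action = "escalate"
    return {"action": action, "missing": missing, "error": error}


if __name__ == "__main__":
    print(triage("Partially Successful", REQUESTED, SAMPLE_RAW, SAMPLE_ERROR))
```
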

Update Requests

Updates field information of request(s) based on the Request Sys ID(s). You can obtain the Request Sys ID using the Query Requests command.

READER NOTE

The parameter Request Sys IDs is required to run this command.

  • Run the Query Requests command to obtain Request Sys IDs. Request Sys IDs can be found in the returned raw data, at the path $.result[*].sys_id; Request Numbers can be found at the path $.result[*].number.

  • Run the Query Request Items command to obtain Request Sys IDs or Numbers. Request Sys IDs can be found in the raw data, at the path $.result[*].sys_id; Request Numbers can be found in the raw data, at the path $.result[*].number.

The input parameter Custom Fields is optional to run this command.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Request Sys IDs | Required | The Sys ID(s) of the request(s) to update. Sys IDs can be obtained using the Query Requests command. | `[ "f7a******************0fc" ]` |
| Short Description | Optional | A short description for the updated request(s). | New Request for project D. 512a |
| Requested For | Optional | The name, email, or Sys ID of the updated user who raised the request. If this parameter is not defined, requests will be created for the current login user. | `Jon***** Wal****` |
| Comments | Optional | The comments for the updated request(s). Comments are visible to all users, fulfillers and requesters. | test comments510 |
| Work Notes | Optional | The work notes for the updated requests. Work notes are only visible to request fulfillers, and are not shared with requesters. | For VIP |
| Due Date | Optional | The due date of the updated request in UTC time. | 2023-01-09 00:00 |
| Custom Fields | Optional | The additional fields in JSON format to input into the updated requests. | `{"assigned_to": "Mic**** Ho****", "request_state": "requested", "stage": "requested", "escalation": "Normal", "upon_approval": "Proceed to Next Task"}` |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

[
    {
        "result": {
            "parent": "",
            "delivery_address": "",
            "made_sla": "true",
            "watch_list": "",
            "upon_reject": "cancel",
            "requested_for": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "sys_updated_on": "2022-05-10 23:35:46",
            "task_effective_number": "REQ00*****",
            "approval_history": "",
            "skills": "",
            "number": "REQ00*****",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "user_input": "",
            "price": "0",
            "sys_created_on": "2022-05-06 21:41:49",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "state": "1",
            "route_reason": "",
            "sys_created_by": "admin",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "",
            "special_instructions": "Short description demo",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "3",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "4",
            "sys_domain_path": "/",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2022-05-06 21:41:49",
            "business_duration": "",
            "group_list": "",
            "work_end": "",
            "approval_set": "",
            "work_notes": "",
            "universal_request": "",
            "short_description": "Short description demo",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "parent_interaction": "",
            "additional_assignee_list": "",
            "description": "Description demo",
            "calendar_duration": "",
            "close_notes": "",
            "service_offering": "",
            "sys_class_name": "sc_request",
            "closed_by": "",
            "follow_up": "",
            "sys_id": "f7a******************0fc",
            "contact_type": "",
            "urgency": "3",
            "requested_date": "",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "",
            "assigned_to": "",
            "comments": "",
            "approval": "requested",
            "sla_due": "",
            "comments_and_work_notes": "",
            "due_date": "2021-03-10 20:08:06",
            "sys_mod_count": "4",
            "sys_tags": "",
            "request_state": "requested",
            "stage": "requested",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "location": ""
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "RequestSysIDs": ["f7a******************0fc"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'parent': '', 'delivery_address': '', 'made_sla': 'true', 'watch_list': '', 'upon_reject': 'cancel', 'requested_for': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'sys_updated_on': '2022-05-10 23:35:46', 'task_effective_number': 'REQ00*****', 'approval_history': '', 'skills': '', 'number': 'REQ00*****', 'sys_updated_by': 'admin', 'opened_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'user_input': '', 'price': '0', 'sys_created_on': '2022-05-06 21:41:49', 'sys_domain': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global', 'value': 'global'}, 'state': '1', 'route_reason': '', 'sys_created_by': 'admin', 'knowledge': 'false', 'order': '', 'calendar_stc': '', 'special_instructions': 'Short description demo', 'closed_at': '', 'cmdb_ci': '', 'delivery_plan': '', 'contract': '', 'impact': '3', 'active': 'true', 'work_notes_list': '', 'business_service': '', 'priority': '4', 'sys_domain_path': '/', 'time_worked': '', 'expected_start': '', 'opened_at': '2022-05-06 21:41:49', 'business_duration': '', 'group_list': '', 'work_end': '', 'approval_set': '', 'work_notes': '', 'universal_request': '', 'short_description': 'Short description demo', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'assignment_group': '', 'parent_interaction': '', 'additional_assignee_list': '', 'description': 'Description demo', 'calendar_duration': '', 'close_notes': '', 'service_offering': '', 'sys_class_name': 'sc_request', 'closed_by': '', 'follow_up': '', 'sys_id': 'f7a******************0fc', 'contact_type': '', 'urgency': '3', 'requested_date': '', 'company': '', 'reassignment_count': '0', 'activity_due': '', 'assigned_to': '', 'comments': '', 'approval': 'requested', 'sla_due': '', 'comments_and_work_notes': '', 'due_date': '2021-03-10 20:08:06', 'sys_mod_count': '4', 
'sys_tags': '', 'request_state': 'requested', 'stage': 'requested', 'escalation': '0', 'upon_approval': 'proceed', 'correlation_id': '', 'location': ''}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Request failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Request Not Found. |

Error Sample Data

Update Request failed.

Status Code: 404.

Message: Request Not Found.

Update Security Incidents

Updates field information of the specified security incidents.

READER NOTE

Sys IDs, Requested By, Assignment Group, Assigned User and Custom Fields are optional parameters to run this command.

  • Run the Query Security Incidents or Fetch Event command to obtain Sys IDs. For the Query Security Incidents command, Sys IDs can be found in the returned raw data, at the path $.result[*].sys_id. For the Fetch Event command, set the Incident Type parameter to "Security Incident". The Ticket Sys IDs can be found in the returned raw data, at the path $.result[*].sys_id.

  • If you have a user's email or username, you can input it into the Get User Details command to obtain the corresponding Sys IDs. The input Sys IDs for the Requested By and Assigned User parameters can be found in the returned raw data, at the path $.result[*].sys_id.

  • User names and user emails can be found from the ServiceNow user interface. Search for System Security, then navigate to Users and Groups > Users.

  • Run the Get Group Details command to obtain Assignment Groups. Group Names can be found in the returned raw data, at the path $.result[*].name; Group Sys IDs can be found in the raw data, at the path $.result[*].sys_id.

  • Run the Get Table Fields command to obtain the fields available for Custom Fields. See Where can I get available field's system names? in the FAQ section for more information.

It is not recommended to use the Test Command feature with the Update Security Incidents command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

  1. Navigate to Configuration on the top bar menu.

  2. Click on Utility Commands on the left sidebar menu.

  3. Use the search box to find and select the Create a File from input Text Array command.

  4. Click on the Test tab.

  5. Input the required information for the parameters.

  6. Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Sys IDs | Optional | The Sys IDs or numbers of the security incidents to update. Sys IDs can be obtained using the Query Security Incidents command. | [ "eb7*****************091" ] |
| Short Description | Optional | A short description for the updated security incidents. | Sec Incident 0511a |
| Requested By | Optional | The user name, email, or Sys ID of the requesting user. User names, emails and Sys IDs can be obtained using the Get User Details command. If this parameter is not defined, the requests will be created for the current login user. Note: The admin user cannot be the requester. If your login user account is admin, this parameter should be left empty. | Ja** Erl****** |
| Business Impact | Optional | The impact level of the updated security incidents. | Medium |
| Priority | Optional | The priority level of the updated security incidents. If this field is not defined, the default priority level will be set to Low. | Moderate |
| Category | Optional | The category of the updated security incidents. | Unpatched Vulnerability |
| Assignment Group | Optional | The name or Sys ID of the group to assign the updated security incidents to. Group names and Sys IDs can be obtained using the Get Group Details command. | Problem Analyzers |
| Assigned User | Optional | The user name, email or Sys ID of the user assigned to the updated security incidents. User names, emails and Sys IDs can be obtained using the Get User Details command. Note: If you input values for both the Assignment Group and Assigned User parameters, ensure that the user is in the group. Otherwise, the error message "Operation Failed" will be returned. You can use the Query Group Members command to check if the user is in the group. | Jon***** Wal**** |
| Description | Optional | A description for the updated security incident. | Test description 0511c |
| Custom Fields | Optional | The additional fields in JSON format to input into the updated security incidents. | { "comments": "510c These are my comments", "subcategory": "37" } |
| File IDs | Optional | The file paths of the file source. | [ "749" ] |
| File Source | Optional | The file source of the file to attach. The options for file sources are: Incident Attachment File: Manually uploaded file from Incident; Playbook File: Output from another Task; Artifact File: Ingested Artifact in an Event. | Playbook File |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

[
    {
        "result": {
            "parent": "",
            "sla_suspended_reason": "",
            "watch_list": "",
            "upon_reject": "cancel",
            "sys_updated_on": "2022-05-10 16:46:02",
            "qualification_group": "",
            "expected_end": "",
            "approval_history": "",
            "source_ip": "",
            "skills": "",
            "number": "SIR00*****",
            "problem": "",
            "previous_agent": "",
            "state": "10",
            "sys_created_by": "admin",
            "template_workflow_invoked": "false",
            "knowledge": "false",
            "order": "",
            "phish_email": "",
            "cmdb_ci": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************78f",
                "value": "0c4******************78f"
            },
            "delivery_plan": "",
            "contract": "",
            "impact": "1",
            "active": "true",
            "work_notes_list": "",
            "priority": "1",
            "sys_domain_path": "/",
            "sla_suspended": "false",
            "business_duration": "",
            "group_list": "",
            "special_access_write": "",
            "dest_ip": "",
            "mitre_platform": "",
            "approval_set": "",
            "risk_change": "up",
            "malware_url": "",
            "universal_request": "",
            "template": "",
            "short_description": "Update Sec Incident",
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "request_type": "",
            "affected_user": "",
            "other_ioc": "",
            "additional_assignee_list": "",
            "alert_sensor": "",
            "assigned_vendor": "",
            "service_offering": "",
            "sys_class_name": "sn_si_incident",
            "closed_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/c97********************233",
                "value": "c97********************233"
            },
            "follow_up": "",
            "mitre_group": "",
            "sla_suspended_on": "",
            "estimated_end": "",
            "vendor_reference": "",
            "reassignment_count": "0",
            "assigned_to": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/c97********************233",
                "value": "c97********************233"
            },
            "request_category": "",
            "requested_due_by": "",
            "mitre_malware": "",
            "sla_suspended_for": "",
            "business_criticality": "3",
            "sla_due": "",
            "opened_for": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "comments_and_work_notes": "",
            "mitre_technique": "",
            "special_access_read": "",
            "substate": "",
            "escalation": "0",
            "upon_approval": "proceed",
            "correlation_id": "",
            "asset": {
                "link": "https://dev*****.service-now.com/api/now/table/alm_asset/aac*******************d3b",
                "value": "aac*******************d3b"
            },
            "mitre_tool": "",
            "spam": "false",
            "referrer_url": "",
            "made_sla": "true",
            "mitre_tactic": "",
            "is_catalog": "false",
            "malware_hash": "",
            "alert_rule": "",
            "task_effective_number": "SIR00*****",
            "external_url": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/681*******************441",
                "value": "681*******************441"
            },
            "user_input": "",
            "sys_created_on": "2022-05-09 23:09:22",
            "sys_domain": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global",
                "value": "global"
            },
            "pir": "",
            "route_reason": "",
            "closed_at": "",
            "business_service": {
                "link": "https://dev*****.service-now.com/api/now/table/cmdb_ci_service/281*******************edc",
                "value": "281*******************edc"
            },
            "attack_vector": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2022-05-09 23:09:22",
            "task_created": "false",
            "work_end": "",
            "confidence_score": "",
            "prediction": "",
            "automation_activity": "",
            "subcategory": "",
            "work_notes": "",
            "security_tags": "",
            "risk_score_override": "false",
            "initiated_from": "",
            "close_code": "",
            "assignment_group": {
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/b85*******************60a",
                "value": "b85*******************60a"
            },
            "description": "Create a new security incident",
            "calendar_duration": "",
            "close_notes": "",
            "pir_respondents": "c97********************233",
            "sys_id": "eb7*****************091",
            "contact_type": "email",
            "urgency": "3",
            "secure_notes": "",
            "company": "",
            "new_pir_respondents": "",
            "department": "",
            "activity_due": "",
            "severity": "1",
            "comments": "",
            "risk_score": "75",
            "approval": "not requested",
            "due_date": "",
            "sys_mod_count": "9",
            "parent_security_incident": "",
            "sys_tags": "",
            "billable": "false",
            "mitre_data_source": "",
            "caller": "",
            "location": {
                "link": "https://dev*****.service-now.com/api/now/table/cmn_location/db9********************ee0",
                "value": "db9********************ee0"
            },
            "risk": "3",
            "category": "",
            "incident": "",
            "change_request": "",
            "security_incident_self": {
                "link": "https://dev*****.service-now.com/api/now/table/sn_si_incident/eb7*****************091",
                "value": "eb7*****************091"
            }
        }
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "SecurityIncidentSysIDs": ["eb7*****************091"],
      "SecurityIncidentNumbers": ["SIR00*****"] 
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'parent': '', 'sla_suspended_reason': '', 'watch_list': '', 'upon_reject': 'cancel', 'sys_updated_on': '2022-05-10 16:46:02', 'qualification_group': '', 'expected_end': '', 'approval_history': '', 'source_ip': '', 'skills': '', 'number': 'SIR00*****', 'problem': '', 'previous_agent': '', 'state': '10', 'sys_created_by': 'admin', 'template_workflow_invoked': 'false', 'knowledge': 'false', 'order': '', 'phish_email': '', 'cmdb_ci': {'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci/0c4******************78f', 'value': '0c4******************78f'}, 'delivery_plan': '', 'contract': '', 'impact': '1', 'active': 'true', 'work_notes_list': '', 'priority': '1', 'sys_domain_path': '/', 'sla_suspended': 'false', 'business_duration': '', 'group_list': '', 'special_access_write': '', 'dest_ip': '', 'mitre_platform': '', 'approval_set': '', 'risk_change': 'up', 'malware_url': '', 'universal_request': '', 'template': '', 'short_description': 'Update Sec Incident', 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'request_type': '', 'affected_user': '', 'other_ioc': '', 'additional_assignee_list': '', 'alert_sensor': '', 'assigned_vendor': '', 'service_offering': '', 'sys_class_name': 'sn_si_incident', 'closed_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/c97********************233', 'value': 'c97********************233'}, 'follow_up': '', 'mitre_group': '', 'sla_suspended_on': '', 'estimated_end': '', 'vendor_reference': '', 'reassignment_count': '0', 'assigned_to': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/c97********************233', 'value': 'c97********************233'}, 'request_category': '', 'requested_due_by': '', 'mitre_malware': '', 'sla_suspended_for': '', 'business_criticality': '3', 'sla_due': '', 'opened_for': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'comments_and_work_notes': '', 
'mitre_technique': '', 'special_access_read': '', 'substate': '', 'escalation': '0', 'upon_approval': 'proceed', 'correlation_id': '', 'asset': {'link': 'https://dev*****.service-now.com/api/now/table/alm_asset/aac*******************d3b', 'value': 'aac*******************d3b'}, 'mitre_tool': '', 'spam': 'false', 'referrer_url': '', 'made_sla': 'true', 'mitre_tactic': '', 'is_catalog': 'false', 'malware_hash': '', 'alert_rule': '', 'task_effective_number': 'SIR00*****', 'external_url': '', 'sys_updated_by': 'admin', 'opened_by': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user/681*******************441', 'value': '681*******************441'}, 'user_input': '', 'sys_created_on': '2022-05-09 23:09:22', 'sys_domain': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global', 'value': 'global'}, 'pir': '', 'route_reason': '', 'closed_at': '', 'business_service': {'link': 'https://dev*****.service-now.com/api/now/table/cmdb_ci_service/281*******************edc', 'value': '281*******************edc'}, 'attack_vector': '', 'time_worked': '', 'expected_start': '', 'opened_at': '2022-05-09 23:09:22', 'task_created': 'false', 'work_end': '', 'confidence_score': '', 'prediction': '', 'automation_activity': '', 'subcategory': '', 'work_notes': '', 'security_tags': '', 'risk_score_override': 'false', 'initiated_from': '', 'close_code': '', 'assignment_group': {'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/b85*******************60a', 'value': 'b85*******************60a'}, 'description': 'Create a new security incident', 'calendar_duration': '', 'close_notes': '', 'pir_respondents': 'c97********************233', 'sys_id': 'eb7*****************091', 'contact_type': 'email', 'urgency': '3', 'secure_notes': '', 'company': '', 'new_pir_respondents': '', 'department': '', 'activity_due': '', 'severity': '1', 'comments': '', 'risk_score': '75', 'approval': 'not requested', 'due_date': '', 'sys_mod_count': '9', 
'parent_security_incident': '', 'sys_tags': '', 'billable': 'false', 'mitre_data_source': '', 'caller': '', 'location': {'link': 'https://dev*****.service-now.com/api/now/table/cmn_location/db9********************ee0', 'value': 'db9********************ee0'}, 'risk': '3', 'category': '', 'incident': '', 'change_request': '', 'security_incident_self': {'link': 'https://dev*****.service-now.com/api/now/table/sn_si_incident/eb7*****************091', 'value': 'eb7*****************091'}}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Security Incident failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Security Incident Not Found. |

Error Sample Data

Update Security Incident failed.

Status Code: 404.

Message: Security Incident Not Found.

Update Tickets

Updates field information of incident(s) based on the incident ticket Sys ID(s).

READER NOTE

The parameter Ticket Sys IDs is Required to run this command.

  • You should already have your desired Ticket Sys IDs on hand to run this command. If you don’t, you may use the Fetch Event command with defined filters to retrieve the desired Ticket Sys IDs. The Ticket Sys IDs can be found in the raw data at the path $.result[*].sys_id.

  • Ensure that your input Sys ID belongs to a ticket. To do this, select the Incident Type parameter as "Incident". Note that any other format will not work.

Caller ID, Assignment Group, Assigned User and Custom Fields are optional parameters to run this command.

  • If you have a user's email or username, you can input it into the Get User Details command to obtain the corresponding Sys IDs. The input Sys IDs for the Caller ID and Assigned User parameters can be found in the returned raw data, at the path $.result[*].sys_id.

  • User names and user emails can be found from the ServiceNow user interface. Search for System Security, then navigate to Users and Groups > Users.

  • Run the Get Group Details command to obtain Assignment Groups. Group Names can be found in the returned raw data, at the path $.result[*].name; Group Sys IDs can be found in the raw data, at the path $.result[*].sys_id.

  • Run the Get Table Fields command to obtain the fields available for Custom Fields. See "Where can I get the available fields’ system names?" in the FAQ section for more information.

ALERT

If you enter values for both the Assignment Group and Assigned User fields, make sure the Assigned User is in the Assignment Group you entered. Otherwise, D3 SOAR will return the “Operation Failed” error message.

It is recommended to run the Query Group Members command to check whether the user is in the group, if you choose to input values for both fields.
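
The input rules above (and the matching notes for Update Security Incidents) can be checked before the command runs. The following is an added example, not D3 SOAR or ServiceNow code: the function names, the member-record shape standing in for Query Group Members output, and the field-name set standing in for Get Table Fields output are all assumptions, and the sample values are constructed.

```python
import json

# Constructed stand-ins (assumed shapes, not taken from the product):
# MEMBERS represents what Query Group Members returned for the chosen group,
# FIELD_NAMES represents system names returned by Get Table Fields.
MEMBERS = [{"name": "Example Analyst", "email": "analyst@example.invalid",
            "sys_id": "USER_SYS_ID_PLACEHOLDER"}]
FIELD_NAMES = {"work_notes", "comments", "subcategory", "caller_id"}


def _norm(value):
    return str(value).strip().casefold()


def user_in_group(assigned_user, members):
    """True if assigned_user (user name, email or Sys ID) matches a member record."""
    wanted = _norm(assigned_user)
    for member in members:
        identifiers = {_norm(member.get(k, "")) for k in ("name", "email", "sys_id")}
        if wanted and wanted in identifiers:
            return True
    return False


def preflight_update_tickets(params, login_user, members=None, field_names=None):
    """Return a list of problems with Update Tickets inputs; an empty list means none found."""
    problems = []

    # Ticket Sys IDs is the only required parameter.
    sys_ids = params.get("Ticket Sys IDs")
    if (not isinstance(sys_ids, list) or not sys_ids
            or not all(isinstance(s, str) and s.strip() for s in sys_ids)):
        problems.append("Ticket Sys IDs must be a non-empty array of Sys ID strings")

    # The admin user cannot be the caller: leave Caller ID empty when logged in as admin.
    if params.get("Caller ID") and _norm(login_user) == "admin":
        problems.append("Caller ID must be left empty when the login user is admin")

    # If both are set, the user must belong to the group, or the update
    # comes back as "Operation Failed".
    group, user = params.get("Assignment Group"), params.get("Assigned User")
    if group and user:
        if members is None:
            problems.append("group membership unknown: run Query Group Members first")
        elif not user_in_group(user, members):
            problems.append(f"Assigned User {user!r} is not in Assignment Group {group!r}")

    # Custom Fields must be a JSON object keyed by field system names.
    custom = params.get("Custom Fields")
    if custom not in (None, ""):
        try:
            fields = json.loads(custom) if isinstance(custom, str) else custom
        except json.JSONDecodeError as exc:
            problems.append(f"Custom Fields is not valid JSON: {exc.msg}")
        else:
            if not isinstance(fields, dict):
                problems.append("Custom Fields must be a JSON object")
            elif field_names is not None:
                unknown = sorted(k for k in fields if k not in field_names)
                if unknown:
                    problems.append(f"Custom Fields uses unknown system names: {unknown}")
    return problems


if __name__ == "__main__":
    candidate = {
        "Ticket Sys IDs": ["TICKET_SYS_ID_PLACEHOLDER"],
        "Assignment Group": "Problem Analyzers",
        "Assigned User": "someone.else@example.invalid",
        "Custom Fields": '{"Work notes": "display name used instead of system name"}',
    }
    for problem in preflight_update_tickets(candidate, "d3api", MEMBERS, FIELD_NAMES):
        print("-", problem)
```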

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Ticket Sys IDs | Required | The Sys ID(s) of the incident ticket(s) to update. Ticket Sys IDs can be obtained using the Fetch Event command. | [ "57e********************ed02f" ] |
| Short Description | Optional | A short description for the updated incident ticket(s). | Update incident through REST 0510c |
| Caller ID | Optional | The user name, user email, or user Sys ID of the caller. User names, user email or user Sys IDs can be obtained using the Get User Details command. If this field is not specified, the caller will be the current login user. Note: The admin user cannot be the caller. If your login user account is admin, this parameter should be left empty. | Ja** Erl****** |
| Impact | Optional | The impact level of the updated incident ticket(s). | Low |
| Urgency | Optional | The urgency level of the updated incident ticket(s). | Low |
| Category | Optional | The category of the updated incident ticket. | Inquiry/Help |
| Assignment Group | Optional | The name or Sys ID of the group to assign the updated incident ticket(s) to. Group names and Sys IDs can be obtained using the Get Group Details command. | Problem Analyzers |
| Assigned User | Optional | The user name, email or Sys ID of the user assigned to the updated incident ticket(s). User names, emails and Sys IDs can be obtained using the Get User Details command. Note: If you input values for both the Assignment Group and Assigned User parameters, ensure that the user is in the group. Otherwise, the error message "Operation Failed" will be returned. You can use the Query Group Members command to check if the user is in the group. | Jon***** Wal**** |
| Description | Optional | A description for the updated incident ticket(s). | Test description 0510c |
| Custom Fields | Optional | The additional fields in JSON format to input into the updated incident ticket(s). | { "work_notes": "A test work note by Jon on 20220510." } |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

[
    {
        "result": {
            "parent": "",
            "made_sla": "true",
            "caused_by": "",
            "watch_list": "",
            "upon_reject": "Cancel all future Tasks",
            "sys_updated_on": "2022-05-10 17:31:49",
            "child_incidents": "0",
            "hold_reason": "",
            "task_effective_number": "INC0****2",
            "approval_history": "",
            "skills": "",
            "number": "INC****42",
            "resolved_by": "",
            "sys_updated_by": "admin",
            "opened_by": {
                "display_value": "",
                "link": "https://dev*****.service-now.com/api/now/table/sys_user/964186cb2f860110dc62d4a72799b6a8"
            },
            "user_input": "",
            "sys_created_on": "2022-05-10 15:38:06",
            "sys_domain": {
                "display_value": "global",
                "link": "https://dev*****.service-now.com/api/now/table/sys_user_group/global"
            },
            "state": "New",
            "route_reason": "",
            "sys_created_by": "D3API",
            "knowledge": "false",
            "order": "",
            "calendar_stc": "",
            "closed_at": "",
            "cmdb_ci": "",
            "delivery_plan": "",
            "contract": "",
            "impact": "3 - Low",
            "active": "true",
            "work_notes_list": "",
            "business_service": "",
            "priority": "5 - Planning",
            "sys_domain_path": "/",
            "rfc": "",
            "time_worked": "",
            "expected_start": "",
            "opened_at": "2022-05-10 15:38:06",
            "business_duration": "",
            "group_list": "",
            "work_end": "",
            "caller_id": "",
            "reopened_time": "",
            "resolved_at": "",
            "approval_set": "",
            "subcategory": null,
            "work_notes": "2022-05-10 17:31:50 - System Administrator (Work notes)\nA test work note by Jon on 20220510.\n\n",
            "universal_request": "",
            "short_description": "AAA1",
            "close_code": null,
            "correlation_display": "",
            "delivery_task": "",
            "work_start": "",
            "assignment_group": "",
            "additional_assignee_list": "",
            "business_stc": "",
            "description": "",
            "calendar_duration": "",
            "close_notes": "",
            "notify": "Do Not Notify",
            "service_offering": "",
            "sys_class_name": "Incident",
            "closed_by": "",
            "follow_up": "",
            "parent_incident": "",
            "sys_id": "57e********************ed02f",
            "contact_type": null,
            "reopened_by": "",
            "incident_state": "New",
            "urgency": "3 - Low",
            "problem_id": "",
            "company": "",
            "reassignment_count": "0",
            "activity_due": "UNKNOWN",
            "assigned_to": "",
            "severity": "3 - Low",
            "comments": "",
            "approval": "Not Yet Requested",
            "sla_due": "UNKNOWN",
            "comments_and_work_notes": "2022-05-10 17:31:50 - System Administrator (Work notes)\nA test work note by Jon on 20220510.\n\n",
            "due_date": "",
            "sys_mod_count": "1",
            "reopen_count": "0",
            "sys_tags": "",
            "escalation": "Normal",
            "upon_approval": "Proceed to Next Task",
            "correlation_id": "",
            "location": "",
            "category": "Software"
        }
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

{
      "TicketSysIDs": ["57e********************ed02f"],
      "TicketNumbers": ["INC***42"] 
}
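
The Raw Data samples for Update Security Incidents and Update Tickets wrap each record as {"result": {...}}, the query commands are read at $.result[*].sys_id, and reference fields appear either as {"link", "value"} or as {"display_value", "link"}. The following added example (not D3 SOAR code; function names and sample values are constructed for illustration) normalizes those shapes and rebuilds the Key Fields shown above.

```python
# Constructed sample in the per-record envelope shape used by the update commands.
RAW_UPDATE = [
    {"result": {"sys_id": "SIR_SYS_ID_1", "number": "SIR_NUMBER_1",
                "assigned_to": {"link": "https://instance.example.invalid/api/now/table/sys_user/USER_SYS_ID_1",
                                "value": "USER_SYS_ID_1"},
                "category": ""}},
    {"result": {"sys_id": "SIR_SYS_ID_2", "number": "SIR_NUMBER_2",
                "opened_by": {"display_value": "",
                              "link": "https://instance.example.invalid/api/now/table/sys_user/USER_SYS_ID_2"},
                "assigned_to": "", "subcategory": None}},
]

# Constructed sample in the list shape addressed by $.result[*].sys_id.
RAW_QUERY = {"result": [{"sys_id": "SIR_SYS_ID_1", "number": "SIR_NUMBER_1"},
                        {"sys_id": "SIR_SYS_ID_3", "number": "SIR_NUMBER_3"}]}


def iter_records(raw):
    """Yield record dicts from [{"result": {...}}, ...] or {"result": [...]}."""
    envelopes = raw if isinstance(raw, list) else [raw]
    for envelope in envelopes:
        result = envelope.get("result") if isinstance(envelope, dict) else None
        if isinstance(result, dict):
            yield result
        elif isinstance(result, list):
            for record in result:
                if isinstance(record, dict):
                    yield record


def ref_sys_id(field):
    """Sys ID a reference field points to, or None for empty and non-reference values."""
    if not isinstance(field, dict):
        return None
    if field.get("value"):
        return field["value"]
    # display_value form: the Sys ID is the last path segment of the link.
    tail = (field.get("link") or "").rstrip("/").rsplit("/", 1)[-1]
    return tail or None


def reference_ids(record):
    """Map each reference field name in a record to the Sys ID it refers to."""
    refs = {}
    for name, value in record.items():
        sys_id = ref_sys_id(value)
        if sys_id is not None:
            refs[name] = sys_id
    return refs


def extract_key_fields(raw, prefix):
    """Collect unique Sys IDs and numbers, e.g. prefix='Ticket' gives TicketSysIDs."""
    ids, numbers = [], []
    for record in iter_records(raw):
        for key, bucket in (("sys_id", ids), ("number", numbers)):
            value = record.get(key)
            if isinstance(value, str) and value and value not in bucket:
                bucket.append(value)
    return {f"{prefix}SysIDs": ids, f"{prefix}Numbers": numbers}


if __name__ == "__main__":
    print(extract_key_fields(RAW_UPDATE, "SecurityIncident"))
    for rec in iter_records(RAW_UPDATE):
        print(rec["sys_id"], reference_ids(rec))
```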

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'parent': '', 'made_sla': 'true', 'caused_by': '', 'watch_list': '', 'upon_reject': 'Cancel all future Tasks', 'sys_updated_on': '2022-05-10 17:31:49', 'child_incidents': '0', 'hold_reason': '', 'task_effective_number': 'INC***', 'approval_history': '', 'skills': '', 'number': 'INC***2', 'resolved_by': '', 'sys_updated_by': 'admin', 'opened_by': {'display_value': '', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user/964186cb2f860110dc62d4a72799b6a8'}, 'user_input': '', 'sys_created_on': '2022-05-10 15:38:06', 'sys_domain': {'display_value': 'global', 'link': 'https://dev*****.service-now.com/api/now/table/sys_user_group/global'}, 'state': 'New', 'route_reason': '', 'sys_created_by': 'D3API', 'knowledge': 'false', 'order': '', 'calendar_stc': '', 'closed_at': '', 'cmdb_ci': '', 'delivery_plan': '', 'contract': '', 'impact': '3 - Low', 'active': 'true', 'work_notes_list': '', 'business_service': '', 'priority': '5 - Planning', 'sys_domain_path': '/', 'rfc': '', 'time_worked': '', 'expected_start': '', 'opened_at': '2022-05-10 15:38:06', 'business_duration': '', 'group_list': '', 'work_end': '', 'caller_id': '', 'reopened_time': '', 'resolved_at': '', 'approval_set': '', 'subcategory': None, 'work_notes': '2022-05-10 17:31:50 - System Administrator (Work notes)\nA test work note by Jon on 20220510.\n\n', 'universal_request': '', 'short_description': 'AAA1', 'close_code': None, 'correlation_display': '', 'delivery_task': '', 'work_start': '', 'assignment_group': '', 'additional_assignee_list': '', 'business_stc': '', 'description': '', 'calendar_duration': '', 'close_notes': '', 'notify': 'Do Not Notify', 'service_offering': '', 'sys_class_name': 'Incident', 'closed_by': '', 'follow_up': '', 'parent_incident': '', 'sys_id': '57e********************ed02f', 'contact_type': None, 'reopened_by': '', 'incident_state': 'New', 'urgency': '3 - Low', 'problem_id': '', 'company': '', 'reassignment_count': '0', 'activity_due': 'UNKNOWN', 'assigned_to': '', 
'severity': '3 - Low', 'comments': '', 'approval': 'Not Yet Requested', 'sla_due': 'UNKNOWN', 'comments_and_work_notes': '2022-05-10 17:31:50 - System Administrator (Work notes)\nA test work note by Jon on 20220510.\n\n', 'due_date': '', 'sys_mod_count': '1', 'reopen_count': '0', 'sys_tags': '', 'escalation': 'Normal', 'upon_approval': 'Proceed to Next Task', 'correlation_id': '', 'location': '', 'category': 'Software'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Ticket failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Ticket Not Found. |

Error Sample Data

Update Ticket failed.

Status Code: 404.

Message: Ticket Not Found.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection. Note: If the connector uses the authentication type of OAuth2.0 Authorization Code, then you need to enable Connection Health Check to prevent the refresh token from expiring.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ServiceNow portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Failed to establish a new connection. |

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 400.

Message: Failed to establish a new connection.
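
The Error Sample Data blocks in the sections above share one layout (Failure Indicator, Status Code, Message), and Return Data takes one of three states. The following added example, not D3 SOAR code, parses that layout and derives the state from per-item outcomes; the function names and category labels are illustrative, and treating "every item failed" as Failed is an assumption the page does not spell out.

```python
import re

# Error texts copied from the Error Sample Data sections of this page.
SAMPLE_404 = "Update Security Incident failed.\n\nStatus Code: 404.\n\nMessage: Security Incident Not Found."
SAMPLE_400 = ("Test Connection failed. Failed to check the connector.\n\n"
              "Status Code: 400.\n\nMessage: Failed to establish a new connection.")

ERROR_RE = re.compile(
    r"^(?P<indicator>.*?)\s*Status Code:\s*(?P<code>\d{3})\.?\s*Message:\s*(?P<message>.*)$",
    re.DOTALL,
)


def parse_error(text):
    """Split an Error tab text into its three parts; None if the layout does not match."""
    match = ERROR_RE.match(text.strip())
    if not match:
        return None
    return {
        "failure_indicator": match.group("indicator").strip(),
        "status_code": int(match.group("code")),
        "message": match.group("message").strip(),
    }


def triage(error):
    """Coarse category for routing in a playbook (labels are illustrative)."""
    code = error["status_code"]
    if code == 401:
        return "unauthorized"   # check the permission setting in the ServiceNow portal
    if code == 404:
        return "not_found"      # the Sys ID does not match a record
    if 400 <= code < 500:
        return "client_error"
    if 500 <= code < 600:
        return "server_error"
    return "other"


def return_state(outcomes):
    """outcomes: one entry per input item, None for success or the error text."""
    errors = [o for o in outcomes if o is not None]
    if not errors:
        return "Successful"
    if len(errors) < len(outcomes):
        return "Partially Successful"   # some items of an array input failed
    return "Failed"                     # assumption: every item failed


def summarize(outcomes):
    """Return Data state plus parsed, categorized errors for the failed items."""
    parsed_errors = []
    for text in outcomes:
        if text is None:
            continue
        parsed = parse_error(text)
        if parsed is None:
            parsed = {"failure_indicator": text, "status_code": None, "message": ""}
            parsed["category"] = "unparsed"
        else:
            parsed["category"] = triage(parsed)
        parsed_errors.append(parsed)
    return {"return_data": return_state(outcomes), "errors": parsed_errors}


if __name__ == "__main__":
    print(summarize([None, SAMPLE_404]))
    print(summarize([SAMPLE_400]))
```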

FAQ

How do I check a connection’s login user?

Answer: 

  • For connections using Basic Authentication, you can see the username of the login user you have configured for the connection in the corresponding configuration page.

  • For connections using OAuth2.0 Code authentication, you can view the login user by clicking Get Authorization > Choose your login account from the connection’s configuration page. The logged-in user will appear on the top right of the authorization approval page.

Where can I get the available fields’ system names?

You may find input parameters named Custom Fields in the Create Ticket, Update Tickets, Create Request, Update Requests, Create Requested Item, Update Requested Items, Create Security Incident and Update Security Incidents commands. You may also find input parameters named Record Data in the Create Record and Update Records commands.

The Custom Fields or Record Data input parameters allow you to specify other fields (not in the input parameters) that you want to enter into a ticket, request, request item, security incident and record data. You will need to input the field system name into the input parameters. There are two options available to view the system names: view them from the ServiceNow platform or use the Get Table Fields command in D3 SOAR.

Please refer to the table below for the corresponding table names and command names.

| D3 SOAR Command Name | Category | Input Parameter | Table Name Search Input | Get Table Fields Command Input Value for Table Name* |
|---|---|---|---|---|
| Create Ticket and Update Tickets | Ticket | Custom Fields | incident | 1. Incident; 2. sc_task |
| Create Request and Update Requests | Request | Custom Fields | sc_request | 1. sc_request; 2. sc_task |
| Create Requested Item and Update Requested Items | Requested Item | Custom Fields | sc_req_item | 1. sc_req_item; 2. sc_task |
| Create Security Incident and Update Security Incidents | Security Incident | Custom Fields | sn_si_incident | 1. sn_si_incident; 2. sm_order |

* (1) If two input values are listed, run the command with each value separately to obtain all field system names.

(2) For Record-related commands (i.e. Create Record and Update Records), the available field system names can be found from the table defined in the Table Name parameter in the ServiceNow platform.

The following example shows how to look up the display name and system name pairs for Ticket fields (for use in the Create Ticket and Update Tickets commands).

Option 1: View the Field System Names from the ServiceNow platform. Refer to the table above for the appropriate ServiceNow Table Name to search for.

  1. Select All from the top navigation bar. Type System Definition into the filter search bar and select Tables.

  2. Using the Tables search bar, search for the Incident table and press Enter.

  3. Select the Incident table.

  4. Search for your desired field (e.g. Caller).

  5. Click the field name to view the field details. The system name is displayed as the Column name (Column label: field display name; Column name: field system name).

Option 2: Run the Get Table Fields command

You can choose to run Get Table Fields in D3 SOAR to obtain the custom field system names. Refer to the table above for the appropriate Table Name values to use.

  1. Log in to D3 SOAR.

  2. Find the ServiceNow integration.

    a. Navigate to Configuration on the top header menu.

    b. Click on the Integration icon on the left sidebar.

    c. Type ServiceNow in the search box to find the integration, then click it to select it.

  3. Find the Get Table Fields command.

  4. Run the command twice, once with “Incident” and once with “Task” as the input value for the Table Name parameter. The returned Key Fields list each field’s Display Name with its corresponding System Name.
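Both options above yield pairs of display name and system name. The following added example (not part of D3's or ServiceNow's documentation) merges the pairs from two lookups and translates a field selection into system names, rejecting unknown, ambiguous or doubly set fields before anything is sent. It assumes Custom Fields takes a JSON object keyed by system name; the sample pairs and function names are constructed for illustration.

```python
import json

# Constructed (Display Name, System Name) pairs, transcribed by hand from two
# lookups (one per table). This is NOT the Get Table Fields output format.
INCIDENT_FIELDS = [("Caller", "caller_id"), ("Category", "category")]
TASK_FIELDS = [("Short description", "short_description"), ("Assigned to", "assigned_to")]


def build_field_index(*field_lists):
    """Merge the pairs from every lookup, keyed by lower-cased display name."""
    index = {}
    for pairs in field_lists:
        for display, system in pairs:
            index.setdefault(display.strip().lower(), set()).add(system)
    return index


def to_custom_fields(wanted, *field_lists):
    """Translate {display or system name: value} into {system name: value}.

    Raises ValueError naming every key that is unknown, ambiguous or set
    twice, so a mistyped field is caught before the command runs.
    """
    index = build_field_index(*field_lists)
    known_system = {s for names in index.values() for s in names}
    resolved, problems = {}, []
    for key, value in wanted.items():
        # A key that is already a system name is accepted as-is.
        matches = {key} if key in known_system else index.get(key.strip().lower(), set())
        if not matches:
            problems.append(f"{key!r} is not a known field")
            continue
        if len(matches) > 1:
            problems.append(f"{key!r} is ambiguous: {sorted(matches)}")
            continue
        system = next(iter(matches))
        if system in resolved:
            problems.append(f"{system!r} is set more than once")
        resolved[system] = value
    if problems:
        raise ValueError("; ".join(problems))
    return resolved


if __name__ == "__main__":
    wanted = {"Caller": "jane.doe", "short description": "Phishing report"}
    print(json.dumps(to_custom_fields(wanted, INCIDENT_FIELDS, TASK_FIELDS), indent=2))
```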
