
ServiceNow Integration

The Infracast ServiceNow integration connects to your ServiceNow instance to:

  • Sync discovered assets to the ServiceNow CMDB as Configuration Items (CIs)
  • Create incidents from Infracast findings
  • Sync POA&M items to ServiceNow GRC (Build 34+)

Prerequisites

  • ServiceNow instance (Tokyo release or later recommended)
  • A ServiceNow service account with the following roles:
    • cmdb_admin or asset — for CMDB CI creation/update
    • incident_manager or itil — for incident creation
    • sn_grc_analyst — for GRC/POA&M sync (optional)
  • Network connectivity from Infracast to your ServiceNow instance (HTTPS/443)

Creating a ServiceNow Service Account

  1. Log into ServiceNow as an administrator
  2. Navigate to User Administration → Users → New
  3. Fill in: First name, Last name, User ID (e.g., infracast-svc), Email
  4. Set a strong password and uncheck Password needs reset
  5. Go to the Roles tab and add:
    • asset (for CMDB)
    • itil (for incidents)
    • sn_grc_analyst (for GRC, if applicable)
  6. Submit
Tip: Use a non-interactive service account for Infracast. This ensures the account's password doesn't expire under your standard user password policy. Set the account's Password expiration policy to Never or use OAuth token authentication.
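To confirm the service account carries only the roles listed above, the following added example (not Infracast or ServiceNow code) audits the account's direct role grants. It assumes the standard ServiceNow Table API on the `sys_user_has_role` table with dot-walked `role.name` and `inherited` fields; the sample response is constructed.

```python
import json
from urllib.parse import urlencode

# Capability -> roles this page accepts for it (any one is enough).
REQUIRED = {"cmdb": {"cmdb_admin", "asset"},
            "incident": {"incident_manager", "itil"}}
OPTIONAL = {"grc": {"sn_grc_analyst"}}  # needed only when POA&M sync is on


def role_query_url(instance, user_id):
    """Table API URL listing the role grants of one user (assumed query)."""
    params = {"sysparm_query": f"user.user_name={user_id}",
              "sysparm_fields": "role.name,inherited"}
    return f"{instance}/api/now/table/sys_user_has_role?{urlencode(params)}"


def audit_roles(response_body, grc_enabled=False):
    """Return (capabilities with no role, direct roles beyond the page's list)."""
    rows = json.loads(response_body)["result"]
    # Roles contained in another role are marked inherited; audit direct grants.
    direct = {r["role.name"] for r in rows if r.get("inherited") != "true"}
    needed = {**REQUIRED, **(OPTIONAL if grc_enabled else {})}
    missing = sorted(cap for cap, roles in needed.items() if not roles & direct)
    allowed = set().union(*REQUIRED.values(), *OPTIONAL.values())
    return missing, sorted(direct - allowed)


# Constructed sample response body, not output from a real instance.
SAMPLE = json.dumps({"result": [
    {"role.name": "asset", "inherited": "false"},
    {"role.name": "itil", "inherited": "false"},
    {"role.name": "admin", "inherited": "false"},
    {"role.name": "view_changer", "inherited": "true"},
]})

if __name__ == "__main__":
    print(role_query_url("https://yourcompany.service-now.com", "infracast-svc"))
    print(audit_roles(SAMPLE, grc_enabled=True))
```

Any role reported in the second list, such as `admin` in the sample, is a direct grant beyond what the integration needs and is a candidate for removal.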

Configuring the Integration

Navigate to Settings → Integrations → Add Integration → ServiceNow:

| Field | Description |
|---|---|
| Instance URL | Your ServiceNow instance URL, e.g., https://yourcompany.service-now.com |
| Username | ServiceNow service account username |
| Password | Service account password |
| CMDB Sync Enabled | Toggle to push discovered assets as CIs |
| CI Class Mapping | Map Infracast asset types to ServiceNow CI classes (see below) |
| Incident Creation Enabled | Toggle to auto-create incidents from findings |
| Incident Assignment Group | ServiceNow group to assign new incidents to |
| Minimum Severity | Minimum finding severity to create an incident (e.g., High) |
| POA&M Sync Enabled | Toggle for GRC POA&M sync (requires Build 34+) |

CMDB Sync

When CMDB sync is enabled, Infracast pushes discovered assets to ServiceNow's CMDB on each discovery run. The default CI class mappings are:

| Infracast Asset Type | ServiceNow CI Class |
|---|---|
| aws.ec2.instance | cmdb_ci_vm_instance |
| azure.vm | cmdb_ci_vm_instance |
| kubernetes node | cmdb_ci_kubernetes_node |
| windows.server | cmdb_ci_win_server |
| cisco.device | cmdb_ci_netgear |
| vmware.vm | cmdb_ci_vmware_instance |

Custom mappings can be added in the integration configuration UI.

CMDB CI fields populated:

  • Name, IP address, MAC address
  • Operating system and version
  • Manufacturer, model
  • Last discovered date (updated on each sync)
  • Infracast node ID (stored in the correlation_id field for deduplication)

Incident Creation

When finding-based incident creation is enabled, Infracast creates a ServiceNow incident for each new finding that meets the configured severity threshold.

Incident fields populated:

  • Short description: [Infracast] {Finding title} on {Asset name}
  • Description: Full finding details, affected asset, remediation guidance
  • Category: Security
  • Impact / Urgency: Derived from finding severity (Critical → Impact 1, High → Impact 2, etc.)
  • Assignment group: As configured
  • CMDB CI: Linked to the affected CI if it exists in the CMDB

Infracast tracks the ServiceNow incident number to avoid creating duplicates for the same finding.

GRC / POA&M Sync (Build 34+)

Info: GRC integration requires Infracast Build 34 or later and the ServiceNow GRC module (sn_grc).

POA&M items created in Infracast are synced to ServiceNow GRC as Risk Statements or Issues (configurable). The sync is bidirectional — status updates made in ServiceNow are reflected in Infracast.

Synced fields:

  • Title, description, due date
  • Assigned user/team
  • Status (Open → In Progress → Resolved mapping)
  • Linked findings

Troubleshooting

401 Unauthorized or 403 Forbidden

Symptom: Test connection fails with auth error

Checks:

  1. Verify username/password are correct
  2. Confirm the user account is active and not locked out: User Administration → Users → [account]
  3. Verify the account has the required roles

CMDB CIs not appearing after sync

Symptom: Sync completes but CIs are not visible in ServiceNow

Checks:

  1. Check the sync logs in Settings → Integrations → [integration] → Logs
  2. Verify the service account has cmdb_admin or asset role
  3. Check if a ServiceNow transform map or Discovery source restriction is filtering out the CIs

Duplicate incidents being created

Symptom: Multiple ServiceNow incidents exist for the same Infracast finding

Cause: This can occur if the Infracast database was reset or the integration was re-created.

Fix: The integration uses the finding's unique ID as a correlation key. Re-link existing incidents by setting the correlation_id field on them to the Infracast finding ID. Contact support if the issue persists.
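The re-link described in the fix can be planned before anything is changed. This added example (not Infracast code) matches incidents to findings by the documented short description format and produces the `correlation_id` updates plus the leftover duplicates. It assumes a hypothetical export of findings with `id`, `title` and `asset` keys and incident records as returned by the ServiceNow Table API; all sample values are constructed placeholders.

```python
from collections import defaultdict


def expected_short_description(finding):
    """Short description format documented on this page."""
    return f"[Infracast] {finding['title']} on {finding['asset']}"


def plan_relink(findings, incidents):
    """Return (patches, duplicates) for a re-link after a reset.
    patches: (method, path, body) that set correlation_id on the incident
    to keep for each finding; duplicates: incident numbers left for review.
    """
    by_desc = defaultdict(list)
    for inc in incidents:
        by_desc[inc["short_description"]].append(inc)
    patches, duplicates = [], []
    for f in findings:
        # Prefer an incident already linked to this finding, then the oldest.
        matches = sorted(by_desc[expected_short_description(f)],
                         key=lambda i: (i["correlation_id"] != f["id"],
                                        i["opened_at"]))
        if not matches:
            continue
        keep, extra = matches[0], matches[1:]
        if keep["correlation_id"] != f["id"]:
            path = f"/api/now/table/incident/{keep['sys_id']}"
            patches.append(("PATCH", path, {"correlation_id": f["id"]}))
        duplicates += [i["number"] for i in extra]
    return patches, duplicates


# Constructed sample data: finding IDs, sys_ids and numbers are placeholders.
FINDINGS = [{"id": "finding-0001", "title": "TLS 1.0 enabled", "asset": "web-01"},
            {"id": "finding-0002", "title": "SSH root login", "asset": "db-02"}]
INCIDENTS = [
    {"number": "INC0010002", "sys_id": "sysid-b", "correlation_id": "",
     "opened_at": "2024-03-02 09:00:00",
     "short_description": "[Infracast] TLS 1.0 enabled on web-01"},
    {"number": "INC0010001", "sys_id": "sysid-a", "correlation_id": "",
     "opened_at": "2024-03-01 09:00:00",
     "short_description": "[Infracast] TLS 1.0 enabled on web-01"},
    {"number": "INC0010003", "sys_id": "sysid-c", "correlation_id": "finding-0002",
     "opened_at": "2024-03-03 09:00:00",
     "short_description": "[Infracast] SSH root login on db-02"},
]

if __name__ == "__main__":
    print(plan_relink(FINDINGS, INCIDENTS))
```

Review the plan before sending the PATCH requests; the duplicates list is for manual closure and is never modified by this code.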

POA&M sync not working (Build 34)

Symptom: POA&M items are not appearing in ServiceNow GRC

Checks:

  1. Confirm you are running Infracast Build 34 or later: Settings → About
  2. Verify the GRC module is installed in ServiceNow: sn_grc plugin
  3. Confirm the service account has the sn_grc_analyst role