ServiceNow
Overview
Visualize and analyze ServiceNow resources, including incidents, change requests, problems, and tasks. Monitor visibility, governance, and automate workflows for better management of IT service management (ITSM) processes. Track issue resolutions, improve operational efficiency, and ensure compliance by identifying risks and vulnerabilities in service operations. Optimize workflows and enhance the quality of service delivery.
Configurations
| Configuration | Description |
|---|---|
| Blueprint Account Name | A human-readable name for your account that will be used to identify this account across the application. |
| Servicenow Username | The username you use to log in to your ServiceNow instance. This should have the necessary permissions to access the required data. |
| Servicenow Password | The password for the above username. |
| Servicenow Workspace Name | The name of the workspace within ServiceNow from which you want to crawl data. This is usually the name of the project or environment you're focusing on. (i.e. dev-test-env) |
| Data Crawl Frequency | The frequency at which Kscope will crawl your ServiceNow instance to retrieve and update data. |
Permissions
ServiceNow Data
users:readuser_groups:readaccounts:read
CMDB Data
cmdb_items:read
Incidents Data
incidents:read
Remediation
change_requests:writeincidents:write
Permission Details
| Permission | Role | Why it's needed |
|---|---|---|
users:read | user_admin | Read user information |
user_groups:read | user_admin | Read user group information |
accounts:read | user_admin | Read account information |
cmdb_items:read | cmdb_read | Read CMDB configuration items |
incidents:read | incident_manager | Read incident records |
change_requests:write | change_manager, itil, admin | Create change requests for remediation tickets |
incidents:write | itil, incident_manager | Create incident records for compliance/AML-SAR investigations |
For more information on ServiceNow permissions, you can refer to:
Remediation
The ServiceNow blueprint supports automated remediation — Kscope can create either a change request (for infrastructure remediation approvals) or an incident (for compliance / AML-SAR investigations) directly from insights.
Actions
| Action | Target table | Use case |
|---|---|---|
change_request.create | change_request | Infrastructure or configuration remediation that requires CAB approval. |
incident.create | incident | Compliance or AML/SAR investigation records. Use category=compliance, subcategory=aml_sar so FinCrime operations can filter them out of the standard incident queue. |
When the action argument is omitted, the remediator defaults to change_request.create to preserve backwards compatibility.
Fields
| Field | Applies to | Description |
|---|---|---|
| Action | both | change_request.create or incident.create |
| Short Description | both | Brief title of the record |
| Description | both | Detailed description or runbook body |
| Category | both | Record category. change_request defaults to Other; for incident use inquiry or compliance. |
| Subcategory | incident.create only | For a SAR investigation, pass aml_sar. |
| Priority | both | 1 = Critical, 2 = High, 3 = Moderate, 4 = Low, 5 = Planning (default: 3) |
| Type | change_request.create only | normal, standard, or emergency (default: normal) |
| Risk | change_request.create only | high, moderate, or low |
| Impact | both | 1 = High, 2 = Medium, 3 = Low |
| Urgency | incident.create only | 1 = High, 2 = Medium, 3 = Low |
| Assignment Group | both | sys_id or name of the assignment group |
| Assigned To | both | sys_id or username of the assigned user |
| Caller ID | incident.create only | sys_id of the user that opened the incident |
| State | both | Initial record state |
| Custom Fields | both | Additional fields as a JSON string |
| Attachment Filename | incident.create only | Filename for an optional attachment uploaded to the new incident |
| Attachment Content | incident.create only | Raw file body. When present, uploaded against the incident after it is created. Plain UTF-8 for text; base64 when paired with attachmentEncoding. |
| Attachment Content Type | incident.create only | MIME type of the attachment (default: text/markdown) |
| Attachment Encoding | incident.create only | How attachmentContent is encoded on the wire. Leave empty for plain text (e.g. markdown). Set to base64 when attaching binary files such as PDFs — the remediator decodes before uploading. |
note
Remediation requires the appropriate write permission: change_requests:write for change requests, incidents:write for incidents. See the Permissions section.
Schema Model
| Resources | Source Entity | Normalized Entity | Description |
|---|---|---|---|
| ServiceNow User | servicenow.workspace.User | User | A user within the ServiceNow workspace. |
| ServiceNow User Group | servicenow.workspace.UserGroup | UserGroup | A group of users in the ServiceNow workspace. |
| ServiceNow Workspace | servicenow.workspace.Workspace | Workspace | A workspace within ServiceNow. |
| ServiceNow SysDomain | servicenow.workspace.SysDomain | SysDomain | A system domain in the ServiceNow environment. |
| ServiceNow CMDB Item | servicenow.workspace.CMDBItem | CMDBItem | A configuration item in the ServiceNow CMDB. |
| ServiceNow Attribute | servicenow.workspace.Attribute | Attribute | An attribute of a record in ServiceNow. |
| ServiceNow ReferenceField | servicenow.workspace.ReferenceField | ReferenceField | A reference field within ServiceNow. |
| ServiceNow Incident | servicenow.workspace.Incident | Incident | An incident record in the ServiceNow system. |
| ServiceNow Account | servicenow.workspace.Account | Account | An account within the ServiceNow workspace. |