Skip to main content
Sumo Logic

Set Up a ServiceNow Incident Webhook Connection

This page shows you how to set up a ServiceNow Incident Webhook connection, and create scheduled searches for the connection.

About Webhooks and ServiceNow Incidents

A Webhook is an HTTP callback: an HTTP POST that occurs when something happens.  Webhook connections allow you to send Sumo Logic alerts to third-party applications that accept incoming Webhooks.

An incident is an unplanned interruption that has occurred in your business and this is reported in ServiceNow via an ITSM incident.

A security incident is an unplanned security related interruption that has occurred in your business and this is reported in ServiceNow via a security incident.

Setting up a Webhook connection for ServiceNow

To set up a ServiceNow Incident Webhook connection

  1. Go to Manage Data > Alerts > Connections.
  2. On the Connections page click Add.
  3. Click Webhook.
  4. In the Create Connection dialog, enter the Name of the connection.
  5. (Optional) Enter a Description for the connection.
  6. Enter one of the following based on your whether you want to create ITSM or Security incidents: 
  • To create ServiceNow ITSM Incidents, enter the URL for the ServiceNow Incident endpoint. 



  1. Enter Authorization Header. For more information, see the help page for Webhook connections Example Authorization Header.
  2. For Payload, enter an incident JSON object. The following are example JSONs.
  • For Security Incidents:
"short_description": "Sumo Logic - Search fired",
"caller": "admin",
"comments": "Total number of records returned: {{NumRawResults}}"
  • For ITSM Incidents:
"short_description": "Sumo Logic - Search fired",
"caller_id": "admin",
"comments": "Total number of records returned: {{NumRawResults}}"

For a complete list of fields that can be sent in the payload, see the Webhook payload variables section that follows.

serviceNow webhook configuration.png

  1. Click Save.
  2. After configuring the connection, continue with Testing the connection. and then create a scheduled search to send alerts to this connection.

Testing the connection

After configuring the connection, click Test Connection. If the connection is made, you will see a 201 OK response message.

If the connection is successful, you'll see a security incident being created in ServiceNow. There won't contain any information from the scheduled search, it will just have the text in the payload.

ServiceNow Security Table and ITSM Incident Import Table Fields

To determine the available fields and generate a sample payload for the ServiceNow ITSM Incidents and ServiceNow Security Incidents, see the ServiceNow documentation.

Once you are satisfied with the payload, copy the payload into the Sumo Logic payload field under the Webhook connection.

Webhook payload variables

If needed, you can customize Payloads for each scheduled search. If you’d like to use the default payload, leave this as-is.

See Webhook payload variables on the Set Up Webhook Connections page for more details. 

Example payloads for ServiceNow incidents

Payload with short_description, comments and caller_id:
"short_description": "Sumo Logic - Search fired",
"caller": "admin",
"comments": "The search Top Hosts has been Fired"
Payload for a scheduled search with a variable:
"short_description": "Sumo Logic - Search fired",
"caller": "admin",
"comments": "Total number of records returned: {{NumRawResults}}",
"severity": "3",
"category": "Inquiry"
Payload with additional fields:
"external_url": "{{SearchQueryUrl}}",
"severity": "3",
"short_description": "Sumo Logic - {{SearchName}} fired at {{FireTime}}",
"category": "Unauthorized access",
"subcategory": "Unauthorized login attempts",
"cmdb_ci": "ebc85e764fa0830068fe7bb28110c7c5",
"description": "{{AggregateResultsJson}}",
"affected_user": "admin",
"caller": "admin",
"assignment_group": "dea26263ff0331007a6dffffffffff19",
"vendor_reference": "Sumo Logic",
"work_notes": "{{RawResultsJson}}",
"assigned_vendor": "Okta",
"business_service": "Single Sign-On",
"contact_type": "SIEM",
"comments": "{{TimeRange}} for {{SearchDescription}}",
"source_ip": ""

Incidents for Domain Separation (for both ITSM and Security incidents) 

With domain separation in ServiceNow, you can separate data, processes, and administrative tasks into logically defined domains. To send ITSM or security incidents to the right domain, as part of the Webhook payload, send “company” as part of payload and set it to your customer’s company sysid (32-bit GUID) to ensure the incident is inserted in the proper ServiceNow domain. You will also need to ensure the following:

  1. Business rules are running for your import set as documented here

  2. The company field in the import map is set to reject if the company name doesn’t exist as documented here