ServiceNow — ARX Docs

Overview¶

The ServiceNow connector integrates ARX with the ServiceNow platform via its REST API (Table API, CMDB API, and Service Catalog API). It provides programmatic access to IT service management workflows. It supports 26 operations across eight API families.

Authentication: Basic authentication (username and password) against a ServiceNow instance.
Key capabilities:
Full CRUD lifecycle for incidents, change requests, and problems
CMDB configuration item queries, relationship traversal, and updates
Knowledge base article management
User and group lookups
Attachment queries and uploads
Service catalog browsing and ordering

All operations are policy-evaluated and audit-logged through the ARX BaseConnector framework.

Prerequisites¶

Requirement	Details
ServiceNow Instance	An active ServiceNow instance (e.g., `https://your-instance.service-now.com`)
Username	A ServiceNow user account with REST API access
Password	The password for the service account
Roles	Assign appropriate roles: `itil` for incident/change/problem management, `cmdb_read`/`cmdb_write` for CMDB, `knowledge` for KB articles, `catalog` for service catalog
REST API Access	Ensure the instance has REST API enabled (enabled by default on most instances)

Store credentials in the ARX vault under the key servicenow with fields instance_url, username, and password.

SDK Usage¶

from arxsec import ARXClient

arx = ARXClient()

# Query high-priority open incidents
incidents = await arx.execute(
    connector="servicenow",
    operation="incidents:read",
    params={
        "sysparm_limit": 50,
        "sysparm_query": "priority=1^state!=7",
    },
)

# Create a new incident
new_incident = await arx.execute(
    connector="servicenow",
    operation="incidents:create",
    params={
        "short_description": "Suspicious login activity detected",
        "description": "Multiple failed login attempts from unusual IP range",
        "urgency": "1",
        "impact": "2",
        "category": "Security",
        "assignment_group": "sys_id_of_soc_group",
    },
)

# Query CMDB for affected servers
ci_items = await arx.execute(
    connector="servicenow",
    operation="cmdb:query",
    params={
        "sysparm_limit": 100,
        "sysparm_query": "os_domainLIKEprod^operational_status=1",
    },
)

Operations¶

Incidents (6 operations)¶

Operation ID	Description	Risk	Method
`incidents:read`	Query incidents with optional filters	LOW	GET
`incidents:read_detail`	Get a single incident by sys_id	LOW	GET
`incidents:create`	Create a new incident	MEDIUM	POST
`incidents:update`	Update an existing incident	MEDIUM	PATCH
`incidents:close`	Close an incident (state=7, configurable escalation)	MEDIUM	PATCH
`incidents:delete`	Delete an incident record	HIGH	DELETE

Change Requests (5 operations)¶

Operation ID	Description	Risk	Method
`changes:read`	Query change requests with optional filters	LOW	GET
`changes:read_detail`	Get a single change request by sys_id	LOW	GET
`changes:create`	Create a new change request	MEDIUM	POST
`changes:update`	Update an existing change request	MEDIUM	PATCH
`changes:close`	Close a change request (state=closed)	MEDIUM	PATCH

Problems (3 operations)¶

Operation ID	Description	Risk	Method
`problems:read`	Query problems with optional filters	LOW	GET
`problems:create`	Create a new problem record	MEDIUM	POST
`problems:update`	Update an existing problem record	MEDIUM	PATCH

CMDB (4 operations)¶

Operation ID	Description	Risk	Method
`cmdb:read`	Get a CMDB configuration item instance	LOW	GET
`cmdb:query`	Query CMDB configuration items	LOW	GET
`cmdb:relationships`	Get relationships for a CMDB configuration item	LOW	GET
`cmdb:update`	Update a CMDB configuration item instance	MEDIUM	PATCH

Knowledge Base (2 operations)¶

Operation ID	Description	Risk	Method
`kb:read`	Query knowledge base articles	LOW	GET
`kb:create`	Create a knowledge base article	LOW	POST

Users and Groups (2 operations)¶

Operation ID	Description	Risk	Method
`users:read`	Query ServiceNow users	LOW	GET
`groups:read`	Query ServiceNow user groups	LOW	GET

Attachments (2 operations)¶

Operation ID	Description	Risk	Method
`attachments:read`	Query attachments	LOW	GET
`attachments:upload`	Upload an attachment to a record	MEDIUM	POST

Service Catalog (2 operations)¶

Operation ID	Description	Risk	Method
`catalog:read`	List service catalog items	LOW	GET
`catalog:order`	Order a service catalog item	MEDIUM	POST

Risk Classifications¶

Level	Criteria	Examples
LOW	Read/query operations, knowledge base writes, user and group lookups	`incidents:read`, `changes:read_detail`, `problems:read`, `cmdb:query`, `cmdb:relationships`, `kb:read`, `kb:create`, `users:read`, `groups:read`, `attachments:read`, `catalog:read`
MEDIUM	Create and update operations for incidents, changes, problems, CMDB items; attachment uploads; catalog orders	`incidents:create`, `incidents:update`, `incidents:close`, `changes:create`, `changes:update`, `changes:close`, `problems:create`, `problems:update`, `cmdb:update`, `attachments:upload`, `catalog:order`
HIGH	Delete operations that permanently remove records	`incidents:delete`

Policy Examples¶

Allow SOC agents to create and update incidents but not delete¶

rules:
  - name: "Allow incident management"
    connector: servicenow
    operations:
      - "incidents:read"
      - "incidents:read_detail"
      - "incidents:create"
      - "incidents:update"
      - "incidents:close"
    action: allow

  - name: "Block incident deletion"
    connector: servicenow
    operations:
      - "incidents:delete"
    action: deny
    reason: "Incident deletion is not permitted. Close incidents instead."

Require approval for change request creation¶

rules:
  - name: "Allow change request reads"
    connector: servicenow
    operations:
      - "changes:read"
      - "changes:read_detail"
    action: allow

  - name: "Require approval for change creation"
    connector: servicenow
    operations:
      - "changes:create"
    action: require_approval
    approvers:
      - role: change_manager
    notify:
      - channel: "#change-advisory-board"

  - name: "Allow change updates after approval"
    connector: servicenow
    operations:
      - "changes:update"
      - "changes:close"
    action: allow

Allow CMDB reads for all agents, restrict writes¶

rules:
  - name: "Allow CMDB reads for all"
    connector: servicenow
    operations:
      - "cmdb:read"
      - "cmdb:query"
      - "cmdb:relationships"
    action: allow

  - name: "Restrict CMDB updates to asset management"
    connector: servicenow
    operations:
      - "cmdb:update"
    action: allow
    conditions:
      agent_role: asset_management

  - name: "Deny CMDB updates for all others"
    connector: servicenow
    operations:
      - "cmdb:update"
    action: deny