ServiceNow Integration¶
Faraday's ServiceNow integration allows you to export confirmed vulnerabilities as ServiceNow incidents. Vulnerabilities are sent to ServiceNow's Incident table with configurable category, subcategory, and a Jinja2 template for incident description formatting. Evidence attachments are also supported.
Availability: Commercial feature (requires licensed Faraday instance).
Verified against: Faraday Server v5.19.0 codebase, wiki doc dated 2023-01-26.
Overview¶
| Feature | Details |
|---|---|
| Export vulnerabilities as ServiceNow incidents | Yes |
| Evidence attachment support | Yes |
| Jinja2 template for incident description | Yes |
| Category and subcategory mapping | Yes |
| Credential override at send time | Yes |
| Authentication | ServiceNow instance credentials (URL + user/pass) |
Prerequisites¶
- A running Faraday Server instance (commercial edition)
- A ServiceNow instance with Incident table access
- A ServiceNow user account with permissions to create incidents and add attachments
- Network connectivity between Faraday Server and ServiceNow
Step 1: Configure ServiceNow Settings in Faraday¶
Access Settings¶
- Log in to the Faraday Web UI.
- Click your username at the top-right and select Settings.
- Navigate to Ticketing Tools and select ServiceNow.
Configure Connection¶
| Field | Description | Example |
|---|---|---|
| URL | ServiceNow instance URL | https://your-instance.service-now.com |
Configure Incident Defaults¶
Category and Subcategory¶
Select the incident category and subcategory from the dropdown menus. These values map to ServiceNow's incident classification taxonomy. When vulnerabilities are sent, the incidents will be created with the configured category and subcategory.
For available categories, refer to your ServiceNow instance's Incident category configuration.
Template¶
Select a Jinja2 template for formatting the incident description. Templates define how vulnerability data is rendered as the ServiceNow incident body.
Templates must be placed in:
/home/faraday/.faraday/integrations_templates/
Step 2: Create a Template¶
Simple Template¶
{# Service now integration #}
Name: {{ vuln.name }}
Target: {{ target }}
Hostnames:
{% for hostname in hostnames %}
- {{ hostname }}
{% endfor %}
Severity: {{ severity }}
Comprehensive Template¶
{# This is a Template for Faraday ServiceNow Integration #}
{# Pre-Flight Adjustments #}
{% set issuetracker_config = 'service now' %}
{% set http_size_config = 4096 %}
{% if 'med' in vuln.severity %}
{% set corrected_severity = 'Medium' %}
{% else %}
{% set corrected_severity = vuln.severity %}
{% endif %}
{# Issue template structure #}
{% if 'VulnerabilityWeb' in vuln.type %}
# [{{ corrected_severity | capitalize }}] {{ vuln.name }} - ({{ vuln.path }})
{% else %}
# [{{ corrected_severity | capitalize }}] {{ vuln.name }}
{% endif %}
## Description
{{ vuln.desc }}
#### This issue has been rated as: `{{ corrected_severity | capitalize }}`
Affected Asset: {{ vuln.target }}
{% if vuln.website %}
Affected URL: {{ vuln.website }}{{ vuln.path }}
{% endif %}
{% if vuln.hostnames %}
#### Hostnames
{% for hostname in vuln.hostnames %}
- {{ hostname }}
{% endfor %}
{% endif %}
## Recommendations
{{ vuln.resolution }}
{% for ref in vuln.refs %}
- {{ ref }}
{% endfor %}
{% if vuln.easeofresolution %}
#### Estimated ease of resolution
{{ vuln.easeofresolution | capitalize }}
{% endif %}
### Technical Details
{% if vuln.data %}
#### Proof of Concept
{{ vuln.data }}
{% endif %}
{% if vuln.request %}
#### Request
{{ vuln.request | truncate(http_size_config, False, '...', 0) }}
{% endif %}
{% if vuln.response %}
#### Response
{{ vuln.response | truncate(http_size_config, False, '...', 0) }}
{% endif %}
## Issue [{{ vuln.id }}] {{ vuln.name }} [{{ vuln.status }}]
{% for key, value in vuln.issuetracker_json.items() %}
{% if issuetracker_config in key %}
This issue has already been reported in this platform:
- {{ key | capitalize }}
{% for line in value %}
- Issue: {{ line.url }}
{% endfor %}
{% endif %}
source: created by {{ vuln.owner or "faraday" }} using {{ vuln.tool }} - {{ vuln.external_id }} - {{ vuln.date }}
{% endfor %}
{# end of file #}
Template Configuration Directives¶
| Directive | Value | Purpose |
|---|---|---|
issuetracker_config |
'service now' |
Identifies the integration for issuetracker reference lookups |
http_size_config |
4096 |
Max characters for HTTP request/response fields (truncated with \|truncate()) |
Template Variables¶
The following vulnerability fields are available via the vuln object:
| Variable | Description |
|---|---|
vuln.id |
Faraday vulnerability ID |
vuln.name |
Vulnerability name |
vuln.desc |
Description |
vuln.severity |
Severity level (critical, high, med, low, info) |
vuln.status |
Current status (open, closed, re-opened, risk-accepted) |
vuln.target |
Affected asset/host |
vuln.type |
Vulnerability type (e.g., VulnerabilityWeb) |
vuln.website |
Website URL (web vulns only) |
vuln.path |
URL path (web vulns only) |
vuln.hostnames |
List of associated hostnames |
vuln.resolution |
Recommended remediation |
vuln.refs |
List of references |
vuln.easeofresolution |
Estimated ease of resolution |
vuln.data |
Proof of concept / technical data |
vuln.request |
HTTP request (web vulns only) |
vuln.response |
HTTP response (web vulns only) |
vuln.tool |
Tool that discovered the vulnerability |
vuln.owner |
Vulnerability owner/creator |
vuln.external_id |
External identifier |
vuln.date |
Discovery date |
vuln.issuetracker_json |
Dict of issue tracker references |
Step 3: Export Vulnerabilities to ServiceNow¶
- In the Faraday Web UI, go to Manage > Vulns.
- Select one or more confirmed vulnerabilities.
- Click Tools (context menu) and select ServiceNow.
- A dialog appears with two options:
- Use default data: Uses the URL and credentials saved in Settings.
- Override credentials: Check the override box and enter custom ServiceNow URL and credentials for this export.
- Click OK to send the vulnerabilities.
Sending Evidence¶
Vulnerability evidence (attachments) can be sent to ServiceNow as incident attachments. Requirements:
- Your ServiceNow user must have permissions to add attachments to incidents.
- The attachment size allowed by your ServiceNow instance must be greater than the size of the evidence being sent.
Tracking Exported Vulnerabilities¶
- Add the issuetracker column to the vulnerability table to see links to created ServiceNow incidents.
- Click the link to open the incident directly in ServiceNow.
- The
issuetracker_jsonfield provides structured details (incident URL, ID) and can be used in Executive Reports.
Permissions¶
| Permission Unit | ID | Group | Description |
|---|---|---|---|
service_now |
17 | integrations |
ServiceNow integration CRUD operations |
active_integrations |
19 | integrations |
View/manage active integrations |
integrations_auth |
41 | integrations |
Integration authentication management |
The ticketing.servicenow extra permission controls access to the ServiceNow
ticketing feature in the vulnerability context menu.
Role-Based Access¶
| Role | CREATE | READ | UPDATE | DELETE |
|---|---|---|---|---|
| Admin | Yes | Yes | Yes | Yes |
| Asset Owner | Varies | Varies | Varies | Varies |
| Pentester | Yes | Yes | Yes | Yes |
| Client | Limited | Limited | Limited | Limited |
Data Model¶
Configuration Storage¶
ServiceNow integration settings are stored in the configuration database
table under the key servicenow_integration as a JSON object containing the
ServiceNow URL and related settings.
SELECT key, value FROM configuration WHERE key = 'servicenow_integration';
Vulnerability Fields¶
| Field | Type | Purpose |
|---|---|---|
issuetracker |
Text (JSON) | Stores ServiceNow incident reference |
issuetracker_json |
JSON (API) | Structured incident details for API/reports |
Note: ServiceNow does not have a dedicated UserToken scope (unlike Jira and GitLab). Authentication is handled via the configuration settings rather than scoped tokens.
Troubleshooting¶
| Problem | Possible Cause | Solution |
|---|---|---|
| Cannot connect to ServiceNow | Invalid URL | Verify the ServiceNow URL is correct and accessible from Faraday Server |
| Incidents not created | Permission denied | Ensure the ServiceNow user has permission to create incidents |
| Evidence not attached | File too large | Check ServiceNow's attachment size limit and reduce evidence size |
| Template errors | Invalid Jinja2 syntax | Review template syntax; test with a simple template first |
| Category/subcategory missing | Not configured | Set category and subcategory in the Ticketing Tools settings |
Changelog¶
| Date | Change |
|---|---|
| 2023-01-26 | Original wiki documentation published |
| 2026-02-27 | Updated: verified against v5.19.0 codebase, added permissions model (UNIT_SERVICE_NOW ID 17), data model details, template variable reference, role-based access, expanded troubleshooting, clarified that ServiceNow has no dedicated token scope |
Source References¶
- Wiki source:
repos/faraday-wiki/docs/integration-servicenow.md - Permission definitions:
faraday/server/utils/permissions.py—UNIT_SERVICE_NOW - Extra permissions:
faraday/server/api/base.py(line ~2092) —ticketing.servicenow - Configuration model:
faraday/server/models.py(line ~3641) - Migration (config table):
faraday/migrations/versions/b49d8efbd0c2_add_configuration_table.py - VulnerabilityGeneric model:
faraday/server/models.py(line ~1431) —issuetracker - Vulnerability schema:
faraday/server/api/modules/vulns_base.py(line ~299) —issuetrackerserialization