ServiceNow Integration

BreachSpider can create incidents in your ServiceNow instance directly from findings. This integration is available on Professional tier and above.


Setting Up the Connection

  1. Navigate to Integrations > Connections > Add Connection.
  2. Select ServiceNow as the connection type.
  3. Fill in the connection details:

Instance URL (required): Your ServiceNow instance URL. Example: https://yourcompany.service-now.com.

Authentication: BreachSpider authenticates using a ServiceNow integration user:

  • Username: A ServiceNow user with permission to create incidents.
  • Password: The user's password.

Best practice: Create a dedicated integration user (e.g., breachspider_integration) with the minimum permissions needed to create and update incidents. Do not use a personal account.

Assignment Group (required): The ServiceNow assignment group for created incidents. Example: "OT Security", "Network Operations", "IT Patching". This must match an existing assignment group in your ServiceNow instance.

Category (optional): The incident category. Example: "Security", "Vulnerability".

  4. Click Test Connection to verify authentication and incident creation permissions.
  5. Click Save.

How Incidents Are Created

When a ticket is created with ServiceNow as the destination, BreachSpider creates an incident with:

Short Description: The ticket title. Example: "CVE-2025-32433 - Critical pre-auth RCE in Erlang/OTP SSH"

Description: Full context including CVE ID, BSID, affected asset, environment, scoring data (BCS, CVSS, EPSS), KEV status, exploit maturity, SAGE analysis summary, patch status, and a link to the finding in BreachSpider.

Impact and Urgency: Mapped from the BCS score:

BCS Range     Impact        Urgency
9.0 - 10.0    1 - High      1 - High
7.0 - 8.9     2 - Medium    1 - High
4.0 - 6.9     2 - Medium    2 - Medium
0.1 - 3.9     3 - Low       3 - Low

Assignment Group: Set from the connection configuration.

Assigned To: Set from the ticket's assignee email if it matches a ServiceNow user.

Category: Set from the connection configuration if specified.


ServiceNow Custom Fields

If your ServiceNow instance has custom fields for vulnerability tracking (e.g., CVE ID, CVSS score), contact support to discuss custom field mapping. The default integration populates the standard incident fields described above.


Multiple Assignment Groups

To route findings to different teams, create multiple ServiceNow connections, each with its own assignment group:

  • Connection 1: Assignment Group "OT Security" for OT findings
  • Connection 2: Assignment Group "IT Patching" for OS findings
  • Connection 3: Assignment Group "Network Operations" for NETWORK findings

Reference the appropriate connection in each auto-ticket rule.


State Synchronization

BreachSpider does not currently sync incident state back from ServiceNow. When an incident is resolved in ServiceNow, close the corresponding ticket in BreachSpider to maintain the audit trail.


Troubleshooting

"Authentication failed": Verify the username and password. Ensure the integration user account is active and not locked.

"Assignment group not found": The group name must match exactly as it appears in ServiceNow. Check for trailing spaces or case differences.

"Insufficient permissions": The integration user needs the incident_create role or equivalent permissions to create incidents.

"Connection timeout": Verify the instance URL is correct and accessible from the BreachSpider servers. If your ServiceNow instance is behind a corporate firewall, you may need to allowlist BreachSpider's IP ranges (contact support for the current list).