# ServiceNow Integration

### Steps to Integrate

#### **Step 1: Create a Trigger for ServiceNow**

* Visit the **Webhooks** page in AIR,
* Click the "**+ New Webhook**" button in the upper right corner,
* Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
* Select "**ServiceNow: Generic ServiceNOW Webhook Parser**" as the parser for this webhook,
* Select an **Acquisition Profile** when ServiceNow activates this webhook,
* Select the **Ignore** option or leave with its default value (defaults to 24 hours for recurrent alerts for a single endpoint),
* Provide other settings such as **Evidence Repository**, **CPU Limit**, **Compression & Encryption** to use or let AIR configure them automatically based on the matching policy,
* Click the "**Save**" button,
* Hover your mouse over the link below the Webhook name and double-click to copy.

#### **Step 2: Creating the Integration Settings in ServiceNow**

* Open the Business Rules under the System Definitions and click **New**,
* Give your new Business Rule a descriptive name, choose the table you want it to trigger on, and check the **Advanced** box.
* Under the option: **When**, choose **after.** You can use various conditions and filtering functions accordingly.
* Click the **Advanced** Tab and paste the following script. **Change the 5th line** \<insert webhook URL> with the webhook link you copied in **Step 1**.
* ```javascript
  (function executeRule(current, previous /*null when async*/) {
      try {
          var r = new sn_ws.RESTMessageV2();
  	// paste related webhook url below
          var airwebhookurl = "<insert webhook URL>";
          //defining the hostname of endpoint or ip
          var endpointIP = current.getValue("hostname");     

          r.setRequestHeader("Content-Type","application/json");
          r.setHttpMethod("post");
          r.setStringParameter("baseUrl",airwebhookurl);

          var obj = {
              "endpoint": endpointIP
          };
  		
          var body = JSON.stringify(obj);
          r.setRequestBody(body);

          var response = r.execute();
          var httpStatus = response.getStatusCode();
          if(httpStatus==200) {
              gs.info("Webhook target HTTP status response: " + httpStatus);
              return httpStatus;
          } else {
              gs.log(response.getErrorCode()+"---"+response.getErrorMessage());
              return httpStatus;
          }

      } catch (ex) {
          var message = ex.message;
  		gs.error("Error message: " + message);
      }

      gs.info("Webhook target HTTP status response: " + httpStatus);

  })(current, previous);
  ```
* Click **Submit** on the top right.

#### **Step 3: Testing the business rule.**

Once you have set up the webhook, you can test the business rule based on the triggering conditions. Check the response body for the data being sent from ServiceNow.