Sample ServiceNow integration
This sample integration shows how a customer bidirectionally synced their ServiceNow cases with the Arctic Wolf® Ticket API.
The integration syncs ServiceNow Customer Service Management (CSM) cases and Arctic Wolf tickets in both directions. It regularly pulls ticket updates, creates or updates cases, and sends comments and closures back to Arctic Wolf. The integration includes these features:
- Support for multiple MSP child Arctic Wolf organizations
- Ticket, comment, and work note synchronization
- Priority and status mapping
- Assignment group and user mapping
- Contract and entitlement auto-assignment
- Automatic retry mechanism when actions fail
Tools used
- ServiceNow — Main ticketing tool
ServiceNow ticket integration components
The customer used various ServiceNow features to configure the integration with the Ticket API.
- Script include — The ServiceNow script include configures the main integration logic and API wrapper. It defines the frequency of synchronization, authenticates the API, and maps Arctic Wolf priority values to ServiceNow.
- Scheduled job — The ServiceNow job runs every five minutes and includes tasks such as running the sync ticket action, logging results, and notifying the integration administrator.
- Business rules — After any ticket is updated, the integration runs two business rules, one for closing cases and one for posting comments. For a rule to apply to a case, the case status must be closed and the contact must be Arctic Wolf.
- Dictionary entry — The custom dictionary entry stores mappings between organization IDs and their applicable PODs.
Automation workflow for syncing ServiceNow and Arctic Wolf tickets
The ServiceNow automation syncs tickets between ServiceNow and Arctic Wolf, including inbound and outbound updates with a built-in failure retry mechanism.
Inbound data sync
- Every five minutes, the system runs the scheduled job.
- The automation gets the previous sync results from the system property.
- The automation retries all previous failures and then attempts to sync again.
- The automation queries all accounts with an Arctic Wolf ID, and then parses the organization ID and POD.
- For each organization, the automation calls the Ticket API, fetches tickets updated in the last five minutes, and then filters the results by status and priority.
- For each update, the automation checks to see if a ServiceNow case exists. If the case:
- Exists — The automation updates the title, description, priority, status, hold reason, assignees, and comments as needed.
- Does not exist — The automation creates a case and then maps the ticket fields to case fields, sets an assignment group, finds contracts and entitlements, maps an assignee, converts Markdown comments to HTML work notes, and escalates as needed.
- The automation records all results in the system property, identifying which updates were successful and which failed.
Outbound data sync
- The system runs the two ServiceNow business rules to close cases and post comments.
- The business rules extract details such as close notes and comments.
- The business rules parse the organization ID, POD, and ticket ID.
- The business rules call the Ticket API to close the ticket or post the comments as needed.
Failure retry mechanism
- The system reads the latest sync results and extracts previous failures.
- The system attempts to re-sync failed tickets before processing new updates.
- If the retry succeeds, the item is moved to a successes array.
- If the retry fails again, the item remains in the failures array.
- The mechanism saves the results back to the system property for the next run.
Sample ServiceNow field mappings
These sample field mappings show how a customer mappedServiceNow and Arctic Wolf fields.
Fields for case creation
| Arctic Wolf field | ServiceNow field | Mapping notes |
|---|---|---|
id |
u_external_guid |
Format: {pod}:{ticketId} |
organizationId |
account |
Mapping defined in the ServiceNow dictionary entry |
| N/A | contact_type |
Hard-coded as Arctic Wolf |
title |
short_description |
Direct mapping |
description |
description |
Converted from Markdown to HTML |
priority |
priority |
|
status |
state |
|
assignee.email |
assigned_to |
Only maps if the email belongs to a specific domain |
comments |
work_notes |
Formatted with author and timestamp in HTML |
This customer also had customizations configured for ServiceNow-specific fields such as assignment_group, contract, entitlement, and case categories and types.
Ticket priority
| Arctic Wolf priority | ServiceNow priority |
|---|---|
| Low | 4 |
| Normal | 4 |
| High | 3 |
| Urgent | 1 |
Statuses
| Arctic Wolf status | ServiceNow state | State value | Additional fields |
|---|---|---|---|
| NEW | New | 1 | |
| OPEN | Open | 10 | |
| PENDING | On Hold | 18 | u_hold_reason = Awaiting Client |
| HOLD | On Hold | 18 | u_hold_reason = Awaiting Vendor |
| CLOSED | Resolved | 6 | resolved_by, resolution_code = Resolved - Internal, close_notes |
ServiceNow ticket integration sample outputs and code
Use the sample outputs and code while building your ServiceNow Ticket API integration.
Sync results object
The
syncTickets() method returns a results object stored in system property:
JSON
{
"sync_time": "2024-01-01T12:00:00Z", // Current sync timestamp
"updated_after": "2024-01-01T11:55:00Z", // Looked for tickets updated after this time
"total_ticket_count": 15, // Total tickets processed
"successes": [
{
"pod": "<pod>",
"ticketId": "<ticket_id>",
"organizationId": "<org_id>",
"sync_action": "create", // or "update"
"success": true,
"case_sys_id": "<case_id>"
}
],
"failures": [
{
"pod": "<pod>",
"ticketId": "<ticket_id>",
"organizationId": "<org_id>",
"sync_action": "update",
"success": false,
"case_sys_id": null // or existing case ID
}
]
}Polling logic
JAVASCRIPT
// Get tickets updated in last 5 minutes
pollingIntervalMinutes = 5
currentTime = now()
updatedAfter = currentTime - pollingIntervalMinutes
// For updates: Only add comments newer than last poll
if (isUpdate) {
// Filter comments by createdAt > (lastSyncTime OR currentTime - 5 minutes)
}Error handling
All API methods use try-catch blocks:
JAVASCRIPT
try {
var response = r.execute();
var httpStatus = response.getStatusCode();
return JSON.parse(responseBody);
} catch(ex) {
gs.info("ArcticWolf - {method} - Error: " + ex.message);
return null;
}Sync errors follow this resolution process:
- Each ticket sync is wrapped in an individual try-catch block.
- Failures are recorded in the results object.
- The sync continues even if individual tickets fail.
- Failed tickets are retried on the next run.
All significant operations are tracked in system logs, including API HTTP status codes, pagination progress, error messages, and the sync results summary.