This parser extracts security event data from ServiceNow JSON logs, mapping relevant fields to the UDM. It handles various event types like logins and permission changes, populating principal/target user information, IP addresses, and metadata like vendor and product details.
Before you begin
Ensure that you have the following prerequisites:
Google SecOps instance.
Privileged access to ServiceNow Security.
Set up feeds
To configure a feed, follow these steps:
Go toSIEM Settings>Feeds.
ClickAdd New Feed.
On the next page, clickConfigure a single feed.
In theFeed namefield, enter a name for the feed; for example,ServiceNow Security Logs.
SelectWebhookas theSource type.
SelectServiceNow Securityas theLog type.
ClickNext.
Optional: Specify values for the following input parameters:
Split delimiter: the delimiter that is used to separate log lines, such as\n.
ClickNext.
Review the feed configuration in theFinalizescreen, and then clickSubmit.
ClickGenerate Secret Keyto generate a secret key to authenticate this feed.
Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
From theDetailstab, copy the feed endpoint URL from theEndpoint Informationfield. You need to specify this endpoint URL in your client application.
Recommendation: Specify the API key as a header instead of specifying it in the URL.
If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:
ENDPOINT_URL?key=API_KEY&secret=SECRET
Replace the following:
ENDPOINT_URL: the feed endpoint URL.
API_KEY: the API key to authenticate to Google SecOps.
SECRET: the secret key that you generated to authenticate the feed.
Configure Webhook in ServiceNow
Sign in to ServiceNow Security with privileged account.
Go toConfiguration>Monitoring>Connections.
Clickadd.
SelectWebhook.
Specify values for the following parameters:
Name: Provide a descriptive name for the webhook (for example,Google SecOps).
URL: Enter the Google SecOpsENDPOINT_URLwithAPI_KEYandSECRET.
ClickSaveto complete the webhook configuration.
UDM Mapping
Log field
UDM mapping
Logic
created_by
target.user.userid
Mapped totarget.user.useridifsnc_useris empty.
event
metadata.product_event_type
Directly mapped from the raw log field "event".
event_created
metadata.event_timestamp.seconds
Converted to seconds from the raw log field "event_created" using thedatefilter.
ip_address
principal.ip
Directly mapped from the raw log field "ip_address" if not empty.
snc_user
target.user.userid
Directly mapped from the raw log field "snc_user" if not empty.
user
principal.user.userid
Directly mapped from the raw log field "user" if not empty or "null".
extensions.auth.type
Set to "MACHINE" if theeventfield is "Failed Login", "SNC Login", "Admin Login", or "Impersonation".
metadata.event_type
Set to "USER_LOGIN" if theeventfield is "Failed Login", "SNC Login", "Admin Login", or "Impersonation". Set to "USER_CHANGE_PERMISSIONS" if theeventfield is "Security Elevation".
metadata.log_type
Hardcoded to "SERVICENOW_SECURITY".
metadata.product_name
Hardcoded to "SERVICENOW_SECURITY".
metadata.vendor_name
Hardcoded to "SERVICENOW".
principal.user.userid
Set to "UNKNOWN" if theuserfield is empty or "null".
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis guide outlines how to collect security event data from ServiceNow JSON logs and ingest them into Google SecOps using a webhook feed.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves setting up a feed in Google SecOps, generating a secret API key, and configuring the ServiceNow webhook to send logs to the specified Google SecOps endpoint URL.\u003c/p\u003e\n"],["\u003cp\u003eSecurity event types such as logins and permission changes are handled, and data fields from ServiceNow logs are mapped to the Unified Data Model (UDM) within Google SecOps.\u003c/p\u003e\n"],["\u003cp\u003eAuthentication for the webhook feed is managed using an API key and secret key, which can be specified in the request header or as query parameters.\u003c/p\u003e\n"],["\u003cp\u003eSpecific UDM mapping is provided, outlining how fields like user IDs, event timestamps, IP addresses, and event types are transferred from ServiceNow to their corresponding fields in Google Security Operations.\u003c/p\u003e\n"]]],[],null,["# Collect ServiceNow Security logs\n================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nOverview\n--------\n\nThis parser extracts security event data from ServiceNow JSON logs, mapping relevant fields to the UDM. It handles various event types like logins and permission changes, populating principal/target user information, IP addresses, and metadata like vendor and product details.\n\nBefore you begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- Privileged access to ServiceNow Security.\n\nSet up feeds\n------------\n\nTo configure a feed, follow these steps:\n\n1. Go to **SIEM Settings** \\\u003e **Feeds**.\n2. Click **Add New Feed**.\n3. On the next page, click **Configure a single feed**.\n4. In the **Feed name** field, enter a name for the feed; for example, **ServiceNow Security Logs**.\n5. Select **Webhook** as the **Source type**.\n6. Select **ServiceNow Security** as the **Log type**.\n7. Click **Next**.\n8. Optional: Specify values for the following input parameters:\n - **Split delimiter** : the delimiter that is used to separate log lines, such as `\\n`.\n9. Click **Next**.\n10. Review the feed configuration in the **Finalize** screen, and then click **Submit**.\n11. Click **Generate Secret Key** to generate a secret key to authenticate this feed.\n12. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.\n13. From the **Details** tab, copy the feed endpoint URL from the **Endpoint Information** field. You need to specify this endpoint URL in your client application.\n14. Click **Done**.\n\nCreate an API key for the webhook feed\n--------------------------------------\n\n1. Go to **Google Cloud console \\\u003e Credentials**.\n\n [Go to Credentials](https://console.cloud.google.com/apis/credentials)\n2. Click **Create credentials** , and then select **API key**.\n\n3. Restrict the API key access to the **Google Security Operations API**.\n\nSpecify the endpoint URL\n------------------------\n\n1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.\n2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:\n\n X-goog-api-key = \u003cvar class=\"readonly\" translate=\"no\"\u003eAPI_KEY\u003c/var\u003e\n X-Webhook-Access-Key = \u003cvar class=\"readonly\" translate=\"no\"\u003eSECRET\u003c/var\u003e\n\n **Recommendation**: Specify the API key as a header instead of specifying it in the URL.\n3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:\n\n \u003cvar translate=\"no\"\u003eENDPOINT_URL\u003c/var\u003e?key=\u003cvar translate=\"no\"\u003eAPI_KEY\u003c/var\u003e&secret=\u003cvar translate=\"no\"\u003eSECRET\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eENDPOINT_URL\u003c/var\u003e: the feed endpoint URL.\n - \u003cvar translate=\"no\"\u003eAPI_KEY\u003c/var\u003e: the API key to authenticate to Google SecOps.\n - \u003cvar translate=\"no\"\u003eSECRET\u003c/var\u003e: the secret key that you generated to authenticate the feed.\n\nConfigure Webhook in ServiceNow\n-------------------------------\n\n1. Sign in to ServiceNow Security with privileged account.\n2. Go to **Configuration** \\\u003e **Monitoring** \\\u003e **Connections**.\n3. Click add .\n4. Select **Webhook**.\n5. Specify values for the following parameters:\n - **Name** : Provide a descriptive name for the webhook (for example, **Google SecOps**).\n - **URL** : Enter the Google SecOps **ENDPOINT_URL** with **API_KEY** and **SECRET**.\n6. Click **Save** to complete the webhook configuration.\n\nUDM Mapping\n-----------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
