Can we integrate ArcSight with ServiceNow to trigger Incident tickets?

  • Don't think so. Not really sure about ServiceNow. But I know ArcSight can be integrated with other ticketing tools like Remedy.

    You could always contact the support team to find out whether anything of that sort is available.

  • Apparently it is possible via XML - no other details at present but looking into it for a project at present

  • Hi Pradeep,

    It is possible to integrate ArcSight with ServiceNow for reporting incidents. You just need to create a mail ID for ServiceNow and send the ArcSight alert as mail to that mail ID, and ServiceNow will automatically create an incident based on the mail from the ArcSight alert.

  • Thanks for the info Pavan....

    Let me try this ....

  • I have been working on this for the past 6 months as well; the best thing I can come up with is using SNMP to send traps. Other options are sending emails or the syslog option through the Super Connector.

    We don’t have a standard ServiceNow setup but rather we have customized our entire environment with many servers in-between that we can integrate with. But what it comes down to is at the end of the day we will need to create another server to receive and interpret what we are getting and then forward them on to ServiceNow.

    Good luck, we have engaged PS and they could not come up with anything that works for us.

  • Hi-

    Did you ever get this to work from ArcSight into ServiceNow? Did you end up doing SNMP, email or another tool? We need to get tickets cut with priority levels assigned to them into ServiceNow. Please let me know as this is of interest to us. Since there isn't a formal ArcSight MIB, this makes this a hard task for us to resolve in short order.

    Please let me know?!
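
The relay step described above (receive, interpret, forward) for the syslog option, with ticket priority derived from the alert, as an added example that is not part of any post in this thread and not ArcSight or ServiceNow code. It assumes the syslog feed is in CEF; the sample line, the severity mapping and the choice of incident fields (default incident table names) are assumptions, and delivery to ServiceNow is left out.

```python
import json
import re

# Constructed sample line, not real ESM output. Assumes the syslog feed is CEF.
SAMPLE = ("<134>Jan 10 12:00:00 esm01 CEF:0|ArcSight|ArcSight|6.8|rule:101|"
          "Brute force \\| VPN|9|src=10.0.0.5 dst=10.0.0.9 "
          "msg=20 failed logins in 60s cat=/Rule/Fire")

HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
SEVERITY_WORDS = {"low": 2, "medium": 5, "high": 8, "very-high": 10}

def parse_cef(line):
    """Parse one CEF syslog line into header fields plus an 'ext' dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in message")
    # Split on unescaped pipes only; anything after the 7th is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    event = {k: v.replace("\\|", "|") for k, v in zip(HEADER, parts)}
    ext = parts[7] if len(parts) > 7 else ""
    # Values may contain spaces: a value ends where the next " key=" starts.
    pairs = re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext)
    event["ext"] = {k: v.replace("\\=", "=") for k, v in pairs}
    return event

def to_incident(event):
    """Build the incident fields; the severity mapping is an assumption."""
    sev = event["severity"].strip()
    score = int(sev) if sev.isdigit() else SEVERITY_WORDS.get(sev.lower(), 5)
    level = "1" if score >= 9 else "2" if score >= 7 else "3"
    # Alert text originates in logged data, so cap it and keep it as plain text.
    return {
        "short_description": ("[ArcSight] " + event["name"])[:160],
        "description": json.dumps(event["ext"], sort_keys=True),
        "impact": level,
        "urgency": level,
        "correlation_id": event["signature_id"],
    }

if __name__ == "__main__":
    print(json.dumps(to_incident(parse_cef(SAMPLE)), indent=2))
```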



  • PS have done some integration with ServiceNOW in the past - so hopefully they will look at what was done before for you!

    Generically though, there are a few options, some of which are already touched on - such as sending an email to a specific ID or using SNMP. However, do consider the following:

    1) Export event to XML - this is the "Export to external system" action from a rule trigger. This basically creates a date-stamped XML file in the manager folder that is the correlated event and any relevant base events. The schema is fairly logical and you can customize it (as in include base events or not), but it's NOT well documented. Once in XML, you can have a file reader from the external ticketing system to read and process the data from there - importantly though, you get the full reference data from ESM including the base events, which is essential to link things together!

    2) ESM API - increasingly, I am working with customers and partners who are using this. It was there in 6.0, better in 6.5 and supported in 6.8, but it actually works now! You can do a lot better integration here, since we expose the case capability now. So you can have ESM create the cases, add events and even classify things, but then have the external ticketing system hit some REST APIs and pull the case data in - creating things as they need. Now, you should also be able to update back, but this might be a bit too far for some - but the great thing is that you can do this and it does work. You might want to check the documentation on this and see what we can do!

    Hope this helps.

  • Hi Paul,

    Can you give more details about how to do this using ESM API?

  • Hello

    Did anyone figure out the way to integrate ESM with ServiceNow? If yes, can someone share the documented steps for the same?

    Is it possible to send ESM alerts/incidents as events or traps to OMi, and OMi can be configured to get a ticket created in ServiceNow? Do we have a formal ESM MIB file which can be downloaded and put up in OMi so that OMi can understand the alert and generate a ticket accordingly?

    Any help on same will be appreciated.


    Sushant Watghare

  • Sorry for the late response to this, but just spotted this - yes, it is possible to get ESM to send events or traps as needed.

    To send an event, you can use a notification to an email with the relevant data in it - so just set this up as you would a normal notification and chain.

    To send a trap, it's a little more complex; take a look at the ESM administrator's guide -

    From there take a look at page 37 and look for the configuration section for setting up SNMP and sending traps.