Send incidents to ServiceNow - Application Real-Time Monitoring Service

When ARMS detects an alert condition, you may need the corresponding incident to appear in ServiceNow automatically, without manual copy-paste between systems. Application Real-Time Monitoring Service (ARMS) supports this through a webhook that sends an HTTP POST request to the ServiceNow Incident table API, creating an incident record in your ServiceNow instance each time an alert fires.

Prerequisites

Before you begin, make sure that you have:

A valid ServiceNow account
The instance ID of your ServiceNow instance (the subdomain in <instanceId>.service-now.com)

Warning

The webhook URL embeds ServiceNow credentials in plaintext. Create a dedicated service account with the minimum required roles. Do not use an admin account.

Create a webhook for ServiceNow

Log in to the ARMS console.
In the left-side navigation pane, choose Alert Management > Notification Objects.
Click the Webhook Integration tab.
Click Create Webhook.

Configure the following parameters:

Parameter	Description
Webhook Name	A descriptive name for the webhook, such as `ServiceNow-Incidents`.
Post	Select Post and enter the ServiceNow Incident API URL: `https://<admin>:<password>@<instanceId>.service-now.com/api/now/table/incident`
Header	Key: `Content-Type`, Value: `application/json`
Notification Template	The JSON payload that maps ARMS alert data to ServiceNow incident fields. See the notification template section below for a ready-to-use example.

Replace the placeholders in the Post URL:

Placeholder	Description	Example
`<admin>`	The account name used to log on to the ServiceNow instance	`svc-arms`
`<password>`	The password used to log on to the ServiceNow instance	`--------`
`<instanceId>`	The unique ID of your ServiceNow instance	`dev12345`

(Optional) Click Send Test to verify the webhook.
Click OK.

Notification template

The notification template defines how ARMS alert data maps to ServiceNow incident fields. Use the following template as a starting point:

{
  "short_description": "Issue # {{ .commonLabels.alertname }} ",
  "comments": "Issue # {{ for .alerts }} {{ .annotations.message }}\n{{end}} ",
  "caller_id": "admin"
}

Field	ServiceNow incident field	What it contains
`short_description`	Short description	The alert name from ARMS, used as the incident title.
`comments`	Additional comments	The alert message details. The template iterates over all firing alerts and appends each message.
`caller_id`	Caller	The ServiceNow user associated with the incident. Replace `admin` with your service account username.

Activate the webhook in a notification policy

After you create the webhook, add it as a notification method in a notification policy. When you create or update a notification policy in ARMS, select this webhook so that matching incidents are forwarded to ServiceNow automatically.