Inbound Integration for Data Loss Prevention Incident Response

  • Release version: Australia
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Inbound Integration for Data Loss Prevention Incident Response

    The Inbound REST API allows ServiceNow customers to create single or multiple Data Loss Prevention (DLP) incidents efficiently. This integration is crucial for automating incident management and enhancing response capabilities to data loss events.


    Key Features

    • Create Single DLP Incident: Use the POST method to submit a single incident by defining necessary parameters such as application window title, assigned user, and relevant file details.
    • Create Multiple DLP Incidents: Submit multiple incidents in a single request using the insertMultiple endpoint, streamlining the process further by including multiple records in the payload.
    • Asynchronous Transformation: By default, incident transformation occurs asynchronously, but can be set to synchronous if required.

    Key Outcomes

    By leveraging this integration, customers can expect to automate the creation and management of DLP incidents, reduce manual entry errors, and ensure timely response to data loss threats. The API responses confirm successful submissions and provide reference information for tracking incidents.

    Create single or multiple DLP incidents by using the Inbound REST API.

    Create a single DLP incident

    Role required: sn_dlir.api_integration_user.

    To create a single DLP incident, define the following parameters as necessary:
    Field           Description
    HTTP Method     POST
    URL             https://{instance}/api/now/import/sn_dlir_incident_import
    Request Header  Accept: application/json
                    Content-Type: application/json
    Sample Payload
    {
        "application_window_title": "<value>",
        "assigned_to": "<value>",
        "attachments": "<value>",
        "data_owner_email": "<value>",
        "destination": "<value>",
        "dest_ip": "<value>",
        "dest_ip_port": "<value>",
        "detection_date": "<value>",
        "endpoint_on_corporate_net": "<value>",
        "files": "",
        "file_created": "",
        "file_created_by": "",
        "file_location": "",
        "file_modified_by": "",
        "file_name": "",
        "file_owner": "",
        "file_permissions": "",
        "ftp_user_name": "",
        "last_modified": "",
        "machine_ip": "",
        "machine_name": "",
        "match_count": "",
        "policy_id": "",
        "policy_name": "",
        "printer_name": "",
        "printer_type": "",
        "print_job_name": "",
        "recipients": "",
        "scanned_machine": "",
        "scan_source": "",
        "seen_before": "",
        "sender": "",
        "source": "",
        "source_file": "",
        "source_ip": "",
        "source_ip_port": "",
        "subject": "",
        "url": "",
        "user_justification": ""
    }
    Sample Response
    {
        "import_set": "ISET0010003",
        "staging_table": "sn_dlir_incident_import",
        "result": [
            {
                "transform_map": "",
                "table": "sn_dlir_incident",
                "display_name": "number",
                "display_value": "DLP0001012",
                "record_link": "https://{instance}/api/now/table/sn_dlir_incident/7cda322297c2411056a43d1e6253af1f",
                "status": "inserted",
                "sys_id": "7cda322297c2411056a43d1e6253af1f"
            }
        ]
    }

    Create multiple DLP incidents

    Role required: sn_dlir.api_integration_user.

    To create multiple DLP incidents from the same request, define the following parameters as necessary:
    Field           Description
    HTTP Method     POST
    URL             https://{instance}/api/now/import/sn_dlir_incident_import/insertMultiple
    Request Header  Accept: application/json
                    Content-Type: application/json
    Sample Payload
    {
        "records": [
            {
                "file_name": "<value>",
                "file_modified_by": "<value>",
                "work_notes": "<value>",
                "url": "<value>",
                "scan_source": "<value>",
                "data_owner_email": "<value>",
                "file_created_by": "<value>",
                "file_owner": "<value>",
                "policy_name": "<value>"
            },
            {
                "dest_ip": "<value>",
                "dest_ip_port": "<value>",
                "detection_date": "<value>",
                "endpoint_on_corporate_net": "<value>",
                "files": "<value>",
                "file_created": "<value>",
                "file_created_by": "<value>",
                "file_location": "<value>",
                "file_modified_by": "<value>",
                "file_name": "<value>",
                "file_owner": "<value>"
            }
        ]
    }
    Sample Response
    {
        "import_set_id": "a38f69229734dd1056a43d1e6253af75",
        "multi_import_set_id": "e78f69229734dd1056a43d1e6253af75"
    }
    Note:
    By default, the transformation is asynchronous. To set synchronous transformation, create a new record in the REST Insert Multiples [sys_rest_insert_multiple] table, select the source table as sn_dlir_incident_import, and set the transformation to synchronous.
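The two calls above, sketched as an added Python example (not ServiceNow code): it builds, without sending, the POST for one event or the insertMultiple request for several, and reads incident numbers out of a single-incident response. Treating the field names in the page's sample payloads as an allow-list is an assumption of this example, as are the host name and sample events; authentication is left to the caller.

```python
import json
import urllib.request

IMPORT_PATH = "/api/now/import/sn_dlir_incident_import"  # staging table endpoint from the page
# Field names taken from the page's two sample payloads; anything else is rejected here.
ALLOWED_FIELDS = frozenset("""
application_window_title assigned_to attachments data_owner_email destination dest_ip
dest_ip_port detection_date endpoint_on_corporate_net files file_created file_created_by
file_location file_modified_by file_name file_owner file_permissions ftp_user_name
last_modified machine_ip machine_name match_count policy_id policy_name printer_name
printer_type print_job_name recipients scanned_machine scan_source seen_before sender
source source_file source_ip source_ip_port subject url user_justification work_notes
""".split())

def build_request(instance, events):
    """Build (not send) the POST for one event or, for several, the insertMultiple call."""
    if not events:
        raise ValueError("no events to submit")
    for event in events:
        unknown = set(event) - ALLOWED_FIELDS
        if unknown:  # surface typos instead of posting fields the page does not list
            raise ValueError(f"unknown fields: {sorted(unknown)}")
    if len(events) == 1:
        url, body = f"https://{instance}{IMPORT_PATH}", events[0]
    else:
        url, body = f"https://{instance}{IMPORT_PATH}/insertMultiple", {"records": events}
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")

def inserted_incidents(response_text):
    """Return [(number, sys_id)] from a single-incident response. An insertMultiple
    response has no "result" list (only import set ids), so it yields []."""
    doc = json.loads(response_text)
    return [(r["display_value"], r["sys_id"])
            for r in doc.get("result", []) if r.get("status") == "inserted"]

if __name__ == "__main__":
    # Constructed sample events and host name; credentials are left to the caller.
    events = [{"file_name": "q3-forecast.xlsx", "policy_name": "Finance-Confidential"},
              {"dest_ip": "203.0.113.7", "dest_ip_port": "443", "file_name": "export.csv"}]
    req = build_request("instance.example", events)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Because the insertMultiple transform is asynchronous by default, its response cannot confirm which incidents were created; only the single-incident response carries `display_value` and `sys_id`.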