Inbound Integration for Data Loss Prevention Incident Response

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Inbound Integration for Data Loss Prevention Incident Response

    This document details how to create single or multiple Data Loss Prevention (DLP) incidents using the Inbound REST API in the ServiceNow platform. It is essential for organizations looking to efficiently manage DLP incidents through automated integration.

    Show full answer Show less

    Key Features

    • Create Single DLP Incident: Utilize a POST request to the endpoint https://{instance}/api/now/import/sndlirincidentimport. Required parameters include application window title, assigned user, detection date, machine details, and more.
    • Create Multiple DLP Incidents: Send a POST request to https://{instance}/api/now/import/sndlirincidentimport/insertMultiple. Parameterized payloads for multiple incidents allow batch processing by defining records in a single request.
    • Role Requirement: Users must have the role sndlir.apiintegrationuser to perform these actions.
    • Asynchronous Transformation: By default, incident creation processes are asynchronous. Options for synchronous transformation are available with specific configuration steps.

    Key Outcomes

    By implementing the inbound integration, ServiceNow customers can streamline the creation and management of DLP incidents. This integration helps in enhancing incident response efficiency, ensuring timely action on data protection issues, and facilitating better tracking through clearly defined parameters and responses.

    Create single or multiple DLP incidents by using the Inbound REST API.

    Create a single DLP incident

    Role required: sn_dlir.api_integration_user.

    To create a single DLP incident, define the following parameters as necessary:
    Field Description
    HTTP Method POST
    URL https://{instance}/api/now/import/sn_dlir_incident_import
    Request Header
    Accept:
    application/json
    Content-Type:
    application/json
    Sample Payload 
    {
    "application_window_title": "<value>",
    "assigned_to": "<value>",
    "attachments": "<value>",
    "data_owner_email": "<value>",
    "destination": "<value>",
    "dest_ip": "<value>",
    "dest_ip_port": "<value>",
    "detection_date": "<value>",
    "endpoint_on_corporate_net": "<value>",
    "files": "",
    "file_created": "",
    "file_created_by": "",
    "file_location": "",
    "file_modified_by": "",
    "file_name": "",
    "file_owner": "",
    "file_permissions": "",
    "ftp_user_name": "",
    "last_modified": "",
    "machine_ip": "",
    "machine_name": "",
    "match_count": "",
    "policy_id": "",
    "policy_name": "",
    "printer_name": "",
    "printer_type": "",
    "print_job_name": "",
    "recipients": "",
    "scanned_machine": "",
    "scan_source": "",
    "seen_before": "",
    "sender":"",
    "source":"",
    "source_file":"",
    "source_ip":"",
    "source_ip_port":"",
    "subject":"",
    "url":"",
    "user_justification":""
}
    Sample Response 
    {
    "import_set": "ISET0010003",
    "staging_table": "sn_dlir_incident_import",
    "result": [
        {
            "transform_map": "",
            "table": "sn_dlir_incident",
            "display_name": "number",
            "display_value": "DLP0001012",
            "record_link": "https://{instance}/api/now/table/sn_dlir_incident/7cda322297c2411056a43d1e6253af1f",
            "status": "inserted",
            "sys_id": "7cda322297c2411056a43d1e6253af1f"
        }
    ]
}

    Create multiple DLP incidents

    Role required: sn_dlir.api_integration_user.

    To create multiple DLP incidents from the same request, define the following parameters as necessary:
    Field Description
    HTTP Method POST
    URL https://{instance}/api/now/import/sn_dlir_incident_import/insertMultiple
    Request Header
    Accept:
    application/json
    Content-Type:
    application/json
    Sample Payload 
    {
    "records": [
        {
            "file_name": "<value>",
            "file_modified_by": "<value>",
            "work_notes": "<value>",
            "url": "<value>",
            "scan_source": "<value>",
            "data_owner_email": "<value>",
            "file_created_by": "<value>",
            "file_owner": "<value>",
            "policy_name": "<value>"
        },
        {
            "dest_ip": "<value>",
            "dest_ip_port": "<value>",
            "detection_date": "<value>",
            "endpoint_on_corporate_net": "<value>",
            "files": "<value>",
            "file_created": "<value>",
            "file_created_by": "<value>",
            "file_location": "<value>",
            "file_modified_by": "<value>",
            "file_name": "<value>",
            "file_owner": "<value>",
        }
    ]
}
    Sample Response 
    {
    "import_set_id": "a38f69229734dd1056a43d1e6253af75",
    "multi_import_set_id": "e78f69229734dd1056a43d1e6253af75"
}
    Note:
    By default, the transformation is asynchronous. To set synchronous transformation, create a new record in the REST Insert Multiples [sys_rest_insert_multiple] table, select the source table as sn_dlir_incident_import, and set the transformation to synchronous.