Inbound Integration for Data Loss Prevention Incident Response

  • Release version: Xanadu
  • Updated August 1, 2024

    Create single or multiple DLP incidents by using the Inbound REST API.

    Create a single DLP incident

    Role required: sn_dlir.api_integration_user.

    To create a single DLP incident, define the following parameters as necessary:
    Field            Description
    HTTP Method      POST
    URL              https://{instance}/api/now/import/sn_dlir_incident_import
    Request Header   Accept: application/json
                     Content-Type: application/json
    Sample Payload
    {
        "application_window_title": "<value>",
        "assigned_to": "<value>",
        "attachments": "<value>",
        "data_owner_email": "<value>",
        "destination": "<value>",
        "dest_ip": "<value>",
        "dest_ip_port": "<value>",
        "detection_date": "<value>",
        "endpoint_on_corporate_net": "<value>",
        "files": "",
        "file_created": "",
        "file_created_by": "",
        "file_location": "",
        "file_modified_by": "",
        "file_name": "",
        "file_owner": "",
        "file_permissions": "",
        "ftp_user_name": "",
        "last_modified": "",
        "machine_ip": "",
        "machine_name": "",
        "match_count": "",
        "policy_id": "",
        "policy_name": "",
        "printer_name": "",
        "printer_type": "",
        "print_job_name": "",
        "recipients": "",
        "scanned_machine": "",
        "scan_source": "",
        "seen_before": "",
        "sender": "",
        "source": "",
        "source_file": "",
        "source_ip": "",
        "source_ip_port": "",
        "subject": "",
        "url": "",
        "user_justification": ""
    }
    Sample Response
    {
        "import_set": "ISET0010003",
        "staging_table": "sn_dlir_incident_import",
        "result": [
            {
                "transform_map": "",
                "table": "sn_dlir_incident",
                "display_name": "number",
                "display_value": "DLP0001012",
                "record_link": "https://{instance}/api/now/table/sn_dlir_incident/7cda322297c2411056a43d1e6253af1f",
                "status": "inserted",
                "sys_id": "7cda322297c2411056a43d1e6253af1f"
            }
        ]
    }

    Create multiple DLP incidents

    Role required: sn_dlir.api_integration_user.

    To create multiple DLP incidents from the same request, define the following parameters as necessary:
    Field            Description
    HTTP Method      POST
    URL              https://{instance}/api/now/import/sn_dlir_incident_import/insertMultiple
    Request Header   Accept: application/json
                     Content-Type: application/json
    Sample Payload
    {
        "records": [
            {
                "file_name": "<value>",
                "file_modified_by": "<value>",
                "work_notes": "<value>",
                "url": "<value>",
                "scan_source": "<value>",
                "data_owner_email": "<value>",
                "file_created_by": "<value>",
                "file_owner": "<value>",
                "policy_name": "<value>"
            },
            {
                "dest_ip": "<value>",
                "dest_ip_port": "<value>",
                "detection_date": "<value>",
                "endpoint_on_corporate_net": "<value>",
                "files": "<value>",
                "file_created": "<value>",
                "file_created_by": "<value>",
                "file_location": "<value>",
                "file_modified_by": "<value>",
                "file_name": "<value>",
                "file_owner": "<value>"
            }
        ]
    }
    Sample Response
    {
        "import_set_id": "a38f69229734dd1056a43d1e6253af75",
        "multi_import_set_id": "e78f69229734dd1056a43d1e6253af75"
    }
    Note:
    By default, the transformation is asynchronous. To set synchronous transformation, create a new record in the REST Insert Multiples [sys_rest_insert_multiple] table, select the source table as sn_dlir_incident_import, and set the transformation to synchronous.
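
An added example, not ServiceNow's own code: a Python client sketch for both endpoints above that rejects field names absent from the sample payloads and reads either response shape, showing that an insertMultiple response alone does not confirm incident creation under the default asynchronous transformation. The function names, the `dlp-test.example` host and the `Authorization` header value are assumptions.

```python
import json
import urllib.request

# Field names copied from the two sample payloads on this page.
DOCUMENTED_FIELDS = frozenset("""
application_window_title assigned_to attachments data_owner_email destination
dest_ip dest_ip_port detection_date endpoint_on_corporate_net files file_created
file_created_by file_location file_modified_by file_name file_owner
file_permissions ftp_user_name last_modified machine_ip machine_name match_count
policy_id policy_name printer_name printer_type print_job_name recipients
scanned_machine scan_source seen_before sender source source_file source_ip
source_ip_port subject url user_justification work_notes
""".split())
IMPORT_PATH = "/api/now/import/sn_dlir_incident_import"


def build_request(instance, records, auth_header):
    """Return an unsent POST for one record (dict) or several (list of dicts)."""
    batch = isinstance(records, list)
    for rec in records if batch else [records]:
        unknown = set(rec) - DOCUMENTED_FIELDS
        if unknown:  # catch misspelled keys before they reach the staging table
            raise ValueError(f"undocumented fields: {sorted(unknown)}")
    url = f"https://{instance}{IMPORT_PATH}" + ("/insertMultiple" if batch else "")
    body = {"records": records} if batch else records
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/json",
                 "Authorization": auth_header})  # assumption: auth is site-specific


def summarize_response(text):
    """Map either documented response shape to what the caller can rely on."""
    resp = json.loads(text)
    if "result" in resp:  # single insert: every result row carries a status
        rows = resp["result"]
        ok = bool(rows) and all(r.get("status") == "inserted" for r in rows)
        return {"confirmed": ok, "import_set": resp["import_set"],
                "incidents": [r["display_value"] for r in rows]}
    # insertMultiple: only import-set IDs come back. With the default
    # asynchronous transformation, incident creation is not confirmed here.
    return {"confirmed": False, "import_set": resp["import_set_id"],
            "incidents": []}


if __name__ == "__main__":
    # Constructed record and placeholder credentials; the request is not sent.
    req = build_request("dlp-test.example", [{"file_name": "q3.xlsx"}], "Basic <credentials>")
    print(req.get_method(), req.full_url)
```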