Inbound Integration for Data Loss Prevention Incident Response

  • Release version: Yokohama
  • Updated January 30, 2025

    Create single or multiple DLP incidents by using the Inbound REST API.

    Create a single DLP incident

    Role required: sn_dlir.api_integration_user.

    To create a single DLP incident, define the following parameters as necessary:
    HTTP Method: POST
    URL: https://{instance}/api/now/import/sn_dlir_incident_import
    Request Header:
        Accept: application/json
        Content-Type: application/json
    Sample Payload:
    {
        "application_window_title": "<value>",
        "assigned_to": "<value>",
        "attachments": "<value>",
        "data_owner_email": "<value>",
        "destination": "<value>",
        "dest_ip": "<value>",
        "dest_ip_port": "<value>",
        "detection_date": "<value>",
        "endpoint_on_corporate_net": "<value>",
        "files": "",
        "file_created": "",
        "file_created_by": "",
        "file_location": "",
        "file_modified_by": "",
        "file_name": "",
        "file_owner": "",
        "file_permissions": "",
        "ftp_user_name": "",
        "last_modified": "",
        "machine_ip": "",
        "machine_name": "",
        "match_count": "",
        "policy_id": "",
        "policy_name": "",
        "printer_name": "",
        "printer_type": "",
        "print_job_name": "",
        "recipients": "",
        "scanned_machine": "",
        "scan_source": "",
        "seen_before": "",
        "sender": "",
        "source": "",
        "source_file": "",
        "source_ip": "",
        "source_ip_port": "",
        "subject": "",
        "url": "",
        "user_justification": ""
    }
    Sample Response:
    {
        "import_set": "ISET0010003",
        "staging_table": "sn_dlir_incident_import",
        "result": [
            {
                "transform_map": "",
                "table": "sn_dlir_incident",
                "display_name": "number",
                "display_value": "DLP0001012",
                "record_link": "https://{instance}/api/now/table/sn_dlir_incident/7cda322297c2411056a43d1e6253af1f",
                "status": "inserted",
                "sys_id": "7cda322297c2411056a43d1e6253af1f"
            }
        ]
    }

    Create multiple DLP incidents

    Role required: sn_dlir.api_integration_user.

    To create multiple DLP incidents from the same request, define the following parameters as necessary:
    HTTP Method: POST
    URL: https://{instance}/api/now/import/sn_dlir_incident_import/insertMultiple
    Request Header:
        Accept: application/json
        Content-Type: application/json
    Sample Payload:
    {
        "records": [
            {
                "file_name": "<value>",
                "file_modified_by": "<value>",
                "work_notes": "<value>",
                "url": "<value>",
                "scan_source": "<value>",
                "data_owner_email": "<value>",
                "file_created_by": "<value>",
                "file_owner": "<value>",
                "policy_name": "<value>"
            },
            {
                "dest_ip": "<value>",
                "dest_ip_port": "<value>",
                "detection_date": "<value>",
                "endpoint_on_corporate_net": "<value>",
                "files": "<value>",
                "file_created": "<value>",
                "file_created_by": "<value>",
                "file_location": "<value>",
                "file_modified_by": "<value>",
                "file_name": "<value>",
                "file_owner": "<value>"
            }
        ]
    }
    Sample Response:
    {
        "import_set_id": "a38f69229734dd1056a43d1e6253af75",
        "multi_import_set_id": "e78f69229734dd1056a43d1e6253af75"
    }
    Note:
    By default, the transformation is asynchronous, which is why the response above carries only import set identifiers rather than the created incident records. To make the transformation synchronous, create a new record in the REST Insert Multiples [sys_rest_insert_multiple] table, select sn_dlir_incident_import as the source table, and set the transformation to synchronous.
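The following is an added example, not ServiceNow's own code, of a small client that drives both endpoints described above (the single-incident call and insertMultiple). It restricts payloads to the column names shown in the page's sample payloads so that a mis-mapped field from a DLP product fails loudly instead of silently dropping evidence, sends the Accept and Content-Type headers the page specifies, and separates the two response shapes: per-record status and sys_id for the single call, import set identifiers only for the asynchronous insertMultiple call. HTTP Basic authentication for the sn_dlir.api_integration_user account and sending every value as a string are assumptions; the page does not state either. The instance name, sample incident values and credentials are constructed placeholders.

```python
# Added example (not ServiceNow code): client for the sn_dlir_incident_import
# endpoints. Assumptions not on the page: Basic auth, all values sent as strings.
import base64
import json
import urllib.request

# Column names taken from the page's sample payloads. Anything else is refused
# so a typo in the vendor-to-ServiceNow field mapping is caught before the POST.
ALLOWED_FIELDS = frozenset({
    "application_window_title", "assigned_to", "attachments", "data_owner_email",
    "destination", "dest_ip", "dest_ip_port", "detection_date",
    "endpoint_on_corporate_net", "files", "file_created", "file_created_by",
    "file_location", "file_modified_by", "file_name", "file_owner",
    "file_permissions", "ftp_user_name", "last_modified", "machine_ip",
    "machine_name", "match_count", "policy_id", "policy_name", "printer_name",
    "printer_type", "print_job_name", "recipients", "scanned_machine",
    "scan_source", "seen_before", "sender", "source", "source_file", "source_ip",
    "source_ip_port", "subject", "url", "user_justification", "work_notes",
})

SINGLE_PATH = "/api/now/import/sn_dlir_incident_import"
MULTIPLE_PATH = SINGLE_PATH + "/insertMultiple"


def build_incident(fields):
    """Validate one incident against the staging-table columns; values become strings."""
    unknown = sorted(set(fields) - ALLOWED_FIELDS)
    if unknown:
        raise ValueError(f"unknown sn_dlir_incident_import fields: {unknown}")
    return {key: "" if value is None else str(value) for key, value in fields.items()}


def single_incident_request(instance, incident):
    """Return (url, payload) for the single-incident endpoint."""
    return f"https://{instance}{SINGLE_PATH}", build_incident(incident)


def multiple_incidents_request(instance, incidents):
    """Return (url, payload) for insertMultiple; records are wrapped in a list."""
    if not incidents:
        raise ValueError("insertMultiple needs at least one record")
    payload = {"records": [build_incident(i) for i in incidents]}
    return f"https://{instance}{MULTIPLE_PATH}", payload


def post_json(url, payload, username, password, timeout=30):
    """POST with the headers the page specifies. Basic auth is an assumption;
    the credential goes only into the Authorization header, never the payload."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": f"Basic {token}",
        },
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


def inserted_incidents(response):
    """Split a single-incident response into inserted (number, sys_id) pairs and
    any result rows whose status is not "inserted", so the caller can alert on them."""
    inserted, other = [], []
    for row in response.get("result", []):
        if row.get("status") == "inserted":
            inserted.append((row["display_value"], row["sys_id"]))
        else:
            other.append(row)
    return inserted, other


def import_set_ids(response):
    """insertMultiple transforms asynchronously by default, so its response only
    carries import set identifiers; keep them to correlate the incidents later."""
    return response["import_set_id"], response.get("multi_import_set_id")


# Constructed sample: the single-incident response shown on the page.
SAMPLE_SINGLE_RESPONSE = {
    "import_set": "ISET0010003",
    "staging_table": "sn_dlir_incident_import",
    "result": [{
        "transform_map": "",
        "table": "sn_dlir_incident",
        "display_name": "number",
        "display_value": "DLP0001012",
        "record_link": "https://{instance}/api/now/table/sn_dlir_incident/7cda322297c2411056a43d1e6253af1f",
        "status": "inserted",
        "sys_id": "7cda322297c2411056a43d1e6253af1f",
    }],
}

if __name__ == "__main__":
    # Placeholder instance and constructed incident; no request is sent here.
    url, payload = single_incident_request(
        "example.service-now.com",
        {"file_name": "q3-payroll.xlsx", "policy_name": "PCI-DSS", "match_count": 12},
    )
    print(url, json.dumps(payload))
    print(inserted_incidents(SAMPLE_SINGLE_RESPONSE))
```

To send for real, call post_json(url, payload, user, password) with the account that holds sn_dlir.api_integration_user and nothing broader; for the single endpoint pass the result to inserted_incidents, for insertMultiple pass it to import_set_ids and store the identifiers, since the created incident numbers are not available until the asynchronous transformation has run.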