REST APIs for third-party integration with Security Operations
Summary of REST APIs for third-party integration with Security Operations
The Security Operations base system in ServiceNow Yokohama release provides scripted REST APIs designed for easy integration with third-party tools and data sources. These APIs enable customers and partners to collect data externally—such as from VirusTotal via Python scripts—and send it back to their Security Operations instance. The APIs support any scripting language capable of making HTTP POST calls with JSON payloads, allowing flexible, customer-specific processing.
Authentication and Authorization
All API operations use platform authentication managed through Scripted REST APIs. Access is controlled via the snseccmn.apiwrite role, ensuring that only authorized users within the Security Operations application can create records. The API context includes user and domain information, enabling secure data access through GlideRecordSecure and supporting domain separation and audit trails.
Configuration and Usage
- Request Parameters: You can customize behavior with parameters such as ignore_mandatory_fields (to persist records with missing mandatory fields), include_wrap (to include the standard API response wrapper), and simple_response (to receive minimal success/failure feedback).
- Error Handling: Common errors include insufficient access, invalid or empty request bodies, missing mandatory fields, and persistence failures. Solutions typically involve assigning the correct role or conforming to the API and table definitions.
Practical Use Cases
- Configuration Item (CI) Enrichment: Third-party scripts can write enrichment data to the sn_sec_cmn_ci_enrichment_result table to enhance CI records with external information.
- Observable Enrichment: Scripts can add detailed third-party data to the sn_ti_observable_enrichment_result table for observable enrichment.
- Threat Lookup: Threat intelligence results from external sources can be recorded in the sn_ti_lookup_result table.
- Adding New Records via Enrichment Mapping: Besides updating existing records, the APIs support creating new records by passing an enrichment_mapping_id with corresponding raw data for parsing and mapping.
What This Enables for ServiceNow Customers
These REST APIs allow customers to seamlessly integrate external threat intelligence and enrichment data into their Security Operations workflows. By enabling automated data ingestion from third-party sources, you can enhance the accuracy and completeness of your security records, improve threat detection and response capabilities, and maintain secure, role-based access to sensitive data. The flexible parameters and robust error handling facilitate reliable integration tailored to your environment.
The Security Operations base system includes a series of scripted REST APIs that allow customers and partners to easily integrate with an existing Security Operations deployment. The APIs allow you to gather data from outside of your system (for example, a Python script is used to receive data from VirusTotal) and send it back to your instance.
Scripts written in almost any language (Python, for example) can be used with the APIs to perform customer-specific processes. The scripts must be written in a language able to make an outside-facing HTTP POST call. For example, if you have a Java application, you must use a library, such as the java.net.HttpURLConnection class, to construct an HTTP call and pass in a JSON string as the body of the message.
The API is used solely to add data that was gathered outside of the instance. For example, if you ran a VirusTotal (VT) Python script and received data from VT, you could send that data back to the ServiceNow instance.
Authentication
All operations within the API definitions use platform authentication provided by the Scripted REST APIs feature. To access them, locate the SecOps Integration Capabilities API under Scripted REST APIs.
The user and the user's domain are readily available within the context of the API, so records can be tied to a user, an audit trail can be established, and domain separation can be enforced. Also, because you are authenticated as a specific user, you can use GlideRecordSecure to prevent any unauthorized access to data.
Authorization
To protect the record creation process from users outside of the Security Operations application, you must have the sn_sec_cmn.api_write role. Only users with this role can access the APIs.
Configuration request parameters
| Name | Default | Description |
|---|---|---|
| ignore_mandatory_fields | false | If set to true, the record persists even if mandatory fields are not filled in. |
| include_wrap | false | If set to true, the response includes the instance-provided standard wrapper for Scripted REST APIs. |
| simple_response | false | If set to true, the response includes only whether the operation was successful. |
Error responses
| Error message | When does it occur? | Solution |
|---|---|---|
| Insufficient access | User does not have the sn_sec_cmn.api_write role. | Add the role to the user. |
| Invalid post body | Request body is empty or an empty object. | Conform to the API definition. |
| No fields supplied | Data fields provided to persist are empty. | Conform to the API definition. |
| Mandatory fields missing: x,y,z | Mandatory fields are missing. | Conform to the table definition of the target table or set ignore_mandatory_fields to true. |
| Unable to persist record | Unable to persist parsed record. | GlideRecord insert() failed, further analysis is required. |
| Unknown error | Occurs if no known error path has been followed. | Further analysis is required. |
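The following Python client ties the request parameters and error responses above to the HTTP POST integration the page describes. It is an added example, not ServiceNow sample code: the resource path, base URL, payload field names and mandatory-field list are assumptions to be replaced with the values from the SecOps Integration Capabilities API definition and the target table.

```python
"""Post third-party enrichment data to a Security Operations scripted REST API.
Added example, not ServiceNow code: the resource path, payload fields and
mandatory-field list are placeholders; take the real ones from the API definition."""
import base64
import json
import urllib.parse
import urllib.request

KNOWN_PARAMS = ("ignore_mandatory_fields", "include_wrap", "simple_response")  # all default to false

# Documented error messages (matched by prefix) mapped to the documented solution.
ERROR_REMEDY = {
    "Insufficient access": "grant sn_sec_cmn.api_write to the integration user",
    "Invalid post body": "send a non-empty JSON object",
    "No fields supplied": "include at least one data field",
    "Mandatory fields missing": "supply the fields or set ignore_mandatory_fields=true",
    "Unable to persist record": "GlideRecord insert() failed; inspect instance logs",
}

def build_url(base_url, path, **params):
    """Append only the documented parameters that are switched on."""
    query = {k: "true" for k, v in params.items() if k in KNOWN_PARAMS and v}
    return base_url + path + ("?" + urllib.parse.urlencode(query) if query else "")

def precheck(body, mandatory, ignore_mandatory_fields=False):
    """Approximate the instance's own checks locally so a bad request never leaves the host."""
    if not isinstance(body, dict) or not body:
        return "Invalid post body"
    if all(v in (None, "") for v in body.values()):
        return "No fields supplied"
    missing = [f for f in mandatory if f not in body]
    if missing and not ignore_mandatory_fields:
        return "Mandatory fields missing: " + ",".join(missing)
    return None

def remedy_for(message):
    """Return the documented fix for an error message returned by the API."""
    for prefix, fix in ERROR_REMEDY.items():
        if message.startswith(prefix):
            return fix
    return "unknown error; further analysis is required"

def post_record(url, user, password, body):
    """HTTP POST with a JSON body, authenticated as the integration user."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())
```

Run `precheck` on the payload before `post_record`; a non-None result is the same message the instance would return, with `remedy_for` giving the documented fix.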
CI enrichment use case
Using your third-party scripts, you can write to the Configuration Item Enrichment [sn_sec_cmn_ci_enrichment_result] table for CI enrichment. The enrichment records are based on existing capabilities that provide detailed information about a record from a third-party source.
Sample request and responses for the CI enrichment use case are shown here.
Observable enrichment use case
Using your third-party scripts, you can write to the Observable Enrichment Result [sn_ti_observable_enrichment_result] table for observable enrichment. The enrichment records are based on existing capabilities that provide detailed information about a record from a third-party source.
Sample request and responses for the observable enrichment use case are shown here.
Threat lookup use case
Using your third-party scripts, you can write to the Threat Lookup Result [sn_ti_lookup_result] table for threat lookup results. The lookup records are based on existing capabilities that provide detailed information about a record from a third-party source.
Sample request and responses for the threat lookup use case are shown here.