Mapping of Cortex XSIAM fields with ServiceNow

R.Hirelkar — Thu, 18 Sep 2025 17:48:24 GMT

Please can you suggest how can you map more than the set fields with ServiceNow for an incident? Currently only limited fields are able to map.

Re: Mapping of Cortex XSIAM fields with ServiceNow

susekar — Wed, 11 Feb 2026 14:28:59 GMT

Hello @R.Hirelkar,

Greetings for the day.

To map more than the default fields between ServiceNow and Cortex XSIAM for incidents, you must configure Classification & Mapping and properly update the Incoming and Outgoing Mappers in your ServiceNow integration instance.

1. Identify Field Machine Names

Cortex XSIAM requires the exact technical machine name (API/column name) of ServiceNow fields, which often differs from the display label.

In ServiceNow:

Navigate to the target table (for example, incident or sn_si_incident).
Open the field definition.
Retrieve the Column name (for example, u_custom_field instead of "Custom Field").

Always use the column name in mappings and API calls.

2. Configure Classification & Mapping

This step ensures that incoming ServiceNow data is properly associated with XSIAM Incident Fields.

Navigate to:

Settings → Configurations → Object Setup → Incidents → Classification & Mapping

Steps:

Click New and select Incident Mapper (incoming), or edit an existing mapper.
Select the appropriate ServiceNow schema.
Map the required ServiceNow attributes to the corresponding XSIAM incident fields.

Make sure the mapper is associated with the correct Incident Type.

3. Update the Integration Instance Mapper

The integration instance contains the Incoming Mapper and Outgoing Mapper, which control field translation.

Navigate to:

Settings → Integrations → Instances

Select your ServiceNow integration instance.

Incoming Mapper

Explicitly define mappings for all required custom fields.
Ensure keys match the exact ServiceNow column names.

Outgoing Mapper (for mirroring incidents)

If synchronizing XSIAM incidents back to ServiceNow:

Update the Outgoing Mapper.
Include all required custom fields in the mapping configuration.

4. Create Custom Incident Fields (If Required)

If out-of-the-box fields are insufficient—or if you encounter mapping issues with certain predefined fields—create custom incident fields in XSIAM.

Navigate to:

Settings → Configurations → Object Setup → Incidents → Fields

Steps:

Click + Add Field.
Define the field.
Ensure the Field Name (internal name) matches the key used in your mapper or API call.

Also confirm the field is associated with the correct Incident Type.

5. Manual Command Syntax (CLI Method):

If using the !servicenow-create-ticket command to create tickets manually, use the custom_fields argument with proper syntax:

Key-value pairs separated by semicolons
Entire string wrapped in double quotes

Example:

!servicenow-create-ticket ticket_type=sn_si_incident custom_fields="u_field1=value1;u_field2=value2"

The keys must match the ServiceNow column names exactly.

(Troubleshooting)

Fields Appear Blank

Verify the field is associated with the correct Incident Type.
Confirm it is included in the relevant mapper.
Ensure the machine name matches exactly.

JSON Objects in Fields

If a field (such as Asset) is returned as a JSON object containing link/value pairs, you may need to:

Use a User-Defined Parsing Rule, or
Extract and map the human-readable value explicitly before syncing.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Mapping of Cortex XSIAM fields with ServiceNow in Cortex XSIAM Discussions

Mapping of Cortex XSIAM fields with ServiceNow

Re: Mapping of Cortex XSIAM fields with ServiceNow

1. Identify Field Machine Names

2. Configure Classification & Mapping

3. Update the Integration Instance Mapper

Incoming Mapper

Outgoing Mapper (for mirroring incidents)

4. Create Custom Incident Fields (If Required)

5. Manual Command Syntax (CLI Method):

(Troubleshooting)

Fields Appear Blank

JSON Objects in Fields