ServiceNow CMDB data to XSIAM

A.Velusamy — Thu, 12 Feb 2026 08:23:26 GMT

Hi,

We have integrated XSIAM with ServiceNow CMDB. We want to pull critical assets from the CMDB into XSIAM using an API and we have to do feature field configuration for these critical assets. Currently, I only see an option to upload a static file in the feature field configuration ( Host/ User/IPaddress)

Could someone please help with the following:

How to get CMDB data from ServiceNow using an API and keep it as a dynamic list in XSIAM?
How can this dynamic list be used for feature field configuration?

Thanks!

Re: ServiceNow CMDB data to XSIAM

susekar — Tue, 17 Feb 2026 13:29:13 GMT

Hello @A.Velusamy ,

Greetings for the day.

Integrating ServiceNow CMDB data into Cortex XSIAM to identify critical assets involves several components. While the "Featured Hosts, Users, and IP addresses" list in Case Configuration currently relies on manual updates, you can achieve dynamic asset identification using XSIAM’s ingestion and grouping capabilities.

1. Getting CMDB Data via API and Creating a Dynamic Dataset

To pull CMDB data from ServiceNow and maintain it in XSIAM, you must use the ServiceNow Event Collector rather than the standard ServiceNow CMDB Integration.

Integration Choice:

-The ServiceNow CMDB Integration is designed for automation and enrichment commands (fetching data on demand within a playbook) and does not create persistent datasets.
-The ServiceNow Event Collector is the correct tool for continuous ingestion and dataset creation.

Dataset Generation:

-Once configured, XSIAM automatically creates datasets based on the selected ServiceNow tables using the format:

Identifying Critical Assets:

Ensure you are using the system names of the ServiceNow fields (e.g., u_critical_asset) rather than the display names to ensure the data is captured correctly in the raw dataset.

2. Handling Reference Fields (URLs vs. Display Values):

A known limitation in default ingestion is that ServiceNow often returns system links or IDs (sys_ids) instead of human-readable values for reference fields like “Owned By” or “Asset.”

To resolve this, you can:

XQL Joins:

Use an XQL query to join the CMDB raw table with the ServiceNow user or asset tables to replace IDs with actual names.

API Parameters:

When using commands in the Playground or Playbooks, use the sysparm_display_value=true parameter to fetch actual names. For example:

Parsing Rules

Implement User Defined Parsing Rules to extract specific values from the ingested JSON objects.

3. Using CMDB Data for Featured Field Configuration:

Currently, there is no public API endpoint to programmatically add or remove entries from the "Featured" lists (Hosts, Users, IP addresses) within Case Configuration. Managing this list remains a manual process via UI entry or file upload.

Recommended Alternative: Dynamic Asset Groups:

Instead of the "Featured" list, use Dynamic Asset Groups, which are designed for this exact use case.

Define Attributes:

Identify the attributes in your ingested CMDB dataset that signify a "critical" status (e.g., a specific tag or a high criticality flag).

Create Dynamic Groups:

Navigate to Inventory > Groups and create a group using filters based on these attributes.

Asset Roles:

You can also use Asset Roles Configuration to classify these critical assets (e.g., "crown jewels"). This improves UEBA precision and incident scoring.

Workflow Integration:

These dynamic groups can be used in:

Scope-Based Access Control (SBAC): Restrict or prioritize visibility for specific teams
Incident Scoring: Automatically increase the score of incidents involving assets in your "Critical" group
Scheduled Queries: Monitor activity specifically for those assets

To automate the direct mapping of the raw ServiceNow dataset fields to the specific normalized attributes that drive dynamic Asset Groups, configure custom enrichment logic.

If your organization strictly requires automation of the "Featured" list via API, you will need to submit a formal Feature Request (FR) through your Palo Alto Networks account team.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: ServiceNow CMDB data to XSIAM

A.Velusamy — Thu, 19 Feb 2026 10:07:59 GMT

Thanks Subashkar. This is really helpful. We have used another one ServiceNow CMDB integration ( pulls the data) instead of Servicenow Event Collector.

Re: ServiceNow CMDB data to XSIAM

A.Velusamy — Wed, 11 Mar 2026 09:50:31 GMT

Hi, I have some followup questions on this below points which you have mentioned in the last post. Now i have the CMDB data but i won't be able to call those attributes which says "critical" in Dynamic group creation, becase this attribute is not available in Dynamic group. Can you please provide your thoughts on this.

Define Attributes:

Identify the attributes in your ingested CMDB dataset that signify a "critical" status (e.g., a specific tag or a high criticality flag).

Create Dynamic Groups:

Navigate to Inventory > Groups and create a group using filters based on these attribute

topic ServiceNow CMDB data to XSIAM in Cortex XSIAM Discussions

ServiceNow CMDB data to XSIAM

Re: ServiceNow CMDB data to XSIAM

1. Getting CMDB Data via API and Creating a Dynamic Dataset

Integration Choice:

Dataset Generation:

Identifying Critical Assets:

2. Handling Reference Fields (URLs vs. Display Values):

XQL Joins:

API Parameters:

Parsing Rules

3. Using CMDB Data for Featured Field Configuration:

Recommended Alternative: Dynamic Asset Groups:

Define Attributes:

Create Dynamic Groups:

Asset Roles:

Workflow Integration:

Re: ServiceNow CMDB data to XSIAM

Re: ServiceNow CMDB data to XSIAM

Define Attributes:

Create Dynamic Groups: