Fetched Integrations Objects in XSIAM 3.4

mhalbeisen — Tue, 24 Feb 2026 15:41:00 GMT

Good morning Live Community,

Recently upgraded from XDR to XSIAM. Have never had XSOAR in the past, but worked through POCs at two different orgs, so somewhat familiar, nowhere near proficient. Built some simple automations largely dependent on Marketplace content packs.

Working through the Beacon course material slowly but also am starting to tinker.

Looking to ingest incidents from ServiceNow into XSIAM. I have the content pack V2, it's enabled and I can run commands to pull incidents manually in the playground.

I crafted my query and updated the instance to only pull down the specific incidents I want from the ServiceNow. I confirmed that I can see in the instance run history that they are being fetched, however, I can't seem to find them anywhere.

In trying to create a playbook automation to turn these objects into cases and configure case mirroring I find that I am unable to figure out how to access these objects from the playbook start as a trigger when they are ingested.

Any ideas how I would manually query these fetched integrations objects to validate that they're there? Once I can confirm they exist in XSIAM, and know how to access them, I can work out how to make them cases.

We are under the "Cases and Issues" model.

Re: Fetched Integrations Objects in XSIAM 3.4

susekar — Wed, 25 Feb 2026 14:32:29 GMT

Hello @mhalbeisen ,

Greetings for the day.

In Cortex XSIAM, incidents fetched from ServiceNow are processed through the internal automation engine (XSOAR) and, if successfully mapped, appear as Issues. If you can see that incidents are being fetched in the instance run history but cannot find them in the UI, follow these steps to validate their existence and configure them for automation.

1. Manually Query Ingested Objects via XQL:

To confirm that the ServiceNow incidents have successfully reached XSIAM's raw database, query the dedicated raw dataset using Cortex Query Language (XQL). For the ServiceNow V2 integration, fetched incidents are typically stored in the following dataset:

Navigate to Investigation & Response > Search > Query Builder and run:

dataset = servicenow_v2_generic_alert_raw
| sort desc _time

If this dataset returns results, it confirms the integration is successfully ingesting the data, but the platform has not yet converted these raw objects into Issues.

2. Locate Fetched Objects in the "Issues" Table:

Under the "Cases and Issues" model, fetched incidents from third-party integrations appear in the Issues table before they are grouped into Cases.

Navigate to Incident Response > Cases & Issues > Issues and check if the records appear there.

If they do not, it is likely because they failed to pass through the Classifier or Mapper.

3. Troubleshooting Missing "Issues":

If you see the incidents in XQL but not in the Issues table, check the following:

Classifier and Mapper
Every fetching integration requires a Classifier (to determine the incident type) and an Incoming Mapper (to map ServiceNow fields to XSIAM fields). Ensure these are selected in your ServiceNow V2 instance configuration under:
Settings > Configurations > Data Collection > Automation & Feed Integrations.

If these are missing or failing, the objects will be dropped after fetch.

Severity Thresholds
XSIAM may not automatically generate a Case for low-severity issues by design. Ensure the incoming incidents have a severity level high enough to trigger your case generation logic, or manually promote them from the Issues table to a Case.

4. Triggering a Playbook:

In XSIAM, playbooks do not trigger directly on raw objects; they trigger on Issues via Automation Rules.

Navigate to Investigation & Response > Automation > Automation Rules.

Create a new rule with:

WHEN: Issue Created
IF: Add a filter to target your ServiceNow objects (for example, Issue Domain = IT or alert_source = ServiceNow)
THEN: Run Playbook and select your desired playbook

(Summary Checklist)

Query validation: Use dataset = servicenow_v2_generic_alert_raw in Query Builder.
Issue visibility: Check Cases & Issues > Issues.
Mapping check: Ensure the ServiceNow V2 Classifier and Incoming Mapper are enabled in the integration settings.
Playbook access: Use Automation Rules to link the ingested Issue to your playbook.

If you feel this has answered your query, please let us know by clicking like and "marking this as a Solution".

Thanks & Regards,
S. Subashkar Sekar