02-24-2026 07:41 AM
Good morning Live Community,
Recently upgraded from XDR to XSIAM. Have never had XSOAR in the past, but worked through POCs at two different orgs, so somewhat familiar, nowhere near proficient. Built some simple automations largely dependent on Marketplace content packs.
Working through the Beacon course material slowly but also am starting to tinker.
Looking to ingest incidents from ServiceNow into XSIAM. I have the content pack V2, it's enabled and I can run commands to pull incidents manually in the playground.
I crafted my query and updated the instance to only pull down the specific incidents I want from ServiceNow. I confirmed that I can see in the instance run history that they are being fetched; however, I can't seem to find them anywhere.
In trying to create a playbook automation to turn these objects into cases and configure case mirroring, I find that I am unable to figure out how to access these objects from the playbook start as a trigger when they are ingested.
Any ideas how I would manually query these fetched integration objects to validate that they're there? Once I can confirm they exist in XSIAM, and know how to access them, I can work out how to make them cases.
We are under the "Cases and Issues" model.
02-25-2026 06:32 AM
Hello @mhalbeisen,
Greetings for the day.
In Cortex XSIAM, incidents fetched from ServiceNow are processed through the internal automation engine (XSOAR) and, if successfully mapped, appear as Issues. If you can see that incidents are being fetched in the instance run history but cannot find them in the UI, follow these steps to validate their existence and configure them for automation.
To confirm that the ServiceNow incidents have successfully reached XSIAM's raw database, query the dedicated raw dataset using Cortex Query Language (XQL). For the ServiceNow V2 integration, fetched incidents are typically stored in the following dataset:
Navigate to Investigation & Response > Search > Query Builder and run:
If this dataset returns results, it confirms the integration is successfully ingesting the data, but the platform has not yet converted these raw objects into Issues.
Under the "Cases and Issues" model, fetched incidents from third-party integrations appear in the Issues table before they are grouped into Cases.
Navigate to Incident Response > Cases & Issues > Issues and check if the records appear there.
If they do not, it is likely because they failed to pass through the Classifier or Mapper.
If you see the incidents in XQL but not in the Issues table, check the following:
Classifier and Mapper
Every fetching integration requires a Classifier (to determine the incident type) and an Incoming Mapper (to map ServiceNow fields to XSIAM fields). Ensure these are selected in your ServiceNow V2 instance configuration under:
Settings > Configurations > Data Collection > Automation & Feed Integrations.
If these are missing or failing, the objects will be dropped after fetch.
Severity Thresholds
XSIAM may not automatically generate a Case for low-severity issues by design. Ensure the incoming incidents have a severity level high enough to trigger your case generation logic, or manually promote them from the Issues table to a Case.
In XSIAM, playbooks do not trigger directly on raw objects; they trigger on Issues via Automation Rules.
Navigate to Investigation & Response > Automation > Automation Rules.
Create a new rule with:
WHEN: Issue Created
IF: Add a filter to target your ServiceNow objects (for example, Issue Domain = IT or alert_source = ServiceNow)
THEN: Run Playbook and select your desired playbook
Query validation: Use dataset = servicenow_v2_generic_alert_raw in Query Builder.
Issue visibility: Check Cases & Issues > Issues.
Mapping check: Ensure the ServiceNow V2 Classifier and Incoming Mapper are enabled in the integration settings.
Playbook access: Use Automation Rules to link the ingested Issue to your playbook.
If you feel this has answered your query, please let us know by clicking like and "marking this as a Solution".
Thanks & Regards,
S. Subashkar Sekar

