09-18-2025 10:48 AM
Please can you suggest how can you map more than the set fields with ServiceNow for an incident? Currently only limited fields are able to map.
02-11-2026 06:28 AM
Hello @R.Hirelkar,
Greetings for the day.
To map more than the default fields between ServiceNow and Cortex XSIAM for incidents, you must configure Classification & Mapping and properly update the Incoming and Outgoing Mappers in your ServiceNow integration instance.
Cortex XSIAM requires the exact technical machine name (API/column name) of ServiceNow fields, which often differs from the display label.
In ServiceNow:
Navigate to the target table (for example, incident or sn_si_incident).
Open the field definition.
Retrieve the Column name (for example, u_custom_field instead of "Custom Field").
Always use the column name in mappings and API calls.
This step ensures that incoming ServiceNow data is properly associated with XSIAM Incident Fields.
Navigate to:
Settings → Configurations → Object Setup → Incidents → Classification & Mapping
Steps:
Click New and select Incident Mapper (incoming), or edit an existing mapper.
Select the appropriate ServiceNow schema.
Map the required ServiceNow attributes to the corresponding XSIAM incident fields.
Make sure the mapper is associated with the correct Incident Type.
The integration instance contains the Incoming Mapper and Outgoing Mapper, which control field translation.
Navigate to:
Settings → Integrations → Instances
Select your ServiceNow integration instance.
Explicitly define mappings for all required custom fields.
Ensure keys match the exact ServiceNow column names.
If synchronizing XSIAM incidents back to ServiceNow:
Update the Outgoing Mapper.
Include all required custom fields in the mapping configuration.
If out-of-the-box fields are insufficient—or if you encounter mapping issues with certain predefined fields—create custom incident fields in XSIAM.
Navigate to:
Settings → Configurations → Object Setup → Incidents → Fields
Steps:
Click + Add Field.
Define the field.
Ensure the Field Name (internal name) matches the key used in your mapper or API call.
Also confirm the field is associated with the correct Incident Type.
If using the !servicenow-create-ticket command to create tickets manually, use the custom_fields argument with proper syntax:
Key-value pairs separated by semicolons
Entire string wrapped in double quotes
Example:
!servicenow-create-ticket ticket_type=sn_si_incident custom_fields="u_field1=value1;u_field2=value2"
The keys must match the ServiceNow column names exactly.
Verify the field is associated with the correct Incident Type.
Confirm it is included in the relevant mapper.
Ensure the machine name matches exactly.
If a field (such as Asset) is returned as a JSON object containing link/value pairs, you may need to:
Use a User-Defined Parsing Rule, or
Extract and map the human-readable value explicitly before syncing.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
