02-12-2026 12:23 AM
Hi,
We have integrated XSIAM with ServiceNow CMDB. We want to pull critical assets from the CMDB into XSIAM using an API and we have to do feature field configuration for these critical assets. Currently, I only see an option to upload a static file in the feature field configuration (Host/User/IP address).
Could someone please help with the following:
Thanks!
02-17-2026 05:29 AM
Hello @A.Velusamy ,
Greetings for the day.
Integrating ServiceNow CMDB data into Cortex XSIAM to identify critical assets involves several components. While the "Featured Hosts, Users, and IP addresses" list in Case Configuration currently relies on manual updates, you can achieve dynamic asset identification using XSIAM’s ingestion and grouping capabilities.
To pull CMDB data from ServiceNow and maintain it in XSIAM, you must use the ServiceNow Event Collector rather than the standard ServiceNow CMDB Integration.
- The ServiceNow CMDB Integration is designed for automation and enrichment commands (fetching data on demand within a playbook) and does not create persistent datasets.
- The ServiceNow Event Collector is the correct tool for continuous ingestion and dataset creation.
- Once configured, XSIAM automatically creates datasets based on the selected ServiceNow tables using the format:
  servicenow_cmdb_<table_name>_raw
Ensure you are using the system names of the ServiceNow fields (e.g., u_critical_asset) rather than the display names to ensure the data is captured correctly in the raw dataset.
A known limitation in default ingestion is that ServiceNow often returns system links or IDs (sys_ids) instead of human-readable values for reference fields like “Owned By” or “Asset.”
To resolve this, you can:
- Use an XQL query to join the CMDB raw table with the ServiceNow user or asset tables to replace IDs with actual names.
- When using commands in the Playground or Playbooks, use the sysparm_display_value=true parameter to fetch actual names. For example:
  !servicenow-query-computers computer_name=ExampleName system_params="sysparm_display_value=true;sysparm_exclude_reference_link=True" raw-response=true
- Implement User Defined Parsing Rules to extract specific values from the ingested JSON objects.
Currently, there is no public API endpoint to programmatically add or remove entries from the "Featured" lists (Hosts, Users, IP addresses) within Case Configuration. Managing this list remains a manual process via UI entry or file upload.
Instead of the "Featured" list, use Dynamic Asset Groups, which are designed for this exact use case.
Identify the attributes in your ingested CMDB dataset that signify a "critical" status (e.g., a specific tag or a high criticality flag).
Navigate to Inventory > Groups and create a group using filters based on these attributes.
You can also use Asset Roles Configuration to classify these critical assets (e.g., "crown jewels"). This improves UEBA precision and incident scoring.
These dynamic groups can be used in:
- Scope-Based Access Control (SBAC): Restrict or prioritize visibility for specific teams
- Incident Scoring: Automatically increase the score of incidents involving assets in your "Critical" group
- Scheduled Queries: Monitor activity specifically for those assets
To automate the direct mapping of the raw ServiceNow dataset fields to the specific normalized attributes that drive dynamic Asset Groups, configure custom enrichment logic.
If your organization strictly requires automation of the "Featured" list via API, you will need to submit a formal Feature Request (FR) through your Palo Alto Networks account team.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
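A sketch of the XQL join described in the reply above, added here as an example and not part of the original post or Palo Alto Networks documentation. It assumes the cmdb_ci_server and sys_user tables are both selected in the Event Collector, that owned_by is ingested as a JSON string of the form {"link": "...", "value": "<sys_id>"}, and that u_critical_asset arrives as the string "true"; adjust the table and field names to your own datasets.

```xql
// Added example: list critical CIs with the owner's name instead of a sys_id.
// Dataset names follow the servicenow_cmdb_<table_name>_raw format from the reply;
// the tables (cmdb_ci_server, sys_user) and field shapes are assumptions.
dataset = servicenow_cmdb_cmdb_ci_server_raw
// Keep only records flagged as critical (system field name, not the display name).
| filter u_critical_asset = "true"
// Reference fields arrive as a link/value object; pull out the sys_id.
| alter owner_sys_id = json_extract_scalar(owned_by, "$.value")
// Left join so critical assets without a resolvable owner are still listed.
| join type = left (
    dataset = servicenow_cmdb_sys_user_raw
    | fields sys_id as user_sys_id, name as owner_name
  ) as owner owner.user_sys_id = owner_sys_id
// The collector re-ingests rows on every poll; keep the newest row per asset.
| dedup name by desc _time
| fields name, ip_address, owner_sys_id, owner_name
```

Rows where owner_name is empty indicate a sys_id that has no match in the user dataset, which usually means the sys_user table is not being collected or the reference is stale.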
02-19-2026 02:07 AM
Thanks Subashkar. This is really helpful. We have used another one, the ServiceNow CMDB integration (pulls the data), instead of the ServiceNow Event Collector.

