
McAfee SIEM and ServiceNow Integration

Hi,

Please let me know the possibility of McAfee SIEM and ServiceNow integration. Would like to have tickets created by ServiceNow automatically for alerts in McAfee SIEM.

Thanks,

5 Replies

Re: McAfee SIEM and ServiceNow Integration

Moved to SIEM for better handling

---

Peter

Moderator

syed_rizvi
Level 10
Message 3 of 6

Re: McAfee SIEM and ServiceNow Integration

I haven't done it myself, but others have done it successfully following the information below.

Automatically create an incident through email for a custom application.

https://community.servicenow.com/thread/171752

Create Incident from Email

https://community.servicenow.com/thread/186200

Home > Administer > Service Administration > Notifications > Inbound Email Actions

http://wiki.servicenow.com/?title=Inbound_Email_Actions#gsc.tab=0

Hope this helps.

Thanks,

Syed Rizvi

itgfcsys
Level 9
Message 4 of 6

Re: McAfee SIEM and ServiceNow Integration

We have also used the Service Now API via a "utility server". The SNOW API is very well documented and uses REST/JSON. We had on the road map to also pull past tickets related to the host in the current ticket.

Rick

rth67
Level 12
Message 5 of 6

Re: McAfee SIEM and ServiceNow Integration

We have it set up via email; we just have to get a unique code from the Service-Now admins for each alarm we intend to send. This code is placed in the body of the message (at the top) and lets Service-Now know which field mappings and Incident type to create. We work with the Service-Now admins to map the fields we intend to include in the message (providing sample messages), and then figure out where those would map to in Service-Now.

rth67
Level 12
Message 6 of 6

Re: McAfee SIEM and ServiceNow Integration

We are trying to expand the usage of Service Now to create Incidents in our new Security Operations Management module with multiple lines of text in the description. To do so, our instance of Service-Now is set up to use [$$ and $$] between any text you want to be added to the "Description" if using multiple lines of data.

However, the inserted alarm fields already use [$ and ] to enclose specific field data, and thus we are having issues. Working with Service-Now admins to change to ($$ and $$).

Using an escape character of \ does not seem to work, in other words: \[$$ or \[\$\$

Description

  • Single line of text or multiple lines wrapped in tokens Description: [$$ description text $$].
  • Multi-line:
    • The line must begin with "description: [$$" (case insensitive)
    • The description must be ended with the token "$$]"
    • Example:

Description: [$$ I cannot login to Oracle.

I’m getting a 404 error on the login page.

I suspect the DNS server is down.

$$]

  • Single-line - use the simple body code:
    • Example:

  description:  I cannot login to Oracle.
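The description rules quoted in the last post, as an added example that is not part of the original thread: a Python parser and builder for the `[$$ ... $$]` format that refuses alarm text containing either token. The parsing behaviour (the first closing token ends the description) is an assumption modelled on the post, not ServiceNow's implementation, and the sample alarm text is constructed.

```python
import re

# Tokens as quoted in the post above; the parsing rules below are modelled on
# that description and are an assumption, not ServiceNow's implementation.
OPEN, CLOSE = "[$$", "$$]"
_START = re.compile(r"^description:[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE)


def parse_description(body):
    """Return the description text from an email body, or None if absent."""
    m = _START.search(body)
    if m is None:
        return None
    first = m.group(1)
    if not first.startswith(OPEN):
        return first.strip()                      # single-line form
    start = m.start(1) + len(OPEN)
    end = body.find(CLOSE, start)                 # first closing token wins
    if end == -1:
        raise ValueError("multi-line description is missing the closing $$]")
    return body[start:end].strip()


def build_description(text):
    """Format alarm text for the email body, refusing delimiter collisions."""
    for token in (OPEN, CLOSE):
        if token in text:
            raise ValueError(f"alarm text contains the reserved token {token!r}")
    if "\n" not in text:
        return f"description: {text}"             # single-line form
    return f"Description: {OPEN} {text}\n{CLOSE}"


if __name__ == "__main__":
    # Constructed sample alarm text (not from a real SIEM).
    alarm = "Multiple failed logins\nSource: 192.0.2.10\nUser: jdoe"
    body = build_description(alarm)
    print(body)
    assert parse_description(body) == alarm
    # A field value carrying the closing token cuts the ticket text short.
    unsafe = "Description: [$$ URL: /a?x=$$]\nSignature: sample\n$$]"
    print(repr(parse_description(unsafe)))
```

Alarm field values are filled from event data, so the collision check in `build_description` belongs on the sending side, before the email is submitted.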
