Moved to SIEM for better handling

---

Peter

Moderator

We have it setup via email, we just have to get a unique code from the Service-Now admins for each alarm we intend to send, this code which is placed in the body of the message (at the top) which lets Service-Now know which field mappings and Incident type to create. We work with the Service-Now admins to map the fields we intend to include in the message (providing sample messages), and then figure out where those would map to in Service-Now.

We are trying to expand the usage of Service Now to create Incidents in our new Security Operations Management module with multiple lines of text in the description.  To do so our instance of Service-Now is setup to use [$$ and $$] between any text you want to be added to the "Description" if using multiple lines of data.

However the inserted alarm fields already use [$ and ] to enclose specific field data, and thus we are having issues. Working with Service-Now admins to change to ($$ and $$)

Using an escape character of \ does not seem to work, in other words: \[$$ or \[\$\$

Description

• Single line of text or multiple lines wrapped in tokens Description: [$$ description text $$].
• Multi-line:
  • The line must begin with "description: [$$" (case insensitive)
  • The description must be ended with the token "$$]"
  • Example:

Description: [$$ I cannot login to Oracle.

I’m getting a 404 error on the login page.

I suspect the DNS server is down.

$$]

• Single-line - use the simple body code:
  • Example:

  description:  I cannot login to Oracle.