--- title: Attach security findings to a ServiceNow ticket description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > API Reference > Security Monitoring --- # Attach security findings to a ServiceNow ticket{% #attach-security-findings-to-a-servicenow-ticket %} Copy pageCopied {% tab title="v2" %} **Note**: This endpoint is in preview and is subject to change. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/). | Datadog site | API endpoint | | ----------------- | ------------------------------------------------------------------------------- | | ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security/findings/servicenow_tickets | | ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security/findings/servicenow_tickets | | app.datadoghq.eu | PATCH https://api.datadoghq.eu/api/v2/security/findings/servicenow_tickets | | app.ddog-gov.com | PATCH https://api.ddog-gov.com/api/v2/security/findings/servicenow_tickets | | us2.ddog-gov.com | PATCH https://api.us2.ddog-gov.com/api/v2/security/findings/servicenow_tickets | | app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security/findings/servicenow_tickets | | us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security/findings/servicenow_tickets | | us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security/findings/servicenow_tickets | ### Overview Attach security findings to a ServiceNow ticket by providing the ServiceNow ticket URL. You can attach up to 50 security findings per ServiceNow ticket. If the ServiceNow ticket is not linked to any case, this operation will create a case for the security findings and link the ServiceNow ticket to the newly created case. Security findings that are already attached to another ServiceNow ticket will be detached from their previous ServiceNow ticket and attached to the specified ServiceNow ticket. This endpoint requires any of the following permissions: `security_monitoring_findings_write``appsec_vm_write` ### Request #### Body Data (required) {% tab title="Model" %} | Parent field | Field | Type | Description | | ------------- | --------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------ | | | data [*required*] | object | Data of the ServiceNow ticket to attach security findings to. | | data | attributes [*required*] | object | Attributes of the ServiceNow ticket to attach security findings to. | | attributes | servicenow_ticket_url [*required*] | string | URL of the ServiceNow incident to attach security findings to. Must be a service-now.com URL pointing to an incident record. | | data | relationships [*required*] | object | Relationships of the ServiceNow ticket to attach security findings to. | | relationships | findings [*required*] | object | Security findings to attach to the ServiceNow ticket. | | findings | data | [object] | Array of security finding data objects. | | data | id [*required*] | string | Unique identifier of the security finding. | | data | type [*required*] | enum | Security findings resource type. Allowed enum values: `findings` | | relationships | project [*required*] | object | Case management project with the ServiceNow integration configured. It is used to attach security findings to the ServiceNow ticket. | | project | data [*required*] | object | Data object representing a case management project. | | data | id [*required*] | string | Unique identifier of the case management project. | | data | type [*required*] | enum | Projects resource type. Allowed enum values: `projects` | | data | type [*required*] | enum | ServiceNow tickets resource type. Allowed enum values: `servicenow_tickets` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "servicenow_ticket_url": "https://example.service-now.com/now/nav/ui/classic/params/target/incident.do?sys_id=abcdef0123456789abcdef0123456789" }, "relationships": { "findings": { "data": [ { "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==", "type": "findings" } ] }, "project": { "data": { "id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001", "type": "projects" } } }, "type": "servicenow_tickets" } } ``` {% /tab %} ### Response {% tab title="200" %} OK {% tab title="Model" %} Case response. | Parent field | Field | Type | Description | | -------------------- | ---------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | | | data | object | Data of the case. | | data | attributes | object | Attributes of the case. | | attributes | archived_at | date-time | Timestamp of when the case was archived. | | attributes | assigned_to | object | User assigned to the case. | | assigned_to | data [*required*] | object | Relationship to user object. | | data | id [*required*] | string | A unique identifier that represents the user. | | data | type [*required*] | enum | Users resource type. Allowed enum values: `users` | | attributes | attributes | object | Custom attributes associated with the case as key-value pairs where values are string arrays. | | additionalProperties | | [string] | | attributes | closed_at | date-time | Timestamp of when the case was closed. | | attributes | created_at | date-time | Timestamp of when the case was created. | | attributes | creation_source | string | Source of the case creation. | | attributes | description | string | Description of the case. | | attributes | due_date | string | Due date of the case. | | attributes | insights | [object] | Insights of the case. | | insights | ref | string | Reference of the insight. | | insights | resource_id | string | Unique identifier of the resource. For example, the unique identifier of a security finding. | | insights | type | string | Type of the resource. For example, the type of a security finding is "SECURITY_FINDING". | | attributes | jira_issue | object | Jira issue associated with the case. | | jira_issue | error_message | string | Error message if the Jira issue creation failed. | | jira_issue | result | object | Result of the Jira issue creation. | | result | account_id | string | Account ID of the Jira issue. | | result | issue_id | string | Unique identifier of the Jira issue. | | result | issue_key | string | Key of the Jira issue. | | result | issue_url | string | URL of the Jira issue. | | jira_issue | status | string | Status of the Jira issue creation. Can be "COMPLETED" if the Jira issue was created successfully, or "FAILED" if the Jira issue creation failed. | | attributes | key | string | Key of the case. | | attributes | modified_at | date-time | Timestamp of when the case was last modified. | | attributes | priority | string | Priority of the case. | | attributes | servicenow_ticket | object | ServiceNow ticket associated with the case. | | servicenow_ticket | result | object | Result of the ServiceNow ticket creation or attachment. | | result | instance_name | string | ServiceNow instance name extracted from the ticket URL. | | result | sys_id | string | Unique identifier of the ServiceNow incident record. | | result | sys_target_link | string | Direct link to the ServiceNow incident record. | | result | sys_target_sys_id | string | Unique identifier of the target ServiceNow record. | | result | table_name | string | ServiceNow table containing the incident record. | | result | url | string | URL of the ServiceNow incident record. | | servicenow_ticket | status | string | Status of the ServiceNow ticket operation. Can be "COMPLETED" if successful, or "FAILED" if the operation failed. | | attributes | status | string | Status of the case. | | attributes | status_group | string | Status group of the case. | | attributes | status_name | string | Status name of the case. | | attributes | title | string | Title of the case. | | attributes | type | string | Type of the case. For security cases, this is always "SECURITY". | | data | id | string | Unique identifier of the case. | | data | relationships | object | Relationships of the case. | | relationships | created_by | object | User who created the case. | | created_by | data [*required*] | object | Relationship to user object. | | data | id [*required*] | string | A unique identifier that represents the user. | | data | type [*required*] | enum | Users resource type. Allowed enum values: `users` | | relationships | modified_by | object | User who last modified the case. | | modified_by | data [*required*] | object | Relationship to user object. | | data | id [*required*] | string | A unique identifier that represents the user. | | data | type [*required*] | enum | Users resource type. Allowed enum values: `users` | | relationships | project | object | Project in which the case was created. | | project | data [*required*] | object | Data object representing a case management project. | | data | id [*required*] | string | Unique identifier of the case management project. | | data | type [*required*] | enum | Projects resource type. Allowed enum values: `projects` | | data | type [*required*] | enum | Cases resource type. Allowed enum values: `cases` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "archived_at": "2025-01-01T00:00:00.000Z", "assigned_to": { "data": { "id": "00000000-0000-0000-2345-000000000000", "type": "users" } }, "attributes": { "": [] }, "closed_at": "2025-01-01T00:00:00.000Z", "created_at": "2025-01-01T00:00:00.000Z", "creation_source": "CS_SECURITY_FINDING", "description": "A description of the case.", "due_date": "2025-01-01", "insights": [ { "ref": "/security/appsec/vm/library/vulnerability/dfa027f7c037b2f77159adc027fecb56?detection=static", "resource_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==", "type": "SECURITY_FINDING" } ], "jira_issue": { "error_message": "{\"errorMessages\":[\"An error occured.\"],\"errors\":{}}", "result": { "account_id": "463a8631-680e-455c-bfd3-3ed04d326eb7", "issue_id": "2871276", "issue_key": "PROJ-123", "issue_url": "https://domain.atlassian.net/browse/PROJ-123" }, "status": "COMPLETED" }, "key": "PROJ-123", "modified_at": "2025-01-01T00:00:00.000Z", "priority": "P4", "servicenow_ticket": { "result": { "instance_name": "example", "sys_id": "abcdef0123456789abcdef0123456789", "sys_target_link": "https://example.service-now.com/incident.do?sys_id=abcdef0123456789abcdef0123456789", "sys_target_sys_id": "abcdef0123456789abcdef0123456789", "table_name": "incident", "url": "https://example.service-now.com/now/nav/ui/classic/params/target/incident.do?sys_id=abcdef0123456789abcdef0123456789" }, "status": "COMPLETED" }, "status": "OPEN", "status_group": "SG_OPEN", "status_name": "Open", "title": "A title for the case.", "type": "SECURITY" }, "id": "c1234567-89ab-cdef-0123-456789abcdef", "relationships": { "created_by": { "data": { "id": "00000000-0000-0000-2345-000000000000", "type": "users" } }, "modified_by": { "data": { "id": "00000000-0000-0000-2345-000000000000", "type": "users" } }, "project": { "data": { "id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001", "type": "projects" } } }, "type": "cases" } } ``` {% /tab %} {% /tab %} {% tab title="400" %} Bad Request {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="404" %} Not Found {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="429" %} Too many requests {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} ### Code Example ##### \## default # \# Curl command curl -X PATCH "https://api.datadoghq.com/api/v2/security/findings/servicenow_tickets" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "data": { "attributes": { "servicenow_ticket_url": "https://example.service-now.com/now/nav/ui/classic/params/target/incident.do?sys_id=abcdef0123456789abcdef0123456789" }, "relationships": { "findings": { "data": [ { "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==", "type": "findings" } ] }, "project": { "data": { "id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001", "type": "projects" } } }, "type": "servicenow_tickets" } } EOF {% /tab %}