Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.
Versions
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store
Close

Data imported into security alerts

Data imported into security alerts

When an event is created with more JSON-encoded data, that data is imported into any field with a name that matches the fieldName of that value in the JSON data. If you have data in your third-party monitoring software (for example, Splunk) that is not common to the base system, you can add new fields to the Alert table to accommodate the data import.

The JSON format for importing data into alerts is the same format used for creating security incidents from events and alerts:
  • { "fieldName" : "fieldValue", "fieldName" : "fieldValue" }

The only difference is that the data in the field is always overwritten with the fieldValue.

When the security event data is imported, it populates the fields in the Alert table with matching field names. If the alert is later turned into a security incident, the same additional information data populates matching fields in the security incident.