Configuring ServiceNow destinations

Tanium can create an incident ticket in ServiceNow. The input for the incident ticket can be any connection source including saved questions or Tanium system status information.

You must install a complementary ServiceNow App for Tanium on your ServiceNow instances.

Example Use Cases

  • Create a ServiceNow Incident for any system where the CPU utilization is over 95%.
  • Create a ServiceNow Incident when an IOC (Indicator of Compromise) is detected on an endpoint.
  • Create a ServiceNow Incident on System or Application crash events.


ServiceNow administrative privileges to install the Tanium App and create a user.

Install the Tanium App on your ServiceNow instance

For ServiceNow to allow Tanium to create Incident tickets, you must first install and configure the Tanium App on your ServiceNow instance.

  1. Download the Tanium App from the ServiceNow App store:
  2. Install the App.
    From the Downloads page, you can find the app is in the ServiceNow System Applications > Applications menu. Click Install. When the installation completes, the page refreshes to show that App as installed.
  3. Create a user.
    You must create a user account for Tanium™ Connect to use when interacting with your instance of ServiceNow. Within ServiceNow, click User Administration > Users and click New. Create the new user.
  4. Assign the required role to the user.
    Add a role to the new user that you just created. Scroll down to the Roles section of the page and click Edit. Find the “x_tanium_tanium.Tanium Integration” role and add the role for the selected user. Right click on the menu bar and click Save.

Specify general connection information

  1. On the Connect home page, click Create Connection > Create.
  2. Enter a name and description for your connection.
  3. Enable the connection to run on a schedule.
    Select Enable. You can set up the schedule when you configure the rest of the connection. If the schedule is not enabled, the connection only runs when you manually run it.
  4. (Optional) Set the logging level.
    By default, the logging is set to Information. Set the log level to Trace or Debug if you are debugging the connection. To reduce the amount of logging, you can set the log level to Warning, Error, or Fatal.

Configure the connection source

The connection source determines what data you are sending to the destination. This data is usually information from Tanium, such as a saved question, question log, system status, or event. The settings vary depending on which source you choose.

Configure the ServiceNow destination

  1. Specify authentication credentials, including the host name, user name, and password.
    The user that you specify must be the user that you assigned to the special Tanium role (x_tanium_tanium.Tanium Integration).
  2. Specify information about the ticket that gets created in ServiceNow.
  3. Specify Tanium settings. If you have a proxy defined for your Tanium Module Server, select the Use Tanium Module Server Proxy Setting setting.
  4. If the connection uses TLS encryption, select Secure.

Configure filters

(Optional) You can use filters to modify the data that you are getting from your connection source before it is sent to the destination.

For more information about the types of filters you can configure, see Reference: Filtering options.

Format data for ServiceNow

When you select the ServiceNow destination, you are limited to a CSV file as your only output option.

You can change the Destination name of each column and Value Type to force the column to be a String, Numeric, or DateTime value.

If you choose Numeric for the value, you can specify a default value that is used if the data cannot be coerced into a numeric value. You can specify any negative or positive number.

If you choose DateTime for the value, specify the Date/Time format that you want to use for the column. For more information about using a variable, see Time stamp variables.

Schedule the connection

Connections can run at a highly configurable time interval, such as multiple times per hour, day, week, or month.

Update the schedule: 

  • Use the Generate Cron tab to build a schedule based on some common time intervals. This tab generates a Cron expression.
  • To view or edit the Cron expression directly, click the Edit Cron Expression tab.

Save and verify connection

  1. Click Create Connection > Create. When the connection gets created, your new connection displays in the list on the Connections page.
  2. To view details about when the connection is running, click the name of the connection. On the resulting connection details page, click the Runs tab.
  3. To view individual run logs, click the link in the Status column in the Runs table.

When a connection runs, the connection logs will have a URL that is a direct link to the incident that was created. This link is very helpful in determining whether the incident was created as expected. How many tickets get created depend on the value that is set for the Aggregate setting. When Aggregate is enabled, all results for the saved question are put in a single incident ticket. If you do not have this setting enabled, each unique row in the results has an incident ticket opened.

Connection logs for the ServiceNow connector are in the same place as other connection logs. For more information, see Troubleshooting.