* [Blog](https://www2.paloaltonetworks.com/blog)
* [Security Operations](https://www2.paloaltonetworks.com/blog/security-operations/)
* [Must-Read Articles](https://www2.paloaltonetworks.com/blog/security-operations/category/must-read-articles/)
* Playbook of the Week: Ser...

# Playbook of the Week: ServiceNow Ticket Mirroring with Cortex XSOAR

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-servicenow-ticket-mirroring-with-cortex-xsoar%2F)  
[](https://twitter.com/share?text=Playbook+of+the+Week%3A+ServiceNow+Ticket+Mirroring+with+Cortex+XSOAR&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-servicenow-ticket-mirroring-with-cortex-xsoar%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-servicenow-ticket-mirroring-with-cortex-xsoar%2F&title=Playbook+of+the+Week%3A+ServiceNow+Ticket+Mirroring+with+Cortex+XSOAR&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-servicenow-ticket-mirroring-with-cortex-xsoar/&ts=markdown)  
\[\](mailto:?subject=Playbook of the Week: ServiceNow Ticket Mirroring with Cortex XSOAR)  
Link copied  
By [Yvonne Le](https://www.paloaltonetworks.com/blog/author/yvonne-le/?ts=markdown "Posts by Yvonne Le")  
Aug 08, 2022  
4 minutes  
[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown)  
[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)  
[Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown)  
[playbook of the week](https://www.paloaltonetworks.com/blog/tag/playbook-of-the-week/?ts=markdown)  
[Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown)  
[ServiceNow](https://www.paloaltonetworks.com/blog/tag/servicenow/?ts=markdown)  
[SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown)  
[XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown)

Working across multiple platforms to handle your daily operations and services is anything but efficient. With the rise in major cybersecurity incidents, security teams need a quick and efficient incident response plan to mitigate any risks or delays.

Incident response (IR) teams use ticketing systems as part of the communication process to create trackable reports for every incident. In a typical incident management scenario, once a case is opened, a documented response is followed, which includes instructions such as who to alert, what systems to review, what actions to take, and anything else that is a manual or automated effort. As the steps are performed, the case management system needs to be updated so that everything is tracked.

This allows anybody who is involved in the case to know what has already occurred and what items are still outstanding. Often, as impacted assets are discovered, the IR team needs to list the details of the assets, such as time and date of when the findings occurred, to help scope out the situation. Then as new people are added to the ticketing process, proper communication needs to be executed so that they are updated and briefed on all the details of the case.

With Cortex XSOAR, managing your ticketing processes and IT operations is now easier than ever with our integration with ServiceNow. The [ServiceNow IT Service Management (ITSM) content pack](https://xsoar.pan.dev/marketplace/details/ServiceNow) modernizes the way you manage and deliver services to your users. Cortex XSOAR interfaces with ServiceNow to help teams streamline security-related service management and IT operations. The data in ServiceNow tickets can be mirrored to Cortex XSOAR so you can track the status and information in the task. You can also provide comments or attachments in XSOAR which will appear in ServiceNow.

**How the Cortex XSOAR ServiceNow Content Pack Works**

The Cortex XSOAR ServiceNow content pack includes various playbooks to create ServiceNow tickets, incident mirroring to mirror data, and ticket state polling to track when the ticket closes. It allows you to view, create, update, or delete a ServiceNow ticket directly from Cortex XSOAR. It also enriches it with data and manages Security Incident Response (SIR) tickets.

The content pack also includes two out-of-the-box layouts for a more concise visualization of the ServiceNow ticket information within Cortex XSOAR. The layout can be added as a new tab to existing layouts on your screen, reducing the need to toggle between multiple interfaces.
![Phishing Use Case - ServiceNow](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/08/cbY0DnTrNcvHdtNwLh7IVaHu8PduhZ73amzHKrgnLUM6my0CUcNeBooovOhWJldGPbiC9u7G4oHEaDMQKqBMxkRHVaDbGFEEN2KrlP9Vv9P-Q84ZOvBrpGS6sILS.png)
A new ServiceNow ticket will be ingested in Cortex XSOAR via the Mirror ServiceNow Ticket Playbook

The primary playbook within the content pack is the Mirroring Integration playbook, which allows you to mirror incidents, create new tickets, and manage cases directly from ServiceNow. When mirroring incidents, you can make changes in ServiceNow that will be reflected in Cortex XSOAR, or vice versa, allowing you to manage ServiceNow tickets in Cortex XSOAR. The content pack enables out-of-the-box incoming and outgoing mirroring and continuously syncs data between ServiceNow and Cortex XSOAR. This includes the ServiceNow database schema from the integration, which brings all of the available fields, comments, work notes, files and attachments from either of the systems which will then be available in the other system.

Ticket state polling or field polling is another optional sub-playbook within the pack that will poll for the state (indicated in the ServiceNow State field of the ticket) once the ticket has been marked as resolved or closed, as seen below.
![Playbook triggered, inputs/outputs](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/08/zwQ95t7sJ9KewEBVSv4cJNFYcqB-LgeevwrIyRmsisWEjYBgLcPyKxgQtJYLKMLjQW773ehCVsLG470czeie9fij3DZ_x2Z8QdMRjXCFMfUt4DYGuME940OAiyGS.png)
FieldPolling Sub-playbook within the ServiceNow Mirror ServiceNow Ticket Playbook

For more information on the ServiceNow Content Pack, refer to the [developer article here](https://xsoar.pan.dev/docs/reference/integrations/service-now-v2#use-cases) and here for a deeper understanding of the [Mirror ServiceNow Ticket playbook](https://xsoar.pan.dev/docs/reference/playbooks/mirror-service-now-ticket#playbook-image).

**To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour)**

**We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.**

**Please Suggest Other Ideas or Vote!**

If you like these ideas or would like to suggest other ideas, please collaborate with us through the Cortex XSOAR Aha page: [https://xsoar.ideas.aha.io/ideas](https://xsoar.ideas.aha.io/ideas)

[](https://xsoar.ideas.aha.io/ideas)  
[![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/word-image-77.png)](https://xsoar.ideas.aha.io/ideas)

*** ** * ** ***

## Related Blogs

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Automated Rapid Response to 3CXDesktopApp Supply Chain Attack](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automated-rapid-response-to-3cxdesktopapp-supply-chain-attack/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Automated Rapid Response to Microsoft Outlook for Windows Vulnerability](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automated-rapid-response-to-microsoft-outlook-for-windows-vulnerability/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Automating Your Threat Intelligence with Cortex XSOAR](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-your-threat-intelligence-with-cortex-xsoar/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Automating Attack Surface Management with Cortex XSOAR](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-attack-surface-management/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Cortex XDR Investigation and Response](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-cortex-xdr-investigation-and-response/)

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: MITRE ATT\&CK---Courses of Action with Cortex XSOAR](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-mitre-attck-courses-of-action-with-cortex-xsoar/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language