Skip to main content

Update ServiceNow incidents with affected CIs

The webhook body in the provided ServiceNow outbound webhook templates includes the key u_affected_cis. This can be used to pass a list of affected configuration items (CIs) into the created ServiceNow incident. The list can be supplied as either a CSV string or a JSON Array that is encoded as a string.


Do not attempt to pass a list of affected CIs by using the cmdb_ci field located under u_payload. This field only accepts string values, not lists.

When the request is processed in ServiceNow, each item in this list is added to the incident as an Affected CI if it matches a valid ServiceNow CMDB record.

There are two modes of operation depending on the Enable to append rather than replace the Affected CI list on update application property:

  • By default, this option is enabled so that the unique elements of the u_affected_cis passed in updates are appended to the list of Affected CIs in the ServiceNow incident. This is the most efficient mode of operation and shouldn’t need to be changed in most cases.

  • If this option is disabled, the u_affected_cis passed in updates are used to completely replace the list of affected CIs in the ServiceNow incident (the affected CIs are first deleted and then replaced with the new list).

The contents of the u_affected_cis key can be taken from tags that have been propagated up to the incident. The provided outbound webhook assumes that tags.affected_ci exists in the incident and contains a valid list of CIs.

Assuming that the event “source” field contains a valid CI Name, one way to populate the tags.affected_ci field in the incident would be to create an Event Workflow that copies the event source field to the tags.affected_ci field. For example:

curl -X POST '' \ 
--header 'Accept: application/json' \ 
--header 'apiKey: <api_key>' \ 
--header 'Content-Type: application/json' \ 
--data-raw '{     
	"name": "Copy source to tags",     
	"description": "Copy event source into tag to populate CIs in incident tags",     
	"trigger": {         
		"type": "EVENT_CREATED",         
		"entryFilter": ""     
	"type": "EVENT",     
	"priority": 2,     
	"steps": [         
		"actionName": "TemplateFieldAction",             
		"description": "This action constructs a string by concatenating values from the processed object fields, with other text if necessary, based on the provided template. To reference an object field use the following format: ${<field_name>}. Multiple fields can be referenced in the same template.",
		"configuration": {                 
			"template": "${source}",                 
			"outputFieldName": "tags.affected_ci"             

You should ensure that tags.affected_ci is included in the list of tags that will be propagated from alerts up to incidents. For more information, see Including alert tags in incidents.

When multiple alerts are rolled up into an incident, the incident tags.affected_ci will be populated as a CSV list of values taken from the tags.affected_ci field of each alert.