Introduction
The Teramind-ServiceNow integration automatically generates records in ServiceNow from incidents that it fetches, via the Teramind API, from Teramind’s ‘OMNI’, an AI/ML threat detection, incident management, and analytics engine. This integration helps teams monitor critical incidents directly within ServiceNow, reducing the need to switch between platforms.
The entire integration is packaged into a single, certified ServiceNow Enterprise Workflow Application: Teramind Incident Monitor.
The Teramind app for ServiceNow provides seamless integration between Teramind’s award-winning behavioral analytics platform and ServiceNow for the creation and management of ITSM, SecOps, and BPO use cases.
Teramind-ServiceNow Integration Benefits
Integrating both products will help you utilize the strengths of each product, fill gaps, and leverage your existing investment while simplifying security and business cases.
Easy, No-Code Implementation | Certified ServiceNow app-based installation. The easy, no-code implementation allows you to seamlessly integrate Teramind incidents into ServiceNow in just a few minutes. No need to go through the API complexity or understand platform architecture if you don’t want to. |
Create ITSM Workflows | The integration makes the creation and management of ITSM cases and security incidents easy. Take advantage of Teramind’s exhaustive and high-fidelity telemetry collection, advanced OCR functionality, and powerful analytics capabilities to stay one step ahead of meaningful behavior patterns in your organization, then create and update relevant cases via your existing ServiceNow workflows. |
Enhance Security Operations (SecOps) | Enrich your cybersecurity posture control with granular, endpoint analytics, UEBA and AI/ML-based threat detection, insider risks, and data exfiltration intelligence within your ServiceNow SecOps dashboards. Simplify and automate threat and vulnerability management and response while reducing risks to your organization. |
Implement a Fast Incident Response Program | Simplify incident tracking and vulnerability management by consolidating data from Teramind into ServiceNow. Enable real-time visibility of incidents within ServiceNow, enhancing the response time for critical incidents. |
Get Early Warnings | Real-time events reporting and AI-based threat modeling allow you to detect risks before they become threats or identify flight risk users to prevent insider threats. |
Reduce False Positives | Combine Teramind’s powerful OMNI engine with flexible event prompts such as severity, incident source, etc., and ServiceNow’s advanced filtering to replace noise with insights and clarity. |
Conduct Audit & Forensic Investigations | Use Teramind’s strength in capturing detailed event logs, OCR, and session recording and combine them with ServiceNow’s features such as Tags to mark up incidents and assign/delegate activities to analysts for cohesive case management. Launch Investigation directly from the incidents view with embedded URLs. |
Build Custom Applications | Use Teramind record sets to build your custom application and dashboards with the “create application file” feature. Direct access to raw data in a table with the ability to import external data allows you to aggregate data from multiple sources to build extremely powerful apps. |
Utilize NQL | Use ServiceNow’s NQL feature to organize Teramind incidents, refine your list results, and find the data you want quickly without having to build complex queries. For example, “critical problems grouped by departments”, “new problems sorted by severity updated in descending order”, etc. |
Optimize Business Processes (BPO) | Use ServiceNow’s Process Mining and Interactive Analysis features powered by Teramind’s rich, granular data to optimize your business processes. |
Enjoy Premium Support & SLA | First-party support, regular updates, and premium SLA. |
Installation Overview
App Version | 1.0.1 |
Compatibility |
|
Dependencies/Plugins | None |
Terms & Conditions | |
Licensing | Free |
Prerequisites |
|
*You will need to have the ServiceNow feature enabled on your Teramind instance before you can begin. Please contact your Customer Service Representative to activate the feature on your instance.
Step 1: Create an Access Token
Teramind uses JSON Web Token (JWT) for authentication and access control for its API. The access token will allow the Teramind ServiceNow app to securely communicate with your Teramind instance.
Follow the instructions below to create an access token:
1. Log into your Teramind Dashboard.
2. Click the User Menu.
3. Select the Access tokens option from the drop-down menu.
4. Click the ADD ACCESS TOKEN button. The Add access token window will pop up:
5. Enter a name for the access token and press the CREATE button.
6. Copy the access token to a safe place. You will not be able to view the token once you click the DONE button. You will need this token in Step 3:10.
7. Click the DONE button.
Step 2: Install the App
Depending on what type of instance you have, there are several ways you can install an application on ServiceNow. Here, we show you two options:
Option 1: Installing from My Company Applications
If your company already has entitlement to the app, you can install it via the My Company Applications option.
To do so, follow the instructions below:
1. Log into your ServiceNow portal.
2. Select All from the menu on top.
3. Search for system applications in the Filter field.
4. Select the System Applications > My Company Applications option. You will be taken to the Application Manager screen:
5. Click the Install button next to the Teramind Incident Monitor app. It should be under the Not Installed section. The Application Installation window will pop up:
6. Click the Install button. The installation process will begin, and you will see the progress:
7. Once the installation is completed successfully, click the Close button to close the window.
Option 2: Installing from Store Applications
If your company doesn’t have the entitlement to the app, you can install it via the Available To Obtain From Store option.
To do so, follow the instructions below:
1. Log into your ServiceNow portal.
2. Select All from the menu on top.
3. Search for system applications in the Filter field.
4. Select the System Applications > All Available Applications > Available to Obtain From Store option. You will be taken to the Store Applications screen:
5. Search for teramind in the Search field on top.
6. Click the View Details button.
7. Click the Get button.
8. Follow the instructions on screen. On the final step, click the Go button to install the app.
For more information about installing a free app from the ServiceNow Store, check out the ServiceNow Documentation.
Step 3: Configure System Properties
System properties are used to store system configurations, usually settings that do not change often. System properties are kept in the sys_properties table in ServiceNow.
The Teramind app comes with two system properties that need to be configured with your Teramind instance information.
Follow the instructions below to configure them:
1. Select All from the menu on top.
2. Search for sys_properties.list in the Filter field (note that you will not see any result, that’s normal), and press the Enter key. You will be taken to the System Properties screen:
3. Enter teramind in the Search field and press Enter.
4. Click the x_teram_monitor.tm.instance.url name. The System Property window will open:
5. You might see a warning on top about the scope of the record. If you see such a warning, click the here link in the warning message, then you will be able to modify the property fields.
6. In the Value field, enter your Teramind instance URL (your Teramind Dashboard URL). For example, https://demo.teramind.co.
7. Click the Update button. The changes will be saved, and you will be taken back to the System Properties screen:
8. Click the x_teram_monitor.tm.token name. The System Property window will open:
9. You might see a warning on top about the scope of the record. If you see such a warning, click the here link in the warning message, then you will be able to modify the property fields.
10. In the Value field, enter the access token you copied in Step 1:6.
11. Click the Update button to save the changes.
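The check below is an added example, not part of the Teramind app or of this guide: it inspects the two values from Steps 1 and 3 offline, before they are saved, so a truncated or expired token or a non-HTTPS instance URL is caught early. The function names, the sample token, the "base URL only" rule and the use of the standard exp claim are assumptions; the token's signature is not verified, only its structure.

```javascript
'use strict';
// Added example. Property names are from this page; function names, the sample
// token and the "base URL only" rule are assumptions made for illustration.
const URL_PROPERTY = 'x_teram_monitor.tm.instance.url';
const TOKEN_PROPERTY = 'x_teram_monitor.tm.token';
const B64URL = /^[A-Za-z0-9_-]+$/;

// Decode one base64url JWT segment into an object, or null if it is malformed.
function decodeSegment(segment) {
  if (!B64URL.test(segment)) return null;
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  try {
    const value = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return value !== null && typeof value === 'object' ? value : null;
  } catch (err) {
    return null;
  }
}

// Problems with the instance URL value; an empty array means it looks usable.
function checkInstanceUrl(value) {
  const problems = [];
  if (value !== value.trim()) problems.push('leading or trailing whitespace');
  let url;
  try {
    url = new URL(value.trim());
  } catch (err) {
    return problems.concat('not a valid absolute URL');
  }
  if (url.protocol !== 'https:') problems.push('not https: the token would be sent unencrypted');
  if (url.username || url.password) problems.push('credentials embedded in the URL');
  // Assumption: only the dashboard base URL is expected, as in the page's example.
  if (url.pathname !== '/' || url.search || url.hash) problems.push('contains a path, query or fragment');
  return problems;
}

// Structural checks on the token value. The signature is not verified here.
function checkToken(value, nowSeconds) {
  const problems = [];
  if (/\s|["'“”]/.test(value)) problems.push('contains whitespace or quote characters');
  const parts = value.trim().split('.');
  if (parts.length !== 3) {
    return { problems: problems.concat('not a three-part JWT (truncated paste?)'), expires: null };
  }
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  if (!header) problems.push('header segment is not base64url JSON');
  if (!payload) problems.push('payload segment is not base64url JSON');
  if (!B64URL.test(parts[2])) problems.push('signature segment is missing or malformed');
  // "exp" is the standard JWT expiry claim; whether Teramind sets it is an assumption.
  const exp = payload && typeof payload.exp === 'number' ? payload.exp : null;
  if (exp !== null && exp <= nowSeconds) problems.push('token has expired');
  return { problems, expires: exp === null ? null : new Date(exp * 1000).toISOString() };
}

// Check both values as they would be entered in sys_properties.
function preflight(props, nowSeconds) {
  return {
    [URL_PROPERTY]: checkInstanceUrl(props[URL_PROPERTY] || ''),
    [TOKEN_PROPERTY]: checkToken(props[TOKEN_PROPERTY] || '', nowSeconds).problems,
  };
}

// Constructed sample token (not a real credential): header.payload.signature.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'HS256', typ: 'JWT' }), enc(payload), 'c2FtcGxlLXNpZw'].join('.');
}

const sample = makeSampleToken({ sub: 'servicenow-integration', exp: 1900000000 });
console.log(preflight({ [URL_PROPERTY]: 'https://demo.teramind.co', [TOKEN_PROPERTY]: sample }, 1700000000));
```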
Step 4: Schedule Script Execution
ServiceNow uses JavaScript to extend application functionality.
The Teramind app comes with several scripts of its own. One of the primary scripts, Create Teramind Incidents is used to pull data from your Teramind instance into ServiceNow. To run the script automatically, you can schedule a script execution job.
Follow the instructions below to set up a job:
1. Select All from the menu on top.
2. Search for teramind in the Filter field.
3. Select the Teramind Incident Monitor > Teramind Incidents > Teramind Jobs Setup option. You will be taken to the Scheduled Script Execution screen:
4. Click the Create Teramind Incidents name. The Scheduled Script Executions window will open:
5. You might see a warning on top about the scope of the record. If you see such a warning, click the here link in the warning message, then you will be able to modify the fields.
6. Click the Active checkbox to activate the script.
7. By default, the script is configured to run every 5 minutes. But you can change these settings to suit your needs.
8. Click the Execute Now button to save the script, run it at once and then close the window.
9. Click the Update button to save the script and close the window.
Incidents are fetched in a batch of 100 each time the script is executed.
More information about creating a scheduled script execution can be found on the ServiceNow Developer Portal.
Step 5: View Incidents
Once the Create Teramind Incidents script has been executed, you will be able to view the Teramind incidents on a ServiceNow List view.
Follow the instructions below to view the incidents:
1. Select All from the menu on top.
2. Search for teramind in the Filter field.
3. Select the Teramind Incident Monitor > Teramind Incidents > All option. You will be taken to the Teramind Incidents screen:
4. Click the Personalize List icon to configure what columns are shown on the list. Check out the Personalizing the List Columns section below to learn more.
5. You can search the list by using the Search field. Check out the Searching the List section below to learn more.
6. You can conduct a more advanced search by clicking the Filter icon. Check out the Filtering the List section below to learn more.
7. You can use the List Control menu near the top-left corner to manipulate the list in several ways. For example: group rows by column, set the number of rows being displayed, edit the filters, etc.
8. Hover over a column and click the Column Menu to sort the column, create groups, launch interactive analytics, and perform other tasks.
9. You can select one or more rows (by clicking the checkmark in front of a row) and then select an action from the Actions on selected rows… menu to perform certain row actions such as delete rows, add tags, etc. Check out the Using Row Actions section to learn more.
10. You can click a Teramind Incident ID to open the incident for editing. You can also double-click any value to edit it. Note that the changes you make to an incident will only affect the record in ServiceNow, records in your Teramind instance will not be affected.
11. You can create an incident manually by clicking the New button. Note that any incident you create will remain on ServiceNow, it will not be sent to your Teramind instance.
More information about the List can be found in the ServiceNow Documentation Portal.
Personalizing the List Columns
By default, the Teramind Incidents list shows the Teramind Incident ID, Agent Email, Incident Duration, Incident Category, Incident Source, Incident Type, and Incident URL. But you can configure what columns will be shown from the Personalize List Column menu:
1. Click the Personalize List icon.
2. Select columns from the Available or Selected lists and use the arrow buttons to move the selected columns from one list to the other. See the table below for an explanation of each column.
3. Use the option at the bottom to change the list display and edit options.
More information about Personalize List Columns can be found in the ServiceNow Documentation Portal.
List of Available Columns
Column | Description |
Teramind Incident ID | A unique ID for the incident. This is used by Teramind OMNI to track the incidents. The code is also used with the Incident URL (see below). |
Agent Email | The employee’s email linked to the incident. |
Incident Duration | Incident duration. |
Incident Category | This is the same as the OMNI’s Insight Category filter. It basically shows the Behavior Policy that was violated. |
Incident Source | This is the same as the OMNI’s Source filter. There are currently two types of sources: BI/behavior_alert (the Behavior Alert) or Insight (AI/ML detected incident). |
Incident Type | This is the same as the OMNI’s Insight Type filter. It shows Behavior Rules or AI/ML incident type. |
Incident URL | You can use this URL to go to the investigation page on OMNI: |
Agent ID | The employee’s ID linked to the incident. You can open the employee’s page on Teramind by using the following URL syntax: https://<instance>/#/employees/<Agent ID> For example: https://demo.teramind.co/#/employees/20 |
Class | Used internally to track the incidents on the ServiceNow table. It’s linked to the |
Computer ID | The computer’s ID linked to the incident. You can open the computer’s page on Teramind by using the following URL syntax: https://<instance>/#/computer/<Computer ID> For example: https://demo.teramind.co/#/computer/3 |
Created | Timestamp of when the incident was created (pulled from Teramind by the script). |
Created By | ServiceNow account which created the incident. |
Incident Started At | The timestamp of when the incident started. |
Incident Ended At | The timestamp of when the incident ended. |
Incident Updated At | The timestamp of the incident update. |
Is Frozen | Indicates if the incident is preserved for investigation. The value can be either True or False. |
Severity Score | A number indicating the risk severity of the incident. |
Tags | Tags you have assigned to the incident. Please see the Using Row Actions section to learn more about tags. |
Updated | If you have edited the incident in ServiceNow, the timestamp of the update. Otherwise, it will be the same as the Created column. |
Updated by | Name of the user who made the last update. |
Updates | The number of times the incident was edited/updated in ServiceNow. |
Searching the List
You can search for any column values using the Search feature:
1. First type something in the Search field above and press Enter.
2. You will then see individual Search fields on top of each column. Enter the search text in any column’s search field and press Enter to search for a value in that column.
Filtering the List
Filters allow you to specify which incidents are displayed in a list. It’s essentially a more advanced search feature:
1. Click the Filter icon.
2. Select a column, a condition operator (e.g., equals, contains, etc.), and then the value for the column. You can optionally click the AND button or the OR button to add additional conditions to the filter as required.
3. Press the Run button to run the filter.
More information about Filters can be found in the ServiceNow Developer Portal.
Using Row Actions
Row Actions let you manage the selected rows/records and assign tags to them.
1. Click the Checkbox in front of a row to select the row. You can select multiple rows.
2. Click the Actions on selected rows… menu near the top-right corner to open the drop-down menu. Here are the actions you can take:
Delete: This option will delete the selected record(s)/row(s).
Delete with Preview: This option will let you first preview the record(s) before deleting them.
Create Application File: This option will let you include the selected records when sharing the application.
More information about Creating Application Files can be found in the ServiceNow Documentation Portal.
Assign Tag: Tags help you facilitate incident investigation by organizing incidents into topics of interest. Select any existing tag under Assign Tag to apply it to the selected records. Click the New Tag option to create a new tag. The Tag Details pop-up window will open where you can create the tag and set its sharing level:
Remove Tag: This option will remove the tag.
More information about Tags can be found in the ServiceNow Documentation Portal.
Additional Actions
Configuring Optional Incident Filters
You can apply optional filters (called System Properties in ServiceNow) to fetch only the incident data meeting a specified value/criteria.
Follow the instructions below to configure the optional filters:
1. Select All from the menu on top.
2. Search for sys_properties.list in the Filter field (note that you will not see any result, that’s normal), and press the Enter key. You will be taken to the System Properties screen:
3. Click the New button. The System Property-New Record window will open:
4. Enter the name of the property (filter) in the Name field according to the table below.
5. Select the value type from the Type field according to the table below.
6. Enter the filter value in the Value field according to the table below. You can enter multiple values separated by commas (,). For example: “high,critical”.
7. Click the Submit button to save the property.
Follow Steps 1-6 above to add additional properties.
List of Optional Filters
Filter (System Property) | Type | Examples* |
| String |
|
| String |
|
| String |
|
| String |
|
*Note: Do not use the “” when entering the values in the System Property window.
Clearing the Incidents Table
The app comes with a Clear Teramind Incidents script that, when activated, will remove records from the incidents table that are older than 30 days. However, you can change the script to remove newer or older records.
Follow the instructions below to configure the script:
1. Select All from the menu on top.
2. Search for teramind in the Filter field.
3. Select the Teramind Incident Monitor > Teramind Incidents > Teramind Jobs Setup option. You will be taken to the Scheduled Script Execution screen:
4. Click the Clear Teramind Incidents name. The Scheduled Script Executions window will open:
5. You might see a warning on top about the scope of the record. If you see such a warning, click the here link in the warning message, then you will be able to modify the fields.
6. Click the Active checkbox to activate the script.
7. Select how frequently the script will execute from the Run field and then configure any additional options for the schedule. For example: if you choose the Run frequency as Periodically, you can specify the Repeat Interval and the Starting date and time.
8. If you want, you can edit the daysOld variable to a different value to increase/decrease the records retention period*. For example, if you want to keep records for up to three months, you can set this value to 91.
*Be careful when editing the script’s code directly. Any mistake can make the whole App unstable or prevent it from running.
9. Click the Execute Now button to save the script, run it at once, and then close the window.
10. Click the Update button to save the script and close the window.
Viewing Logs
You can view the system logs including logs generated by the Teramind app to troubleshoot issues.
1. Select All from the menu on top.
2. Search for system logs in the Filter field.
3. Select the System Logs > System Log > All option. You will be taken to the Logs screen:
4. Click the Filter icon.
5. Select Source package from the column list, contains from the condition list, type “teramind” in the value field of the filter, and then press the Run button to run the filter. The list will now show logs from the Teramind app.
Clearing Logs
The app comes with a Clear Script Execution Logs script (job) that, when activated, will remove records from the script execution logs table that are older than 30 days. However, you can change the script to remove newer or older logs.
Follow the instructions below to configure the script:
1. Select All from the menu on top.
2. Search for teramind in the Filter field.
3. Select the Teramind Incident Monitor > Teramind Incidents > Teramind Jobs Setup option. You will be taken to the Scheduled Script Execution screen:
4. Click the Clear Script Execution Logs name. The Scheduled Script Executions window will open:
5. You might see a warning on top about the scope of the record. If you see such a warning, click the here link in the warning message, then you will be able to modify the fields.
6. Click the Active checkbox to activate the script.
7. By default, the script is set up to run on the first day of every month. You can select how frequently the script will execute from the Run field and then configure any additional options for the schedule.
8. If you want, you can edit the retentionDays variable to a different value to increase/decrease the records retention period*. For example, if you want to keep records for up to three months, you can set this value to 90.
*Be careful when editing the script’s code directly. Any mistake can make the whole App unstable or prevent it from running.
9. Click the Execute Now button to save the script, run it at once, and then close the window.
10. Click the Update button to save the script and close the window.
Uninstalling the App
Follow the instructions below to uninstall the app:
1. Select All from the menu on top.
2. Search for teramind in the Filter field.
3. Click the Edit Application icon next to the Teramind Incident Monitor option. You will be taken to the Application Menu screen:
4. Click the Information icon next to the Application field. A small, Store Application window will pop up.
5. Click the Open Record button on the pop-up window. You will be taken to the Store Application screen:
6. Scroll down and then under the Related Links section, click the Uninstall link. The Uninstall Teramind Incident Monitor window will pop up:
7. If you want, you can uncheck the Retain tables and data option to remove all the tables and data associated with the app.
8. Click the OK button. A warning dialog will appear:
9. Type uninstall in the dialog and press OK to continue. The uninstallation process will begin, and you will see the Progress window:
10. Wait until the uninstallation is done, then click the Done button to close the window.
Architecture
Architecture Features
|