Overview and System Requirements - Alert Sync

Overview

Cookdown Alert Sync for ServiceNow allows you to send filtered SCOM alerts to ServiceNow to create incidents, and keep both systems up-to-date using bi-directional syncing.

It supports pushing SCOM alerts into ServiceNow's Event Management plugin as Events to get the benefit of combining event data from SCOM with other data sources or can operate as a standalone product, allowing SCOM alerts to automatically raise Incidents without Event Management.

Without Event Management 

When an Alert is raised in SCOM an Alert Record is created in ServiceNow containing the properties of the Alert from SCOM. These properties are kept up to date if anything in SCOM changes.

Created Alerts are matched against Incident Creation Rules which define when a received Alert has an Incident raised for it too

When Bi-directional sync is enabled, when an Incident is created, the Incident ID and Assignment Group are sent to SCOM. When the Incident created is updated (EG it is assigned to someone new, moves state or is assigned a new Business Service) data is sent to SCOM so there is end-to-end visibility. For more info on what is synced by default and on how to change this behavior see the Out of the Box behaviors article.

By default, when an Incident is Resolved (or closed) from ServiceNow, the Alert Record and the source SCOM Alert are also closed

With Event Management

When Alert Sync is used with Event Management, SCOM alerts are sent to Event Management's public API. SCOM alerts are received as Events which can be handled by Event Management in the same fashion as it handles events from other data sources

Key Concepts and Features

  • Alert - a specific event generated by SCOM where a monitor has exceeded a threshold or a rule has been breached. EG SCOM can monitor a server's CPU usage and generate an alert where the CPU usage is higher than 50% for more than 5 mins
  • Incident - "An unplanned interruption to an IT service or reduction in the quality of an IT service or a failure of a Configuration Item that has not yet impacted an IT service (for example failure of one disk from a mirror set)" - from ITIL 2011. In ServiceNow, Incidente are put through the Incident Management Process in the form of tickets that can be assigned to teams, raised against specific pieces of infrastructure (called Configuration Items, held in ServiceNow's CMBD)
  • Automatic Incident creation - with Alert Sync you can raise incidents in ServiceNow automatically when Alerts are opened in SCOM against Incident Creation Rules that you define. There are settings that govern when Alerts are sent from SCOM and that govern which Alerts that ServiceNow receives are raised as Incidents
  • One Direction sync (default behavior) - by default you get one direction Sync (SCOM > ServiceNow), this means that you can manage your Alerts in ServiceNow as Incidents and get notified when the SCOM Alerts that caused the Incidents to be raised get updated or closed
  • Bi Direction Sync - If enabled, not only do you get the benefits of one direction sync described above, but key data from the created Incidents are synced to SCOM such as the Incident ID, Assigned Group, and assignee. When this info changes the data is pushed to SCOM and stored in the properties of the Alert


System Requirements

  • SCOM 2012 R2 or later
  • ServiceNow Kingston or later (including Paris)
  • Connectivity between your SCOM Management Servers and ServiceNow for REST
  • A valid product license

Security

SCOM stores credentials for the service account you create in ServiceNow for Alert Sync's use and distributes these credentials securely to SCOM Management Servers of your choosing. This is done using SCOMs native RunAs accounts functionality, more info on how this works.

The ServiceNow service account needs to have our custom role. This role grants permissions to the following:

  • Incident Creation (typically granted via the "ITIL" role)
  • Access to our custom tables, which hold SCOM alerts, Incident Creation Rules and app settings (granted via the roles specified on the installation page)
  • REST endpoint (typically granted via the "web_service_role" role on older ServiceNow versions)

Alert Sync supports Basic authentication to ServiceNow only. All traffic is sent using your ServiceNow instance's default TLS/SSL config over HTTPS. More info.