Use Azure alerts to create a ServiceNow alert or event work item

Important

As of September 2022, we are starting the 3-year process of deprecating support for using ITSM actions to send alerts and events to ServiceNow.

This article describes the process of sending alerts and events to ServiceNow using ITSM actions.

After you create your ITSM connection, use the ITSM action in action groups to create work items in your ITSM tool based on Azure alerts. Action groups provide a modular and reusable way to trigger actions for your Azure alerts. You can use action groups with metric alerts, activity log alerts, and Log Analytics alerts in the Azure portal.

Note

Wait 30 minutes after you create the ITSM connection for the sync process to finish.

Create ITSM work items

  1. In the Azure portal, select Monitor > Alerts.

  2. On the menu at the top of the screen, select Manage actions. Screenshot that shows selecting Action groups.

  3. On the Action groups screen, select +Create. The Create action group screen appears.

  4. Select the Subscription and Resource group where you want to create your action group. Enter values in Action group name and Display name for your action group. Then select Next: Notifications. Screenshot that shows the Create an action group screen.

  5. On the Notifications tab, select Next: Actions.

  6. On the Actions tab, select ITSM in the Action type list. For Name, provide a name for the action. Then select the pen button that represents Edit details. Screenshot that shows selections for creating an action group.

  7. In the Subscription list, select the subscription that contains your Log Analytics workspace. In the Connection list, select your ITSM Connector name. It will be followed by your workspace name. An example is MyITSMConnector(MyWorkspace).

  8. In the Work Item type field, select the type of work item.

  9. In the last section of the interface for creating an ITSM action group, if the alert is a log alert, you can define how many work items will be created for each alert. For all other alert types, one work item is created per alert.

    • If the work item type is Event:

      If you select Create a work item for each row in the search results, every row in the search results creates a new work item. Because several alerts occur for the same affected configuration items, there is also more than one work item. For example, an alert that has three configuration items creates three work items. An alert that has one configuration item creates one work item.

      If you select the Create a work item for configuration item in the search results, ITSMC creates a single work item for each alert rule and adds all affected configuration items to that work item. A new work item is created if the previous one is closed. This means that some of the fired alerts won't generate new work items in the ITSM tool. For example, an alert that has three configuration items creates one work item. If an alert has one configuration item, that configuration item is attached to the list of affected configuration items in the created work item. An alert for a different alert rule that has one configuration item creates one work item.

      Screenshot that shoes the ITSM Ticket section with an even work item type.

    • If the work item type is Alert:

      If you select Create a work item for each row in the search results, every row in the search results creates a new work item. Because several alerts occur for the same affected configuration items, there is also more than one work item. For example, an alert that has three configuration items creates three work items. An alert that has one configuration item creates one work item.

      If you do not select Create a work item for each row in the search results, ITSMC creates a single work item for each alert rule and adds all affected configuration items to that work item. A new work item is created if the previous one is closed. This means that some of the fired alerts won't generate new work items in the ITSM tool. For example, an alert that has three configuration items creates one work item. If an alert has one configuration item, that configuration item is attached to the list of affected configuration items in the created work item. An alert for a different alert rule that has one configuration item creates one work item.

      Screenshot that shows the ITSM Ticket area with an alert work item type.

  10. You can configure predefined fields to contain constant values as a part of the payload. Based on the work item type, three options can be used as a part of the payload:

    • None: Use a regular payload to ServiceNow without any extra predefined fields and values.
    • Use default fields: Use a set of fields and values that will be sent automatically as a part of the payload to ServiceNow. Those fields aren't flexible, and the values are defined in ServiceNow lists.
    • Use saved templates from ServiceNow: Use a predefined set of fields and values that were defined as a part of a template definition in ServiceNow. If you already defined the template in ServiceNow, you can use it from the Template list. Otherwise, you can define it in ServiceNow.
  11. Select OK.

When you create or edit an Azure alert rule, use an action group, which has an ITSM action. When the alert triggers, the work item is created or updated in the ITSM tool.

Note

  • For information about the pricing of the ITSM action, see the pricing page for action groups.
  • The short description field in the alert rule definition is limited to 40 characters when you send it using the ITSM action.
  • If you have policies for inbound traffic for your ServiceNow instances, add ActionGroup service tag to allowList.
  • Notice that when you are defining a query in Log Search alerts you need to have in the query result the Configuration items names with one of the label names "Computer", "Resource", "_ResourceId" or "ResourceId”. This mapping will enable to map the configuration items to the ITSM payload.