Inbound Integration for Data Loss Prevention Incident Response

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Inbound Integration for Data Loss Prevention Incident Response

    This integration enables ServiceNow customers to create Data Loss Prevention (DLP) incidents through an inbound REST API. It supports creating either single or multiple DLP incidents via HTTP POST requests. The integration requires thesndlir.apiintegrationuserrole to authenticate and perform these operations.

    Show full answer Show less

    Create a Single DLP Incident

    To create a single DLP incident, send a POST request to the /api/now/import/sndlirincidentimport endpoint on your ServiceNow instance. The request must include JSON-formatted incident details such as application window title, assigned user, file information, policy details, and network information.

    The API accepts a rich set of fields to capture comprehensive incident data, enabling thorough incident documentation and response.

    The response confirms the creation with details including the incident number, record link, and unique system ID.

    Create Multiple DLP Incidents

    To submit multiple DLP incidents in one request, send a POST request to the /api/now/import/sndlirincidentimport/insertMultiple endpoint. The payload contains an array of incident records with relevant fields for each incident.

    A response provides import set IDs to track the batch processing of incidents.

    By default, incident data transformation is asynchronous. To enable synchronous transformation, create a record in the REST Insert Multiples [sysrestinsertmultiple] table with the source table set to sndlirincidentimport and transformation mode set to synchronous. This allows immediate processing and confirmation of incident creation.

    Practical Benefits for ServiceNow Customers

    • Automated Incident Creation: Streamlines the integration of external DLP systems with ServiceNow, reducing manual effort.
    • Comprehensive Incident Details: Supports detailed incident data for improved investigation and response.
    • Bulk Incident Handling: Efficiently process multiple incidents in a single API call, enhancing scalability.
    • Flexible Processing Modes: Choose between asynchronous or synchronous data transformation based on operational needs.

    Create single or multiple DLP incidents by using the Inbound REST API.

    Create a single DLP incident

    Role required: sn_dlir.api_integration_user.

    To create a single DLP incident, define the following parameters as necessary:
    Field Description
    HTTP Method POST
    URL https://{instance}/api/now/import/sn_dlir_incident_import
    Request Header
    Accept:
    application/json
    Content-Type:
    application/json
    Sample Payload 
    {
    "application_window_title": "<value>",
    "assigned_to": "<value>",
    "attachments": "<value>",
    "data_owner_email": "<value>",
    "destination": "<value>",
    "dest_ip": "<value>",
    "dest_ip_port": "<value>",
    "detection_date": "<value>",
    "endpoint_on_corporate_net": "<value>",
    "files": "",
    "file_created": "",
    "file_created_by": "",
    "file_location": "",
    "file_modified_by": "",
    "file_name": "",
    "file_owner": "",
    "file_permissions": "",
    "ftp_user_name": "",
    "last_modified": "",
    "machine_ip": "",
    "machine_name": "",
    "match_count": "",
    "policy_id": "",
    "policy_name": "",
    "printer_name": "",
    "printer_type": "",
    "print_job_name": "",
    "recipients": "",
    "scanned_machine": "",
    "scan_source": "",
    "seen_before": "",
    "sender":"",
    "source":"",
    "source_file":"",
    "source_ip":"",
    "source_ip_port":"",
    "subject":"",
    "url":"",
    "user_justification":""
}
    Sample Response 
    {
    "import_set": "ISET0010003",
    "staging_table": "sn_dlir_incident_import",
    "result": [
        {
            "transform_map": "",
            "table": "sn_dlir_incident",
            "display_name": "number",
            "display_value": "DLP0001012",
            "record_link": "https://{instance}/api/now/table/sn_dlir_incident/7cda322297c2411056a43d1e6253af1f",
            "status": "inserted",
            "sys_id": "7cda322297c2411056a43d1e6253af1f"
        }
    ]
}

    Create multiple DLP incidents

    Role required: sn_dlir.api_integration_user.

    To create multiple DLP incidents from the same request, define the following parameters as necessary:
    Field Description
    HTTP Method POST
    URL https://{instance}/api/now/import/sn_dlir_incident_import/insertMultiple
    Request Header
    Accept:
    application/json
    Content-Type:
    application/json
    Sample Payload 
    {
    "records": [
        {
            "file_name": "<value>",
            "file_modified_by": "<value>",
            "work_notes": "<value>",
            "url": "<value>",
            "scan_source": "<value>",
            "data_owner_email": "<value>",
            "file_created_by": "<value>",
            "file_owner": "<value>",
            "policy_name": "<value>"
        },
        {
            "dest_ip": "<value>",
            "dest_ip_port": "<value>",
            "detection_date": "<value>",
            "endpoint_on_corporate_net": "<value>",
            "files": "<value>",
            "file_created": "<value>",
            "file_created_by": "<value>",
            "file_location": "<value>",
            "file_modified_by": "<value>",
            "file_name": "<value>",
            "file_owner": "<value>",
        }
    ]
}
    Sample Response 
    {
    "import_set_id": "a38f69229734dd1056a43d1e6253af75",
    "multi_import_set_id": "e78f69229734dd1056a43d1e6253af75"
}
    Note:
    By default, the transformation is asynchronous. To set synchronous transformation, create a new record in the REST Insert Multiples [sys_rest_insert_multiple] table, select the source table as sn_dlir_incident_import, and set the transformation to synchronous.