Cases ServiceNow Integration
This guide explains how to integrate Coralogix with ServiceNow to automatically create, update, and synchronize ServiceNow records from Coralogix Cases. It covers what the integration does, how the components work together, how to set it up step-by-step, and how to verify and operate it in production.
What this integration does
The Coralogix ServiceNow integration connects Coralogix Cases with ServiceNow records (Incidents by default).
Once configured, it enables you to:
- Automatically create ServiceNow records (Incidents by default) when Coralogix Cases are created
- Keep ServiceNow records synchronized as Cases are acknowledged, updated, resolved, or closed
- Optionally enable bi-directional sync, so actions taken in ServiceNow update the corresponding Coralogix Case
- Route different types of Cases to ServiceNow based on routing rules
This allows teams to manage the incident lifecycle in ServiceNow, while Coralogix is used for alerting, investigation, and troubleshooting.
Coralogix ServiceNow app overview
The Coralogix ServiceNow app is an official, no-cost application provided by Coralogix and available through the ServiceNow Store. It follows ServiceNow certification and best-practice implementation requirements.
- A ServiceNow administrator must approve and install the app.
- After installation, users with the appropriate roles can access the Coralogix application from the ServiceNow navigation bar.
Note: Link to the ServiceNow Store listing will be provided separately.
Key components and architecture
Understanding the main components helps explain how data flows between Coralogix and ServiceNow.
Case notifications table
The Case notifications table is a Coralogix-owned table in ServiceNow that receives incoming events from the Coralogix Notification Center.
Every Coralogix Case event, such as case created, acknowledged, updated, or closed, creates a new record in this table.
These records act as the initial trigger for processing inside ServiceNow.
Case object (Synchronization and staging layer)
The Case object is the core synchronization layer of the integration.
It represents the logical relationship between:
- A Coralogix Case, and
- Its corresponding ServiceNow record
The Case object:
- Tracks the Coralogix Case state
- Acts as a staging layer for incoming data
- Determines whether to create or update a ServiceNow record
- Routes updates to the configured target table
By default, the target table is Incident, but this can be changed if required.
Processing logic
Processing logic is part of the Case object.
When a Case Notification is received:
- If no related ServiceNow record exists, a new record is created
- If a related record already exists, it is updated
After processing, updates are applied to the configured target table (Incident by default).
This ensures a one-to-one relationship between a Coralogix Case and a ServiceNow record.
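The create-or-update decision described above, modeled as an added example (not the Coralogix app's own code). Table names, field names, and the sample events are hypothetical and constructed for illustration.

```javascript
// Added model of the inbound path; table and field names are hypothetical.
function createInstance(targetTable = 'incident') {
  return {
    targetTable,
    caseNotifications: [],    // one row per received Case event
    caseObjects: new Map(),   // Coralogix Case ID -> Case object
    targetRecords: new Map(), // record ID -> record in the target table
    nextId: 1,
  };
}

function receiveCaseEvent(instance, event) {
  // 1. Every event lands in the Case notifications table first.
  instance.caseNotifications.push({ ...event });

  // 2. The Case object is the staging layer, keyed by Coralogix Case ID.
  let caseObject = instance.caseObjects.get(event.caseId);
  if (!caseObject) {
    caseObject = { caseId: event.caseId, state: null, recordId: null };
    instance.caseObjects.set(event.caseId, caseObject);
  }
  caseObject.state = event.state;

  // 3. Create the related record only if none exists; otherwise update it.
  let action = 'updated';
  if (caseObject.recordId === null) {
    caseObject.recordId = `${instance.targetTable}-${instance.nextId++}`;
    instance.targetRecords.set(caseObject.recordId, { table: instance.targetTable });
    action = 'created';
  }
  const record = instance.targetRecords.get(caseObject.recordId);
  record.caseState = event.state;
  record.title = event.title ?? record.title;
  return { action, recordId: caseObject.recordId };
}

// Constructed sample events: two Cases, one of which receives three events.
const SAMPLE_EVENTS = [
  { caseId: 'case-A', state: 'created', title: 'High error rate' },
  { caseId: 'case-B', state: 'created', title: 'Disk nearly full' },
  { caseId: 'case-A', state: 'acknowledged' },
  { caseId: 'case-A', state: 'closed' },
];

function replay(events, targetTable) {
  const instance = createInstance(targetTable);
  const actions = events.map((e) => receiveCaseEvent(instance, e).action);
  return { instance, actions };
}
```

When troubleshooting, the same shape is what to expect in ServiceNow: one Case Notification per event, but one Case object and one target record per Coralogix Case.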
Case policies (Inbound and outbound)
Case policies define how data moves into and out of ServiceNow.
Inbound scenarios (Coralogix → ServiceNow)
Inbound policies define what happens in ServiceNow when Coralogix Case events are received.
Coralogix provides an out-of-the-box inbound policy that:
- Creates a ServiceNow Incident
- Synchronizes predefined fields
- Keeps the Incident aligned with the Coralogix Case state
You can customize inbound behavior by:
- Changing the target table (for example, Event instead of Incident)
- Adding conditions to control when records are created or updated
- Customizing scripts to map fields to your internal workflows
Note: If you apply custom configurations, you are responsible for maintaining them. Custom behavior may fall outside Coralogix’s support scope.
Outbound scenarios (ServiceNow → Coralogix)
Outbound policies enable bi-directional synchronization.
They define how ServiceNow record state changes are reflected back in Coralogix Case updates.
When bi-directional synchronization is enabled, the following mappings apply:
- Assigning a ServiceNow Incident → acknowledges the corresponding Coralogix Case
- Resolving a ServiceNow Incident → resolves the corresponding Coralogix Case
- Closing or canceling a ServiceNow Incident → closes the corresponding Coralogix Case
These mappings ensure that actions taken during incident handling in ServiceNow are accurately reflected in the Coralogix Case lifecycle.
Note: Advanced update options, such as synchronizing comments, assignments, or additional fields, are planned for future phases and are not currently available.
Coralogix connection (ServiceNow side)
A Coralogix Connection record is automatically created in ServiceNow when you configure the ServiceNow connector in Coralogix.
This record:
- Represents the logical connection to Coralogix
- Stores authentication details
- Enables inbound and outbound synchronization
It requires a Coralogix API key with the appropriate permissions.
ServiceNow connector (Coralogix side)
On the Coralogix side, the integration is represented by a ServiceNow connector in the Notification Center.
The connector:
- Is configured using a ServiceNow username and password
- Sends Coralogix Case events into ServiceNow
- Triggers creation of Case Notification records
Once created, the connector can be used in routing rules.
End-to-end flow
A typical end-to-end flow looks like this:
- A ServiceNow admin installs and approves the Coralogix app
- A dedicated ServiceNow user is created with the required permissions
- A ServiceNow connector is created in Coralogix
- A Coralogix Connection record is automatically created in ServiceNow
- A Coralogix API key with the required permissions is generated manually and added to the Coralogix Connection in ServiceNow to enable bi-directional synchronization.
- A Coralogix Case is created
- Notification Center sends a Case event
- A Case Notification record is created in ServiceNow
- A Case object is created or updated
- A ServiceNow Incident is created or updated
- Resolving the Incident resolves the Coralogix Case
Create a ServiceNow connector in Coralogix
To allow Coralogix to send Case notifications to ServiceNow:
- In Coralogix, navigate to Alerts → Notification Center → Connectors
- Select New connector, then choose ServiceNow
- Enter:
  - Name
  - Description
  - ServiceNow instance URL
  - ServiceNow username
  - ServiceNow password
- Select Create connector
The connector is now available for routing rules.
Route Coralogix Cases to ServiceNow
Routing determines which Cases are sent to ServiceNow.
Add routing labels
- Open an alert definition
- Add routing labels, for example:
- Save the alert
Create a router and routing rule
- Go to Notification Center → Routers
- Create a router that matches your routing labels
- Add a routing rule:
  - Condition: true or a specific Case condition
  - Destination: ServiceNow connector
- Save the router
Matching Case notifications are now sent to ServiceNow.
Generate a Coralogix API key
Generate a team API key, or use an existing one, from the API keys UI. The key must include the cases role.
Configure the Coralogix connection in ServiceNow
- Open the Coralogix Connection record in ServiceNow
- The Coralogix app automatically sets the endpoint URL. No manual action is required.
- Configure credentials using the Coralogix API key
Configure outbound (bi-directional) behavior
Important behavior rules:
- Case states do not move backward
- Resolving an Incident resolves the Case
- Reopening an Incident does not re-acknowledge the Case
- Only resolved Cases can close
To disable closed-state synchronization, remove the closure condition from the outbound policy.
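The behavior rules and outbound mappings above, modeled as a small state machine. This is an added example, not the app's outbound policy script. The state and action labels and the `syncClosed` flag are hypothetical, and it assumes a reopened Incident surfaces as a new assignment and that a close request on an unresolved Case is simply not applied.

```javascript
// Added model of the outbound rules; state and action names are hypothetical labels.
const CASE_ORDER = ['open', 'acknowledged', 'resolved', 'closed'];

// Incident action -> Case state requested, per the mappings on this page.
const OUTBOUND_MAPPING = {
  assigned: 'acknowledged',
  resolved: 'resolved',
  closed: 'closed',
  canceled: 'closed',
};

function applyIncidentAction(caseState, incidentAction, policy = { syncClosed: true }) {
  const requested = OUTBOUND_MAPPING[incidentAction];
  const skip = (reason) => ({ state: caseState, applied: false, reason });

  if (!requested) return skip('no outbound mapping for this action');
  if (requested === 'closed' && !policy.syncClosed) {
    return skip('closure condition removed from outbound policy');
  }
  const from = CASE_ORDER.indexOf(caseState);
  const to = CASE_ORDER.indexOf(requested);
  if (from === -1) throw new Error(`unknown Case state: ${caseState}`);
  // Covers "Case states do not move backward" and "reopening does not re-acknowledge".
  if (to <= from) return skip('Case is already at or past this state');
  if (requested === 'closed' && caseState !== 'resolved') {
    return skip('only resolved Cases can close');
  }
  return { state: requested, applied: true, reason: 'mapped' };
}

// Replay a sequence of Incident actions against one Case, starting from open.
function replayIncident(actions, policy) {
  let state = 'open';
  const trace = [];
  for (const action of actions) {
    const result = applyIncidentAction(state, action, policy);
    state = result.state;
    trace.push(`${action}:${result.applied ? state : 'ignored'}`);
  }
  return { state, trace };
}

// Constructed sequence: assign, resolve, reopen (assumed to re-assign), then close.
const SAMPLE_ACTIONS = ['assigned', 'resolved', 'assigned', 'closed'];
```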
Verify bi-directional synchronization
- Open a ServiceNow Incident created by Coralogix
- Change its state to In progress
- Confirm the Coralogix Case moves to Acknowledged
- Resolve or close the Incident and confirm the Case updates
Verify delivery
- Trigger an alert that creates a Coralogix Case
- Confirm the Incident appears in ServiceNow
- Update the Incident and confirm the Case reflects the change
Operating the integration
Once live:
- Use routing rules to control which Cases are sent to ServiceNow
- Use inbound policies to adapt record creation to your workflows
- Use outbound policies to control how ServiceNow updates flow back to Coralogix
- Review Case Notifications and Case objects for troubleshooting
- Review outbound HTTP logs to verify outbound sync from ServiceNow to Coralogix
