Define Parameters
General
Perform the following steps to define general parameters for the Add-On:
Step 1 – Navigate to your add-on folder and select the ITSMSettings.xml file.
Step 2 – Define general parameters such as Auditor connection parameters, the number of tickets the service can create per hour, ability to reopen closed tickets, etc. For most parameters, default values are provided.
Step 3 – Provide new values as follows: <parameter>value</parameter>. You can skip or define
parameters depending on your execution scenario and security policies.
| Parameter | Default value | Description |
|---|---|---|
| Connection to Netwrix Auditor | ||
| NetwrixAuditorHost | localhost:9699 | - The add-on runs on the computer where the Auditor Server resides and uses the default Integration API port 9699. To specify a non-default port, provide a new port number (e.g., https://localhost:8788). - The add- on must always run locally, on the computer where the Auditor Server resides. |
| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs under the LocalSystem account. If you want the add-on to use another account to connect to the Auditor Server, specify the account name in the DOMAIN\username format. Alternatively, after deploying the Netwrix Auditor ITSM Integration Service service, specify an account in its properties. The account must be assigned the Global reviewer role in the Auditor or be a member of the Netwrix AuditorAdministrators group. The user must have sufficient permissions to create files on the computer. |
| NetwrixAuditorPassword | – | Provide a password for the account. Unless an account is specified, the service runs under the LocalSystem account and does not require a password. |
| TicketFloodLimit | 10 | Specify the maximum number of standalone tickets the service can create during TicketFloodInterval. If a ticket flood limit is reached, the service writes all new alerts into a single ticket. |
| TicketFloodInterval | 3600 | Specify the time period, in seconds. During this time period, the service can create as many tickets as specified in TicketFloodLimit. The default value is 3600 seconds, i.e., 1 hour. |
| ConsolidationInterval | 900 | Specify the time period, in seconds. During this time period, the service does not process similar alerts as they happen but consolidates them before updating open tickets in your ITSM. The default values is 900 seconds, i.e., 15 minutes. This option works in combination with UpdateTicketOnRepetitiveAlerts and is helpful if you want to reduce the number of ticket updates on ITSM side. I.e., this option defines the maximum delay for processing alerts and updating existing tickets. Tickets for new alert types are created immediately. For example, a new alert is triggered—the service opens a new incident ticket. The alert keeps firing 20 times more within 10 minutes. Instead of updating the ticket every time, the service consolidates alerts for 15 minutes, and then updates a ticket just ones with all collected data. |
| CheckAlertQueueInterval | 5 | Internal parameter. Check and process the alert queue every N seconds; in seconds. |
| UpdateTicketOnRepetitiveAlerts | true | Instead of creating a new ticket, reopen an existing ticket that is in a closed state (be default, closed, canceled, and resolved) if a similar alert occurs within UpdateInterval. This option works only when UpdateTicketOnRepetitiveAlerts is set to "true". NOTE: If you want to reopen closed tickets, you must be granted the right to perform Write operations on inactive incidents. |
| UpdateInterval | 86400 | Specify the time period, in seconds. If a similar alert occurs in less than N seconds, it is treated as a part of an existing incident. The default value is 86400 seconds, i.e., 24 hours. If an alerts is triggered after the UpdateInterval is over, a new ticket is created. |
| EnableTicketCorrelation | true | Review history and complement new tickets with information about similar tickets created previously. This information is written to the Description field. This option is helpful if you want to see if there is any correlation between past incidents (occurred during last month, by default) and a current incident. |
| CorrelationInterval | 2592000 | Specify the time period, in seconds. During this time period, the service treats similar tickets as related and complements a new ticket with data from a previous ticket. The default value is 2592000 seconds, i.e., 1 month. Information on alerts that are older than 1 month is removed from internal service storage. |
| ProcessActivityRecordQueueInterval | 5 | Internal parameter. Process Activity Record queue every N seconds; in seconds. |
| DisplayOnlyFirstActivityRecord | true | Add only the first Activity Record in the work notes, Activity Records that update this ticket will be added as attachments to this ticket. If false, all Activity Records will be displayed in the ticket work notes. |
| ActivityRecordRequestsRetention | ||
| RequestLimit | 5000 | Internal parameter. The maximum number of Activity Record requests the service can store in its internal memory. Once the limit is reached, the service clears Activity Record requests starting with older ones. |
| RequestLimitInterval | 604800 | Internal parameter. The service can store the Activity Record requests not older than N seconds; in seconds. Older Activity Record requests are cleared. |
| ActivityRecordWebRequests | ||
| RequestLimit | 200 | Internal parameter. The maximum number of Activity Records the service can retrieve in a single request. |
| RequestTimeout | 180 | Internal parameter. By default, 3 minutes. Defines the connection timeout. |
| TicketRequestsRetention | ||
| RequestLimit | 300000 | Internal parameter. The maximum number of ticket requests the service can store in its internal memory. Once the limit is reached, the service clears ticket requests starting with older ones. |
| RequestLimitInterval | 604800 | Internal parameter. The service can store the ticket requests not older than N seconds; in seconds. Older tickets requests are cleared. |
NOTE: Stop and then restart the service every time you update any of configuration files.
ServiceNow Parameters
Follow the steps to define ServiceNow parameters:
Step 1 – Navigate to your add-on folder and select ServiceNowSettings.xml.
Step 2 – Define parameters such as ServiceNow connection parameters inside the <Connection>
section.
Step 3 – Provide new values as follows: <paramenter>value</parameter>.
<Connection> parameter | Default value | Description |
|---|---|---|
| URL | — | Provide a link to your ServiceNow system (e.g., https://enterprise.service-now.com). |
| UserName | — | Specify a user account. Make sure the user has sufficient permissions to create tickets and update them. The itil role is recommended. NOTE: If you want to reopen closed tickets, you must be granted the right to perform Write operations on inactive incidents. |
| Password | — | Provide a password. |
Step 4 – Review the <TicketParameters> section. The parameters inside this section correspond
to ServiceNow ticket fields and use the same naming (e.g., priority, urgency). To find out a field
name in ServiceNow, switch to XML view (on the ticket header, navigate to Show XML).
Each <TicketParameter> includes the <Name></Name> and <Value></Value> pair that defines a
ServiceNow ticket field and a value that will be assigned to it. For most parameters, default values
are provided. Add more ticket parameters or update values if necessary.
NOTE: The template remains the same for all alerts and cannot be adjusted per individual alerts.
| Name | Value | Description |
|---|---|---|
| short_description | [Netwrix Auditor] %AlertName% | Sets Short description to alert title (e.g., [Netwrix Auditor] ITSM Add-On: User Account Locked Out). |
| category | software | Sets the incident Category to "Software". |
| impact | 1 | Sets Impact to "1 – High". |
| urgency | 1 | Sets Urgency to "1 – High". |
| severity | 1 | Sets Severity to "1 – High". |
| assignment_ group | d625dccec0a8016700a22a0 f7900d06 | Sets Assignment group to "Service Desk". NOTE: You cannot use a group name as a value. Provide its guid instead. |
| description | %AlertDescription% %PreviousTicketReference% | Provides an alert description and references to related tickets in Description. |
| work_notes | Alert Details: ... | Adds the full alert text to Work notes, including data source, who, what, where, etc. To find out what is included in the alert details, see the ServiceNowSettings.xml file. NOTE: You can write alert details in the Additional comments field instead of Work notes. To do this, rename <Name>work_notes</Name> into <Name>comments</Name>. If you want to write alert details into both fields, create a copy of <TicketParameter> entry containing work_notes and <Name>work_notes</Name> into <Name>comments</Name. To skip alert details, remove entries for work_notes or comments. |
Step 5 – Review the <CorrelationTicketFormat> section. It shows what information about related
tickets will be included in your current ticket. Update the template if necessary.
| CorrelationTicketFormat | Description |
|---|---|
| Previous incident for the same alert type: Number: %number% Opened: %opened_at% Assigned to: %assigned_to% Assignment group: %assignment_group% State: %state% | Each %parameter% corresponds to a ServiceNow ticket field. The service will automatically substitute these parameters with values from a related ticket. Rearrange fields or add more if necessary. To find out a field name in ServiceNow, switch to XML view (on the ticket header, navigate to Show XML). |
Step 6 – Review the <ReopenTicketOptions> section. It defines the tickets the add- on can
reopen automatically.
| Name | Description |
|---|---|
| ClosedTicketStates TicketState | Lists ticket statuses. Only tickets with this status can be reopened. By default, resolved, closed, and canceled tickets can be reopened. To specify a new status, provide its ID in the <TicketState> tag (e.g., 8 for canceled). |
| NewState | Defines a ticket status once it is reopened. By default, new. To specify another status, provide its ID in the <NewState> tag (e.g., 1 for new). |
NOTE: Stop and then restart the service every time you update any of configuration files.