You can connect Expel Workbench with ServiceNow. After you make the connection,ServiceNow allows 2-way communication with Expel Workbench:

  • New tickets in ServiceNow create alerts in Workbench.

  • Status updates and other actions in Workbench update or close tickets in ServiceNow.

ServiceNow integration

To configure ServiceNow with Workbench, contact your engagement manager, or our customer success engineer by tagging @cse in our joint Slack channel. You can also email

Step 1: Configuring ServiceNow API access for Expel

This procedure creates the user account and OAuth token required by Expel to communicate with your ServiceNow instance.

  1. Log in to the ServiceNow instance using the administrator account.

  2. Elevate your role to security_admin.

  3. Navigate to User Administration, then Users, and create a new user account for Expel.

  4. Grant the Expel user the incident_manager role. This gives it the required permissions to access the incidents table from the REST APIs.

  5. Go to System OAuth > Application Registry > New.

  6. Click Create an OAuth API endpoint for external clients.

  7. Fill out the form and submit it.

Step 2: Configuring ServiceNow in Workbench


Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Login to

  2. Go to Organization Settings > Security Devices.

  3. Click + Add Security Device.

  4. Search for and select ServiceNow.

  5. Complete all fields using the credentials and information you collected in Step 1.

    • Name and Location: enter ServiceNow and for location either Cloud or On-prem.

    • Server Address: the ServiceNow instance URL. For example:

    • Username and Password: Expel user credentials from Step 1.

    • Client ID and Client Secret: OAuth token from Step 1.

    • Assignment Group: Optional. You can leave it blank.

    • Console Login: Optional. You can leave it blank.

Standard workflows

These workflows are automatically available after the ServiceNow integration steps are complete.

Workbench can ingest ServiceNow tickets as alerts

Workbench can ingest alerts from ServiceNow if they are tagged for Expel. To enable this workflow, take the following steps.

  1. Create a ServiceNow ticket.

  2. Add the tag [Expel] to the beginning of the Short description.

  3. Enter all required fields.

This ticket appears in Workbench as an Alert for an Expel analyst to triage and investigate.


Alert assignment changes in Workbench are reflected in ServiceNow

When the Expel analyst picks up the ticket and assigns it to him or herself, this status change is reflected in the ServiceNow ticket. This allows you to see in ServiceNow that the ticket is being worked by Expel.

In ServiceNow, you see the Assigned to field of the ticket is now set to Expel(expeluser).

Investigation status of alerts is reflected in ServiceNow

When Expel investigates an alert, we move the alert into an investigation (if we need more information to understand what happened) or an incident (if we have high confidence that unauthorized or high-risk activity occurred).

In ServiceNow, you see the following changes in the ticket:

  • The ticket’s state is set to In Progress.

  • The Assigned to field is set to Expel to indicate that Expel is actively investigating.

  • The ticket’s Work notes are updated with the Workbench investigation or incident name and URL.

Closing the Workbench alert closes the ServiceNow ticket

An alert can be closed in 1 of 2 ways in Workbench:

  1. Directly from the Alerts list or grid view.

  2. Indirectly, after an investigation or incident containing that alert is closed.

In the case where the closed alert started as a ServiceNow ticket, you see the following in ServiceNow:

  • The original ServiceNow ticket State is set to Resolved.

  • The Work notes and Closure notes includes the closed reason category and comment from Workbench.

Advanced Workflows

These workflows are not part of the standard set because they require additional setup from Expel which must be done on an individual customer basis. If you want to use one or more of these workflows, contact your engagement manager.

Remediation or investigative actions assigned to you create tickets in ServiceNow

In Workbench after a ServiceNow alert is added to an incident or an investigation, any remediation actions created and assigned to you are reflected in ServiceNow as separate tickets.

A ServiceNow ticket for an Investigative action:

  • Has a short description identical to an investigation action email notification title, such as “<investigation/incident_shortname> - Investigation Action Assigned - <investigation_type>

  • Has Assignment Group assigned, set during your ServiceNow Integration Onboarding.

  • Contains a link to the investigative action in Workbench.

  • Contains in its Work notes instructions and comments to perform the investigation.

A ServiceNow ticket for a Remediation action:

  • Has a short description identical to remediation action email notification title, such as “<incident_shortname> - Remediation Action Assigned - <remediation_type>.

  • Has Assignment Group assigned, set during your ServiceNow Integration Onboarding.

  • Contains a link to the Remediation Action in Workbench.

  • Contains in its Work Notes instructions and comments to perform the remediation.

Remediation or investigative actions completed in Workbench close tickets in ServiceNow

This workflow allows for additional syncing and custom field settings. With this workflow, when investigative, verify, and remediation actions are completed in Workbench, they are closed in ServiceNow.

Service now