ServiceNow + Azure Automation: Scheduled Job
Purpose
Simulate an enterprise-real autonomous security response workflow:
Scheduled execution → alert triage → incident management → external containment action → state transition.
Used to test the ability to trace:
- Scheduled job execution
- Identity context
- Cross-table logic
- External REST egress
- Deterministic state transitions
Components
1. Custom Table: u_security_alert
Standalone table (not extending Task).
Key Fields
| Field | Type | Purpose |
|---|---|---|
| u_state | Choice (NEW, PROCESSED, FAILED) | Processing state machine |
| u_severity | Choice (Low, Medium, High, Critical) | Drives incident priority |
| u_signature | String | Alert type |
| u_host | String | Affected host |
| u_user | String | Affected identity |
| u_source | String (default "MockEDR") | Alert origin |
| u_first_seen | DateTime | Timestamp |
| u_raw_payload | Long text | JSON payload |
| u_incident | Reference → incident | Linked ITSM record |
| u_action_status | String | success / failed / exception |
| u_action_error | Long text | REST failure details |
| u_attempted_at | DateTime | Execution timestamp |
This table acts as the inbound security signal queue.
2. Azure Function (External System Simulation)
HTTP-triggered function (Function-level key auth).
Endpoint:
POST /api/edr-isolate
Validates required fields:
- alert_id
- host
- severity
- incident_number
Returns:
200 OK
{
status: "ok",
received: <payload>,
ts: <timestamp>
}
Purpose:
Simulates an EDR containment action (e.g., isolate endpoint).
3. ServiceNow Outbound REST Message
Name:
SV0 Azure EDR Stub
Method record:
POST
Headers:
- Content-Type: application/json
- x-functions-key:
Called via:
new sn_ws.RESTMessageV2("SV0 Azure EDR Stub", "POST")
4. Scripted Scheduled Job
Name:
SV0 Process Security Alerts
Type:
periodic
Period:
900 seconds (15 minutes)
Execution Flow:
Step 1
Query:
u_security_alert where u_state = NEW
Step 2 — For each alert
A. Incident Deduplication
Search incident created in last 24h where:
- short_description contains u_signature
- short_description contains u_host
If found:
- Add work note
- Reuse incident
Else:
-
Create new incident
-
Short description:
Security Alert: <severity> <signature> on <host> -
Description includes:
- user
- source
- raw payload
-
Priority mapping:
- Critical → 1
- High → 2
- Else → 3
Link alert.u_incident to incident.
B. External Containment Call
Build JSON body:
{
alert_id,
host,
user,
severity,
signature,
incident_number,
requested_by,
run_id (UUID)
}
Call Azure Function via RESTMessageV2.
C. State Transition
If HTTP 200:
- u_state = PROCESSED
- u_action_status = success
Else:
- u_state = FAILED
- u_action_status = failed
- u_action_error = HTTP status + response body
Always:
- u_attempted_at = now()
Autonomous Execution Characteristics
This scenario contains:
- Scheduled trigger (non-human)
- Identity context (system user)
- Data-driven branching
- ITSM record creation
- Cross-record linking
- External HTTP egress
- Deterministic state updates
This mirrors real enterprise SOAR-lite automation.
Execution Path (High-Level)
sysauto_script (Scheduled Job)
↓
u_security_alert (NEW records)
↓
incident (create or reuse)
↓
Outbound REST (Azure Function)
↓
u_security_alert state transitio
Endpoint
https://sv0-edr-stub-7165.azurewebsites.net /api/edr-isolate