Prisma Cloud: ServiceNow Integration is not reopening incidents based on a change in status

If the incident status is manually updated on ServiceNow, Prisma Cloud will not reopen the incidents or update their status.

• Prisma Cloud
• ServiceNow

If a user manually closes the incident on ServiceNow, we keep the entry in our database and send an update to the same sysID instead of creating a new entry.

When Prisma Cloud sends the Resolved Notification, ServiceNow will close it and send us the response. We will then remove the entry from the database. So, the next time the alert reopens, Prisma will send the Create call as a notification.

Option 1: Ensure that incidents opened by the Prisma User in ServiceNow are not closed manually. When incidents are manually closed, an entry remains in our database, and subsequent updates are sent to the same sysID rather than creating a new entry.

Option 2: (Workaround) Disable the 'Resolved' and 'Dismissed' states in your ServiceNow notification template. This would not cause any issues if you manually resolve the alerts on ServiceNow, as Prisma will only push 'Open' alerts to ServiceNow.

View our documentation here on ServiceNow integration. 

Alerts can be retriggered upon request to be sent to the outbound integration.