feat(servicenow): pull incident activity into Keep alerts and incidents #5528

Open
nexicturbo wants to merge 2 commits into keephq:main from nexicturbo:feat/servicenow-incident-activity

nexicturbo commented Jan 28, 2026

Summary

Enhances the existing ServiceNow provider to pull incident activity (comments and work notes) into Keep incidents, and enables bidirectional activity sync.

Closes #3379
/claim #3379

Changes

New Capabilities

  • Pull incidents as alerts (`_get_alerts()`): Maps ServiceNow incidents to Keep `AlertDto` objects with proper status, severity, and metadata mapping
  • Pull incidents (`_get_incidents()`): Maps ServiceNow incidents to Keep `IncidentDto` objects with full lifecycle tracking
  • Pull incident activity (`_get_incident_activity()`): Fetches comments and work notes from the `sys_journal_field` table and associates them as alerts within incidents
  • Bidirectional activity sync: New `_add_comment()` and `_add_work_note()` methods to push activity back to ServiceNow incidents via the `_notify()` interface

Mappings

  • ServiceNow incident states -> Keep statuses: New->Firing, In Progress->Acknowledged, On Hold->Suppressed/Acknowledged, Resolved/Closed/Canceled->Resolved
  • ServiceNow priorities (1-5) -> Keep severities: Critical, High, Warning, Low, Info

Infrastructure Improvements

  • Inherits from both `BaseTopologyProvider` and `BaseIncidentProvider`
  • Added `_get_paginated_results()` helper for efficient paginated API queries
  • Refactored auth into reusable `_get_headers()` and `_get_auth()` helpers
  • Fixed auth logic bug in `_notify_update` (was using basic auth when OAuth token was present, should have been the opposite)
  • Added `incident` to `PROVIDER_TAGS` and `Incident Management` to `PROVIDER_CATEGORY`

ServiceNow API Endpoints Used

  • `GET /api/now/table/incident` - Pull incidents with pagination
  • `GET /api/now/table/sys_journal_field` - Pull comments and work notes per incident
  • `PATCH /api/now/table/incident/{sys_id}` - Add comments/work notes back

Testing

  • Syntax validation passes
  • Module structure follows existing patterns (PagerDuty, Grafana Incident providers)
  • All existing topology functionality preserved unchanged
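
The pull path this description outlines, as an added illustration that is not code from the PR or from Keep: the bearer token is preferred over basic auth, the Table API is paged with `sysparm_limit`/`sysparm_offset`, and `sys_journal_field` rows are split by `element`. The function names, the offline transport stub, the sample rows and the 32-hex `sys_id` check are assumptions made for the example.

```python
import base64
import re
from collections import defaultdict

def build_headers(username, password, access_token=None):
    """Use the OAuth bearer token when present; basic auth only without one."""
    if access_token:
        auth = f"Bearer {access_token}"
    else:
        basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        auth = f"Basic {basic}"
    return {"Accept": "application/json", "Authorization": auth}

def fetch_all(transport, path, query, headers, page_size=2):
    """Page through a Table API collection with sysparm_limit/sysparm_offset."""
    rows, offset = [], 0
    while True:
        params = {"sysparm_query": query, "sysparm_limit": page_size,
                  "sysparm_offset": offset}
        page = transport(path, params, headers)["result"]
        rows.extend(page)
        if len(page) < page_size:  # a short page is the last one
            return rows
        offset += page_size

def incident_activity(transport, sys_id, headers):
    """Split one incident's journal rows into comments and work notes."""
    if not re.fullmatch(r"[0-9a-f]{32}", sys_id):  # keep '^' out of the query
        raise ValueError("sys_id must be 32 hex characters")
    query = (f"name=incident^element_id={sys_id}"
             "^elementINcomments,work_notes^ORDERBYsys_created_on")
    grouped = defaultdict(list)
    for row in fetch_all(transport, "/api/now/table/sys_journal_field", query, headers):
        grouped[row["element"]].append(row["value"])
    return dict(grouped)

SAMPLE = [  # constructed rows standing in for a ServiceNow instance
    {"element": "comments", "value": "User reports login failures"},
    {"element": "work_notes", "value": "Checked IdP logs"},
    {"element": "comments", "value": "Confirmed fixed"},
]

def make_transport(rows):  # hypothetical offline transport, records each call
    calls = []
    def transport(path, params, headers):
        off, lim = params["sysparm_offset"], params["sysparm_limit"]
        calls.append((off, headers["Authorization"]))
        return {"result": rows[off:off + lim]}
    return transport, calls
```

Recording the `Authorization` value per request in the stub gives a unit test a direct way to catch a regression of the inverted auth selection.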

Enhance the existing ServiceNow provider to support pulling incidents
as both Keep alerts and Keep incidents, with full activity enrichment.

Changes:
- Extend class to inherit BaseIncidentProvider (alongside BaseTopologyProvider)
- Implement _get_alerts() to pull ServiceNow incidents as AlertDto objects
- Implement _get_incidents() to pull incidents as IncidentDto objects
- Add _format_alert() static method for incident→alert mapping
- Add _format_incident() static method for incident→incident mapping
- Add _query_incidents() for paginated incident table queries
- Add _query_incident_activity() for bulk journal/activity fetching
  from sys_journal_field (comments + work notes)
- Map ServiceNow incident states to Keep AlertStatus/IncidentStatus
- Map ServiceNow priority levels to Keep AlertSeverity/IncidentSeverity
- Enrich alerts/incidents with recent activity data (comments, work notes)
- Add helper methods (_get_auth, _get_headers, _parse_snow_datetime, etc.)
- Add PROVIDER_CATEGORY 'Incident Management' and PROVIDER_TAGS 'alert', 'incident'
- Add FINGERPRINT_FIELDS for deduplication

Resolves: keephq#3379

vercel bot commented Jan 28, 2026

@nexicturbo is attempting to deploy a commit to the KeepHQ Team on Vercel.

A member of the Team first needs to authorize it.

dosubot bot added the size:XL label (this PR changes 500-999 lines, ignoring generated files) Jan 28, 2026

CLAassistant commented Jan 28, 2026

CLA assistant check
All committers have signed the CLA.

greptile-apps bot commented Jan 28, 2026

Target branch is not in the allowed branches list.

… Keep incidents

- Extend ServicenowProvider to inherit from BaseIncidentProvider alongside BaseTopologyProvider
- Add _get_alerts() to pull ServiceNow incidents as Keep AlertDto objects
- Add _get_incidents() to pull ServiceNow incidents as Keep IncidentDto objects
- Add incident activity pulling via sys_journal_field table (comments & work notes)
- Add _add_comment() and _add_work_note() for bidirectional activity sync
- Map ServiceNow incident states (New/In Progress/On Hold/Resolved/Closed/Canceled) to Keep statuses
- Map ServiceNow priorities (1-5) to Keep AlertSeverity and IncidentSeverity
- Add paginated result fetching with _get_paginated_results() helper
- Refactor auth/headers into reusable _get_headers() and _get_auth() methods
- Fix auth logic bug in _notify_update (was using basic auth when OAuth token was present)
- Add 'incident' to PROVIDER_TAGS and 'Incident Management' to PROVIDER_CATEGORY

Closes keephq#3379
/claim keephq#3379
dosubot bot added the Feature label (a new feature) Jan 28, 2026

Labels

🙋 Bounty claim, Feature (a new feature), size:XL (this PR changes 500-999 lines, ignoring generated files)

Development

Successfully merging this pull request may close these issues.

[🔌 Provider]: ServiceNow pull activity from incidents into incidents
