
Closing the loop
As established in our previous post, visibility is only half the battle.
To truly secure an enterprise, you must move from finding a risk to fixing it.
Veza Actions provides Identity Remediation Automation by serving as the critical bridge, transforming complex identity insights from the Veza Access Graph into actionable work items within your existing IT service management (ITSM) ecosystem.
In this Veza Actions tutorial, we’ll show you how to connect Veza directly to ServiceNow to create a closed-loop remediation engine.
Architecture: Powering ServiceNow with Identity Context
Veza Actions are designed to be plug-and-play.
Instead of requiring complex manual mapping, Veza delivers a context-rich, standardized payload directly to your destination.
- The Trigger: A risk is identified via an Access Intelligence Rule, a Lifecycle Management event, or an Access Review decision.
- The Destination: Your ServiceNow instance. While we also support Email, Jira, Teams, Slack, CrowdStrike SIEM and generic Webhooks, ServiceNow is the gold standard for enterprise change management.
- The Payload: A standardized data packet containing the “who, what, and where” of the identity risk, including a deep link back to the Veza Access Graph for immediate investigation.
Implementation: Setting Up Your ServiceNow Remediation Engine
Step 1: Connect Your ServiceNow Instance
Setting up the connection is a “no-code” process.
- Navigate to Integrations -> Veza Actions -> Add Veza Action
- Select ServiceNow as your delivery channel (also called the provider or target).
- Enter your instance URL, authentication credentials, and any other required or optional information. Note: you will need your ServiceNow admin to provide this information.
- Test the Integration: Click “Test” to verify the connection and ensure a test entry appears in your ServiceNow environment.
Step 2: Tie Security Rules to Automated Action
Once connected, you can automate ticket creation based on specific identity risks.
We’ll use a query-based rule here, though rules can also be triggered by Lifecycle Management events or Access Review decisions.
- Go to Access Visibility > Queries
- Choose a high-priority query (e.g., “Local users that are mapped to inactive IdP users”).
- From the context menu, select Create Rule
- Create the rule:
  - Details: provide a name, description, and alert severity
  - Conditions: define the threshold to trigger the rule
  - Send Alert: select the desired Veza Action, save the rule, save the query
- Trigger the rule to verify the behavior on the destination
The payload arrives as raw JSON in the activity log; your ServiceNow admin can configure a Business Rule or Flow Designer workflow to parse these fields and map them to the appropriate incident fields.
Advanced: Customizing the Workflow Downstream
Because Veza provides a standardized, rich payload, you can use ServiceNow Flow Designer to customize how the ticket is handled once it arrives. For example, if the payload’s severity field is critical, a Flow Designer condition can set Priority to 1 – Critical and assign the ticket directly to the SOC queue.
- Auto-Routing: Use the identity metadata in the Veza payload to automatically route tickets to the correct Application Owner.
- SLA Enforcement: Assign higher priority to tickets that originate from critical “Toxic Combination” rules.
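As an added illustration (not Veza's or ServiceNow's own code), the parsing and mapping logic described above is shown here in plain JavaScript that runs under Node.js and treats the inbound payload as untrusted input. The field names, priority mapping, host name and group names are assumptions; a Business Rule or Flow Designer script step would apply the same checks to the fields your payload actually carries.

```javascript
// Added example. Field names (severity, rule_name, deep_link, application_owner)
// and all option values are assumptions, not Veza's documented payload schema.
const SEVERITY_TO_PRIORITY = { critical: 1, high: 2, medium: 3, low: 4 };
const DEFAULT_PRIORITY = 3; // used when severity is missing or unrecognized
// Accept only strings, and cap their length before they reach ticket fields.
const str = (v, max) => (typeof v === 'string' ? v.slice(0, max) : '');

function mapVezaPayload(rawJson, opts) {
  let p;
  try {
    p = JSON.parse(rawJson);
  } catch (e) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (p === null || typeof p !== 'object' || Array.isArray(p)) {
    return { ok: false, reason: 'payload is not an object' };
  }
  // Allow-list the severity instead of trusting whatever string arrives.
  const sev = str(p.severity, 32).toLowerCase();
  const known = Object.prototype.hasOwnProperty.call(SEVERITY_TO_PRIORITY, sev);
  const priority = known ? SEVERITY_TO_PRIORITY[sev] : DEFAULT_PRIORITY;

  // Keep the deep link only if it is HTTPS and points at the expected Veza host.
  let link = '';
  try {
    const u = new URL(str(p.deep_link, 2048));
    if (u.protocol === 'https:' && u.hostname === opts.vezaHost) link = u.href;
  } catch (e) { /* unparsable link: leave empty */ }

  // Critical goes to the SOC queue; otherwise route by application owner.
  const ownerGroup = opts.ownerGroups.get(str(p.application_owner, 254));
  const group = priority === 1 ? opts.socQueue : (ownerGroup || opts.defaultGroup);
  return {
    ok: true,
    fields: {
      short_description: 'Veza: ' + str(p.rule_name, 120),
      priority: priority,
      assignment_group: group,
      veza_link: link,
      needs_triage: !known || link === '' // flag for human review
    }
  };
}

// Constructed sample values for illustration only.
const OPTS = { vezaHost: 'veza.example.com', socQueue: 'SOC', defaultGroup: 'IAM',
  ownerGroups: new Map([['owner@example.com', 'App-Payroll']]) };
const SAMPLE = JSON.stringify({ severity: 'Critical', rule_name: 'Inactive IdP users',
  deep_link: 'https://veza.example.com/graph/q1', application_owner: 'owner@example.com' });
```

Calling `mapVezaPayload(SAMPLE, OPTS)` returns the field values to write to the incident; a result with `needs_triage` set means the severity was unrecognized or the deep link was rejected.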
Sample Use Cases for ServiceNow Teams
| Use Case | Trigger | Action Destination | Value to Security Ops |
| --- | --- | --- | --- |
| Toxic Combination Cleanup | Access Intelligence Breach | ServiceNow Incident | Ensures conflicting access (e.g., Dev + Prod) is tracked and removed per policy. |
| NHI Discovery | Non-Human Identity Anomaly | ServiceNow Change Request | Alerts the cloud team when a service account gains unauthorized “Owner” rights. |
| Review Rejection Sync | Access Review “Deny” Decision | Deprovisioning Flow | Automatically triggers a deprovisioning workflow in your downstream systems. |
Conclusion: Operationalize Your Defense
By integrating Veza with ServiceNow, identity security stops being a manual “cleanup” task and becomes a core part of your automated operations.
Ready to start? Visit the Integrations tab in your Veza admin panel to set up your ServiceNow destination today.
Most teams have their first automated incident live in less than an hour of connecting their ServiceNow instance!





