Major incident war room: ServiceNow to Slack and Jira

Build me an agent workflow that runs on a cron schedule every five minutes and acts as a major incident orchestrator across ServiceNow, Slack, and Jira. The goal is that any newly created Priority 1 (critical) incident in ServiceNow should immediately open a Slack war room message and a matching Jira engineering ticket, with all three records cross-linked.

On each run, the agent should:

1) Call ServiceNow's List Incidents action filtered to priority=1 and sys_created_on within the last 5 minutes (use a small buffer like 6 minutes to avoid edge gaps). For each incident, read short_description, description, caller, affected configuration item (cmdb_ci), assignment_group, and assigned_to.

2) Skip any incident whose work_notes already contain a sentinel tag like [war-room-bot:processed]. This is how we avoid double-posting if the cron overlaps with a slow downstream call.

3) For each new P1, write a one-paragraph incident summary in plain English covering the symptom, suspected scope (which system/CI/customers), and customer impact. The agent should decide what to surface vs. omit; do not just paste the raw description.

4) Post an opening message to the #major-incidents Slack channel via Slack Bot's Send a Message action. The message should include: the ServiceNow incident number (e.g. INC0012345), severity, the one-paragraph summary, the current on-call assignee (assigned_to display name) and assignment group, and a clickable deep link to the ServiceNow incident at https://<instance>.service-now.com/nav_to.do?uri=incident.do?sys_id=<sys_id>. Capture the posted message's permalink (or channel+ts) so we can write it back to ServiceNow in step 6.

5) Create a corresponding engineering Jira issue via Jira's Create Issue action in a configurable project (default key: INC or ENG). Use the same one-paragraph summary as the Jira summary/description, set priority to Highest, set issue type to Incident (or Bug if Incident is not configured), and add the label linked-from-servicenow. In the Jira description, include the ServiceNow incident number, the ServiceNow deep link, and the Slack channel link from step 4. Capture the returned Jira issue key (e.g. INC-4821).

6) Call ServiceNow's Update or Resolve Incident action on the original incident to append a work_note that contains: the Slack channel/message permalink, the Jira issue key and its browse URL, and the sentinel tag [war-room-bot:processed] so we know not to reprocess it. Work_notes are append-only journal fields in ServiceNow, so this just adds a new entry.

Operational notes for the agent: only fire downstream actions for genuinely new incidents (created in the last 5 minutes AND not yet tagged). If Slack succeeds but Jira fails, do not tag ServiceNow as processed yet, so the next run retries. Keep the Slack message tone calm and factual, not alarmist; it should read like an incident commander's opening note, not a stack trace. Do not include PII from the caller field beyond their display name.

Integrations: ServiceNow (List Incidents, Update or Resolve Incident), Slack Bot (Send a Message), Jira (Create Issue). Trigger: cron, every 5 minutes.

Configurable inputs that should be easy to change later: the Slack channel name, the Jira project key and issue type, the priority filter (default priority=1, optionally include 2), the lookback window in minutes, and the sentinel tag string.

Additional information

What does this prompt do?

Watches ServiceNow every five minutes for newly created Priority 1 incidents that warrant a major incident response.
Writes a one paragraph plain English summary covering the symptom, suspected scope, and customer impact, so responders know what is happening without reading the full record.
Posts an opening message to your major incidents Slack channel with the incident number, severity, summary, on-call assignee, and a direct link back to the ServiceNow record.
Creates a matching engineering issue in Jira at the highest priority, tagged so it is easy to find from the comms side, and writes both the Slack channel link and the Jira issue key back into the ServiceNow work notes.

What do I need to use this?

A ServiceNow account with permission to read incidents and update work notes.
A Slack workspace with a channel for major incident comms, for example #major-incidents.
A Jira project where the engineering team can pick up new issues.
Agreement on what counts as a war room incident, typically Priority 1 critical.

How can I customize it?

Change the trigger to run less often, or scope it to business hours only.
Broaden the filter to include Priority 2, or narrow it to specific assignment groups or affected services.
Swap the Slack channel, the Jira project, or the issue priority and labels to match your incident playbook.
Adjust the summary to call out customer impact, downstream dependencies, or runbook links your responders expect.

Frequently asked questions

Will it post the same incident more than once?

No. The agent tags each ServiceNow incident in its work notes after it has been processed, and skips anything that has already been tagged on later runs.

What if responders need to find the ServiceNow record from Slack, or the Slack channel from Jira?

Every record points to the others. The Slack message links to ServiceNow, the Jira issue references the ServiceNow incident number, and the ServiceNow work notes contain both the Slack channel link and the Jira issue key.

Can it handle priorities other than P1?

Yes. The default is Priority 1 because that is the usual war room threshold, but you can include Priority 2, or filter by category, assignment group, or affected service when you set it up.

What happens if Slack or Jira is briefly down?

The agent only marks the ServiceNow incident as processed once the downstream work succeeds, so a transient outage just means the next five minute run picks it up again.

How quickly do responders see a new incident?

Within five minutes of the P1 being created in ServiceNow. You can shorten or lengthen that window when you configure the workflow.