iCinga do expose the custom datafields in objects/services. It is servicenow script which was not picking up the custom fields as they are not default.
But now my problem is - it exposes too many things. For example the command is exposed. The command will generally have a password for many plugins (like DBs). This is a big security issue. Can the user which is calling the restAPI be restricted somehow - so that it can pull everything from /objects/services apart from the command and var mapping? But it should pull the custom variables 