Forum Discussion

naramesh's avatar
naramesh
Copper Contributor
May 26, 2021
Solved

Logicapp to sync incident status between sentinel to Servicenow.

Hello,   Looking for some pointers on how to sync the incident status from sentinel to servicenow. If the incident is marked as "Closed" in sentinel, I would like to close it on the service now too...
naramesh's avatar
naramesh
Copper Contributor
May 26, 2021
Thanks for the quick response. I would like to create a logic app that will close the servicenow incident when the incident in Sentinel is marked as closed.

Above playbook will sync, when a close is triggered from Service now but not vice versa.
    • Nazan2045's avatar
      Nazan2045
      Former Employee
      Sep 08, 2021

      ibnmbodji It seems the Logic App is no longer available, do you have the updated link? Thank you

      • Sayeed_Patel's avatar
        Sayeed_Patel
        Copper Contributor
        Oct 05, 2021

        Hello,

        I'm trying to connect Logic Apps to ServiceNow and get/post information. Is there a guide that can help me do that?

    • naramesh's avatar
      naramesh
      Copper Contributor
      Jun 01, 2021
      Thank you so much for your help. I shall check this out.
      • wootts's avatar
        wootts
        Iron Contributor
        Jun 10, 2021

        naramesh 

         

        Hi all this is an interesting topic and something I am keen to know more about.  So.....

        We have a situation whereby we create an incident in ServiceNow (SIR) from an incident in Sentinel.  which on a 1 on 1 basis is great.  We close the incident in SIR it closes in Sentinel and the main platform which provided the information. 

         

        Then scenario 2

         

        Incident is created in SIR.  Another Alert is triggered which by example M365D says is linked to this and creates a Multi Stage / Main incident consisting of the initial incident and any that follow. 

         

        The problem being we dont want to close the first incident as that is being worked on. But Sentinel closes it (automatically) and states no entities and no alerts attached.  As these have been moved to the main incident which is now compiling all the alerts as they flow through.   

         

        How do we get it to update the very first incident and not populate a new incident ID.  Or even overwrite the initial Incident in SIR with a new name, new information from the now main incident. 

         

        hope that makes at least  some sense.   

         

Resources