SNOW Logic App Connector

Question

Is it possible to generate SNOW tickets to the "Events" table as opposed to the the "Incidents" table using the built-in Logic App connector?

andrewblumhardt · Answer

Use the SNOW playbook in the repo as an example. You can trigger using a log analytics query. Here is a similar example. https://secureinfra.blog/2020/09/23/sentinel-email-notification-logic-app/

leo_szalk · Answer

AndrewBlumhardt&nbsp;I was using the playbook from the repo as a template. This question is more of a question on the SNOW side than Sentinel.The way our SNOW works is that when a "ticket" comes in it starts in the Event table so that it can begin automated correlation then moves to the Alert table and then to the incident table.&nbsp;I saw the Event table in the SNOW connector parameters, however there was issues with the playbook failing to run. But when I changed it to send to the Incidents table, it worked without issue.

garybushey · Answer

leo_szalk&nbsp;The only Event table in Azure Sentinel holds the Windows Events that you get from using the Microsoft Monitoring Agent.&nbsp; Not sure what the SNOW connector is referring to.

leo_szalk · Answer

GaryBushey&nbsp;Let me kind of rephrase this.&nbsp;So in the SNOW connector, specifically Create Record, I'm referring to the Record Type field. In it, there's an Events record type that I need to have the Sentinel incidents go to due to how we have SNOW configured. However, I've been running into issues having logic app send details to that specific record type.&nbsp;&nbsp;Reading through the documentation and some of the blogs, others have it set up to send to the SNOW Incidents record type. When I tried sending the Sentinel incident details to that record type, it worked. So my question is, is it possible to send it to the Events record type. We have a lot of automation and correlation rules set up in SNOW on the Events record type so it would need to send the details there as opposed to the Incident record type.&nbsp;Hopefully that makes sense!

garybushey · Answer

leo_szalk&nbsp;OK.&nbsp; I got it now.&nbsp; Sorry, but I do not have enough Service Now knowledge to be able to assist you further.

Forum Discussion

SNOW Logic App Connector

6 Replies

Resources