Forum Discussion
Updating records from SNOW to Sentinel
Pranesh1060 There is not a trigger that gets fired when an Incident is updated. There is not currently an automated way to have an Azure Sentinel Incident updated when a MCAS alert is resolved (I did not find a MCAS connector in Logic Apps to write one either).
You may be able to use the Security Graph to do this as listed in this article: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Ingesting-Office-365-Alerts-with-Graph-Security-API/ba-p/984888
You can add the idea to Azure Sentinel Feedback: https://feedback.azure.com/forums/920458-azure-sentinel
GaryBushey - We have the same problem. I was able to create a logic app that automatically creates Service Now tickets when alerts are fired, but had to do it via Microsoft Graph. There is no trigger in Logic Apps for, for example, when an incident is created in Azure Sentinel. Plus, if you create alert rules in Sentinel for Microsoft security services (Azure ATP, MCAS, WDATP, etc.) there is no functionality at the moment to attach a playbook to that rule.
Basically, what I'm trying to achieve via a logic app is the following:
- create an incident in SNOW when a new incident is created in Azure Sentinel
- close the incident in SNOW when the status of the Azure Sentinel incident is changed to Closed
- close the corresponding alert in MCAS, Azure ATP, WDATP, etc. when the Azure Sentinel incident is closed.
I managed to get this to work through a logic app but via the Microsoft Graph API (getting the alerts from Microsoft Graph Security), but I would rather do it via Azure Sentinel, so as to have a unified single point of management for all Microsoft security tools and also integrate it via a logic app with the ITSM tool (Service Now).
If anyone has any ideas on how to achieve this it would be great.
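The three-step flow described in the post above (create a SNOW ticket for a new Sentinel incident, close the ticket when the incident is closed, then resolve the originating MCAS/ATP/WDATP alerts) can be expressed as a small planning routine that decides which HTTP calls to make, independent of whether it runs in a Logic App or a script. The following is an added example, not code from the thread or from Microsoft. It assumes Sentinel incidents are read as Microsoft Graph Security `alert` resources whose `vendorInformation.provider` is `Azure Sentinel`, that ServiceNow is driven through its Table API (`/api/now/table/incident`, with state `7` meaning Closed, assumed default field names), that a `correlation_id` field on the SNOW record holds the Sentinel incident id, and that the caller supplies a `related_alerts` mapping from Sentinel incident id to the source alerts to resolve (an assumption; Graph does not return that grouping in the alert itself). All sample alerts are constructed.

```python
"""Plan Sentinel -> ServiceNow -> source-alert sync calls (added example).

Every 'Action' produced here maps one-to-one onto a Logic App HTTP action
or a requests.post/patch call with a bearer token; nothing is sent from
this module, so it runs offline against the constructed samples below.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
SNOW = "https://INSTANCE-PLACEHOLDER.service-now.com"  # placeholder instance


@dataclass
class Action:
    method: str              # "POST" or "PATCH"
    url: str
    body: dict = field(default_factory=dict)


def _is_sentinel(alert: dict) -> bool:
    """Only Sentinel-provided alerts drive the ticket lifecycle."""
    return alert.get("vendorInformation", {}).get("provider") == "Azure Sentinel"


def build_snow_create_body(incident: dict) -> dict:
    """Map a Sentinel incident to a ServiceNow incident record (assumed fields)."""
    urgency = {"high": 1, "medium": 2}.get(incident.get("severity", "").lower(), 3)
    return {
        "short_description": f"[Sentinel] {incident['title']}",
        "description": incident.get("description", ""),
        "urgency": urgency,
        "correlation_id": incident["id"],   # lets us find the ticket later
    }


def build_snow_close_body(incident: dict) -> dict:
    """Close the SNOW ticket; state 7 = Closed in a default instance (assumed)."""
    return {"state": 7, "close_code": "Closed/Resolved by Caller",
            "close_notes": f"Sentinel incident {incident['id']} closed"}


def build_graph_resolve_body(alert: dict) -> dict:
    """Graph Security alert PATCH requires vendorInformation in the body."""
    return {
        "status": "resolved",
        "closedDateTime": datetime.now(timezone.utc).isoformat(),
        "comments": ["Closed via Sentinel incident sync"],
        "vendorInformation": alert["vendorInformation"],
    }


def plan_actions(alerts: list, snow_index: dict, related_alerts: dict) -> list:
    """Decide the calls for one sync pass.

    snow_index:     Sentinel incident id -> SNOW sys_id of the existing ticket
    related_alerts: Sentinel incident id -> source alerts (MCAS, ATP, ...) to resolve
    """
    actions = []
    for inc in alerts:
        if not _is_sentinel(inc):
            continue
        sys_id = snow_index.get(inc["id"])
        if inc["status"] != "resolved" and sys_id is None:
            # new Sentinel incident with no ticket yet -> create one
            actions.append(Action("POST", f"{SNOW}/api/now/table/incident",
                                  build_snow_create_body(inc)))
        elif inc["status"] == "resolved" and sys_id is not None:
            # closed in Sentinel -> close the ticket, then resolve source alerts
            actions.append(Action("PATCH", f"{SNOW}/api/now/table/incident/{sys_id}",
                                  build_snow_close_body(inc)))
            for src in related_alerts.get(inc["id"], []):
                actions.append(Action("PATCH", f"{GRAPH}/security/alerts/{src['id']}",
                                      build_graph_resolve_body(src)))
        # open incident that already has a ticket: nothing to do this pass
    return actions


# Constructed sample data (not real alerts).
SENTINEL = {"provider": "Azure Sentinel", "vendor": "Microsoft"}
SAMPLE_ALERTS = [
    {"id": "inc-1", "status": "newAlert", "severity": "high",
     "title": "Impossible travel", "vendorInformation": SENTINEL},
    {"id": "inc-2", "status": "resolved", "severity": "medium",
     "title": "Suspicious OAuth app", "vendorInformation": SENTINEL},
    {"id": "inc-3", "status": "inProgress", "severity": "low",
     "title": "Mass download", "vendorInformation": SENTINEL},
    {"id": "mcas-7", "status": "newAlert", "severity": "low",
     "title": "Raw MCAS alert", "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}},
]
SAMPLE_SNOW_INDEX = {"inc-2": "abc123", "inc-3": "def456"}
SAMPLE_RELATED = {"inc-2": [{"id": "mcas-9", "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}}]}

if __name__ == "__main__":
    for act in plan_actions(SAMPLE_ALERTS, SAMPLE_SNOW_INDEX, SAMPLE_RELATED):
        print(act.method, act.url, act.body)
```

Running it on the constructed sample yields three calls: a SNOW create for `inc-1`, a SNOW close for `inc-2`'s ticket, and a Graph PATCH marking `mcas-9` resolved; `inc-3` already has a ticket and stays open, and the raw MCAS alert is ignored because only Sentinel incidents drive the lifecycle. Keeping the planner pure (no network inside) is what makes the logic testable before it is wired into a Logic App's HTTP actions.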
- psmaan1, Mar 18, 2020, Copper Contributor
I am trying to do a similar setup. I am setting up MCAS and other Azure security products' alert monitoring in Sentinel. I would like to implement something like this where, if an alert is closed in Sentinel, it gets automatically closed on the respective tool (or multiple tools) as well.
Can you please elaborate on how you managed to do it?