Azure Sentinel Incident Bi-directional sync with ServiceNow

Published Sep 15 2020 02:38 AM 16.8K Views
Microsoft

One of the main SIEM use cases is incident management. Azure Sentinel offers robust features that help the analyst to manage the life cycle of security incidents, including:

  • Alert grouping and fusion​
  • Incident triaging and management​
  • An interactive investigation experience​
  • Orchestration and response using Logic Apps

 

In some cases, customers maintain incidents in their IT Service Management (ITSM) systems for remediating security incidents across the organization. For organizations using ITSM systems, there is often a need for a bi-directional sync of Azure Sentinel incidents to their ITSM tool. When this integration occurs, a security incident created in Azure Sentinel, would also be created in the ITSM system. If this ticket is closed in the ITSM system, it will be closed in Azure Sentinel.

In this article, I demonstrate how to use Azure Sentinel Security Orchestration, Automation and Response (SOAR) capability and ServiceNow’s (SNOW) Business Rules feature to implement this bi-directional incident sync between the two systems.

 

high_level.GIF

 

Send an Azure Sentinel incident into ServiceNow incident queue

 

The playbook, available here and presented below, works as follows:

  1. Triggers automatically on a new Alert.
  2. Gets relevant properties from the Incident.
  3. Populates the workspace name variable.
  4. Creates a record of incident type in ServiceNow and populate the Azure Sentinel Incident properties into the SNOW incident record using the following mapping:

 

ServiceNow

Sentinel

Number

Incident Unique ID

Short Description

Description

Severity

Severity

Additional comment

Incident Deep link

 

playbook2_numbers.GIF

 

Deploying the solution

 

  1. Deploy the above Logic APP
  2. Attached this logic app to every analytics rule that you want to sync to ServiceNow, by Selecting it on the automated response section. (currently you need to run this process for each analytics rule that you want to sync)

 

atach-playbook.png

 

Once an analytics rule generates a new incident, a new incident will pop-up on the ServiceNow incident Page.

 

SNOW-Incident-View_visual.GIF

 

Close Sentinel Incident When it closed in ServiceNow.

 

Closing the incident in Azure Sentinel when it is closed in ServiceNow requires two components:

  1. A Business Rule in ServiceNow that run custom JS code when the incident is closed.
  2. A Logic App in Azure Sentinel that waits to the Business Rule POST request.

Step 1: Deploy the Logic App on Azure Sentinel.

 

The playbook, available here and presented below, works as follows:

  1. Triger when an HTTP POST request hits the endpoint (1)
  2. Get relevant properties from the ServiceNow Incident.
  3. Close the incident on Azure Sentinel (4)
  4. Add comment with the name of the user who closed into an Azure sentinel incident comment (5)

playbook2_clean.GIF

 

Step 2: Configure the Logic App

 

  1. Copy the HTTP endpoint URL from the Logic App trigger part.

copy_http_trigger.gif

2. In “run query and list results” (2) authenticate with user that has log analytics read permission or Azure Sentinel Reader role as a minimum requirement.

3. In “get incident – bring fresh ETAG” (3) authenticate to AAD APP with a user that has an Azure Sentinel Reader role, or with a Managed identity with the same permission.

4. On the close incident step (4) we will need to use a user that has an Azure Sentinel Responder role as the identity for

5. On “add comment to incident” (5) use a user that has an Azure Sentinel Contributor account.

 

Step 3: ServiceNow Business Rule

 

What is Business Rule?

Per ServiceNow documentation, a business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried.

To create the business rule

  1. Login to your ServiceNow Instance.
  2. In the left navigation type business rules, press New to create a new business rule.

      (For a business rule types and scopes refer to ServiceNow documentation)

  1. Give the business rule a name, select Incident as the table, and check the Active and the Advanced checkboxes.

busniess_rule_clean.GIF

4. On the “When to run” tab, configure the controls as depicted on the screenshot below.

 

busniess_rule_when_to_run.GIF

5. On the Advance tab, paste the above (like the picture below)

 

Js_script.GIF

 

In line 8, replace the URL with the URL that we copied from the webhook Logic App above; this will be the endpoint that the business rule will interact with.

 

 

{
var ClosedUser = String(current.closed_by.name);
var Description = current.short_description.replace(/(\r\n|\n|\r|['"])/gm,", ");
var number = String(current.number);
var request = new sn_ws.RESTMessageV2();
var requestBody = {"Description": Description , "number": number ,  "ClosedBy":ClosedUser };
request.setRequestBody(JSON.stringify(requestBody));
request.setEndpoint('https://prod-65.eastus.logic.azure.com:443/workflows/9afa26062b1e4a0180d6ecefd26ab58e/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=gv1HMcDt8DanJmOe3UvG22uyU_nere4rTQF8XnInYog');
request.setHttpMethod('POST');
request.setRequestHeader("Accept","application/json");
request.setRequestHeader('Content-Type','application/json');
var response = request.execute();
var responseBody = response.getBody();
var httpStatus = response.getStatusCode();
var parsedData = JSON.parse(responseBody);
gs.log(response.getBody());
}

 

 

In the above example I only send to sentinel 3 properties:

  • ClosedBy – the username that closed the incident in Service Now
  • Description – the incident description
  • Number – the incident ID, originally received from Azure Sentinel.

You can modify the business rule Java Script code and add other properties that can add value to your use case.

 

Summary

Once the user closes the incident in ServiceNow, the listener Logic App triggers and closes the incident in Azure Sentinel, adding a relevant comment as you can see below:

 

closed_incident.GIF

 

This completes the process of implementing incident sync between Azure Sentinel and ServiceNow by leveraging a Logic App and a ServiceNow business rule.

 

Thanks @Ofer_Shezaf and @Kara Cole for all the help during this blog creation.

10 Comments
Occasional Contributor

Thanks for sharing this details.

for auto ticket creation do we need ServiceNow SecOps module license ? or does it support with normal ITSM capability (without SecOps, Security module)

Senior Member

Thanks @Yaniv Shasha for sharing this is a great article!

 

Some of the standard (OOTB) Analytics rules i.e. 'Create incidents based on Microsoft Cloud App Security alerts', 'Create incidents based on Microsoft Defender Advanced Threat Protection alerts' don't have the option of setting an automated response, what would be the recommended approach for creating incidents when these alerts trigger? We're an MSP and ideally we'd want to create a corresponding ServiceNow incident for every incident (for every customer) created in Sentinel so our techs could work from a single source. Interested in your thoughts.

Occasional Contributor

Very interesting this article. Very detailed and complete.

I was left with a question: When inserting comments on the open ticket in Sentinel, does this information update the ticket in Service Now?

Or when commenting on Service Now, if those comments are posted on Sentinel.

Thank you.

Occasional Contributor

I also have the same doubts about the @Paul Sells

Microsoft

@luizao_lf  indeed currently we don't have incident update trigger (only create ) i worked with some customers that implement pulling solution that scan the incident api and looks for last data modified and sync the changes to the remote ITSM system.

 

that said, incident update Triger is in our roadmap but i still dont have ETA to share

Occasional Contributor

@Yaniv Shasha 

I'm having a problem and maybe you can help me.

I use alert aggregation to reduce noise. In the informed way, every time an alert is triggered, even if it is added to the already opened incident and does not create a new one in the sentinel, will an incident be created in Servive Now? If so, this way information would be inconsistent, because in the case of 3 alerts grouped in the same incident, it would be 1 incident in Sentinel and 3 in Service Now.

 

Another point I realized is that the alerts from Microsoft tools (Defender, MCASb ...) do not allow you to link the playbook for opening tickets in Service Now. Do you have any workaround for this situation?

Senior Member

Hi @Yaniv Shasha  

 

Interested to know if there are there any plans to update this guide to reflect the changes to connector functionality, specifically Add Comment to Incident (V2) which has now been depreciated and replaced with Add Comment to Incident (Preview) which uses Incident ARM ID to retrieve the incident to update where previously, you had to supply 4 fields in order to identify the incident to update. 

 

https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-logic-apps-connector...

 

Thanks

 

Paul

Occasional Visitor

I have not seen any detail has to how Azure is creating the Incidents in ServiceNow ? Is there a Sentinel specific Plugin for ServiceNow that is used as the bridge or is it using native SN API directly to the security incident table? or Microsoft Graph API deployed on the ServiceNow side at which point it retrieves specific alerts and then created the SIR accordingly or ?

 

Thanks!

Hello Experts,

Somehow this logic app code doesn't allow me to use different Closure or Classification codes to have more clarity on why the incident on Azure sentinel was closed.

Only if I keep the classification as "Undetermined" it works other it won't.

Anyone facing the same issue. If yes, What could be the resolution?

New Contributor
 
Microsoft

...

 

that said, incident update Triger is in our roadmap but i still dont have ETA to share



 

@Yaniv Shasha any update on the ETA of an incident update trigger?

%3CLINGO-SUB%20id%3D%22lingo-sub-1668248%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20Incident%20Bi-directional%20sync%20with%20ServiceNow.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1668248%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20sharing%20this%20details.%3C%2FP%3E%3CP%3Efor%20auto%20ticket%20creation%20do%20we%20need%20ServiceNow%20SecOps%20module%20license%20%3F%20or%20does%20it%20support%20with%20normal%20ITSM%20capability%20(without%20SecOps%2C%20Security%20module)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1771828%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20Incident%20Bi-directional%20sync%20with%20ServiceNow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1771828%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F185177%22%20target%3D%22_blank%22%3E%40Yaniv%20Shasha%3C%2FA%3E%26nbsp%3Bfor%20sharing%20this%20is%20a%20great%20article!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20of%20the%20standard%20(OOTB)%20Analytics%20rules%20i.e.%20'Create%20incidents%20based%20on%20Microsoft%20Cloud%20App%20Security%20alerts'%2C%20'Create%20incidents%20based%20on%20Microsoft%20Defender%20Advanced%20Threat%20Protection%20alerts'%20don't%20have%20the%20option%20of%20setting%20an%20automated%20response%2C%20what%20would%20be%20the%20recommended%20approach%20for%20creating%20incidents%20when%20these%20alerts%20trigger%3F%20We're%20an%20MSP%20and%20ideally%20we'd%20want%20to%20create%20a%20corresponding%20ServiceNow%20incident%20for%20every%20incident%20(for%20every%20customer)%20created%20in%20Sentinel%20so%20our%20techs%20could%20work%20from%20a%20single%20source.%20Interested%20in%20your%20thoughts.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1796853%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20Incident%20Bi-directional%20sync%20with%20ServiceNow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1796853%22%20slang%3D%22en-US%22%3E%3CP%3EVery%20interesting%20this%20article.%20Very%20detailed%20and%20complete.%3C%2FP%3E%3CP%3EI%20was%20left%20with%20a%20question%3A%20When%20inserting%20comments%20on%20the%20open%20ticket%20in%20Sentinel%2C%20does%20this%20information%20update%20the%20ticket%20in%20Service%20Now%3F%3C%2FP%3E%3CP%3EOr%20when%20commenting%20on%20Service%20Now%2C%20if%20those%20comments%20are%20posted%20on%20Sentinel.%3C%2FP%3E%3CP%3EThank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1797002%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20Incident%20Bi-directional%20sync%20with%20ServiceNow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1797002%22%20slang%3D%22en-US%22%3E%3CP%20class%3D%22lia-align-left%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F733311%22%20target%3D%22_blank%22%3E%40luizao_lf%3C%2FA%3E%26nbsp%3B%20indeed%20currently%20we%20don't%20have%20incident%20update%20trigger%20(only%20create%20)%20i%20worked%20with%20some%20customers%20that%20implement%20pulling%20solution%20that%20scan%20the%20incident%20api%20and%20looks%20for%20last%20data%20modified%20and%20sync%20the%20changes%20to%20the%20remote%20ITSM%20system.%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-left%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-left%22%3Ethat%20said%2C%20incident%20update%20Triger%20is%20in%20our%20roadmap%20but%20i%20still%20dont%20have%20ETA%20to%20share%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1830167%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20Incident%20Bi-directional%20sync%20with%20ServiceNow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1830167%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F185177%22%20target%3D%22_blank%22%3E%40Yaniv%20Shasha%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20having%20a%20problem%20and%20maybe%20you%20can%20help%20me.%3C%2FP%3E%3CP%3EI%20use%20alert%20aggregation%20to%20reduce%20noise.%20In%20the%20informed%20way%2C%20every%20time%20an%20alert%20is%20triggered%2C%20even%20if%20it%20is%20added%20to%20the%20already%20opened%20incident%20and%20does%20not%20create%20a%20new%20one%20in%20the%20sentinel%2C%20will%20an%20incident%20be%20created%20in%20Servive%20Now%3F%20If%20so%2C%20this%20way%20information%20would%20be%20inconsistent%2C%20because%20in%20the%20case%20of%203%20alerts%20grouped%20in%20the%20same%20incident%2C%20it%20would%20be%201%20incident%20in%20Sentinel%20and%203%20in%20Service%20Now.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnother%20point%20I%20realized%20is%20that%20the%20alerts%20from%20Microsoft%20tools%20(Defender%2C%20MCASb%20...)%20do%20not%20allow%20you%20to%20link%20the%20playbook%20for%20opening%20tickets%20in%20Service%20Now.%20Do%20you%20have%20any%20workaround%20for%20this%20situation%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1965870%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20Incident%20Bi-directional%20sync%20with%20ServiceNow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1965870%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F185177%22%20target%3D%22_blank%22%3E%40Yaniv%20Shasha%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInterested%20to%20know%20if%20there%20are%20there%20any%20plans%20to%20update%20this%20guide%20to%20reflect%20the%20changes%20to%20connector%20functionality%2C%20specifically%20Add%20Comment%20to%20Incident%20(V2)%20which%20has%20now%20been%20depreciated%20and%20replaced%20with%20Add%20Comment%20to%20Incident%20(Preview)%20which%20uses%26nbsp%3B%3CSTRONG%3EIncident%20ARM%20ID%20%3C%2FSTRONG%3Eto%20retrieve%20the%20incident%20to%20update%20where%20p%3CSPAN%3Ereviously%2C%20you%20had%20to%20supply%204%20fields%20in%20order%20to%20identify%20the%20incident%20to%20update.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fwhat-s-new-azure-sentinel-logic-apps-connector-improvements-and%2Fba-p%2F1888416%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fwhat-s-new-azure-sentinel-logic-apps-connector-improvements-and%2Fba-p%2F1888416%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPaul%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1667771%22%20slang%3D%22en-US%22%3EAzure%20Sentinel%20Incident%20Bi-directional%20sync%20with%20ServiceNow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1667771%22%20slang%3D%22en-US%22%3E%3CP%3EOne%20of%20the%20main%20SIEM%20use%20cases%20is%20incident%20management.%20Azure%20Sentinel%20offers%20robust%20features%20that%20help%20the%20analyst%20to%20manage%20the%20life%20cycle%20of%20security%20incidents%2C%20including%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAlert%20grouping%20and%20fusion%3C%2FLI%3E%0A%3CLI%3EIncident%20triaging%20and%20management%3C%2FLI%3E%0A%3CLI%3EAn%20interactive%20investigation%20experience%3C%2FLI%3E%0A%3CLI%3EOrchestration%20and%20response%20using%26nbsp%3BLogic%20Apps%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20some%20cases%2C%20customers%20maintain%20incidents%20in%20their%20IT%20Service%20Management%20(ITSM)%20systems%20for%20remediating%20security%20incidents%20across%20the%20organization.%20For%20organizations%20using%20ITSM%20systems%2C%20there%20is%20often%20a%20need%20for%20a%20bi-directional%20sync%20of%20Azure%20Sentinel%20incidents%20to%20their%20ITSM%20tool.%20When%20this%20integration%20occurs%2C%20a%20security%20incident%20created%20in%20Azure%20Sentinel%2C%20would%20also%20be%20created%20in%20the%20ITSM%20system.%20If%20this%20ticket%20is%20closed%20in%20the%20ITSM%20system%2C%20it%20will%20be%20closed%20in%20Azure%20Sentinel.%3C%2FP%3E%0A%3CP%3EIn%20this%20article%2C%20I%20demonstrate%20how%20to%20use%20Azure%20Sentinel%20Security%20Orchestration%2C%20Automation%20and%20Response%20(SOAR)%20capability%20and%20ServiceNow%E2%80%99s%20(SNOW)%20Business%20Rules%20feature%20to%20implement%20this%20bi-directional%20incident%20sync%20between%20the%20two%20systems.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22high_level.GIF%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218327iA8A3D84B3CC9FEF1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22high_level.GIF%22%20alt%3D%22high_level.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1267563216%22%20id%3D%22toc-hId--1267563184%22%20id%3D%22toc-hId--1267563184%22%3ESend%20an%20Azure%20Sentinel%20incident%20into%20ServiceNow%20incident%20queue%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20playbook%2C%20available%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FPlaybooks%2FOpen-SNOW-Ticket%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E%3CSPAN%3E%20and%20presented%20below%3C%2FSPAN%3E%2C%20works%20as%20follows%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ETriggers%20automatically%20on%20a%20new%20Alert.%3C%2FLI%3E%0A%3CLI%3EGets%20relevant%20properties%20from%20the%20Incident.%3C%2FLI%3E%0A%3CLI%3EPopulates%20the%20workspace%20name%20variable.%3C%2FLI%3E%0A%3CLI%3ECreates%20a%20record%20of%20incident%20type%20in%20ServiceNow%20and%20populate%20the%20Azure%20Sentinel%20Incident%20properties%20into%20the%20SNOW%20incident%20record%20using%20the%20following%20mapping%3A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E%3CSTRONG%3EServiceNow%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3E%3CSTRONG%3ESentinel%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E%3CSTRONG%3ENumber%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EIncident%20Unique%20ID%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E%3CSTRONG%3EShort%20Description%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EDescription%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E%3CSTRONG%3ESeverity%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3ESeverity%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22192%22%3E%3CP%3E%3CSTRONG%3EAdditional%20comment%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22150%22%3E%3CP%3EIncident%20Deep%20link%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22playbook2_numbers.GIF%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218328i8EF04E74D663EDA0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22playbook2_numbers.GIF%22%20alt%3D%22playbook2_numbers.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1219949617%22%20id%3D%22toc-hId-1219949649%22%20id%3D%22toc-hId-1219949649%22%3EDeploying%20the%20solution%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EDeploy%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FPlaybooks%2FOpen-SNOW-Ticket%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eabove%20Logic%20APP%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EAttached%20this%20logic%20app%20to%20every%20analytics%20rule%20that%20you%20want%20to%20sync%20to%20ServiceNow%2C%20by%20Selecting%20it%20on%20the%20automated%20response%20section.%20(%3CSTRONG%20style%3D%22font-family%3A%20inherit%3B%22%3Ecurrently%20you%20need%20to%20run%20this%20process%20for%20each%20analytics%20rule%20that%20you%20want%20to%20sync%3C%2FSTRONG%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22atach-playbook.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218329iFE62C18272FEA00E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22atach-playbook.png%22%20alt%3D%22atach-playbook.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20an%20analytics%20rule%20generates%20a%20new%20incident%2C%20a%20new%20incident%20will%20pop-up%20on%20the%20ServiceNow%20incident%20Page.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22SNOW-Incident-View_visual.GIF%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218330i5FAECD6EF1E271CB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22SNOW-Incident-View_visual.GIF%22%20alt%3D%22SNOW-Incident-View_visual.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--587504846%22%20id%3D%22toc-hId--587504814%22%20id%3D%22toc-hId--587504814%22%3EClose%20Sentinel%20Incident%20When%20it%20closed%20in%20ServiceNow.%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EClosing%20the%20incident%20in%20Azure%20Sentinel%20when%20it%20is%20closed%20in%20ServiceNow%20requires%20two%20components%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EA%20Business%20Rule%20in%20ServiceNow%20that%20run%20custom%20JS%20code%20when%20the%20incident%20is%20closed.%3C%2FLI%3E%0A%3CLI%3EA%20Logic%20App%20in%20Azure%20Sentinel%20that%20waits%20to%20the%20Business%20Rule%20POST%20request.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH3%20id%3D%22toc-hId-103056628%22%20id%3D%22toc-hId-103056660%22%20id%3D%22toc-hId-103056660%22%3EStep%201%3A%20Deploy%20the%20Logic%20App%20on%20Azure%20Sentinel.%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20playbook%2C%20available%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FPlaybooks%2FClose-SentinelIncident-fromSNOW%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E%3CSPAN%3E%20and%20presented%20below%3C%2FSPAN%3E%2C%20works%20as%20follows%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ETriger%20when%20an%20HTTP%20POST%20request%20hits%20the%20endpoint%20(1)%3C%2FLI%3E%0A%3CLI%3EGet%20relevant%20properties%20from%20the%20ServiceNow%20Incident.%3C%2FLI%3E%0A%3CLI%3EClose%20the%20incident%20on%20Azure%20Sentinel%20(4)%3C%2FLI%3E%0A%3CLI%3EAdd%20comment%20with%20the%20name%20of%20the%20user%20who%20closed%20into%20an%20Azure%20sentinel%20incident%20comment%20(5)%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22playbook2_clean.GIF%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218331i3BBFEFB635239762%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22playbook2_clean.GIF%22%20alt%3D%22playbook2_clean.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1704397835%22%20id%3D%22toc-hId--1704397803%22%20id%3D%22toc-hId--1704397803%22%3EStep%202%3A%20Configure%20the%20Logic%20App%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ECopy%20the%20HTTP%20endpoint%20URL%20from%20the%20Logic%20App%20trigger%20part.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22copy_http_trigger.gif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218332i9649F5375216DC07%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22copy_http_trigger.gif%22%20alt%3D%22copy_http_trigger.gif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E2.%20In%20%E2%80%9Crun%20query%20and%20list%20results%E2%80%9D%20(2)%20authenticate%20with%20user%20that%20has%20%3CSTRONG%3Elog%20analytics%20read%20permission%3C%2FSTRONG%3E%20or%20%3CSTRONG%3EAzure%20Sentinel%20Reader%3C%2FSTRONG%3E%20role%20as%20a%20minimum%20requirement.%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E3.%20In%20%E2%80%9Cget%20incident%20%E2%80%93%20bring%20fresh%20ETAG%E2%80%9D%20(3)%20authenticate%20to%20AAD%20APP%20with%20a%20user%20that%20has%20an%20%3CSTRONG%3EAzure%20Sentinel%20Reader%20role%3C%2FSTRONG%3E%2C%20or%20with%20a%20Managed%20identity%20with%20the%20same%20permission.%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E4.%20On%20the%20close%20incident%20step%20(4)%20we%20will%20need%20to%20use%20a%20user%20that%20has%20an%20Azure%20Sentinel%20Responder%20role%20as%20the%20identity%20for%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E5.%20On%20%E2%80%9Cadd%20comment%20to%20incident%E2%80%9D%20(5)%20use%20a%20user%20that%20has%20an%20%3CSTRONG%3EAzure%20Sentinel%20Contributor%20%3C%2FSTRONG%3Eaccount.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-783114998%22%20id%3D%22toc-hId-783115030%22%20id%3D%22toc-hId-783115030%22%3EStep%203%3A%20ServiceNow%20Business%20Rule%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWhat%20is%20Business%20Rule%3F%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EPer%20%3CA%20href%3D%22https%3A%2F%2Fdocs.servicenow.com%2Fbundle%2Forlando-application-development%2Fpage%2Fscript%2Fbusiness-rules%2Fconcept%2Fc_BusinessRules.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EServiceNow%20documentation%3C%2FA%3E%2C%20a%3CEM%3E%20business%20rule%20is%20a%20server-side%20script%20that%20runs%20when%20a%20record%20is%20displayed%2C%20inserted%2C%20updated%2C%20or%20deleted%2C%20or%20when%20a%20table%20is%20queried.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3ETo%20create%20the%20business%20rule%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ELogin%20to%20your%20ServiceNow%20Instance.%3C%2FLI%3E%0A%3CLI%3EIn%20the%20left%20navigation%20type%20business%20rules%2C%20press%20N%3CSTRONG%3Eew%3C%2FSTRONG%3E%20to%20create%20a%20new%20business%20rule.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20(For%20a%20business%20rule%20types%20and%20scopes%20refer%20to%20ServiceNow%20%3CA%20href%3D%22https%3A%2F%2Fdocs.servicenow.com%2Fbundle%2Forlando-application-development%2Fpage%2Fscript%2Fbusiness-rules%2Fconcept%2Fc_BusinessRulesInScopedApps.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Edocumentation%3C%2FA%3E)%3C%2FP%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3EGive%20the%20business%20rule%20a%20name%2C%20select%20%3CSTRONG%3EIncident%3C%2FSTRONG%3E%20as%20the%20table%2C%20and%20check%20the%20%3CSTRONG%3EActive%3C%2FSTRONG%3E%20and%20the%20%3CSTRONG%3EAdvanced%3C%2FSTRONG%3E%20checkboxes.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22busniess_rule_clean.GIF%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218333i32E08BCDD6C97D4A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22busniess_rule_clean.GIF%22%20alt%3D%22busniess_rule_clean.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E4.%20On%20the%20%E2%80%9CWhen%20to%20run%E2%80%9D%20tab%2C%20configure%20the%20controls%20as%20depicted%20on%20the%20screenshot%20below.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22busniess_rule_when_to_run.GIF%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218334i199DDF88F5A683FA%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22busniess_rule_when_to_run.GIF%22%20alt%3D%22busniess_rule_when_to_run.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E5.%20On%20the%20Advance%20tab%2C%20paste%20the%20above%20(like%20the%20picture%20below)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Js_script.GIF%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218336iC7C9420303CE540C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Js_script.GIF%22%20alt%3D%22Js_script.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20line%208%2C%20replace%20the%20URL%20with%20the%20URL%20that%20we%20copied%20from%20the%20webhook%20Logic%20App%20above%3B%20this%20will%20be%20the%20endpoint%20that%20the%20business%20rule%20will%20interact%20with.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-javascript%22%3E%3CCODE%3E%7B%0Avar%20ClosedUser%20%3D%20String(current.closed_by.name)%3B%0Avar%20Description%20%3D%20current.short_description.replace(%2F(%5Cr%5Cn%7C%5Cn%7C%5Cr%7C%5B'%22%5D)%2Fgm%2C%22%2C%20%22)%3B%0Avar%20number%20%3D%20String(current.number)%3B%0Avar%20request%20%3D%20new%20sn_ws.RESTMessageV2()%3B%0Avar%20requestBody%20%3D%20%7B%22Description%22%3A%20Description%20%2C%20%22number%22%3A%20number%20%2C%20%20%22ClosedBy%22%3AClosedUser%20%7D%3B%0Arequest.setRequestBody(JSON.stringify(requestBody))%3B%0Arequest.setEndpoint('https%3A%2F%2Fprod-65.eastus.logic.azure.com%3A443%2Fworkflows%2F9afa26062b1e4a0180d6ecefd26ab58e%2Ftriggers%2Fmanual%2Fpaths%2Finvoke%3Fapi-version%3D2016-10-01%26amp%3Bsp%3D%252Ftriggers%252Fmanual%252Frun%26amp%3Bsv%3D1.0%26amp%3Bsig%3Dgv1HMcDt8DanJmOe3UvG22uyU_nere4rTQF8XnInYog')%3B%0Arequest.setHttpMethod('POST')%3B%0Arequest.setRequestHeader(%22Accept%22%2C%22application%2Fjson%22)%3B%0Arequest.setRequestHeader('Content-Type'%2C'application%2Fjson')%3B%0Avar%20response%20%3D%20request.execute()%3B%0Avar%20responseBody%20%3D%20response.getBody()%3B%0Avar%20httpStatus%20%3D%20response.getStatusCode()%3B%0Avar%20parsedData%20%3D%20JSON.parse(responseBody)%3B%0Ags.log(response.getBody())%3B%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20above%20example%20I%20only%20send%20to%20sentinel%203%20properties%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EClosedBy%3C%2FSTRONG%3E%20%E2%80%93%20the%20username%20that%20closed%20the%20incident%20in%20Service%20Now%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EDescription%3C%2FSTRONG%3E%20%E2%80%93%20the%20incident%20description%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ENumber%3C%2FSTRONG%3E%20%E2%80%93%20the%20incident%20ID%2C%20originally%20received%20from%20Azure%20Sentinel.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EYou%20can%20modify%20the%20business%20rule%20Java%20Script%20code%20and%20add%20other%20properties%20that%20can%20add%20value%20to%20your%20use%20case.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-772611894%22%20id%3D%22toc-hId-772611926%22%20id%3D%22toc-hId-772611926%22%3ESummary%3C%2FH2%3E%0A%3CP%3EOnce%20the%20user%20closes%20the%20incident%20in%20ServiceNow%2C%20the%20listener%20Logic%20App%20triggers%20and%20closes%20the%20incident%20in%20Azure%20Sentinel%2C%20adding%20a%20relevant%20comment%20as%20you%20can%20see%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22closed_incident.GIF%22%20style%3D%22width%3A%20535px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F218337i38C09B8AC8528C35%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22closed_incident.GIF%22%20alt%3D%22closed_incident.GIF%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20completes%20the%20process%20of%20implementing%20incident%20sync%20between%20Azure%20Sentinel%20and%20ServiceNow%20by%20leveraging%20a%20Logic%20App%20and%20a%20ServiceNow%20business%20rule.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293879%22%20target%3D%22_blank%22%3E%40Ofer_Shezaf%3C%2FA%3E%26nbsp%3Band%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F180860%22%20target%3D%22_blank%22%3E%40Kara%20Cole%3C%2FA%3E%26nbsp%3Bfor%20all%20the%20help%20during%20this%20blog%20creation.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1667771%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22preview.GIF%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219833iC9C66CD334B11128%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22preview.GIF%22%20alt%3D%22preview.GIF%22%20%2F%3E%3C%2FSPAN%3EIn%20some%20cases%2C%20customers%20maintain%20incidents%20in%20their%20IT%20Service%20Management%20(ITSM)%20systems%20for%20remediating%20security%20incidents%20across%20the%20organization.%20For%20organizations%20using%20ITSM%20systems%2C%20there%20is%20often%20a%20need%20for%20a%20bi-directional%20sync%20of%20Azure%20Sentinel%20incidents%20to%20their%20ITSM%20tool.%20When%20this%20integration%20occurs%2C%20a%20security%20incident%20created%20in%20Azure%20Sentinel%2C%20would%20also%20be%20created%20in%20the%20ITSM%20system.%20If%20this%20ticket%20is%20closed%20in%20the%20ITSM%20system%2C%20it%20will%20be%20closed%20in%20Azure%20Sentinel.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1667771%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Sentinel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2232749%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Sentinel%20Incident%20Bi-directional%20sync%20with%20ServiceNow%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2232749%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20not%20seen%20any%20detail%20has%20to%20how%20Azure%20is%20creating%20the%20Incidents%20in%20ServiceNow%20%3F%20Is%20there%20a%20Sentinel%20specific%20Plugin%20for%20ServiceNow%20that%20is%20used%20as%20the%20bridge%20or%20is%20it%20using%20native%20SN%20API%20directly%20to%20the%20security%20incident%20table%3F%20or%20Microsoft%20Graph%20API%20deployed%20on%20the%20ServiceNow%20side%20at%20which%20point%20it%20retrieves%20specific%20alerts%20and%20then%20created%20the%20SIR%20accordingly%20or%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Dec 24 2020 03:58 AM
Updated by: