SOLVED

Logicapp to sync incident status between sentinel to Servicenow.

Occasional Contributor

Hello,

Looking for some pointers on how to sync the incident status from Sentinel to ServiceNow. If the incident is marked as "Closed" in Sentinel, I would like to close it in ServiceNow too.

Since the Sentinel triggers are either on Alert creation or Incident creation, neither will fire when an incident is updated. Can you please share some info on how I can accomplish this?

Thanks
Ramesh

7 Replies

Hi, you need to set up an incident bi-directional sync; it's documented here:
https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-incident-bi-directional-sync-with-servicenow/ba-p/1667771
A playbook to close an AS incident from SNow is available here:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Close-SentinelIncident-fromSNOW
Thanks for the quick response. I would like to create a logic app that will close the ServiceNow incident when the incident in Sentinel is marked as closed.

The above playbook will sync when a close is triggered from ServiceNow, but not vice versa.
best response confirmed by naramesh (Occasional Contributor)
Solution

No problem

Understood, so I think here is a solution which synchronizes Incident closure from Sentinel to ServiceNow. By implementing it you should be able to close an Incident in AS and have it automatically close in SNow:
https://eldar.cloud/2021/04/24/azure-sentinel-incident-sync-with-servicenow/

Thank you so much for your help. I shall check this out.

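The closure flow the accepted answer points at (close in Sentinel, have the ServiceNow ticket close automatically), written out here as an added Python example rather than the linked Logic App or any project code, so the lookup and field mapping can be read and tested offline. It assumes the ServiceNow record was created with the Sentinel incident GUID (the incident's `name`) in its `correlation_id` field, that the default ITSM `incident` table is used (state 7 = Closed; `sn_si_incident` uses other values), and the `CLOSE_CODE` mapping, the sample incident and the in-memory `MemoryServiceNow` stand-in for the Table API GET/PATCH calls are all constructed for the example. Because the Sentinel creation triggers the question mentions do not fire on update, `sync_closure` is written to be idempotent so it can be called from a scheduled poll over recently closed incidents.

```python
from urllib.parse import quote, parse_qs, urlparse

SNOW_STATE_CLOSED = 7  # default ITSM 'incident' table value (assumed; sn_si_incident uses other states)
# Sentinel classification -> ServiceNow close_code (assumed mapping; align with your instance's choice list)
CLOSE_CODE = {"TruePositive": "Solved (Permanently)", "BenignPositive": "Solved (Work Around)",
              "FalsePositive": "Not Solved (Not Reproducible)", "Undetermined": "Closed/Resolved by Caller"}

# Constructed sample: the shape a Sentinel incident has in the REST API / Logic App trigger output.
SAMPLE_INCIDENT = {"name": "11111111-2222-3333-4444-555555555555",
                   "properties": {"incidentNumber": 1042, "status": "Closed",
                                  "classification": "FalsePositive", "classificationReason": "InaccurateData"}}

class MemoryServiceNow:
    """In-memory stand-in for the two Table API calls the sync needs (GET query, PATCH record)."""
    def __init__(self, records):
        self.records = {r["sys_id"]: dict(r) for r in records}
    def get(self, path):
        key, value = parse_qs(urlparse(path).query)["sysparm_query"][0].split("=", 1)
        return {"result": [r for r in self.records.values() if r.get(key) == value]}
    def patch(self, path, body):
        self.records[path.rsplit("/", 1)[1]].update(body)

def build_close_payload(incident):
    """PATCH body for ServiceNow, or None when the Sentinel incident is not Closed."""
    props = incident["properties"]
    if props.get("status") != "Closed":
        return None
    classification = props.get("classification", "Undetermined")
    notes = f"Closed in Sentinel incident #{props['incidentNumber']}: {classification}"
    if props.get("classificationReason"):
        notes += f" / {props['classificationReason']}"
    return {"state": SNOW_STATE_CLOSED,
            "close_code": CLOSE_CODE.get(classification, CLOSE_CODE["Undetermined"]),
            "close_notes": notes}

def sync_closure(incident, snow, table="incident"):
    """Close the ServiceNow record whose correlation_id holds the Sentinel incident GUID (incident['name'])."""
    payload = build_close_payload(incident)
    if payload is None:
        return None
    query = quote(f"correlation_id={incident['name']}", safe="")
    hits = snow.get(f"/api/now/table/{table}?sysparm_query={query}&sysparm_fields=sys_id,state")["result"]
    if len(hits) != 1:  # refuse to guess: closing the wrong ticket is worse than failing loudly
        raise LookupError(f"expected one ServiceNow record, found {len(hits)}")
    rec = hits[0]
    if int(rec["state"]) != SNOW_STATE_CLOSED:  # idempotent: a re-run does not PATCH again
        snow.patch(f"/api/now/table/{table}/{rec['sys_id']}", payload)
    return rec["sys_id"]
```

A real run swaps `MemoryServiceNow` for an HTTP client that issues the same GET/PATCH paths under a ServiceNow account limited to the incident table; the exact-match check on the lookup is what keeps a duplicated or missing correlation_id from closing someone else's ticket.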
@naramesh

Hi all, this is an interesting topic and something I am keen to know more about. So.....

We have a situation whereby we create an incident in ServiceNow (SIR) from an incident in Sentinel, which on a 1-on-1 basis is great. We close the incident in SIR, it closes in Sentinel and in the main platform which provided the information.

Then scenario 2:

An incident is created in SIR. Another alert is triggered which, for example, M365D says is linked to this, and it creates a Multi Stage / Main incident consisting of the initial incident and any that follow.

The problem being we don't want to close the first incident as that is being worked on. But Sentinel closes it (automatically) and states no entities and no alerts attached, as these have been moved to the main incident, which is now compiling all the alerts as they flow through.

How do we get it to update the very first incident and not populate a new incident ID? Or even overwrite the initial incident in SIR with a new name and new information from the now main incident.

Hope that makes at least some sense.


@ibrahimambodji It seems the Logic App is no longer available, do you have the updated link? Thank you

Hello,

I'm trying to connect Logic Apps to ServiceNow and get/post information. Is there a guide that can help me do that?