SNOW Logic App Connector


Is it possible to generate SNOW tickets to the "Events" table as opposed to the "Incidents" table using the built-in Logic App connector?

6 Replies
Use the SNOW playbook in the repo as an example. You can trigger using a log analytics query. Here is a similar example. https://secureinfra.blog/2020/09/23/sentinel-email-notification-logic-app/

@Andrew Blumhardt I was using the playbook from the repo as a template. This question is more of a question on the SNOW side than Sentinel.

The way our SNOW works is that when a "ticket" comes in it starts in the Event table so that it can begin automated correlation then moves to the Alert table and then to the incident table.


I saw the Event table in the SNOW connector parameters, however there were issues with the playbook failing to run. But when I changed it to send to the Incidents table, it worked without issue.

@leo_szalk The only Event table in Azure Sentinel holds the Windows Events that you get from using the Microsoft Monitoring Agent.  Not sure what the SNOW connector is referring to.

@Gary Bushey Let me kind of rephrase this.


So in the SNOW connector, specifically Create Record, I'm referring to the Record Type field. In it, there's an Events record type that I need to have the Sentinel incidents go to due to how we have SNOW configured. However, I've been running into issues having the Logic App send details to that specific record type.


Reading through the documentation and some of the blogs, others have it set up to send to the SNOW Incidents record type. When I tried sending the Sentinel incident details to that record type, it worked. So my question is, is it possible to send it to the Events record type? We have a lot of automation and correlation rules set up in SNOW on the Events record type, so it would need to send the details there as opposed to the Incident record type.


Hopefully that makes sense!

@leo_szalk OK.  I got it now.  Sorry, but I do not have enough Service Now knowledge to be able to assist you further.

Hi @leo_szalk

we're also writing Sentinel Incidents to the Incident table (we don't use the Events table as such) however I've just tested the 'event' record type on our Dev system and it created an event record within the ecc_event table without issue.

You may want to check that the ServiceNow roles you have assigned to the account that the Logic App is using to create the incidents/events have sufficient permissions on the events table.

Hope that helps
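One way to isolate the permissions question raised in the last reply is to take the Logic App out of the loop and insert a record into the target table directly with the same ServiceNow credentials the connection uses. The script below is an added example, not code from the thread or from the Sentinel playbook repo; it calls the ServiceNow Table API (`POST /api/now/table/{table}`) with only the Python standard library. The instance name, service account, table name `ecc_event` and field values are placeholders, and the meaning attached to each HTTP status is the usual interpretation of Table API responses, not something the thread states. A 201 means the account can insert into that table, so a playbook failure is elsewhere; a 403 with the same credentials points at the role/ACL problem the reply describes.

```python
"""Probe whether a ServiceNow service account can insert into a given table.

Added example: sends the same kind of POST the Logic App 'Create Record'
action makes, using only the standard library, so that a permissions problem
on a table such as ecc_event shows up as a plain HTTP status rather than a
failed playbook run. Instance, account and field values are placeholders.
"""
import base64
import json
import urllib.error
import urllib.request

# Usual meaning of Table API status codes for an insert (assumption based on
# normal ServiceNow behaviour, not on anything stated in the thread).
STATUS_MEANING = {
    201: "created: account can insert into this table",
    400: "bad request: check the table name and field names",
    401: "unauthorized: credentials rejected",
    403: "forbidden: account authenticated but ACLs/roles deny insert on this table",
    404: "not found: check the instance URL / API path",
}


def build_create_record_request(instance, table, fields, user, password):
    """Build the POST request for /api/now/table/{table} with basic auth."""
    url = f"https://{instance}.service-now.com/api/now/table/{table}"
    body = json.dumps(fields).encode("utf-8")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", f"Basic {token}")
    return req


def classify_status(status):
    """Map an HTTP status from the Table API to a short diagnosis."""
    return STATUS_MEANING.get(status, f"unexpected HTTP {status}")


def probe_insert(req, timeout=15):
    """Send the request; return (status, diagnosis, parsed body or None)."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            payload = resp.read()
            return resp.status, classify_status(resp.status), json.loads(payload or b"{}")
    except urllib.error.HTTPError as e:
        # 4xx/5xx arrive here; the status alone is enough to diagnose access.
        return e.code, classify_status(e.code), None


if __name__ == "__main__":
    # Placeholders: use the dev instance and the dedicated, least-privileged
    # service account the Logic App connection authenticates with (not an admin).
    req = build_create_record_request(
        instance="dev12345",
        table="ecc_event",  # table named in the thread; try "incident" to compare
        fields={"description": "Sentinel connectivity probe", "source": "Azure Sentinel"},
        user="svc_sentinel",
        password="change-me",
    )
    status, diagnosis, body = probe_insert(req)
    print(status, diagnosis)
    if body:
        print(json.dumps(body.get("result", {}), indent=2)[:500])
```

Run it once against `ecc_event` and once against `incident` with the same account; if only the second returns 201, the gap is in the roles granted to the service account on the events table, which is the check the reply above suggests.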