One of the main SIEM use cases is incident management. Microsoft Sentinel offers robust features that help the analyst to manage the life cycle of security incidents, including:
In some cases, customers maintain incidents in their IT Service Management (ITSM) systems for remediating security incidents across the organization. For organizations using ITSM systems, there is often a need for a bi-directional sync of Microsoft Sentinel incidents to their ITSM tool. With this integration in place, a security incident created in Microsoft Sentinel is also created in the ITSM system, and if the ticket is closed in the ITSM system, it is closed in Microsoft Sentinel as well.
In this article, I demonstrate how to use Microsoft Sentinel Security Orchestration, Automation and Response (SOAR) capability and ServiceNow’s (SNOW) Business Rules feature to implement this bi-directional incident sync between the two systems.
The playbook, available here and presented below, works as follows:
ServiceNow | Microsoft Sentinel
Number | Incident Unique ID
Short Description | Description
Severity | Severity
Additional comment | Incident Deep link
Once an analytics rule generates a new incident, a matching incident appears on the ServiceNow incident page.
Closing the incident in Microsoft Sentinel when it is closed in ServiceNow requires two components:
The playbook, available here and presented below, works as follows:
2. In “run query and list results” (2), authenticate with a user that has Log Analytics read permission or, at minimum, the Microsoft Sentinel Reader role.
3. In “get incident – bring fresh ETAG” (3), authenticate via the AAD app with a user that has the Microsoft Sentinel Reader role, or with a managed identity holding the same permission.
4. On the close incident step (4) we will need to use a user that has the Microsoft Sentinel Responder role as the identity for
5. On “add comment to incident” (5), use a user assigned the Microsoft Sentinel Contributor role.
What is a Business Rule?
Per ServiceNow documentation, a business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried.
To create the business rule:
(For business rule types and scopes, refer to the ServiceNow documentation.)
4. On the “When to run” tab, configure the controls as depicted in the screenshot below.
5. On the Advanced tab, paste the script shown below (as in the picture below).
In the setEndpoint call, replace the URL with the URL that we copied from the webhook Logic App above; this will be the endpoint that the business rule will interact with.

```javascript
(function executeRule(current, previous /*null when async*/) {
    // User who closed the ServiceNow incident
    var ClosedUser = String(current.closed_by.name);
    // Flatten line breaks and quotes so the description stays a single clean JSON string
    var Description = String(current.short_description).replace(/(\r\n|\n|\r|['"])/gm, ", ");
    // ServiceNow ticket number, used by the listener Logic App to find the Sentinel incident
    var number = String(current.number);

    var request = new sn_ws.RESTMessageV2();
    var requestBody = { "Description": Description, "number": number, "ClosedBy": ClosedUser };
    request.setRequestBody(JSON.stringify(requestBody));
    // Replace with the HTTP POST URL of your own listener Logic App
    request.setEndpoint('https://prod-65.eastus.logic.azure.com:443/workflows/9afa26062b1e4a0180d6ecefd26ab58e/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=gv1HMcDt8DanJmOe3UvG22uyU_nere4rTQF8XnInYog');
    request.setHttpMethod('POST');
    request.setRequestHeader("Accept", "application/json");
    request.setRequestHeader('Content-Type', 'application/json');

    var response = request.execute();
    var responseBody = response.getBody();
    var httpStatus = response.getStatusCode();
    // Log the listener's reply so failed callbacks are visible in the ServiceNow system log
    gs.log('Sentinel listener responded ' + httpStatus + ': ' + responseBody);
})(current, previous);
```
In the above example I only send three properties to Sentinel: Description, number and ClosedBy.
You can modify the business rule JavaScript code and add other properties that add value to your use case.
Once the user closes the incident in ServiceNow, the listener Logic App triggers and closes the incident in Microsoft Sentinel, adding a relevant comment as you can see below:
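The listener side of this flow, written out as an added example that is not part of the original post or of the Logic App: it validates the JSON body the business rule above POSTs, then builds the incident update that closes the Sentinel incident with the fresh ETag from step 3. The Sentinel incident resource shape (etag plus properties.status/classification/classificationComment), the INC-number pattern and the sample payload are assumptions.

```python
import json
import re

# Constructed sample: the body the ServiceNow business rule POSTs to the webhook.
SAMPLE_SNOW_EVENT = json.dumps({
    "Description": "Suspicious sign-in from unfamiliar location",
    "number": "INC0010042",
    "ClosedBy": "Jane Doe",
})

REQUIRED_FIELDS = ("Description", "number", "ClosedBy")


def parse_snow_close_event(raw_body: str) -> dict:
    """Validate the webhook body so a malformed or unexpected POST never closes an incident."""
    try:
        event = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"webhook body is not valid JSON: {exc}") from exc
    if not isinstance(event, dict):
        raise ValueError("webhook body must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS
               if not isinstance(event.get(f), str) or not event[f].strip()]
    if missing:
        raise ValueError(f"missing or empty fields: {missing}")
    # Assumed ServiceNow ticket number format (INC + 7 digits)
    if not re.fullmatch(r"INC\d{7}", event["number"]):
        raise ValueError(f"unexpected ticket number format: {event['number']!r}")
    return {f: event[f].strip() for f in REQUIRED_FIELDS}


def build_sentinel_close_update(incident: dict, event: dict) -> dict:
    """Build the PUT body that closes the incident; requires the fresh etag fetched in step 3."""
    etag = incident.get("etag")
    if not etag:
        raise ValueError("incident has no etag; fetch a fresh copy before updating")
    props = dict(incident.get("properties", {}))  # keep title, severity, etc.
    props.update({
        "status": "Closed",
        "classification": "Undetermined",  # assumption: the SNOW payload carries no closure reason
        "classificationComment": f"Closed in ServiceNow ticket {event['number']} by {event['ClosedBy']}",
    })
    return {"etag": etag, "properties": props}


def build_close_comment(event: dict) -> str:
    """Text for the 'add comment to incident' step (5)."""
    return (f"Incident closed in ServiceNow ({event['number']}) by {event['ClosedBy']}. "
            f"Ticket description: {event['Description']}")
```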
This completes the process of implementing incident sync between Microsoft Sentinel and ServiceNow by leveraging a Logic App and a ServiceNow business rule.
Thanks @Ofer_Shezaf and @karacole for all the help during this blog creation.