This post presents a shared effort which includes @SebastianMolendijk , @Ely_Abramovitch, @Lior Tamir.
Case Management is an important activity for any SOC team. Seamless integration of SIEM and ITSM applications enables easier case management. We are announcing public preview of our new integration between Microsoft Sentinel and ServiceNow, which provides bi-directional sync between both products. This integration available as a Microsoft Sentinel solution for ServiceNow in content hub enables analysts and SOC managers to utilize both tools as part of their incident handling workflows while maintaining bi-directional sync between the products.
Microsoft Sentinel has incident management capabilities with advanced investigational features to enable SOC workflows. There are companies today that currently rely on ServiceNow as part of their security incidents handling and reporting workflows. These companies utilize ServiceNow to better connect to the wider organization, for assignment to professionals outside of the SOC for remediation flows and for supplement capabilities such as custom reporting. We are continuously working on improving the analysts E2E experience by seamlessly integrating with the non-Microsoft solutions used by the SOC team.
The Microsoft Sentinel solution for ServiceNow runs on the Now platform as an app, and only requires access to the Microsoft Sentinel Management API to synchronize incidents. This solution can be accessed from Microsoft Sentinel content hub as illustrated below, Azure Marketplace and ServiceNow store.
In this blog post, we’ll guide you through its key features, and provide the link to the installation and configuration documentation.
Note: - Traditional Azure Logic app integration or the existing solution does not cleanly support bi-directional synchronization.
This solution is a ServiceNow application and fully relies on the Microsoft Sentinel Management API to provide bi-directional sync between both platforms.
To provide access to Sentinel, create a Service Principal in Azure Active Directory and assign the required "Azure Sentinel Responder” permissions.
For more details, please refer this link
This completes the Azure configuration part.
To identify the incidents created from Microsoft Sentinel incidents, create a user. This user will be used as the “caller_id” property, when creating new records.
2. Click on the” New” button
3. Provide the required details, select "Web service access only" select and click on “Submit”
This will create the user needed, once the needed prerequisites are taken care of the installation steps can be started.
The application is now installed.
Once the application is installed it needs to be configured with the details to connect to the Microsoft Sentinel Management API.
All configuration steps are accessible through the Microsoft Sentinel menu.
The “Workspaces Configuration” section table contains the Microsoft Sentinel workspaces configuration.
Find in this section a default workspace to configure or create new configurations to access multiple workspaces.
Open the current row to edit its configuration. This will need the workspace name, its subscription and resource group.
In addition to the workspace values (available in Microsoft Sentinel), provide the Caller ID “sys_id” value created before in ServiceNow, review the OAuth Provider (configured at next step) and click on the Update button. The incidents synchronization will not start until workspace is enabled:
Note: In addition to the workspace configuration, there are the following properties:
NOTE: This value is case sensitive!
This table is used to map the Sentinel severity to the ServiceNow value, when creating or updating AzureSentinel incidents.
Note that in this case, because Sentinel has four different severities values, while we have only three in ServiceNow, both “Informational” and “Low” have been assigned the value 3:
The environment's values can be viewed using the following technique
This table is used to map the Sentinel state/status to the ServiceNow value, when creating or updating Microsoft Sentinel incidents.
Note that Sentinel has probably less states than ServiceNow, so select the initial ServiceNow value used by the application.
View the environment's values using the following technique:
This table is used to map the ServiceNow severity to the Microsoft Sentinel value, when updating ServiceNow incidents and synchronizing the changes to Microsoft Sentinel.
Review the values to validate that they map to the environment's configuration.
In addition to the configuration stored in the tables, the app keeps some information in system properties.
Review the default values and change it to match your environment.
The available properties are:
This table is used to map Sentinel and ServiceNow closure codes and should match the closure codes used when closing incidents.
To verify the values, open the "Closure code" section in the Microsoft Sentinel menu.
Update the provided values with needed environment ones (the label column is used to describe the value, while the ServiceNowCode column is used to match the system resolution code). Find the closure code by looking at the "Resolution code" values in incidents:
IMPORTANT: in this table, the last column, “SourceIsSentinel” contains Boolean values to define which values should be used in ServiceNow when a close status has been set in Sentinel incidents.
There should be only one “true” row per Sentinel possible status:
This table allows custom mapping between the owner's username (userprincipal property) in Azure AD and Microsoft Sentinel, and ServiceNow incidents. To create such mapping, follow the steps below:
If another incident table is configured to store Sentinel incidents, the changes must reflect to the two business rules being triggered by changes. Additional filters can be added if needed if needed.
If running versions older than Rome, verify that the "When to run" value is using async and not async_alway:
If running versions older than
The application uses the following business rules:
Try out this Microsoft Sentinel solution for ServiceNow and share your feedback via any of the channels listed in the resources.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.