May 26 2021 07:01 AM
Hello,
Looking for some pointers on how to sync the incident status from sentinel to servicenow. If the incident is marked as "Closed" in sentinel, I would like to close it on the service now too.
Since the Sentinel triggers are either on Alert creation or Incident creation, neither will fire when an incident is updated. Can you please share some info on how I can accomplish this?
Thanks
Ramesh
May 26 2021 08:27 AM
May 26 2021 10:41 AM
May 26 2021 10:58 AM - edited May 26 2021 11:01 AM
SolutionNo problem
Understood, so i think here is a solution which ynchronize Incident closure from Sentinel to ServiceNow. By implementing it you should be able to close an Incident in AS and have it automatically close in SNow
https://eldar.cloud/2021/04/24/azure-sentinel-incident-sync-with-servicenow/
Jun 01 2021 12:16 PM
Jun 10 2021 06:49 AM
Hi all this is an interesting topic and something I am keen to know more about. So.....
We have a situation whereby we create an incident in ServiceNow (SIR) from an incident in Sentinel. which on a 1 on 1 basis is great. We close the incident in SIR it closes in Sentinel and the main platform which provided the information.
Then scenario 2
Incident is created in SIR. Another Alert is triggered which by example M365D says is linked to this and creates a Multi Stage / Main incident consisting of the initial incident and any that follow.
The problem being we dont want to close the first incident as that is being worked on. But Sentinel closes it (automatically) and states no entities and no alerts attached. As these have been moved to the main incident which is now compiling all the alerts as they flow through.
How do we get it to update the very first incident and not populate a new incident ID. Or even overwrite the initial Incident in SIR with a new name, new information from the now main incident.
hope that makes at least some sense.
Sep 08 2021 10:01 AM
@ibnmbodji It seems the Logic App is no longer available, do you have the updated link? Thank you
Oct 05 2021 12:11 PM
Hello,
I'm trying to connect Logic Apps to ServiceNow and get/post information. Is there a guide that can help me do that?
May 26 2021 10:58 AM - edited May 26 2021 11:01 AM
SolutionNo problem
Understood, so i think here is a solution which ynchronize Incident closure from Sentinel to ServiceNow. By implementing it you should be able to close an Incident in AS and have it automatically close in SNow
https://eldar.cloud/2021/04/24/azure-sentinel-incident-sync-with-servicenow/