Oct 09 2020 07:18 AM
Is it possible to generate SNOW tickets to the "Events" table as opposed to the "Incidents" table using the built-in Logic App connector?
Oct 09 2020 09:05 AM
Oct 12 2020 06:10 AM
@Andrew Blumhardt I was using the playbook from the repo as a template. This question is more of a question on the SNOW side than Sentinel.
The way our SNOW works is that when a "ticket" comes in it starts in the Event table so that it can begin automated correlation then moves to the Alert table and then to the incident table.
I saw the Event table in the SNOW connector parameters; however, there were issues with the playbook failing to run. But when I changed it to send to the Incidents table, it worked without issue.
Oct 12 2020 06:21 AM
@leo_szalk The only Event table in Azure Sentinel holds the Windows Events that you get from using the Microsoft Monitoring Agent. Not sure what the SNOW connector is referring to.
Oct 12 2020 06:28 AM
@Gary Bushey Let me kind of rephrase this.
So in the SNOW connector, specifically Create Record, I'm referring to the Record Type field. In it, there's an Events record type that I need to have the Sentinel incidents go to due to how we have SNOW configured. However, I've been running into issues having the Logic App send details to that specific record type.
Reading through the documentation and some of the blogs, others have it set up to send to the SNOW Incidents record type. When I tried sending the Sentinel incident details to that record type, it worked. So my question is: is it possible to send it to the Events record type? We have a lot of automation and correlation rules set up in SNOW on the Events record type, so it would need to send the details there as opposed to the Incident record type.
Hopefully that makes sense!
Oct 12 2020 09:08 AM
@leo_szalk OK. I got it now. Sorry, but I do not have enough Service Now knowledge to be able to assist you further.
Oct 13 2020 09:23 AM