Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Updating records from SNOW to Sentinel

Brass Contributor

Hello Experts,

 

 I was just wondering if there is a way to get the records from SNOW to update in Sentinel.

For eg : Now that every time an alert is triggered in Sentinel, a ticket is created in SNOW, however when the alert is resolved  the same is not replicated. Is there a way to achieve this that when a ticket is resolved in SNOW, Sentinel incident status will change to Closed/Resolved.

 

Also when MCAS is forwarding the alerts to Sentinel, will the resolution of the alert be updated in MCAS as well when it has been resolved in Sentinel?

 

Thanks a lot in advance for all your help.

 

3 Replies

@Pranesh1060 There is not a trigger that gets fired when an Incident is updated.  There is not currently an automated way to have an Azure Sentinel Incident updated when a MCAS alert is resolved (I did not find a MCAS connector in Logic Apps to write one either).

 

You may be able  to use the Security Graph to do this as listed in this article: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Ingesting-Office-365-Alerts-with-Graph-Securit...

 

You can add the idea to Azure Sentinel Feedback: https://feedback.azure.com/forums/920458-azure-sentinel

@Gary Bushey- We have the same problem. I was able to create a logic app that automatically creates Service Now tickets when alerts are fired, but had to do it via Microsoft Graph. There is no trigger in Logic apps for example when an incident is created in Azure Sentinel. Plus, if you create alert rules in Sentinel for Microsoft security services (Azure ATP, MCAS, WDATP,etc.) there is no functionality at the moment to attach a playbook to that rule.

Basically, what I'm trying to achieve via a logic app is the following:

- create an incident in SNOW when a new incident is created in Azure Sentinel

- close the incident in snow when the status of the Azure Sentinel incident is changed to Closed

- close the corresponding alert in MCAS, Azure ATP, WDATP, etc. when the Azure Sentinel incident is closed.

I managed to get this to work through a logic app but via the Microsoft Graph API (getting the alerts from Microsoft Graph Security), but I would rather do it via Azure Sentinel, so to have a unified single point of management for all Microsoft security tools and also integrate it via a logic app with the ITSM tool (Service Now).

If anyone has any ideas on how to achieve this it would be great.

 

@Cristian Calinescu 

I am trying to do similar setup. I am setting up MCAS and other Azure security product`s alert monitoring in Sentinel. I would like to implement something like this where if an alert is closed in Sentinel, it gets automatically closed on respective tool (or multiple tools) as well. 

Can you please elaborate how did you manage to do it?