
Azure Sentinel Incident Bi-directional sync with ServiceNow

By Azure Sentinel News Editor, November 26, 2020, in SIEM

One of the main SIEM use cases is incident management. Azure Sentinel offers robust features that help the analyst to manage the life cycle of security incidents, including:

  • Alert grouping and fusion​
  • Incident triaging and management​
  • An interactive investigation experience​
  • Orchestration and response using Logic Apps

In some cases, customers maintain incidents in their IT Service Management (ITSM) system and remediate security incidents across the organization from there. For these organizations there is often a need for a bi-directional sync between Azure Sentinel incidents and the ITSM tool: a security incident created in Azure Sentinel is also created in the ITSM system, and if the ticket is closed in the ITSM system, the incident is closed in Azure Sentinel.

In this article, I demonstrate how to use Azure Sentinel Security Orchestration, Automation and Response (SOAR) capability and ServiceNow’s (SNOW) Business Rules feature to implement this bi-directional incident sync between the two systems.

High-level flow of the solution

Send an Azure Sentinel incident into ServiceNow incident queue

The playbook (linked in the original post) works as follows:

  1. Triggers automatically when a new alert is created.
  2. Gets the relevant properties from the incident.
  3. Populates the workspace name variable.
  4. Creates an incident record in ServiceNow and populates it with the Azure Sentinel incident properties using the following mapping:

ServiceNow field      Sentinel property
Number                Incident Unique ID
Short Description     Description
Severity              Severity
Additional comment    Incident Deep link

Deploying the solution

  1. Deploy the Logic App described above.
  2. Attach this Logic App to every analytics rule that you want to sync to ServiceNow by selecting it in the rule's automated response section. (Currently you need to repeat this for each analytics rule that you want to sync.)

Once an analytics rule generates a new incident, a matching incident appears on the ServiceNow incident page.

Close the Sentinel incident when it is closed in ServiceNow

Closing the incident in Azure Sentinel when it is closed in ServiceNow requires two components:

  1. A Business Rule in ServiceNow that runs custom JavaScript code when the incident is closed.
  2. A Logic App in Azure Sentinel that waits for the Business Rule's POST request.

Step 1: Deploy the Logic App on Azure Sentinel

The playbook (linked in the original post) works as follows; the numbers in parentheses refer to the steps of the Logic App as they are configured in Step 2:

  1. Triggers when an HTTP POST request hits the endpoint (1).
  2. Gets the relevant properties from the ServiceNow incident.
  3. Closes the incident in Azure Sentinel (4).
  4. Adds a comment with the name of the user who closed the ticket to the Azure Sentinel incident (5).

Step 2: Configure the Logic App

  1. Copy the HTTP endpoint URL from the Logic App trigger.
  2. In "run query and list results" (2), authenticate with a user that has Log Analytics read permission or the Azure Sentinel Reader role as a minimum requirement.
  3. In "get incident – bring fresh ETAG" (3), authenticate to the AAD app with a user that has the Azure Sentinel Reader role, or with a managed identity with the same permission.
  4. On the close incident step (4), use a user that has the Azure Sentinel Responder role as the identity for
  5. On "add comment to incident" (5), use a user that has the Azure Sentinel Contributor role.

Step 3: ServiceNow Business Rule

What is a Business Rule?

Per ServiceNow documentation, a business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried.

To create the business rule:

  1. Log in to your ServiceNow instance.
  2. In the left navigation, type "business rules" and press New to create a new business rule. (For business rule types and scopes, refer to the ServiceNow documentation.)
  3. Give the business rule a name, select Incident as the table, and check the Active and Advanced checkboxes.
  4. On the "When to run" tab, configure the controls so the rule runs when an incident is closed (the original post shows this in a screenshot).
  5. On the Advanced tab, paste the script below.

In line 8 of the script, replace the URL with the endpoint URL copied from the listener Logic App trigger in Step 2; this is the endpoint the business rule will call.

(function executeRule(current, previous /*null when async*/) {
var ClosedUser = String(current.closed_by.name); // user who closed the ticket in ServiceNow
var Description = String(current.short_description).replace(/(\r\n|\n|\r|['"])/gm, ", "); // flatten newlines and quotes
var number = String(current.number); // the Sentinel incident unique ID stored as the ticket number on creation
var request = new sn_ws.RESTMessageV2();
var requestBody = {"Description": Description, "number": number, "ClosedBy": ClosedUser};
request.setRequestBody(JSON.stringify(requestBody));
request.setEndpoint('https://prod-65.eastus.logic.azure.com:443/workflows/9afa26062b1e4a0180d6ecefd26ab58e/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=gv1HMcDt8DanJmOe3UvG22uyU_nere4rTQF8XnInYog'); // line 8: replace with your listener Logic App URL
request.setHttpMethod('POST');
request.setRequestHeader("Accept", "application/json");
request.setRequestHeader('Content-Type', 'application/json');
var response = request.execute();
var responseBody = response.getBody();
var httpStatus = response.getStatusCode();
// The Logic App trigger usually answers 202 with an empty body, so do not JSON.parse it blindly;
// log the status so a failed sync is visible in the ServiceNow system log.
if (httpStatus < 200 || httpStatus >= 300) {
    gs.error('Azure Sentinel sync failed for ' + number + ': HTTP ' + httpStatus + ' ' + responseBody);
} else {
    gs.info('Azure Sentinel sync sent for ' + number + ': HTTP ' + httpStatus);
}
})(current, previous);

In the above example I send only three properties to Sentinel:

  • ClosedBy – the user name that closed the incident in ServiceNow
  • Description – the incident description
  • Number – the incident ID, originally received from Azure Sentinel

You can modify the business rule JavaScript code and add other properties that add value to your use case.
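The two transformations this article describes, the Sentinel-to-ServiceNow field mapping from the table above and the ServiceNow-to-Sentinel close request that the listener Logic App performs, are shown below as an added example in plain JavaScript; it is not code from the original post or from the playbooks it links. The ServiceNow field names (number, short_description, severity on a 1–3 scale, comments), the severity translation, and the shape of the Sentinel incident update body (etag plus properties.status and properties.classification) are assumptions, not details the post states. The validation step is the point of the example: the listener URL is a shared-signature endpoint, so a Logic App should check the inbound payload before it closes anything.

```javascript
// Added example, not code from the original post or from the linked playbooks.
// It models the two transformations the sync performs as testable functions:
//   1. Sentinel incident -> ServiceNow incident record (the mapping table above)
//   2. ServiceNow close webhook -> validated Sentinel close request
// Assumptions (not stated in the post): ServiceNow field names number,
// short_description, severity (1-3) and comments; the Sentinel incident
// update body shape {etag, properties: {status, classification, ...}}.

// Assumed translation from Sentinel severity names to ServiceNow's 1-3 scale.
const SEVERITY_TO_SNOW = { High: 1, Medium: 2, Low: 3, Informational: 3 };

// Same normalisation the business rule applies to short_description:
// newlines and quote characters become ", " so the text survives JSON embedding.
function sanitizeText(text) {
  return String(text == null ? '' : text).replace(/(\r\n|\n|\r|['"])/gm, ', ');
}

// Direction 1: build the ServiceNow record from a Sentinel incident.
function sentinelToServiceNow(incident) {
  const severity = SEVERITY_TO_SNOW[incident.severity];
  if (severity === undefined) {
    throw new Error('unknown Sentinel severity: ' + incident.severity);
  }
  return {
    number: incident.incidentId,                              // Number <- Incident Unique ID
    short_description: sanitizeText(incident.description),    // Short Description <- Description
    severity,                                                 // Severity <- Severity
    comments: 'Azure Sentinel incident: ' + incident.incidentUrl, // Additional comment <- deep link
  };
}

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Direction 2a: check the body the business rule POSTs. The listener URL is a
// shared-signature endpoint, so the Logic App should verify the payload before
// closing anything; this returns a list of problems (empty means acceptable).
function validateClosePayload(body) {
  if (typeof body !== 'object' || body === null) return ['body is not a JSON object'];
  const errors = [];
  if (typeof body.number !== 'string' || !GUID_RE.test(body.number)) {
    errors.push('number is not a Sentinel incident GUID');
  }
  if (typeof body.ClosedBy !== 'string' || body.ClosedBy.trim() === '') {
    errors.push('ClosedBy is empty');
  }
  if (typeof body.Description !== 'string' || body.Description.length > 4000) {
    errors.push('Description is missing or too long');
  }
  return errors;
}

// Direction 2b: the update body for the Sentinel incident. `etag` is the value
// fetched by the "bring fresh ETAG" step; `existing` carries the title and
// severity already on the incident, which the update keeps unchanged.
function buildSentinelCloseBody(payload, etag, existing) {
  const errors = validateClosePayload(payload);
  if (errors.length > 0) {
    throw new Error('rejected ServiceNow payload: ' + errors.join('; '));
  }
  return {
    etag,
    properties: {
      title: existing.title,
      severity: existing.severity,
      status: 'Closed',
      classification: 'Undetermined', // ServiceNow sends no verdict, so leave it undetermined
      classificationComment: 'Closed in ServiceNow by ' + payload.ClosedBy,
    },
  };
}

// The comment the listener adds to the Sentinel incident (step 5 of the playbook).
function buildCloseComment(payload) {
  return 'Incident closed in ServiceNow by ' + payload.ClosedBy + ' (' + payload.Description + ')';
}

// Constructed sample data (not real incidents) to exercise both directions.
const sampleIncident = {
  incidentId: '3fa85f64-5717-4562-b3fc-2c963f66afa6',
  description: 'Suspicious sign-in\nfrom "unknown" device',
  severity: 'High',
  incidentUrl: 'https://portal.azure.com/#example-deep-link',
};
const sampleWebhook = {
  Description: 'Suspicious sign-in, from , unknown,  device',
  number: '3fa85f64-5717-4562-b3fc-2c963f66afa6',
  ClosedBy: 'Jane Analyst',
};

console.log(JSON.stringify(sentinelToServiceNow(sampleIncident), null, 2));
console.log(JSON.stringify(buildSentinelCloseBody(sampleWebhook, 'W/"example-etag"',
  { title: 'Suspicious sign-in', severity: 'High' }), null, 2));
console.log(buildCloseComment(sampleWebhook));
```

Running it with Node prints the ServiceNow record, the Sentinel close body and the comment text. In a real deployment the validation would sit in the listener Logic App (a Condition action after the HTTP trigger) rather than in a script, but the checks are the same: the number must be a Sentinel incident GUID that the playbook itself wrote into ServiceNow, and ClosedBy must be present before the Responder identity closes anything.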

Summary

Once a user closes the incident in ServiceNow, the listener Logic App triggers and closes the incident in Azure Sentinel, adding a comment that records who closed it in ServiceNow (the original post shows the resulting incident in a screenshot).

This completes the process of implementing incident sync between Azure Sentinel and ServiceNow by leveraging a Logic App and a ServiceNow business rule.

Thanks @Ofer_Shezaf and @Kara Cole for all the help during this blog creation.

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-incident-bi-directional-sync-with-servicenow/ba-p/1667771

Copyright © 2020 - Azure Sentinel News
