One of the main SIEM use cases is incident management. Microsoft Sentinel offers robust features that help the analyst manage the life cycle of security incidents, including:
- An interactive investigation experience.
- Orchestration and response using Logic Apps.

In some cases, customers maintain incidents in their IT Service Management (ITSM) systems for remediating security incidents across the organization. For organizations using ITSM systems, there is often a need for a bi-directional sync of Microsoft Sentinel incidents to their ITSM tool. When this integration is in place, a security incident created in Microsoft Sentinel is also created in the ITSM system, and if that ticket is closed in the ITSM system, it is closed in Microsoft Sentinel as well.

In this article, I demonstrate how to use the Microsoft Sentinel Security Orchestration, Automation and Response (SOAR) capability and ServiceNow's (SNOW) Business Rules feature to implement this bi-directional incident sync between the two systems.

Send a Microsoft Sentinel incident into the ServiceNow incident queue

The playbook, available here and presented below, works as follows:
- Gets the relevant properties from the incident.
- Creates a record of type incident in ServiceNow and populates the Microsoft Sentinel incident properties into the SNOW incident record using the following mapping:
- Attach this Logic App to every analytics rule that you want to sync to ServiceNow by selecting it in the automated response section (currently you need to run this process for each analytics rule that you want to sync).

Once an analytics rule generates a new incident, a new incident pops up on the ServiceNow incident page.

Close the Microsoft Sentinel incident when it is closed in ServiceNow

Closing the incident in Microsoft Sentinel when it is closed in ServiceNow requires two components:
- A Business Rule in ServiceNow that runs custom JS code when the incident is closed.
- A Logic App in Microsoft Sentinel that waits for the Business Rule's POST request.

Step 1: Deploy the Logic App on Microsoft Sentinel. It:
- Triggers when an HTTP POST request hits the endpoint (1).
- Gets the relevant properties from the ServiceNow incident.
- Closes the incident in Microsoft Sentinel (4).
- Adds a comment with the name of the user who closed the ticket to the Microsoft Sentinel incident (5).

Step 2: Copy the HTTP endpoint URL from the Logic App trigger.

Step 3: In "run query and list results" (2), authenticate with a user that has the Log Analytics read permission or the Microsoft Sentinel Reader role as a minimum requirement.
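The receiving side of the close sync, as an added example that is not the playbook from this article: it models what the Logic App does with the Business Rule's POST, rejecting anything that is not an actual closure, mapping the ServiceNow close code to a Sentinel classification, and building the incident-update and comment bodies. The inbound field names (incident_number, sentinel_incident_id, state, close_code, close_notes, closed_by) and the close-code mapping are assumptions; the output property names follow the Microsoft.SecurityInsights incident and comment resource schemas.

```python
import json

SNOW_STATE_CLOSED = "7"  # ServiceNow incident.state value for "Closed"

# Assumed mapping: ServiceNow close_code -> Sentinel (classification, classificationReason)
CLOSE_CODE_MAP = {
    "Solved (Permanently)": ("TruePositive", "SuspiciousActivity"),
    "Solved (Work Around)": ("TruePositive", "SuspiciousActivity"),
    "Not Solved (Not Reproducible)": ("Undetermined", None),
    "Closed/Resolved by Caller": ("BenignPositive", "SuspiciousButExpected"),
}
REQUIRED = ("incident_number", "sentinel_incident_id", "state", "closed_by")


def parse_close_event(raw: str) -> dict:
    """Validate the Business Rule POST body; only a Closed state may close Sentinel."""
    body = json.loads(raw)
    missing = [k for k in REQUIRED if not body.get(k)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if str(body["state"]) != SNOW_STATE_CLOSED:
        raise ValueError(f"{body['incident_number']} is not closed (state {body['state']})")
    return body


def build_incident_update(event: dict) -> dict:
    """Fields the Logic App's update step sets on the Sentinel incident (step 4)."""
    classification, reason = CLOSE_CODE_MAP.get(
        event.get("close_code", ""), ("Undetermined", None))
    props = {
        "status": "Closed",
        "classification": classification,
        "classificationComment": f"Closed in ServiceNow {event['incident_number']}",
    }
    if reason:  # Undetermined takes no classificationReason
        props["classificationReason"] = reason
    return {"properties": props}


def build_comment(event: dict) -> dict:
    """Comment recording who closed the ticket in ServiceNow (step 5)."""
    text = f"Closed in ServiceNow by {event['closed_by']}. {event.get('close_notes', '')}"
    return {"properties": {"message": text.strip()}}


# Constructed sample of a Business Rule POST (not real data)
SAMPLE_POST = json.dumps({
    "incident_number": "INC0010042", "sentinel_incident_id": "<sentinel-incident-guid>",
    "state": "7", "close_code": "Solved (Permanently)",
    "close_notes": "Sender domain blocked at the gateway.", "closed_by": "jdoe",
})
```

In the real playbook the Sentinel incident id comes from the lookup in step (2) rather than from the POST body, so the Logic App never closes an incident the caller merely names.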