Bi-directional incidents sync between Microsoft Sentinel and ServiceNow

bekfro
Kilo Sage

I have installed the Microsoft Sentinel Bi-directional incidents sync between Microsoft Sentinel and ServiceNow.

A few things I'm having an issue with.

  • Comments from Sentinel are not displaying in ServiceNow (however, ServiceNow work notes are appearing in Sentinel). I see a business rule with custom mappings; do we need to set comments up in this business rule?
  • We have the default Incident filter set so that the tag "snow" will filter in Incidents. Not all Sentinel Incidents with this tag are coming into ServiceNow.

    (screenshot)

    Here's an example that didn't filter into ServiceNow:

    (screenshot)

    Here's one that did:

    (screenshot)

    Any help would be greatly appreciated.
1 ACCEPTED SOLUTION

Prabu Velayutha
Mega Sage

@bekfro

The application uses the following business rules:

If my response helps to solve your issue kindly mark it as helpful & correct.


Devi
Tera Contributor

We have to map assignment group and category as static values, and we updated the same in the Custom Mapping business rule, but still the assignment group and category fields are populating as blank. Can you please suggest what changes we have to do?

@Devi What have you set on the When to run tab, before or after? Do you have any specific conditions to meet for the BR to trigger? Can you share the BR screenshot and also the script, if any, used to set the assignment group and category field values?

Devi
Tera Contributor

I have created a new business rule in the Sentinel Application and the table name is incident. Below is the screenshot of my business rule. In the When to run condition, if I change to before or after, the business rule is getting triggered but the caller id and sentinel correlation id are empty. If I change to async then it works fine, but the SLA behaves differently: first it is assigned to Service Desk, then through the script the incident assignment group is updated to SOC, but the SOC SLA is paused and the SD SLA shows as in progress.

(screenshot of the business rule)

Hi @Devi 

Never use the current.update() function; it has a significant impact on performance and causes malfunctions. Refer to the KB below: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0715782#:~:text=The%20current....

You can create a Script Include and call that function to update the required attributes.

Or try this instead:

var gr = new GlideRecord('incident');
gr.addQuery('number', current.number);
gr.query();
if (gr.next()) {
    // Set the assignment group to the group's sys_id (field name first, value second)
    gr.setValue('assignment_group', 'sysidvalue');
    // include the remaining attributes you require in the same way
    gr.update();
}

If my response helps to solve your issue, kindly mark it as helpful & correct. It will be helpful for future readers!
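An added example of the Script Include approach described above (it is not code from this thread or from the Sentinel application): a helper that applies static assignment group and category values through getValue/setValue only, so it can be used on `current` in a before rule without calling current.update(), or on a queried GlideRecord in an async rule. The class name SentinelStaticMapper, the mapping table, the sys_id placeholder and the in-memory demo record are assumptions.

```javascript
// Script Include-style helper (assumed name). Uses only getValue/setValue, which
// GlideRecord provides, so the same code serves a before rule (operate on current,
// no update() needed) and an async rule (query, apply, then one gr.update()).
var SentinelStaticMapper = function () {
  // Static values to force; replace the placeholder with the real group sys_id.
  this.mapping = {
    assignment_group: 'SOC_GROUP_SYS_ID_PLACEHOLDER',
    category: 'security'
  };
};

SentinelStaticMapper.prototype = {
  // Applies the mapping and returns the fields that actually changed. Fields that
  // already hold the mapped value are skipped, so an async rule's gr.update() is
  // not fired for a no-op change (which would re-trigger rules and notifications).
  apply: function (rec) {
    var changed = [];
    for (var field in this.mapping) {
      if (!this.mapping.hasOwnProperty(field)) { continue; }
      var wanted = this.mapping[field];
      if (String(rec.getValue(field) || '') !== wanted) {
        rec.setValue(field, wanted);
        changed.push(field);
      }
    }
    return changed;
  },
  // Async/after-rule variant: look the incident up by number and persist only
  // when something changed. GlideRecord exists only on the ServiceNow platform.
  applyByNumber: function (number) {
    var gr = new GlideRecord('incident');
    gr.addQuery('number', number);
    gr.query();
    if (!gr.next()) { return []; }
    var changed = this.apply(gr);
    if (changed.length > 0) { gr.update(); }
    return changed;
  },
  type: 'SentinelStaticMapper'
};

// Constructed in-memory record (assumption, for running offline) that mimics the
// getValue/setValue surface of GlideRecord; category already matches the mapping.
function demoRecord() {
  var fields = { assignment_group: 'SERVICE_DESK_SYS_ID', category: 'security' };
  return {
    getValue: function (k) { return fields[k]; },
    setValue: function (k, v) { fields[k] = v; }
  };
}
// In a before business rule on incident the call is: new SentinelStaticMapper().apply(current);
```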

iDNS
Tera Expert

We have set up the integration and also see updates going to Sentinel with incident numbers, but we are unable to view any of those incidents in ServiceNow. We have added all relevant access (sn_si.admin) but still nothing. Incident Metadata has the Incident ID, which is the sys_id, but we cannot locate it. Any help please?