Microsoft Sentinel and ServiceNow Bidirectional Sync - Incidents updating after closure

bekfro
Kilo Sage

I have the Microsoft Sentinel Plugin installed for the bi-directional sync of incidents:

bekfro_0-1697553906666.png

We are seeing an issue where Sentinel is updating ServiceNow Incidents after the close. Multiple times. (Like hundreds of times)


We have an Incident state of Resolve; this pauses the SLA for 5 days to allow the customer to reopen the incident.

The state is 6.

I have the ServiceNow State to Sentinels set so resolve = Closed:

bekfro_1-1697554564076.png

And Sentinel State to ServiceNow the same:

bekfro_2-1697554609072.png

However, we are seeing the incident get updated quite frequently:


bekfro_3-1697554744964.png

The state of the Incident is bouncing back and forth between closed and resolved, resolve and closed...

bekfro_4-1697554807500.png


Mary9
Tera Guru

The issue seems to be in the Sentinel State to ServiceNow table. I believe you can only map 1 ServiceNow state to a Sentinel State. See documentation below:


Verify the “Sentinel State to ServiceNow” table mapping

"This table is used to map the Sentinel state/status to the ServiceNow value, when creating or updating Microsoft Sentinel incidents.
Note that Sentinel has probably less states than ServiceNow, so you must select the initial ServiceNow value used by the application."
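
A way to check the two mapping tables discussed in this thread before enabling sync, as an added example that is not part of the original posts or the plugin's own code. The row field names (`snowState`, `sentinelStatus`) and the sample rows are constructed for illustration; 6 = Resolved is taken from the question, and 7 = Closed is assumed as the ServiceNow default.

```javascript
// Constructed sample rows standing in for the plugin's two mapping tables.
const snowToSentinel = [
  { snowState: 1, sentinelStatus: 'New' },
  { snowState: 2, sentinelStatus: 'Active' },
  { snowState: 6, sentinelStatus: 'Closed' }, // Resolved
  { snowState: 7, sentinelStatus: 'Closed' }, // Closed (assumed default value)
];
const sentinelToSnow = [
  { sentinelStatus: 'New', snowState: 1 },
  { sentinelStatus: 'Active', snowState: 2 },
  { sentinelStatus: 'Closed', snowState: 6 },
  { sentinelStatus: 'Closed', snowState: 7 }, // second row for the same Sentinel status
];

// Returns findings for the two mapping tables:
//  - 'ambiguous-inbound': a Sentinel status maps to more than one ServiceNow state
//  - 'no-inbound-row':    a Sentinel status used outbound has no row coming back
//  - 'collapses':         a ServiceNow state returns as a different state after a
//                         round trip (expected when Sentinel has fewer states, but
//                         worth confirming it is the intended initial value)
function lintStateMappings(outboundRows, inboundRows) {
  const findings = [];
  const inbound = new Map();
  for (const row of inboundRows) {
    if (!inbound.has(row.sentinelStatus)) inbound.set(row.sentinelStatus, new Set());
    inbound.get(row.sentinelStatus).add(row.snowState);
  }
  for (const [sentinelStatus, states] of inbound) {
    if (states.size > 1) {
      findings.push({ type: 'ambiguous-inbound', sentinelStatus, snowStates: [...states] });
    }
  }
  for (const { snowState, sentinelStatus } of outboundRows) {
    const back = inbound.get(sentinelStatus);
    if (!back) {
      findings.push({ type: 'no-inbound-row', snowState, sentinelStatus });
    } else if (back.size === 1 && !back.has(snowState)) {
      findings.push({ type: 'collapses', snowState, sentinelStatus, returnsAs: [...back][0] });
    }
  }
  return findings;
}

console.log(lintStateMappings(snowToSentinel, sentinelToSnow));
```
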