on 06-17-2021 11:26 PM
Microsoft Azure Sentinel and Security Incident Response integration is now available on store!
The much-awaited Microsoft Azure Sentinel and Security Incident Response integration is live on ServiceNow store!
Summary of the integration
The Microsoft Azure Sentinel Incident Ingestion Integration for Security Operations lets you discover Microsoft Azure Sentinel incidents that are candidates for security incidents, automate the creation of those security incidents, and enable automated response actions.
Overview
Key features
This integration includes the following key features:
- Discover Microsoft Azure Sentinel incidents that are candidates for security incidents and automate the creation of security incidents.
- Mapping of Microsoft Azure Sentinel incident and entity fields to SIR security incident fields.
- Filtering of Microsoft Azure Sentinel incidents.
- Aggregation of similar incidents to existing open security incidents so that you don't have to create duplicate security incidents.
- Automatic Microsoft Azure Sentinel incident status update for SIR security incident creation and closure.
- Scheduled ingestion of incidents that create security incidents periodically.
- Synchronisation of Microsoft Azure Sentinel incident comments with SIR Work notes.
Supported Platform versions: Quebec and Paris
Link to the app on the store: https://store.servicenow.com/sn_appstore_store.do#!/store/application/2e79ad6cfe4220103a962200674b7b...
Link to product documentation:
High level demo of the integration:
https://www.youtube.com/watch?v=LEWqi98fv3o
Comparing Microsoft Azure Sentinel and Microsoft Graph Security API integrations with SIR
You can view the differences between the Microsoft Azure Sentinel and Microsoft Graph Security API integrations and choose the right integration for your Now Platform instance.
Microsoft Azure Sentinel Incident Ingestion integration overview
Microsoft Azure Sentinel is a cloud-based security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.
The Microsoft Azure Sentinel Incident Ingestion integration allows you to automatically fetch incidents from Azure Sentinel, convert them into security incidents, and enable automated response actions.
Microsoft Graph Security API integration overview
The Microsoft Graph Security API is an intermediary service (or broker) that provides a single programmatic interface for connecting multiple security providers (Native to Microsoft as well as ServiceNow Partners).
The Microsoft Graph Security API integration uses the Microsoft Graph Security API to connect with different Microsoft security technologies such as Azure Sentinel, Microsoft Defender Advanced Threat Protection, and Azure Advanced Threat Protection.
Alerts from Microsoft Security providers are ingested, and security incidents are automatically created in Security Incident Response.
Comparison between Microsoft Azure Sentinel and Microsoft Graph Security API integrations

| Microsoft Azure Sentinel integration | Microsoft Graph Security API integration |
|---|---|
| Ingests Microsoft Azure Sentinel incidents along with entity information (when available) and automates security incident creation in SIR. | Ingests alerts from multiple security providers (including Azure Sentinel) in a standard schema and automates security incident creation in SIR. |
| Supports bi-directional updates, which include incident closure, incident status change (New), and synchronising comments. | Supports alert updates (alert status change and alert closure) for selected security providers. Note: for more information on the security providers supported by the Microsoft Graph Security API, see the Microsoft documentation. |
| Use this integration if your scenario includes the following conditions: | Use this integration if your scenario includes the following conditions: |
| Alert is an entity in Microsoft Azure Sentinel. You cannot retrieve standalone or specific alerts using the Microsoft Azure Sentinel Management API; you can only retrieve the alert data associated with an incident. | The Microsoft Azure Sentinel normalised alert data is available. The Microsoft Azure Sentinel alert fields that are mapped internally in the Microsoft Graph Security API, and are available in the Microsoft Graph Security API, are available for use in this integration. |
| You cannot update alerts in Microsoft Azure Sentinel using this integration. | You cannot update alerts in Microsoft Azure Sentinel using this integration. |
@Hareesh Namavar "Supports bi-directional updates which include incident closure, incident status change (New), and synchronising comments." Is it really bi-directional, as we can't find any option to auto-close incidents in SN if they are closed in Sentinel?
Hi,
The integration is bi-directional with respect to the use cases that it was built for.
@Hareesh Namavar Ok, second question: when we ingest incidents from Sentinel, I can't find any option to get all work notes on security incident creation in SIR (from Sentinel). Sync is working, but only after creation of the ServiceNow incident. Is there any option to pull work notes from Sentinel that were created before creation of the SIR incident?
The August store release update of the integration will provide you with the ability to map the Azure Sentinel incident "Comments" entity and its associated fields to SIR fields. Your use case can be accomplished with this update!
Hi, I am not able to find the subscription information. What customer should be subscribed to use the application?
@pratiksha5 Could you clarify what you mean by subscription information? To be able to use the integration, you will need the Security Incident Response application which requires a license/subscription. I believe this Sentinel integration is free to install and use. During the Sentinel integration set up process, a "subscription ID" is required from your Registered Azure app for ServiceNow.
Hello,
I'm new to this module and process. I just wanted to know a few things; if anybody can answer these, that would be a great help.
- How can I migrate the existing playbooks present in Sentinel to my ServiceNow SIR? Do I need to do this, or should I follow the existing playbooks provided by ServiceNow?
- How does orchestration come into the picture here? Let's say for a security incident of category phishing email, in the eradication phase I want to find and delete the emails from the user mailbox. I see there is a button for search and delete, but how does this work in the backend?
- For a use case where I want to block an IP, quarantine an email or deactivate a user account, how can these be achieved? Should I include these capabilities in my playbook, or is there another way to do it? What is the best practice, or how is this generally done?
- What is the difference between these two modules, Capabilities (Flow) and Capabilities?
Thanks,
Sourin
Hi @Hareesh Namavar ,
Hope you are doing well.
Need some information on the below questions:
- We have mapped the Account entity to the affected user from Sentinel, but a Sentinel incident can have multiple account entities associated with it; in this scenario the affected user is not getting populated with either of them. We have checked the checkbox for updates in the Sentinel profile for affected user so that any additional affected users can be added in the related list of users in the security incident, but it is not working as expected.
- For the same affected user, when an incident is created in Sentinel it does not have an account entity and it was created in ServiceNow without an affected user, but later an account entity was added to the Sentinel incident and it is not reflected in the affected user field in SIR in ServiceNow.
Thanks in advance.
Regards,
Vamshi