Azure Sentinel Integration - Configuration Item (CI) mapping

Michele Veroni · ‎10-16-2024

Hello!

Scenario: We have already implemented the SecOps integration with Sentinel and our current CMDB uses both IP or hostname as identifier

Question 1: What is the best "Azure Sentinel Source Fields" to map to the "ServiceNow Configuration Item" field? Like:

Host: properties(friendlyName)
Ip: properties(friendlyName)

Question 2: What is the matching logic behind this configuration?

Thanks

Martin Dewit · ‎10-16-2024

Hi Michele,

1. I currently use the ${Host: properties(hostName)}$ field to match to a hostname in the CMDB. It seems to work just fine.

2. The Configuration Item field in the profile mapping uses the default OOB field translation script which calls several different SecOps related CI lookup scripts that you can look at if you'd like. You can find that script by navigating to Microsoft Azure Sentinel Integration > Azure Sentinel Field Translation [sn_sec_sentinel_field_translation]. You can also view it by clicking the f(x) button next to the entry field on the field mapping section for Configuration Item.

References: https://docs.servicenow.com/csh?topicname=map-azure-sentinel-incident-fields.html&version=latest

View solution in original post

Martin Dewit · ‎10-16-2024

Hi Michele,

1. I currently use the ${Host: properties(hostName)}$ field to match to a hostname in the CMDB. It seems to work just fine.

2. The Configuration Item field in the profile mapping uses the default OOB field translation script which calls several different SecOps related CI lookup scripts that you can look at if you'd like. You can find that script by navigating to Microsoft Azure Sentinel Integration > Azure Sentinel Field Translation [sn_sec_sentinel_field_translation]. You can also view it by clicking the f(x) button next to the entry field on the field mapping section for Configuration Item.

References: https://docs.servicenow.com/csh?topicname=map-azure-sentinel-incident-fields.html&version=latest

prit123 · ‎04-28-2025

@Martin Dewit - For affected user (in caseof 1 or many) what is being used to map from sentinel?

VaranAwesomenow · ‎04-28-2025

sn_si_m2m_task_affected_user which implies that as task can have multiple affected users, but the actual affected user is mentioned as phishing user (service account)

If you are interested in the data model of Microsoft Azure Sentinel incident ingestion scoped app its available here: AwesomeNowScopedAppDesign/SecOps SIR Microsoft Azure Sentinel Incident Ingestion Integration.pdf at ...

Checkout Varan awesomenow youtube channel for more learning videos!

AJ_UK · ‎05-02-2025

I also use ${Host: properties(hostName)}$ field for Configuration item which again seems to work well most of the time.
There is a CI matching routine within the ScriptInclude sn_sec_cmn.SecOpsCILocation that is used which searches across 4 CMDB Tables, that can take name, fqdn, mac address & ip address

For Affected User, I use ${Account: properties(additionaData(AccountName))]$ but much will depend on what is used as the UserID in ServiceNow vs AD. If you look at the Account Entity Fields in the Left hand Mapping window, then you should be able to pick out the applicable equivalent (hopefully!) If need be, run through a Translation script to trim or reformat to get a match to UserID. Note that the Account Entity is not always the 'Affected User' so sometimes this needs adjustment by the Analysts, but its a good start.