10-16-2024 04:00 AM
Hello!
Scenario: We have already implemented the SecOps integration with Sentinel, and our current CMDB uses both IP and hostname as identifiers.
Question 1: What are the best "Azure Sentinel Source Fields" to map to the "ServiceNow Configuration Item" field? For example:
- Host: properties(friendlyName)
- Ip: properties(friendlyName)
Question 2: What is the matching logic behind this configuration?
Thanks
10-16-2024 04:39 AM
Hi Michele,
1. I currently use the ${Host: properties(hostName)}$ field to match to a hostname in the CMDB. It seems to work just fine.
2. The Configuration Item field in the profile mapping uses the default OOB field translation script, which calls several different SecOps-related CI lookup scripts that you can look at if you'd like. You can find that script by navigating to Microsoft Azure Sentinel Integration > Azure Sentinel Field Translation [sn_sec_sentinel_field_translation]. You can also view it by clicking the f(x) button next to the entry field on the field mapping section for Configuration Item.
References: https://docs.servicenow.com/csh?topicname=map-azure-sentinel-incident-fields.html&version=latest
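To make the matching logic behind the Configuration Item mapping concrete, here is an added illustration of the kind of normalisation and lookup a field translation script performs. It is not ServiceNow's own OOB script or the sn_sec_cmn CI lookup; the CMDB rows are constructed sample data, the lookup order (fqdn, then IP, then bare name) is an assumption, and the Sentinel entity property names (hostName, dnsDomain, address) are the standard Host and IP entity fields.

```javascript
// Added illustration, not ServiceNow's OOB translation or CI lookup script.
// Constructed sample CMDB rows (the 'table' column stands in for the several
// CMDB tables a real lookup searches); none of this is from a real instance.
var SAMPLE_CMDB = [
  { sys_id: 'ci-0001', table: 'cmdb_ci_server',   name: 'WEB01',    fqdn: 'web01.corp.example',    ip_address: '10.0.1.15', mac_address: '' },
  { sys_id: 'ci-0002', table: 'cmdb_ci_computer', name: 'lt-alice', fqdn: 'lt-alice.corp.example', ip_address: '10.0.7.42', mac_address: '00:11:22:aa:bb:cc' },
  { sys_id: 'ci-0003', table: 'cmdb_ci_computer', name: 'WEB01',    fqdn: 'web01.lab.example',     ip_address: '10.9.0.3',  mac_address: '' }
];

// Turn a Sentinel Host entity (properties.hostName / properties.dnsDomain)
// into the identifiers a CMDB lookup would try: a short name and, when the
// domain is known or hostName is already qualified, an FQDN.
function hostCandidates(hostEntity) {
  var p = (hostEntity && hostEntity.properties) || {};
  var host = String(p.hostName || '').trim().toLowerCase();
  var domain = String(p.dnsDomain || '').trim().toLowerCase();
  var shortName = host.split('.')[0];
  var fqdn = host.indexOf('.') > -1 ? host : (domain ? shortName + '.' + domain : '');
  return { name: shortName, fqdn: fqdn };
}

// Assumed match order: FQDN (most specific) first, then IP address, then the
// bare name. A bare-name hit shared by several CIs is reported as ambiguous
// instead of silently taking the first row, so an analyst can resolve it.
function findCI(cmdb, hostEntity, ipEntity) {
  var c = hostCandidates(hostEntity);
  var ip = ipEntity && ipEntity.properties ? String(ipEntity.properties.address || '').trim() : '';

  var byFqdn = cmdb.filter(function (r) { return c.fqdn && r.fqdn.toLowerCase() === c.fqdn; });
  if (byFqdn.length === 1) return { sys_id: byFqdn[0].sys_id, matchedOn: 'fqdn' };

  var byIp = cmdb.filter(function (r) { return ip && r.ip_address === ip; });
  if (byIp.length === 1) return { sys_id: byIp[0].sys_id, matchedOn: 'ip_address' };

  var byName = cmdb.filter(function (r) { return c.name && r.name.toLowerCase() === c.name; });
  if (byName.length === 1) return { sys_id: byName[0].sys_id, matchedOn: 'name' };
  if (byName.length > 1) {
    return { sys_id: null, matchedOn: 'ambiguous_name',
             candidates: byName.map(function (r) { return r.sys_id; }) };
  }
  return { sys_id: null, matchedOn: 'none' };
}
```

The point the example makes is that a short hostname alone (WEB01 exists in both a production and a lab domain above) is not enough to identify a CI, which is why mapping the Host entity rather than a bare name, and keeping the IP entity as a fallback, gives more reliable matches.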
04-28-2025 12:03 AM
@Martin Dewit - For affected user (in case of one or many), what is being used to map from Sentinel?
04-28-2025 09:35 AM - edited 04-28-2025 09:39 AM
If you refer to the data source: Azure Sentinel Datasource | Data Source | ServiceNow and the transform script: onBefore | Transform Script | ServiceNow and based on this script include AzureSentinelProperties | Script Include | ServiceNow transform is creating an entry in
If you are interested in the data model of the Microsoft Azure Sentinel incident ingestion scoped app, it's available here: AwesomeNowScopedAppDesign/SecOps SIR Microsoft Azure Sentinel Incident Ingestion Integration.pdf at ...
05-02-2025 04:53 AM
I also use the ${Host: properties(hostName)}$ field for Configuration Item, which again seems to work well most of the time.
There is a CI matching routine within the Script Include sn_sec_cmn.SecOpsCILocation that is used, which searches across 4 CMDB tables and can take name, FQDN, MAC address and IP address.
For Affected User, I use ${Account: properties(additionalData(AccountName))}$, but much will depend on what is used as the UserID in ServiceNow vs AD. If you look at the Account Entity Fields in the left-hand Mapping window, then you should be able to pick out the applicable equivalent (hopefully!). If need be, run through a Translation script to trim or reformat to get a match to UserID. Note that the Account Entity is not always the 'Affected User', so sometimes this needs adjustment by the Analysts, but it's a good start.
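The "trim or reformat to get a match to UserID" step above is where most Affected User mismatches come from, because the account name Sentinel reports can arrive as DOMAIN\name, as a UPN, or as a bare name depending on the data connector. The following is an added example of such a translation, not ServiceNow's code or any script from this thread: it reduces the Account entity to a comparable form and looks it up in a constructed sys_user sample. The Sentinel property names (accountName, ntDomain, upnSuffix) are the standard Account entity fields; the assumption that user_name holds the sAMAccountName and email holds the UPN is exactly the "ServiceNow vs AD" choice the post says you must confirm for your own instance.

```javascript
// Added illustration of an Affected User translation; not ServiceNow's code.
// Constructed sample sys_user rows, not from any real instance. Assumes
// user_name holds the AD sAMAccountName and email holds the UPN.
var SAMPLE_USERS = [
  { sys_id: 'u-0001', user_name: 'alice',     email: 'alice@corp.example' },
  { sys_id: 'u-0002', user_name: 'bob.smith', email: 'bob.smith@corp.example' }
];

// Reduce a Sentinel Account entity's properties to a bare, lower-cased account
// name plus, when a suffix is known, a UPN. Accepts 'DOMAIN\\name',
// 'name@suffix' and bare names; explicit ntDomain/upnSuffix win over
// anything parsed out of accountName.
function normalizeAccount(props) {
  var name = String(props.accountName || '').trim();
  var ntDomain = String(props.ntDomain || '').trim();
  var suffix = String(props.upnSuffix || '').trim();

  var backslash = name.lastIndexOf('\\');
  if (backslash > -1) {                       // DOMAIN\name form
    ntDomain = ntDomain || name.slice(0, backslash);
    name = name.slice(backslash + 1);
  }
  var at = name.indexOf('@');
  if (at > -1) {                              // UPN form
    suffix = suffix || name.slice(at + 1);
    name = name.slice(0, at);
  }
  name = name.toLowerCase();
  return {
    userName: name,
    ntDomain: ntDomain.toLowerCase(),
    upn: suffix ? name + '@' + suffix.toLowerCase() : ''
  };
}

// Resolve the ServiceNow user: the UPN against email is tried first because
// it is unambiguous across domains; the bare name against user_name is the
// fallback. Returns sys_id null when nothing matches so the mapping stays
// empty for the analyst to fill in rather than pointing at the wrong person.
function findUser(users, props) {
  var n = normalizeAccount(props);
  var hit = null;
  if (n.upn) {
    hit = users.filter(function (u) { return u.email.toLowerCase() === n.upn; })[0];
  }
  if (!hit) {
    hit = users.filter(function (u) { return u.user_name.toLowerCase() === n.userName; })[0];
  }
  return { sys_id: hit ? hit.sys_id : null, userName: n.userName, upn: n.upn };
}
```

In a real translation script the two filter calls would be GlideRecord queries against sys_user; the normalisation logic is the part that carries over unchanged.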