Azure Sentinel Integration - Configuration Item (CI) mapping

Michele Veroni
Tera Contributor

Hello!


Scenario: We have already implemented the SecOps integration with Sentinel, and our current CMDB uses both IP and hostname as identifiers.

Question 1: What is the best "Azure Sentinel Source Fields" to map to the "ServiceNow Configuration Item" field? Like:

  • Host: properties(friendlyName)
  • Ip: properties(friendlyName)

Question 2: What is the matching logic behind this configuration?


Thanks

1 ACCEPTED SOLUTION

Martin Dewit
Kilo Sage

Hi Michele,


1. I currently use the ${Host: properties(hostName)}$ field to match to a hostname in the CMDB. It seems to work just fine. 

2. The Configuration Item field in the profile mapping uses the default OOB field translation script which calls several different SecOps related CI lookup scripts that you can look at if you'd like. You can find that script by navigating to Microsoft Azure Sentinel Integration > Azure Sentinel Field Translation [sn_sec_sentinel_field_translation]. You can also view it by clicking the f(x) button next to the entry field on the field mapping section for Configuration Item.


References: https://docs.servicenow.com/csh?topicname=map-azure-sentinel-incident-fields.html&version=latest 

4 REPLIES

@Martin Dewit - For the affected user (in case of 1 or many), what is being used to map from Sentinel?

If you refer to the data source (Azure Sentinel Datasource | Data Source | ServiceNow), the transform script (onBefore | Transform Script | ServiceNow) and the script include it is based on (AzureSentinelProperties | Script Include | ServiceNow), the transform is creating an entry in sn_si_m2m_task_affected_user, which implies that a task can have multiple affected users, but the actual affected user is mentioned as the phishing user (service account).

If you are interested in the data model of the Microsoft Azure Sentinel incident ingestion scoped app, it's available here: AwesomeNowScopedAppDesign/SecOps SIR Microsoft Azure Sentinel Incident Ingestion Integration.pdf at ...

AJ_UK
Tera Contributor

I also use the ${Host: properties(hostName)}$ field for Configuration Item, which again seems to work well most of the time.
There is a CI matching routine within the Script Include sn_sec_cmn.SecOpsCILocation that is used, which searches across 4 CMDB tables and can take name, FQDN, MAC address and IP address.

For Affected User, I use ${Account: properties(additionalData(AccountName))}$, but much will depend on what is used as the UserID in ServiceNow vs AD. If you look at the Account Entity Fields in the left-hand Mapping window, then you should be able to pick out the applicable equivalent (hopefully!). If need be, run it through a Translation script to trim or reformat to get a match to UserID. Note that the Account Entity is not always the 'Affected User', so sometimes this needs adjustment by the Analysts, but it's a good start.