Azure Sentinel Integration

designitsecure
Tera Expert

Hello,

When using the Microsoft Azure Sentinel Incident Ingestion Integration For Security Operations is it possible to update security incidents when you make changes to the mapping in the profile? For example, if I update the profile to include a field like "description" to populate with a field from Sentinel I would like all of the existing incidents to update with that information.

Currently, (before we move to Production) we have to clear everything out and rerun it.

Thanks!

JesseBarath
Tera Contributor

On the Sentinel profile, in the mapping section, there are checkboxes next to each of the field mappings. Selecting the checkbox is supposed to force the integration to keep updating that field if the source data changes.

AJ_UK
Tera Contributor

Hi @designitsecure,

You may be able to use the 'One-Time Retrieval' capability to re-ingest all incidents since the given date.

See: Schedule the Microsoft Azure Sentinel incident retrieval

That way it will re-ingest all the incidents, and if you have the 'update' checkbox ticked, then it should update the values to the latest value. Note that, depending on the number of incidents involved, this may or may not be feasible, as all incidents will be re-processed, and all fields marked as 'Update' will be updated, not just the field you have added.

If you are testing in Pre-Prod, then using this method to re-ingest, say, 100 incidents to see what changes can be quite useful, as you can trigger it a number of times to go back to the same date/time and re-ingest again.