Issue ingesting multiple affected users using Azure Sentinel Incident Ingestion Integration

guythompson
Tera Contributor
Hi
We're having a bit of trouble adding multiple affected users into SIR tickets using the Azure Sentinel Incident Ingestion Integration. We are able to ingest Sentinel Account entities (${Account: properties(displayName)}$) using a simple glide get query to find the username of the email address ingested, but when we create a script using a for loop to make multiple queries, no outputs in the destinationValue field are found. The script has been tested elsewhere in ServiceNow and works, but doesn't seem to work in the integration's field translations. See current query below:
 
var usernamearray = [];
var affectedUser = "";
if (sourceValue != "") {
    // Split the comma-separated list of user names coming from the Sentinel entity
    var splitvalues = sourceValue.split(", ");
    for (var i = 0; i < splitvalues.length; i++) {
        var gr = new GlideRecord('sys_user');
        // get(field, value) returns true only when a matching record was found
        if (gr.get('user_name', splitvalues[i])) {
            usernamearray.push(gr.getUniqueValue()); // sys_id of the matched user
        }
    }
    affectedUser = usernamearray.join(", ");
}
destinationValue = affectedUser;
 
 
Any help would be appreciated.
13 REPLIES

AJ_UK
Tera Contributor

@guythompson , @prit123 
In order to get GlideRecords and log messages to work within Field Translation Scripts, you have to change a setting in the AzureSentinelMappingUtils within the GlideScopedEvaluator.
This allows greater scripting capabilities to be executed in the Field Translation Scripts; however, it also means that a security analyst/admin can then execute scripts across the platform, so it should be handled with caution! If you are just wanting to log/debug, then only do this in a non-prod instance.

 

In the Script Include AzureSentinelMappingUtils within the method _performDestinationTranslation

you will find a line (at about line 19) that says

evaluator.withEnforcedSecurity(true);

if this is changed to
evaluator.withEnforcedSecurity(false);

then this will allow GlideRecords and Logging statements to be executed in the Field Translation Scripts (noting the above cautions!).

WiproG
Tera Contributor

I have mapped the ${Account: properties(additionalData(accountName))}$ to Affected User, which has a User ID value that matches into ServiceNow. I also have it marked for update with the checkbox. But for some of the Security Incidents, the affected user is populated in the Security Incident record, and in the case of multiple affected users, records are created in the m2m table; but some records are empty even though the user ID is present and matching in sys_user (even with a single affected user). Please advise.

AJ_UK
Tera Contributor

Hi @WiproG 

When there are multiple affected users, one of them is promoted to the Affected User field, but all should be populated into the related table.
If they are not always appearing, I would start with debugging the mapping process, check whether you are getting null mapping outcomes, and then also debug your Translation Script to identify input/output.

 

To Debug Null Translations, I insert this line:

if(orignalInputValue && !inputValue){gs.warn("Field translation Result is null for/"+ securityIncident.number + "/DestinationField/" +mapEntry.destination+"/With Input/"+orignalInputValue);}

into the AzureSentinelTransform Script Include in the performFieldMapping method, immediately after this line:

inputValue = AzureSentinelMappingUtils._performDestinationTranslation(this.PROPERTIES.TABLE.FIELD_TRANSLATION, inputValue, mapEntry.destination);

which for me is at line 232.

 

Then search the system log for Source = sn_sec_sentinel, Level = Warning, Message * Field translation Result is null.
You should then be able to cross-reference the SIR number with the destination field and with the input to the Field Translation Script.

WiproG
Tera Contributor

I don't have any field translation script for affected user under sentinel field translation. I am using direct mapping. 

[screenshot: WiproG_1-1747408683541.png]

In this field I am getting the user ID, which is unique in sys_user. I believe it should work.

 

I have tried the debug code as well, as suggested, but there is no message.

[screenshot: WiproG_2-1747408826736.png]

 

[screenshot: WiproG_3-1747408913183.png]

 

AJ_UK
Tera Contributor

Hi @WiproG ,

There is a slight difference between giving a unique UserID value and the meaning of the GlideRecord getUniqueValue().

See ServiceNow Docs: GlideRecord - getUniqueValue(), which will return the primary key, which is usually the sys_id of the record.

Look also at the properties of the ServiceNow Docs GlideRecord - get(Objectname, Objectvalue), which is the method used in the Mapping Utils: "If only a single parameter is passed in, the method assumes that it is the sys_id of the desired record. If not found, it then tries to match the value against the display value."

So the Mapping will prefer to be passed the ServiceNow sys_id of the User, rather than a UserID, even though that UserID may be unique.

This is why I run a GR in the Translation script to look up from UserID to record sys_id.

 

You could also add logging lines in the translation script to confirm input values, the number of records found matching the input value, etc., to check that you have got truly unique values coming in. Alternatively, modify the Transform debug line's if statement to remove the

&& !inputValue

so that you are seeing all input and output values from the translation script, which should then show the scenarios when it is working and when it is not working.

I hope this is helpful! AJ
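As an added example (not code from this thread or from the ServiceNow Sentinel integration), here is the translation-script logic discussed in the original post and in the last reply: a comma-separated list of user IDs is resolved to sys_ids, and every input that matches zero or more than one sys_user record is logged, so null translations and ambiguous matches show up in the log instead of silently yielding an empty destinationValue. The GlideRecord stub, the `gs` shim and the SAMPLE_USERS table are constructed so the block runs in Node; in an instance you would delete them and use the real platform objects.

```javascript
// Constructed sample of sys_user for offline testing (not real data). The duplicate
// user_name is deliberate, to exercise the "more than one match" path.
var SAMPLE_USERS = [
  { sys_id: "a1b2c3d4e5f60001", user_name: "alice.smith" },
  { sys_id: "a1b2c3d4e5f60002", user_name: "bob.jones" },
  { sys_id: "a1b2c3d4e5f60003", user_name: "bob.jones" }
];

// Minimal stand-in for the platform GlideRecord API (assumption: only the methods used below).
function GlideRecord(table) { this.table = table; this.rows = []; this.idx = -1; this.filters = {}; }
GlideRecord.prototype.addQuery = function (field, value) { this.filters[field] = value; };
GlideRecord.prototype.query = function () {
  var f = this.filters;
  this.rows = SAMPLE_USERS.filter(function (u) {
    return Object.keys(f).every(function (k) { return u[k] === f[k]; });
  });
  this.idx = -1;
};
GlideRecord.prototype.next = function () { this.idx++; return this.idx < this.rows.length; };
GlideRecord.prototype.getRowCount = function () { return this.rows.length; };
GlideRecord.prototype.getUniqueValue = function () { return this.rows[this.idx].sys_id; };
// Stand-in for gs.warn() that keeps the messages so they can be inspected.
var gs = { warnings: [], warn: function (m) { this.warnings.push(m); } };

// Field translation: "user1, user2" -> "sys_id1,sys_id2". Inputs that do not resolve to
// exactly one record are logged; unmatched inputs are skipped, duplicates are collapsed.
function translateAffectedUsers(sourceValue) {
  var sysIds = [];
  if (!sourceValue) { return ""; }
  var names = String(sourceValue).split(",");
  for (var i = 0; i < names.length; i++) {
    var name = names[i].trim();
    if (!name) { continue; }
    var gr = new GlideRecord("sys_user");
    gr.addQuery("user_name", name);
    gr.query();
    var count = gr.getRowCount();
    if (count !== 1) {
      gs.warn("Affected user lookup for '" + name + "' matched " + count + " sys_user records");
      if (count === 0) { continue; }   // no match: skip rather than write an empty sys_id
    }
    gr.next();                          // ambiguous match: first record wins, warning already logged
    var id = gr.getUniqueValue();
    if (sysIds.indexOf(id) < 0) { sysIds.push(id); }
  }
  return sysIds.join(",");              // list fields take comma-separated sys_ids
}

// Constructed input: one clean match, one ambiguous name, one unknown user.
var destinationValue = translateAffectedUsers("alice.smith, bob.jones, nobody");
```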