Need to fetch custom fields from sentinel to SIR Servicenow

Pooja P

Hi Team,


We have configured the bidirectional integration between Microsoft Azure Sentinel and SIR ServiceNow. There is a requirement to fetch a custom field on Sentinel called site_name, which we want to map to the Business Unit of the SIR record. While checking the Azure profile for mapping, we cannot see this custom field, and we cannot see this field in the payload of the import table.

Is there any way to fetch the custom fields created on Sentinel?

Urgent answers will be appreciated.

Thank you,

Pooja


Viraj Hudlikar

Hello @Pooja P


Yes, you can fetch custom fields from Microsoft Azure Sentinel and map them to fields in ServiceNow's SIR module.

-> Ensure that the custom field site_name is included in the query output in Sentinel. You can use the parse_json function in KQL to extract values from JSON fields. If you are not sure about this, try to get help from an SME within your organization.

-> Customize alert details in Sentinel to include the site_name field.

-> I am not sure if the mapping is done or not, but if not, then in ServiceNow you need to map the site_name field from Sentinel to the Business Unit field in the SIR record. This can be done using transform maps or business rules.


If my response has helped you, hit the helpful button, and if your concern is solved, mark my response as correct.


Thanks & Regards
Viraj Hudlikar.

Hi @Viraj Hudlikar, thank you for the answer, but below is the scenario in our case:


1. ServiceNow is trying to fetch the entities that are available in the Incident (Sentinel) by checking the incident id.

2. These custom fields are available in the alerts (we need to fetch these values from the Sentinel alerts). Can you suggest something for this, please?

AJ_UK

If your integration is connected, look in the Azure Sentinel Incident Raws table and look at the raw data coming in (in JSON form). If you can see the required field in there, then you should be able to identify where the field is visible (i.e. the JSON hierarchy), and using that information you should be able to write the Field Mapping in the Profile.
Have you also tried the 'ingest sample data' option in the Profile mapping section? If the field is present on all Incidents/Alerts/Entities, then it may appear there.
If it is not in the raw JSON data, then you would probably need to look at the Microsoft API references to see if it is a limitation there.
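To show the "find the JSON hierarchy, then write the mapping" step from the reply above, here is an added example (not code from the thread or from the ServiceNow integration) that walks a raw incident payload and reports the dotted path of every occurrence of a custom field such as site_name. The payload structure below is constructed for illustration only; the real layout of the Incident Raws record must be checked on your own instance.

```javascript
// Added example: locate a custom field inside a raw Sentinel incident payload
// so its JSON path can be used when writing the profile field mapping.
// sampleRaw is CONSTRUCTED; the nesting (alerts -> properties -> additionalData
// -> customDetails) is an assumption, not a documented Sentinel schema.
const sampleRaw = {
  id: "/subscriptions/CONSTRUCTED/incidents/CONSTRUCTED-ID",
  properties: {
    title: "Suspicious sign-in",
    severity: "Medium"
  },
  alerts: [
    {
      properties: {
        alertDisplayName: "Suspicious sign-in",
        additionalData: { customDetails: { site_name: ["London-DC1"] } }
      }
    },
    {
      properties: {
        alertDisplayName: "Impossible travel",
        additionalData: { customDetails: { site_name: ["Pune-HQ"] } }
      }
    }
  ]
};

// Recursively collect dotted paths (arrays indexed numerically) to every
// property whose name matches fieldName, case-insensitively.
function findFieldPaths(node, fieldName, path, found) {
  path = path || "";
  found = found || [];
  if (Array.isArray(node)) {
    node.forEach(function (item, i) {
      findFieldPaths(item, fieldName, path + "[" + i + "]", found);
    });
  } else if (node && typeof node === "object") {
    Object.keys(node).forEach(function (key) {
      var childPath = path ? path + "." + key : key;
      if (key.toLowerCase() === fieldName.toLowerCase()) {
        found.push({ path: childPath, value: node[key] });
      }
      findFieldPaths(node[key], fieldName, childPath, found);
    });
  }
  return found;
}

// Example run: where does site_name live in this payload?
var hits = findFieldPaths(sampleRaw, "site_name");
hits.forEach(function (h) { console.log(h.path, JSON.stringify(h.value)); });
```

Each reported path points at an alert-level location, which matches the observation that the field lives on the alerts rather than on the incident itself; a path that never appears means the field is not in the raw data at all and the API reference is the next place to check.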