Requesting optimal profile for Microsoft Azure Sentinel Incident Ingestion Integration store app

Kevin15
Tera Contributor

My company has been using the store app "Microsoft Azure Sentinel Incident Ingestion Integration For Security Operations" to automatically ingest new incidents from Microsoft's Sentinel (SIEM) solution into our ServiceNow SecOps add-on. The store app works fine and imports the new incidents into the [sn_si_incident] table as SIR records. However, the records do not always contain all the information required for analysis, so we have to fall back to Sentinel for any details.

 

My current setup uses an Azure Sentinel Incident profile for each product from which Sentinel can pull data through the data connectors (see the screenshot) and one for the self-created analytics rules in Sentinel itself. We use multiple profiles because each connected product can use different Entity fields. I think we would miss data if we only used one profile, but I might be wrong.

 

I'm sure there is room for improvement and would like to know if the community has any tips or advice on how to create the most optimal profile for importing and enriching the SIR records created in ServiceNow, including things that might not be available out-of-the-box but could be built in a scoped app.

 


Martin Dewit
Kilo Sage

Hi Kevin15,

 

I am in a similar situation. I would like to expand my profiles to each type of data connector as well. There doesn't seem to be a good process to do that.

  • Have you noticed any slowness or incident generation delay using 5+ profiles?
  • In each profile are you filtering for not the other products? (i.e. for DfE profile your filters are filtering out Cloud Apps, Identity, Sentinel, etc).
  • In your experience, does Sentinel aggregate all the entities from the original alerting product into the Sentinel Incident's entities?
  • I am also wondering why in the Sentinel API the Microsoft Defender data connectors are still using the old names (i.e. Defender Advanced Threat Protection vs Defender for Endpoint).

Hi Martin,

Any chance you can share your learnings and/or profiles from this?
We are in the process of building this up, and it seems strange they don't at least provide a single OOTB setup to guide us.

Kevin15
Tera Contributor

Hi Martin,

 

Then I think I'll ask Microsoft Support for some tips. Regarding your questions:

  • Have you noticed any slowness or incident generation delay using 5+ profiles?
    • No
  • In each profile are you filtering for not the other products? (i.e. for DfE profile your filters are filtering out Cloud Apps, Identity, Sentinel, etc).
    • We specify the product name in the profile conditions so that it only creates incidents for that specific product, and we created a "catch-all" profile with the opposite condition so it creates incidents for any new products that we haven't noticed yet.
  • In your experience, does Sentinel aggregate all the entities from the original alerting product into the Sentinel Incident's entities?
    • I have not noticed any issues. The "Azure Sentinel Incident Import" menu will show you the raw JSON body, and it seems to contain all the entities from any alerts connected to the incident. However, I admit that we don't correctly write those to the observable table or the SIR ticket in ServiceNow. My coworkers usually just log on to Sentinel.
  • I am also wondering why in the Sentinel API the Microsoft Defender data connectors are still using the old names (i.e. Defender Advanced Threat Protection vs Defender for Endpoint).
    • Changing the names might impact any current profile. I'm guessing any changes would be described in the change log in future updates.
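The two points above (per-product profile conditions with a catch-all, and entities present in the raw JSON but not written to the observable table) as an added, runnable sketch. This is example code, not the store app's or the poster's; the incident payload is constructed, and the field names (alertProductNames, entity kind/properties) and observable type labels are assumptions modelled on the Sentinel REST shape that should be checked against the raw JSON shown in the "Azure Sentinel Incident Import" menu.

```python
import json

# Constructed sample incident body with its entities (not a real tenant's data).
RAW_INCIDENT = json.dumps({
    "name": "example-incident-id",
    "properties": {
        "title": "Suspicious sign-in followed by malware alert",
        "severity": "High",
        "additionalData": {"alertProductNames": ["Microsoft Defender Advanced Threat Protection"]},
    },
    "entities": [
        {"kind": "Account", "properties": {"accountName": "jdoe", "upnSuffix": "example.com"}},
        {"kind": "Host", "properties": {"hostName": "WS-0042"}},
        {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        {"kind": "FileHash", "properties": {"algorithm": "SHA256", "hashValue": "ab" * 32}},
    ],
})

# Profile conditions as described in the thread: one per product (names assumed), plus a catch-all.
PROFILES = [
    ("DfE profile", {"Microsoft Defender Advanced Threat Protection"}),
    ("MCAS profile", {"Microsoft Cloud App Security"}),
    ("Sentinel rules profile", {"Azure Sentinel"}),
]
CATCH_ALL = "catch-all profile"

# Entity kind -> (observable type label, property carrying the value). Labels are assumed;
# map them to the observable types configured in your instance.
ENTITY_TO_OBSERVABLE = {
    "Account": ("user_name", "accountName"),
    "Host": ("hostname", "hostName"),
    "Ip": ("ip_address", "address"),
    "Url": ("url", "url"),
    "FileHash": ("file_hash", "hashValue"),
}

def select_profile(incident: dict) -> str:
    """Pick the first profile whose product set matches; fall back to the catch-all."""
    products = set(incident["properties"].get("additionalData", {}).get("alertProductNames", []))
    for name, match in PROFILES:
        if products & match:
            return name
    return CATCH_ALL

def extract_observables(incident: dict) -> list:
    """Flatten known entity kinds into rows suitable for an observable table insert."""
    rows = []
    for ent in incident.get("entities", []):
        mapping = ENTITY_TO_OBSERVABLE.get(ent.get("kind"))
        if mapping is None:
            continue  # unknown kind: leave for manual review rather than guess a type
        obs_type, prop = mapping
        value = ent.get("properties", {}).get(prop)
        if value:
            rows.append({"type": obs_type, "value": value, "incident": incident["name"]})
    return rows

incident = json.loads(RAW_INCIDENT)
print(select_profile(incident), extract_observables(incident))
```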

Scott43
Giga Guru

Hi Kevin,

Any chance you can share some of the Sentinel Field mappings you have created?
Specifically the Defender and Sentinel ones, as we are interested in seeing what others have set up for their integration mapping.


Thanks.