Azure Sentinel Incident Field Mapping

Karlie01
Tera Contributor

Hi all,

 

I have installed Microsoft Azure Sentinel Incident Ingestion Integration For Security Operations.

I have mapped the ${Account: properties(accountName)}$ from the Account Entity Fields to the Affected user within the Azure Sentinel Incident Profile.

The accountName is listed as an Employee number but I need this as a Name. I have attempted this within the Azure Sentinel Field Translation but it's not populating the Name.

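// Look up the sys_user record whose employee number matches the incoming accountName
var user = new GlideRecord('sys_user');
user.addQuery('employee_number', sourceValue);
user.query();

// Hand the matching user's sys_id back as the translated value
while (user.next()) {
    destinationValue = user.sys_id;
}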

Any help would be much appreciated.

5 REPLIES 5

vamshi krishna4
Giga Guru

I saw many incidents in Sentinel which have multiple account entities, but in ServiceNow I checked the checkbox next to the affected user mapping, which should add the affected users in the related list in the incident form, but I think it's not working as expected.