Integrate Azure Monitor as an authenticated data source

  • Release version: Yokohama
  • Updated January 30, 2025

    Integrate Microsoft Azure with Event Management by adding the Azure Monitor as an authenticated data source.

    You can configure the Event Management environment to collect events from Azure Monitor by setting your ServiceNow AI Platform instance as the REST endpoint.
    Once the endpoint is configured, when an Azure Monitor alert message arrives, Event Management:
    • Authenticates the Azure Monitor alert message with the relevant ServiceNow user, using OAuth configuration or a standard webhook.
    • Extracts information from the original Azure Monitor alert message to populate required event fields and inserts the event into the ServiceNow AI Platform database.
    • Captures specified content in the Additional Information field of the event form.

    What authentication is used

    There are two methods of authentication:
    • OAuth authentication: Provides enterprise-grade authentication to keep your enterprise environment safe. Authentication is performed using Azure Monitor V1 or V2 access tokens. For more information, see Integrate Azure Monitor with OAuth authentication.
    • Basic webhook authentication: Provides a basic standard of authentication, without the need for Azure Active Directory. This authentication can be especially useful for distributed small teams, such as SRE or DevOps teams. For more information, see Integrate Azure Monitor with basic authentication.

    What to know before you begin

    You can use your integrated Azure Monitor as a data source only after you have verified the following:

    • For both methods of authentication, the relevant ServiceNow sys_user is assigned the evt_mgmt_integration role.
    • The Event Management Connectors plugin is installed in the ServiceNow AI Platform instance. You can download the plugin from the ServiceNow Store website.
    • Azure Cloud Discovery must be performed to ensure that the created alerts are bound to the configuration items in the ServiceNow AI Platform. For more information, see Discovery for Microsoft Azure Cloud.

    Event Rules and Event Field mappings

    These event rules and event field mappings are provided with the base system:

    Module | Description
    Event Rules | Azure Monitor: A general event rule to handle all Azure Monitor events.
    Event Field Mappings | Azure Monitor - ci_type: Maps the ci_type of events based on the resourceType field. A base set of mapping pairs is provided.
    These are the mappings provided with the base system in Azure Monitor - ci_type:
    Figure 1. Transform Value Pairs (Azure Mapping Pairs)
    Note:
    You can add new mapping pairs to the Event Field Mapping - Azure Monitor - ci_type as required, to map events to the appropriate ci_type based on resourceType.
    Starting with the Xanadu release, the out-of-the-box (OOTB) event rules provided with the connector that you have not previously used (that is, neither activated, deactivated, nor modified) have the Apply additional matching rules check box set to true. Previously, this check box was disabled. This change lets you run more event rules or automation using the same filter conditions for the connector.
    Note:
    This feature applies only to active event rules.

    To send alert state changes from ServiceNow alerts on your ServiceNow instance to the Azure Portal, enable the Azure Monitor Bi-directional connector. For more information, see Configure Azure Monitor Bi-directional connector.

    Severity mapping from Azure severity to ServiceNow event severity

    Azure severity condition | ServiceNow event severity
    When an Azure alert monitorCondition is Fired:
    Azure Sev0 | ServiceNow Critical (severity "1")
    Azure Sev1 | ServiceNow Major (severity "2")
    Azure Sev2 and Sev3 | ServiceNow Warning (severity "4")
    Azure Sev4 | ServiceNow OK (severity "5")
    When an Azure alert monitorCondition is resolved:
    Any Azure severity | ServiceNow CLEAR (severity "0")
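
The severity table above and the field-extraction steps described earlier, written out as an added example for checking what severity a test alert should produce; this is not ServiceNow's transform script. It assumes the alert body nests its fields under data.essentials (Azure Monitor's common alert schema), and the choice of which Azure field fills which event field is an assumption; only the severity rule comes from this page.

```javascript
// Added example: the page's severity table as code (not ServiceNow's own script).

// Fired-condition rows: Azure severity -> ServiceNow event severity.
const FIRED_SEVERITY = { Sev0: "1", Sev1: "2", Sev2: "4", Sev3: "4", Sev4: "5" };
const CLEAR = "0";

function mapSeverity(azureSeverity, monitorCondition) {
  const condition = String(monitorCondition).toLowerCase();
  // A resolved alert is CLEAR whatever its Azure severity.
  if (condition === "resolved") return CLEAR;
  if (condition !== "fired") {
    throw new Error("unexpected monitorCondition: " + monitorCondition);
  }
  // Own-property check: the value comes from the request body, so names such
  // as "constructor" must not resolve to inherited object properties.
  if (!Object.prototype.hasOwnProperty.call(FIRED_SEVERITY, azureSeverity)) {
    throw new Error("unexpected Azure severity: " + azureSeverity);
  }
  return FIRED_SEVERITY[azureSeverity];
}

// Assumed Azure-to-event field assignment; only the severity rule is from the page.
function toEvent(alert) {
  const essentials = alert && alert.data && alert.data.essentials;
  if (!essentials) throw new Error("payload has no data.essentials");
  const { severity, monitorCondition, alertRule, description, ...rest } = essentials;
  return {
    source: "Azure Monitor",
    type: alertRule,
    severity: mapSeverity(severity, monitorCondition),
    description: description || "",
    // Everything not mapped to a field is kept in Additional Information.
    additional_info: JSON.stringify({ azure_severity: severity, monitorCondition, ...rest }),
  };
}

// Constructed sample payloads (not captured from a real subscription).
const firedAlert = { data: { essentials: {
  alertRule: "cpu-high", severity: "Sev0", monitorCondition: "Fired",
  description: "CPU above 90%", firedDateTime: "2025-01-30T10:00:00Z",
} } };
const resolvedAlert = { data: { essentials: {
  ...firedAlert.data.essentials, monitorCondition: "Resolved",
} } };

console.log(toEvent(firedAlert));
console.log(toEvent(resolvedAlert));
```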