Integrate Azure Monitor as an authenticated data source

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Integrate Azure Monitor as an authenticated data source

    This integration enables ServiceNow customers to connect Microsoft Azure Monitor with ServiceNow Event Management by configuring Azure Monitor as an authenticated data source. The integration allows Azure Monitor alert messages to be securely sent to the ServiceNow AI Platform instance, where they are authenticated, parsed, and inserted as events to support proactive monitoring and incident management.

    Show full answer Show less

    Authentication Methods

    • OAuth Authentication: Provides enterprise-grade security by authenticating Azure Monitor alerts using Azure Monitor V1 or V2 access tokens. This method leverages Azure Active Directory and is suitable for secure, large-scale environments.
    • Basic Webhook Authentication: Offers a simpler authentication approach without requiring Azure Active Directory. This method is ideal for smaller or distributed teams such as SRE or DevOps.

    Prerequisites and Setup Requirements

    • The ServiceNow user involved must have the evtmgmtintegration role assigned.
    • The Event Management Connectors plugin must be installed on the ServiceNow AI Platform instance; it is available from the ServiceNow Store.
    • Azure Cloud Discovery must be performed to ensure alerts are correctly linked to configuration items within ServiceNow.

    Event Rules and Field Mappings

    Out-of-the-box event rules and field mappings are provided to handle Azure Monitor events effectively:

    • Event Rules: A general Azure Monitor event rule is included to process all incoming alerts.
    • Event Field Mappings: Mappings based on Azure resource types to ServiceNow citype are preconfigured, with the ability to add custom mappings as needed.

    Starting with the Xanadu release, unused out-of-the-box event rules now have the option to apply additional matching rules, enabling more sophisticated event filtering and automation.

    Severity Mapping

    Azure alert severities are translated into ServiceNow event severities as follows:

    • Fired monitorCondition:
      • Azure Sev0 → ServiceNow Critical (severity 1)
      • Azure Sev1 → ServiceNow Major (severity 2)
      • Azure Sev2 and Sev3 → ServiceNow Warning (severity 4)
      • Azure Sev4 → ServiceNow OK (severity 5)
    • Resolved monitorCondition: Any Azure severity maps to ServiceNow CLEAR (severity 0)

    Additional Integration Capabilities

    • Basic Authentication Integration: Enables connecting Azure Monitor via standard webhooks for simpler setups.
    • REST API Key Integration: Supports secure communications using API key tokens for automated data exchange.
    • OAuth Token Integration: Supports authenticating Azure V1 or V2 tokens for secure enterprise integration.
    • Azure Monitor Bi-directional Connector: Facilitates sending alert state changes from ServiceNow Event Management back to the Azure Portal, enabling synchronized alert status between platforms.

    What This Enables for ServiceNow Customers

    By integrating Azure Monitor as an authenticated data source, customers can automate and secure the ingestion of Azure alerts into ServiceNow Event Management. This enhances visibility into Azure infrastructure issues, supports faster incident response, and enables bi-directional alert synchronization for consistent monitoring across Azure and ServiceNow platforms.

    Integrate Microsoft Azure with Event Management by adding the Azure Monitor as an authenticated data source.

    You can configure the Event Management environment for the collection of events from Azure Monitor by setting your ServiceNow AI Platform instance as the rest endpoint.
    Once the endpoint is configured, when an Azure Monitor alert message arrives, Event Management:
    • Authenticates the Azure Monitor alert message with the relevant ServiceNow user, using OAuth configuration or a standard webhook.
    • Extracts information from the original Azure Monitor alert message to populate required event fields and inserts the event into the ServiceNow AI Platform database.
    • Captures specified content in the Additional Information field of the event form.

    What authentication is used

    There are two methods of authentication:
    • OAuth authentication: Provides enterprise-grade authentication to keep your enterprise environment safe. Authentication is performed using Azure Monitor V1 or V2 access tokens. For more information, see Integrate Azure Monitor with OAuth authentication.
    • Basic webhook authentication: Provides a basic standard of authentication, without the need for Azure Active Directory. This authentication can be especially useful for distributed small teams, such as SRE or DevOps teams. For more information, see Integrate Azure Monitor with basic authentication.

    What to know before you begin

    You can use your integrated Azure Monitor as a data source only after you have verified the following:

    • For both methods of authentication, the relevant ServiceNow sys_user is assigned the evt_mgmt_integration role.
    • The Event Management Connectors plugin is installed in the ServiceNow AI Platform instance. You can download the plugin from the ServiceNow Store website.
    • Azure Cloud Discovery must be performed to ensure that the created alerts are bound to the configuration items in the ServiceNow AI Platform. For more information, see Azure Cloud Discovery.

    Event Rules and Event Field mappings

    These event rules and event field mappings are provided with the base system:

    Module Description
    Event Rules Azure Monitor: A general event rule to handle all Azure Monitor events.
    Event Field Mappings Azure Monitor - ci_type: To map ci_type of events based on resourceType field. A base set of mapping pairs are provided.
    These are the mappings provided with the base system in Azure Monitor - ci_type:
    Figure 1. Transform Value Pairs
    Azure Mapping Pairs
    Note:
    You can add new mapping pairs to the Event Field Mapping - Azure Monitor - ci_type as per the requirement, to map events to the respective ci_type based on resourceType.
    Starting from the Xanadu release, the OOTB (Out-Of-The-Box) event rules provided with the connector, which you have not previously used (i.e., neither activated, deactivated, nor modified), will now have the Apply additional matching rules check box set to true. Previously, this check box was disabled. This change allows you to execute more event rules or automation using the same filter conditions for the events.
    Note:
    This feature applies only to active event rules.

    If you want to send alert state changes on the ServiceNow instance from the ServiceNow alerts to the Azure Portal, you need to enable the Azure Monitor Bi-directional connector. For more information, see Configure Azure Monitor Bi-directional connector.

    Severity mapping from Azure severity to ServiceNow event severity

    Azure severity condition ServiceNow event severity
    When an Azure alert monitorCondition is Fired
    Azure Sev0 ServiceNow Critical (severity "1")
    Azure Sev1 ServiceNow Major (severity "2")
    Azure Sev2 and Sev3 ServiceNow Warning (severity "4")
    Azure Sev4 ServiceNow OK (severity "5")
    When an Azure alert monitorCondition is resolved
    Any Azure severity ServiceNow CLEAR (severity "0")