Automate the incident updates and closures by the SIR incident status
Automate the incident updates and closures by the SIR incident status. The Microsoft Azure Sentinel integration has a bi-directional interface: Microsoft Azure Sentinel incidents create security incidents in SIR, and the Sentinel incidents are in turn updated after the security incident is created or closed.
Before you begin
Role required: sn_si.ingestion_profile_admin
Procedure
- On the form, fill in the details.
Follow the instructions to complete the configuration for updating incidents when you create or close a security incident in SIR.
Table 1. Automating Incident Updates form

| Category | Field | Description |
|---|---|---|
| Incident Creation Updates | Update Azure Sentinel Incidents Status upon SIR Incident creation | Option that enables the automated incident update functionality. After the SIR incident is created in the ServiceNow AI Platform, the status of the Microsoft Azure Sentinel incident is updated, together with the comments, in Microsoft Azure Sentinel. |
| | Initial incident status update | Initial status that is set on the incident in the Microsoft Azure Sentinel environment. You can select New or Active. |
| | Initial comments posted back to Incident | Initial comments that are posted to the incident in the Microsoft Azure Sentinel environment. Edit the default text that is displayed in the comments section by adding or modifying substitution variables in the format ${field name}$ for any field on the SIR incident form. |
| Incident Closure Updates | Close Azure Sentinel incidents upon SIR Incident Closure | Option that enables the automated incident status update functionality. After the SIR incident is closed in the ServiceNow AI Platform, the Microsoft Azure Sentinel incident is closed with the comments provided. |
| | Closure incident status update | Status that is set on the Microsoft Azure Sentinel incident when the incident is closed in SIR. |
| | Closure Comments Posted back to incident | Comments that are posted to the Microsoft Azure Sentinel incident when the incident is closed in SIR. Edit the default text that is displayed in the comments section by adding or modifying substitution variables in the format ${field name}$ for any field on the SIR incident form. |
| | Incident classification and closing reason | Method used to set the classification and closing reason when the incident is closed in the Microsoft Azure Sentinel environment. Select Default incident classification and closing reason to close every incident with a single value; you must then define the Default incident classification and closing reason, and when you close an incident in SIR, the Azure Sentinel incident is closed with that value. Select Incident classification and closing reason-SIR close code mapping to map classification reasons to SIR close codes; you can map multiple SIR close codes to a single classification reason, and after you close an incident in SIR with a close code, the Azure Sentinel incident is closed with the mapped classification and closing reason. If the classification reasons and SIR close codes are not mapped, or no match is found, the incident is closed in Microsoft Azure Sentinel with the default classification reason 'Undetermined'. |
| Azure Sentinel Incident Comments and SIR Work notes synchronization | Update SIR work notes with Azure Sentinel incident comments | Option that copies your Microsoft Azure Sentinel comments into the SIR work notes. The comment appears in the SIR work notes with the prefix Comment from Sentinel and includes the Sentinel ID, analyst details, and time stamp. |
| | Update Azure Sentinel incident comments with SIR work notes | Option that copies your SIR work notes into the Microsoft Azure Sentinel incident comments. The comment appears in Microsoft Azure Sentinel with the prefix Comment from ServiceNow. |

The following example shows the configuration options that are available for automating incident updates.
- Click Finish.
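As an added illustration (not ServiceNow's or Microsoft's own code), the following JavaScript models the two behaviours the form above describes: rendering a comment template with ${field name}$ substitution variables from a SIR incident record, and resolving the Sentinel classification and closing reason from a SIR close code, falling back to 'Undetermined' when no mapping matches. The incident numbers, close codes and comment template are constructed sample values; the classification strings follow Microsoft Sentinel's classification and classificationReason values, which is an assumption about the target environment, and how an unknown ${field name}$ token is rendered is likewise an assumption, since the page does not say.

```javascript
// Illustrative model of the Automating Incident Updates form behaviour.
// Not ServiceNow or Microsoft code; all sample values are constructed.

// Page states the fallback classification reason is 'Undetermined'.
const DEFAULT_CLASSIFICATION = 'Undetermined';

// Replace each ${field name}$ token with the matching SIR incident field.
// Assumption: an unknown field renders as an empty string.
function renderComment(template, incident) {
  return template.replace(/\$\{([^}]+)\}\$/g, (_match, field) => {
    const value = incident[field.trim()];
    return value === undefined || value === null ? '' : String(value);
  });
}

// Resolve the Sentinel classification/closing reason for a SIR close code.
// `mapping` maps one classification reason to one or more SIR close codes,
// matching the page's statement that several close codes may share a reason.
function resolveClassification(closeCode, mapping) {
  for (const [reason, codes] of Object.entries(mapping)) {
    if (codes.includes(closeCode)) return reason;
  }
  return DEFAULT_CLASSIFICATION; // unmapped or no match
}

// Assemble the closure update that would be posted back to Sentinel.
function buildClosureUpdate(incident, config) {
  return {
    status: config.closureStatus,
    classification: resolveClassification(incident.close_code, config.closeCodeMapping),
    comment: renderComment(config.closureCommentTemplate, incident),
  };
}

// Constructed sample configuration (close codes are invented for this example;
// classification strings assume Sentinel's classification/classificationReason values).
const sampleConfig = {
  closureStatus: 'Closed',
  closureCommentTemplate:
    'Security incident ${number}$ closed in ServiceNow SIR with close code "${close_code}$". Notes: ${close_notes}$',
  closeCodeMapping: {
    'TruePositive - SuspiciousActivity': ['Confirmed - Malicious', 'Confirmed - Policy violation'],
    'FalsePositive - IncorrectAlertLogic': ['Non-issue - Misconfiguration'],
    'BenignPositive - SuspiciousButExpected': ['Non-issue - Authorized test'],
  },
};

// Constructed sample SIR incident record.
const sampleIncident = {
  number: 'SIR0010001',
  close_code: 'Confirmed - Malicious',
  close_notes: 'Host reimaged',
};

console.log(buildClosureUpdate(sampleIncident, sampleConfig));
```

Keeping the mapping as reason-to-codes (rather than code-to-reason) mirrors the form's many-to-one relationship and makes the 'Undetermined' fallback an explicit, testable branch rather than an accidental `undefined`.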