ServiceNow Integration (part 2)

By Ashwin Venugopal -

 

To read part 1, please click here





Adding Dynamic Content

Now, to enter the values into the fields, we will add the dynamic content provided by the previous actions in the first stage. You can use the following table to fill the fields:

Field

Value

Short

description

         Text: Sentinel Incident #

          Dynamic content: Number from the incident

          Text: -

          Dynamic content: Title from the incident

Description

Description from the incident

Secure notes

Entities from the alert

After filling those fields, the addition of the dynamic content will be completed.

Adding Static Content

Now you can fill the drop-down entries in ServiceNow by simply correcting the text to be passed through which always matches a value in the respective drop-down list. You can use the following values for filling the hardcode values while making sure the text entered matches exactly:

Field

Value

Priority

2 - High

Business impact

2 - High

Subcategory

Inbound Dos

Risk score override

True

Score

SIEM

Category

Denial of Service

 After filling these fields, the static content is ready to go.

Adding an Expression

Now you can also enter an expression and assuming that you have worked with Microsoft Excel formulas, you will be familiar with logic app expressions as they are almost same. Azure Logic Apps contains easy ways to create these formulas and the following steps can be used to complete the process:

  • You can click on the Risk score or press the Expression tab for Dynamic content popup.
  • If you want feed a dynamic value, you can readily move back to the Dynamic content tab and search as well as select the value, while you can switch back to the Expression tab to add more expressions.
  • There is also an if statement embedded inside another if statement as well as two equal expressions.
  • Lastly, you have to modify the Add comment to incident (V2) (Preview) rule in order to add the ServiceNow number to your Microsoft Sentinel incident. 

 Now your playbook is complete and you can allot it to an Microsoft Sentinel analytics scheduled rule.








To read part 1, please click here


Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Threat Hunting in Microsoft Sentinel (part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Introducing the Microsoft Sentinel Hunting Page Threat hunting is a series activities performed while investigating and as there are no guidelines to perform it, the available tools on the Microsoft Sentinel can be introduced to perform better in your investigations. Firstly, you have to choose the Hunting link in the Microsoft Sentinel navigation menu to get to the Hunting page which is divided into the following sections: The header bar- It is located at the top of the page as usual and contains Refresh as well as timespan drop down menu. The New Query button can help you with creating a new query and the Run all queries button can run all the hunting queries in the background while also updating the hunting query list section with the number of results found.  The summary bar- Here, you can view the total number of queries available to run, the total number of bookmarks, the number of results from running live
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more