Nov 18 2019 01:48 AM
@Gary Bushey - We have the same problem. I was able to create a logic app that automatically creates ServiceNow tickets when alerts are fired, but had to do it via Microsoft Graph. There is no trigger in Logic Apps, for example, for when an incident is created in Azure Sentinel. Plus, if you create alert rules in Sentinel for Microsoft security services (Azure ATP, MCAS, WDATP, etc.), there is no functionality at the moment to attach a playbook to that rule.
Basically, what I'm trying to achieve via a logic app is the following:
- create an incident in SNOW when a new incident is created in Azure Sentinel
- close the incident in SNOW when the status of the Azure Sentinel incident is changed to Closed
- close the corresponding alert in MCAS, Azure ATP, WDATP, etc. when the Azure Sentinel incident is closed
I managed to get this to work through a logic app, but via the Microsoft Graph API (getting the alerts from Microsoft Graph Security). I would rather do it via Azure Sentinel, so as to have a unified single point of management for all Microsoft security tools, and also integrate it via a logic app with the ITSM tool (ServiceNow).
If anyone has any ideas on how to achieve this it would be great.
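The Graph-based workaround the comment above describes, written out as an added Python example rather than the poster's own Logic App: it maps a Microsoft Graph Security alert to a ServiceNow incident body, builds the PATCH body that resolves the alert at the source product (MCAS, Azure ATP, WDATP, ...), and decides which side still needs closing when the two records disagree. The ServiceNow instance URL, the `category` and `close_code` values, bearer-token auth for ServiceNow and the sample alert are all assumptions; the Graph field names (`severity`, `status`, `vendorInformation`) follow the v1.0 `alert` resource, and Graph requires `vendorInformation` in every alert update, which is why the payload echoes it back.

```python
"""Mapping and status sync between Microsoft Graph Security alerts and
ServiceNow incidents.  Added example, not the poster's Logic App; the
ServiceNow URL, close code and field choices are assumptions."""
import json
import urllib.request

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
SNOW_INCIDENTS = "https://example.service-now.com/api/now/table/incident"  # assumed instance

# Graph alert.severity -> ServiceNow urgency/impact ("1" high, "2" medium, "3" low)
SEVERITY_TO_SNOW = {"high": "1", "medium": "2"}
SNOW_DONE_STATES = {"6", "7"}  # incident.state Resolved / Closed in a default instance


def snow_incident_from_alert(alert):
    """POST body for /api/now/table/incident built from a Graph Security alert."""
    provider = alert.get("vendorInformation", {}).get("provider", "unknown")
    level = SEVERITY_TO_SNOW.get(str(alert.get("severity", "")).lower(), "3")
    return {
        "short_description": f"[{provider}] {alert['title']}",
        "description": alert.get("description", ""),
        "urgency": level,
        "impact": level,
        "category": "security",           # assumed category value
        "correlation_id": alert["id"],    # lets the reverse sync find the alert again
    }


def graph_close_payload(alert, closer, note):
    """PATCH body for /security/alerts/{id} that resolves the alert at the
    source product.  Graph rejects alert updates that omit vendorInformation,
    so the provider/vendor pair is always echoed back."""
    return {
        "status": "resolved",
        "assignedTo": closer,
        "comments": [note],
        "vendorInformation": {
            "provider": alert["vendorInformation"]["provider"],
            "vendor": alert["vendorInformation"]["vendor"],
        },
    }


def snow_close_payload(note):
    """PATCH body that closes the ServiceNow incident (close code is an assumption)."""
    return {"state": "7", "close_code": "Solved (Permanently)", "close_notes": note}


def plan_sync(alert, incident):
    """Which side still needs closing, given the current state of both records."""
    alert_done = alert.get("status") == "resolved"
    snow_done = str(incident.get("state")) in SNOW_DONE_STATES
    if alert_done and not snow_done:
        return "close_snow"
    if snow_done and not alert_done:
        return "close_graph"
    return "noop"


def send_json(url, method, payload, token):
    """Minimal HTTP helper; needs network and a bearer token, so not used offline."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method=method,
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


# Constructed sample alert in the Graph Security alert schema (not real data)
SAMPLE_ALERT = {
    "id": "00000000-aaaa-bbbb-cccc-000000000001",
    "title": "Suspicious PowerShell command line",
    "description": "Encoded command observed on host WS01",
    "severity": "high",
    "status": "newAlert",
    "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"},
}

if __name__ == "__main__":
    print(json.dumps(snow_incident_from_alert(SAMPLE_ALERT), indent=2))
    # Analyst closed the SNOW ticket -> resolve the alert in WDATP via Graph
    snow_record = {"sys_id": "abc", "state": "7", "correlation_id": SAMPLE_ALERT["id"]}
    if plan_sync(SAMPLE_ALERT, snow_record) == "close_graph":
        print(json.dumps(graph_close_payload(SAMPLE_ALERT, "soc@example.com", "Closed in SNOW")))
```

In a scheduled job the loop would be: `GET` alerts from Graph with `$filter=status ne 'resolved'`, create a ServiceNow incident for any alert id not yet present as a `correlation_id`, then run `plan_sync` over the pairs and issue the matching `send_json` call. Keeping the decision in `plan_sync` as a pure function means the two directions of the sync can be tested without touching either API.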