Microsoft Sentinel Incident Bi-directional sync with ServiceNow

Published Sep 15 2020 02:38 AM 27.8K Views

One of the main SIEM use cases is incident management. Microsoft Sentinel offers robust features that help the analyst to manage the life cycle of security incidents, including:


  • Alert grouping and fusion​
  • Incident triaging and management​
  • An interactive investigation experience​
  • Orchestration and response using Logic Apps


In some cases, customers maintain incidents in their IT Service Management (ITSM) systems for remediating security incidents across the organization. For organizations using ITSM systems, there is often a need for a bi-directional sync of Microsoft Sentinel incidents to their ITSM tool. When this integration occurs, a security incident created in Microsoft Sentinel, would also be created in the ITSM system. If this ticket is closed in the ITSM system, it will be closed in Microsoft Sentinel.


In this article, I demonstrate how to use Microsoft Sentinel Security Orchestration, Automation and Response (SOAR) capability and ServiceNow’s (SNOW) Business Rules feature to implement this bi-directional incident sync between the two systems.




Send an Microsoft Sentinel incident into ServiceNow incident queue


The playbook, available here and presented below, works as follows:


  1. Triggers automatically on a new Alert.
  2. Gets relevant properties from the Incident.
  3. Populates the workspace name variable.
  4. Creates a record of incident type in ServiceNow and populate the Microsoft Sentinel Incident properties into the SNOW incident record using the following mapping:



Microsoft Sentinel


Incident Unique ID

Short Description




Additional comment

Incident Deep link




Deploying the solution


  1. Deploy the above Logic APP
  2. Attached this logic app to every analytics rule that you want to sync to ServiceNow, by Selecting it on the automated response section. (currently you need to run this process for each analytics rule that you want to sync)




Once an analytics rule generates a new incident, a new incident will pop-up on the ServiceNow incident Page.





Close Microsoft Sentinel Incident When it closed in ServiceNow.


Closing the incident in Microsoft Sentinel when it is closed in ServiceNow requires two components:


  1. A Business Rule in ServiceNow that run custom JS code when the incident is closed.
  2. A Logic App in Microsoft Sentinel that waits to the Business Rule POST request.

Step 1: Deploy the Logic App on Microsoft Sentinel.


The playbook, available here and presented below, works as follows:


  1. Triger when an HTTP POST request hits the endpoint (1)
  2. Get relevant properties from the ServiceNow Incident.
  3. Close the incident on Microsoft Sentinel (4)
  4. Add comment with the name of the user who closed into an Microsoft sentinel incident comment (5)



Step 2: Configure the Logic App


  1. Copy the HTTP endpoint URL from the Logic App trigger part.



2. In “run query and list results” (2) authenticate with user that has log analytics read permission or Microsoft Sentinel Reader role as a minimum requirement.

3. In “get incident – bring fresh ETAG” (3) authenticate to AAD APP with a user that has an Microsoft Sentinel Reader role, or with a Managed identity with the same permission.

4. On the close incident step (4) we will need to use a user that has an Microsoft Sentinel Responder role as the identity for

5. On “add comment to incident” (5) use a user that has an Microsoft Sentinel Contributor account.


Step 3: ServiceNow Business Rule


What is Business Rule?


Per ServiceNow documentation, a business rule is a server-side script that runs when a record is displayed, inserted, updated, or deleted, or when a table is queried.


To create the business rule:


  1. Login to your ServiceNow Instance.
  2. In the left navigation type business rules, press New to create a new business rule.

      (For a business rule types and scopes refer to ServiceNow documentation)

  1. Give the business rule a name, select Incident as the table, and check the Active and the Advanced checkboxes.


4. On the “When to run” tab, configure the controls as depicted on the screenshot below.




5. On the Advance tab, paste the above (like the picture below)




In line 8, replace the URL with the URL that we copied from the webhook Logic App above; this will be the endpoint that the business rule will interact with.




var ClosedUser = String(;
var Description = current.short_description.replace(/(\r\n|\n|\r|['"])/gm,", ");
var number = String(current.number);
var request = new sn_ws.RESTMessageV2();
var requestBody = {"Description": Description , "number": number ,  "ClosedBy":ClosedUser };
var response = request.execute();
var responseBody = response.getBody();
var httpStatus = response.getStatusCode();
var parsedData = JSON.parse(responseBody);





In the above example I only send to sentinel 3 properties:


  • ClosedBy – the username that closed the incident in Service Now
  • Description – the incident description
  • Number – the incident ID, originally received from Azure Sentinel.

You can modify the business rule Java Script code and add other properties that can add value to your use case.



Once the user closes the incident in ServiceNow, the listener Logic App triggers and closes the incident in Microsoft Sentinel, adding a relevant comment as you can see below:




This completes the process of implementing incident sync between Microsoft Sentinel and ServiceNow by leveraging a Logic App and a ServiceNow business rule.


Thanks @Ofer_Shezaf and @Kara Cole for all the help during this blog creation.

Occasional Contributor

Thanks for sharing this details.

for auto ticket creation do we need ServiceNow SecOps module license ? or does it support with normal ITSM capability (without SecOps, Security module)

Senior Member

Thanks @Yaniv Shasha for sharing this is a great article!


Some of the standard (OOTB) Analytics rules i.e. 'Create incidents based on Microsoft Cloud App Security alerts', 'Create incidents based on Microsoft Defender Advanced Threat Protection alerts' don't have the option of setting an automated response, what would be the recommended approach for creating incidents when these alerts trigger? We're an MSP and ideally we'd want to create a corresponding ServiceNow incident for every incident (for every customer) created in Sentinel so our techs could work from a single source. Interested in your thoughts.

Occasional Contributor

Very interesting this article. Very detailed and complete.

I was left with a question: When inserting comments on the open ticket in Sentinel, does this information update the ticket in Service Now?

Or when commenting on Service Now, if those comments are posted on Sentinel.

Thank you.

Occasional Contributor

I also have the same doubts about the @Paul Sells


@luizao_lf  indeed currently we don't have incident update trigger (only create ) i worked with some customers that implement pulling solution that scan the incident api and looks for last data modified and sync the changes to the remote ITSM system.


that said, incident update Triger is in our roadmap but i still dont have ETA to share

Occasional Contributor

@Yaniv Shasha 

I'm having a problem and maybe you can help me.

I use alert aggregation to reduce noise. In the informed way, every time an alert is triggered, even if it is added to the already opened incident and does not create a new one in the sentinel, will an incident be created in Servive Now? If so, this way information would be inconsistent, because in the case of 3 alerts grouped in the same incident, it would be 1 incident in Sentinel and 3 in Service Now.


Another point I realized is that the alerts from Microsoft tools (Defender, MCASb ...) do not allow you to link the playbook for opening tickets in Service Now. Do you have any workaround for this situation?

Senior Member

Hi @Yaniv Shasha  


Interested to know if there are there any plans to update this guide to reflect the changes to connector functionality, specifically Add Comment to Incident (V2) which has now been depreciated and replaced with Add Comment to Incident (Preview) which uses Incident ARM ID to retrieve the incident to update where previously, you had to supply 4 fields in order to identify the incident to update.





Occasional Visitor

I have not seen any detail has to how Azure is creating the Incidents in ServiceNow ? Is there a Sentinel specific Plugin for ServiceNow that is used as the bridge or is it using native SN API directly to the security incident table? or Microsoft Graph API deployed on the ServiceNow side at which point it retrieves specific alerts and then created the SIR accordingly or ?



Hello Experts,

Somehow this logic app code doesn't allow me to use different Closure or Classification codes to have more clarity on why the incident on Azure sentinel was closed.

Only if I keep the classification as "Undetermined" it works other it won't.

Anyone facing the same issue. If yes, What could be the resolution?

New Contributor



that said, incident update Triger is in our roadmap but i still dont have ETA to share


@Yaniv Shasha any update on the ETA of an incident update trigger?


Microsoft Team,


Do we have an ETA for the incident update trigger?



Pavan K

Occasional Contributor

@pavankemi Microsoft told me today but I'm not seeing it yet, unless that's US time and it's still to come. I'm GMT. I feel that it's imminent...


Version history
Last update:
‎Nov 02 2021 06:10 PM
Updated by: