Cohesity Create or Update ServiceNow incident
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook creates and updates the incident in the ServiceNow platform.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | CohesitySecurity |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 4 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 0 |
microsoftsentinel |
Managed | 0 | 1 |
service-now |
Managed | 1 | 0 |
service-now_1 |
Managed | 0 | 3 |
Action parameters (URLs, paths, function IDs)
microsoftsentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Update_incident | put | /Incidents |
— |
service-now_1 (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Create_Record | post | /api/now/v2/table/@{encodeURIComponent('incident')} |
— |
| Update_Record_-_Incident_closed | put | /api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))} |
— |
| Update_Record_-_incident_not_closed | put | /api/now/v2/table/@{encodeURIComponent('incident')}/@{encodeURIComponent(variables('SNOW System ID'))} |
— |
Additional Documentation
📄 Source: Cohesity_CreateOrUpdate_ServiceNow_Incident/readme.md
Summary
This playbook creates a ticket on ServiceNow's Now Platform. It can be also used for updating the ServiceNow ticket or closing it. For example, an automation rule can be created to close the ServiceNow ticket by running this playbook when the corresponding Sentinel ticket is closed.
Prerequisites
- Create an account on ServiceNow's Now Platform.
Deployment instructions
- Click on the "Deploy to Azure" button to deploy the playbook. This step directs you to deploy an ARM Template wizard.
- Fill in the required parameters:
- Playbook Name: Enter the playbook name here.
Post-Deployment instructions
- Make sure the user that runs the playbook has the role Microsoft Sentinel Playbook Operator assigned. To assign the role,
- Under the Subscriptions tab from the Home page, choose your subscription name.
- Choose the Access Control (IAM) option from the left pane.
- Click on Add > Add Role Assignment and add Microsoft Sentinel Playbook Operator to the user.
- Enter and authorize ServiceNow credentials in the playbook (read more about editing connections here)
- Go to Logic Apps and choose your app (playbook).
- Select Development Tools\API Connections.
- Select a connection you'd like to authorize.
- Click on General\Edit API Connection.
- Enter path to your ServiceNow instance, e.g. dev12345.service-now.com
- Enter username.
- Enter password.
- Click Save.
Note: You can get the credentials at your ServiceNow instance by going to My account\Instance Action\Manage instance password.
Alternatively, you can follow these steps to achieve the same goal. This would be especially useful if the previous steps didn’t work for you.
- Go to Logic Apps.
- Click on the playbook and press Edit.
- Choose ServiceNow block.
- Click on Change Connection.
- Click on the "!" icon to enter ServiceNow credentials or choose a different, previously authorized, connection with the correct credentials.
- Press Save button to save changes in your playbook.
- If it doesn't work, repeat the steps but either choose a different connection or fix possible authorization errors, e.g. wrong user/password or incorrect path to the instance, for the chosen one.
- For the playbook to run, there is a need to assign the Microsoft Sentinel Responder role to the playbook's managed identity.
- Under the Subscriptions tab from the Home page, choose your subscription name.
- Choose the Access Control (IAM) option from the left pane.
- Click on Add > Add Role Assignment and add Microsoft Sentinel Responder managed identity role to the playbook.
- (Recommendation) You can create an automation rule to close the corresponding ServiceNow ticket when the corresponding Sentinel ticket is closed.
- In Microsoft Sentinel | Automation press +Create\Automation Rule.
- Enter an automation rule name of your choice.
- In Trigger choose When incident is updated.
- Set the following conditions using AND rule
- Analytic rule name contains All.
- Tag contains SNOW System ID.
- Status changed to Closed.
- In Actions choose to run this playbook.
- Click Apply.
References
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊