Sentinel Alert Enrichment

Project-Agent-trust-merge / library/workflows/sentinel-alert-enrichment/README.md

Ingests Microsoft Sentinel incidents, enriches them with CrowdStrike host data, and creates ServiceNow tickets with full context for the SOC team.

Maturity: L3+ (Enforced and up)  ·  See the 5-level maturity model for where this workflow fits in your program.

Time Saved

~20 minutes per alert of manual enrichment and ticket creation.

Connectors

| Connector | Operations | Risk Level |
|-----------|-----------|------------|
| Sentinel | incidents:read | Low — read-only |
| CrowdStrike | hosts:read | Low — read-only |
| ServiceNow | incidents:create | Low — creates tickets only |

How It Works

  1. Query Sentinel for new or updated incidents.
  2. Extract host identifiers from the incident entities.
  3. Look up each host in CrowdStrike for OS, status, last seen, and detections.
  4. Create a ServiceNow incident with combined Sentinel and CrowdStrike context.
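
The four steps above as an added Python example (not the workflow's or the project's own code): the Sentinel entity shape (kind / properties.hostName) follows the Sentinel REST API, while the CrowdStrike host fields, the ServiceNow fields and all sample data are constructed assumptions. It also covers two cases an analyst will meet in practice: duplicate Host entities for one machine, and a host CrowdStrike has never seen.

```python
# Added example, not the workflow's own code. Entity shape follows the Sentinel
# REST API; CrowdStrike and ServiceNow field names are assumptions and every
# value below is constructed sample data.

SAMPLE_INCIDENT = {  # constructed Sentinel incident
    "name": "inc-0001",
    "properties": {"severity": "High", "status": "New",
                   "title": "Suspicious PowerShell on workstation"},
    "entities": [
        {"kind": "Host", "properties": {"hostName": "WS-042"}},
        {"kind": "Account", "properties": {"accountName": "jdoe"}},
        {"kind": "Host", "properties": {"hostName": "ws-042"}},        # same host, other case
        {"kind": "Host", "properties": {"friendlyName": "unnamed"}},   # no hostName at all
        {"kind": "Host", "properties": {"hostName": "SRV-DB-07"}},
    ],
}

CS_HOSTS = {  # constructed stand-in for the read-only CrowdStrike hosts:read lookup
    "ws-042": {"device_id": "abc123", "platform_name": "Windows", "os_version": "Windows 11",
               "status": "normal", "last_seen": "2024-05-01T10:02:00Z", "detections": 2},
}

SEVERITY_TO_URGENCY = {"High": 1, "Medium": 2, "Low": 3, "Informational": 3}

def extract_hosts(incident):
    """Step 2: unique, case-folded host names; Host entities without hostName are skipped."""
    hosts = []
    for ent in incident.get("entities", []):
        name = ent.get("properties", {}).get("hostName") if ent.get("kind") == "Host" else None
        if name and name.lower() not in hosts:
            hosts.append(name.lower())
    return hosts

def enrich(hosts, lookup=CS_HOSTS):
    """Step 3: hosts missing from CrowdStrike are flagged for the analyst, not dropped."""
    return {h: lookup.get(h, {"status": "NOT FOUND IN CROWDSTRIKE"}) for h in hosts}

def build_ticket(incident, enriched):
    """Step 4: ServiceNow incident payload with both contexts; the workflow's only write."""
    props = incident["properties"]
    lines = [f"Sentinel incident {incident['name']} ({props['severity']}/{props['status']})"]
    for host, data in enriched.items():
        lines.append(f"- {host}: " + ", ".join(f"{k}={v}" for k, v in data.items()))
    return {"short_description": f"[Sentinel] {props['title']}",
            "description": "\n".join(lines),
            "urgency": SEVERITY_TO_URGENCY.get(props["severity"], 3),
            "correlation_id": incident["name"]}
```

Run as `build_ticket(SAMPLE_INCIDENT, enrich(extract_hosts(SAMPLE_INCIDENT)))`; the returned dict is the body that would be posted to the ServiceNow incident table.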

ARX Governance

Risk Classification

  • incidents:read (Sentinel) — Low. Read-only query.
  • hosts:read (CrowdStrike) — Low. Read-only enrichment lookup.
  • incidents:create (ServiceNow) — Low. Creates informational tickets.

HITL Gate Configuration

  • No HITL gate required. All operations are read-only or create informational records.

Policy Rules

  • incidents:read → permit — automated, no approval needed.
  • hosts:read → permit — automated, no approval needed.
  • incidents:create → permit — non-destructive ticket creation.

Audit Trail

  • Sentinel incident ID, severity, and status.
  • CrowdStrike host IDs and enrichment data retrieved.
  • ServiceNow ticket number and creation timestamp.
  • Full event log written to arx.audit_log.

> See arx.yaml for the full governance configuration.

Setup Instructions

  1. Configure Sentinel, CrowdStrike, and ServiceNow connectors.
  2. Set environment variables:
     • SENTINEL_TENANT_ID, SENTINEL_CLIENT_ID, SENTINEL_CLIENT_SECRET
     • SENTINEL_WORKSPACE_ID
     • CS_CLIENT_ID, CS_CLIENT_SECRET
     • SNOW_INSTANCE, SNOW_USERNAME, SNOW_PASSWORD
  3. Deploy with arx deploy sentinel-alert-enrichment.

Schedule

Runs every 5 minutes.