Automating Azure ITSM Connector with Service Now

As part of Azure Monitor, Microsoft has built an integration with different ITSM systems as part of something called ITSM Connector. There are four main systems that are supported as of now.

  • ServiceNow
  • System Center Service Manager
  • Provance
  • Cherwell

Microsoft has also built a new integration for Secure Export (Azure Monitor ITSM Connector for ServiceNow ITOM with Secure Export | Azure updates | Microsoft Azure) but this is specifically for ServiceNow and BMC. This new integration uses Webhooks and Azure AD-based authentication to the ITSM tool instead of using a local username and password to the ITSM tool to provide a more secure authentication mechanism.

Diagram that shows how the ITSM tool communicates with Azure A D, Azure alerts, and an action group.

The ITSM connector is currently an add-on solution to Log Analytics. Which then has an integration that plugs into Service Now to provide automated alert rules to Service Now.

Now the setup of the Log Analytics solution is pretty straightforward if you deploy using the UI, which can be seen here –> IT Service Management Connector in Log Analytics – Azure Monitor | Microsoft Docs

However, if you want to deploy this integration using Terraform well then, I needed to do some investigation to put the final pieces together. When you are setting up this ITSM connector you also need to link it to an Action Group as well to provide the incident creation.

These are the parts that you need to configure

  • Setting up Log Analytics
  • Add ITSM Connector Solution
  • Add ITSM Connector integration (needs to be configured using the UI)
  • Create Action Groups
  • Create Alert Rules based upon Log Analytics Queries or Events.

As of now the only thing that we need to define using the UI is the ITSM Connector (also mentioned in the documentation as well) the rest of this guide is only for when you need to set up Log Analytics solution and the connector with alerting rules using Terraform

1: Setup Log Analytics (in an resource group)

resource "azurerm_resource_group" "example" {
  name     = "monitoring-resources"
  location = "westeurope"
resource "azurerm_log_analytics_workspace" "examplela" {
  name                = "nvsummit-workspace-demo"
  location            = azurerm_resource_group.example.location
  resource_group_name =
  sku                 = "PerGB2018"

2: Install the ITSM Connector to the existing Log Analytics Workspace

resource "azurerm_log_analytics_solution" "example_la_itsm" {
  solution_name         = "ServiceDesk"
  location              = azurerm_resource_group.example.location
  resource_group_name   =
  workspace_resource_id =
  workspace_name        =
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/ServiceDesk"

3: Setup the ITSM Connector, which needs to be done using the UI. Go into the newly created Log Analytics and under ITSM connection.

4: Setup the Azure Monitor Action Group which links together the Connection_ID (which you get from the previous task) and workspace ID which is the Log Analytics Workspace (also the JSON template for setting up the Ticket Configuration)
resource "azurerm_monitor_action_group" "exampleag" {
  name                = " itsm_action_group"
  resource_group_name =
  short_name          = "ITSMAG"
  itsm_receiver {
    name                 = "createorupdateticket"
    workspace_id         = "workspace_id"
    connection_id        = "connection_id"
    ticket_configuration = "{\"PayloadRevision\":1,\"WorkItemType\":\"Incident\",\"UseTemplate\":false,\"WorkItemData\":\"{\\\"u_template_applied\\\":\\\"OMS Incident\\\"}\",\"CreateOneWIPerCI\":false,\"CreateOneWIPerLog\":false}"
    region               = "westeurope"

5: Once the Action Group is in place, we can create monitoring rules based upon Log Analytics Kusto Queries, which then references the action that is created. Note: that the kusto query here is just an example to showcase how to set up the integration and is a bad example of a monitoring rule.

data "azurerm_monitor_action_group" "exampleag" {
  resource_group_name =
  name                =
resource "azurerm_monitor_scheduled_query_rules_alert" "qrules" {
  name                = "awesomerule1"
  location            = azurerm_resource_group.example2.location
  resource_group_name =
  action {
    action_group = []
  data_source_id =
  description    = "Alert when caller IP from known source"
  enabled        = true
  # Count all requests with server error result code grouped into 5-minute bins
  query       = <<-QUERY
| where TimeGenerated > ago(24h) 
| where CallerIpAddress == ""
  severity    = 1
  frequency   = 5
  time_window = 30
  trigger {
    operator = "GreaterThan"
    threshold = 3

Using this approach, you can easily automate monitoring rules with Terraform which will then automatically create an incident in Service Now.



Leave a Reply

Scroll to Top