ServiceNow integration with the new built-in Auto-close rules leaves Incidents in Resolved state #13584

@ben-ce

Describe the bug
The ServiceNow - Sentinel bi-directional integration does not pick up the following case:

  • Alert is created "Email reported by user as malware or phish"
  • Incident is created by the Alert
  • Alert is suppressed (state = "Resolved") by newly enabled, built-in "Auto-Resolve - Email reported by user as malware or phish"
  • The Incident is set as "Resolved"
  • ServiceNow integration picks up the Incident and creates the Incident record already resolved
  • Auto investigation still starts as expected
  • If the auto investigation has a result, that changes the Alert state back to "New", the Incident is also changed to "Active"/"New"
  • Some time passes during the investigation and in the meantime the integration property modifiedIncidentsLastSync changes to a new date value
  • The ServiceNow - Sentinel integration does not make the change to the ServiceNow incident

If we modify the modifiedIncidentsLastSync parameter to include the Sentinel Incident change date, we see the left-behind Incidents are synced to ServiceNow.

To Reproduce
Steps to reproduce the behavior:

  1. Have the built-in "Auto-Resolve - Email reported by user as malware or phish" rule enabled (auto enabled on 2026-02-04)
  2. Have the ServiceNow - Sentinel bi-directional integration set up

Expected behavior
All incident records connected by the integration are kept in sync.


Labels: Config issue (Issue is related to a configuration problem.)
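
An added drift check for the symptom reported above (not part of the issue or of the integration's code): it lists Sentinel incidents that are open again while the linked ServiceNow record is still Resolved and whose last change predates the sync watermark, and returns the earliest timestamp that modifiedIncidentsLastSync would have to include for the workaround in the report. The record field names, incident ids and timestamps are constructed, and it assumes the integration only fetches incidents modified after the watermark.

```python
from datetime import datetime

# State names as written in the report; plain strings here (assumption).
OPEN_STATES = {"New", "Active"}

def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_left_behind(sentinel_incidents, snow_records, last_sync):
    """Sentinel incidents that are open again while the linked ServiceNow
    record is still Resolved, and whose last change is older than the
    watermark, so a sync that only looks forward will not pick them up."""
    watermark = parse_utc(last_sync)
    snow_by_id = {r["sentinel_id"]: r for r in snow_records}
    stale = []
    for inc in sentinel_incidents:
        rec = snow_by_id.get(inc["id"])
        if rec is None:
            continue  # never synced at all: a different problem
        reopened = inc["status"] in OPEN_STATES and rec["state"] == "Resolved"
        if reopened and parse_utc(inc["last_modified"]) < watermark:
            stale.append(inc)
    return sorted(stale, key=lambda i: parse_utc(i["last_modified"]))

def rewind_target(stale):
    """Earliest change time among the left-behind incidents, or None."""
    return stale[0]["last_modified"] if stale else None

# Constructed sample data (hypothetical field names and ids).
SENTINEL = [
    {"id": "INC-A", "status": "Active", "last_modified": "2026-02-10T09:20:00Z"},
    {"id": "INC-B", "status": "Resolved", "last_modified": "2026-02-10T09:05:00Z"},
    {"id": "INC-C", "status": "New", "last_modified": "2026-02-10T10:45:00Z"},
    {"id": "INC-D", "status": "New", "last_modified": "2026-02-10T08:50:00Z"},
]
SNOW = [{"sentinel_id": i["id"], "state": "Resolved"} for i in SENTINEL]
LAST_SYNC = "2026-02-10T10:00:00Z"  # constructed modifiedIncidentsLastSync value

if __name__ == "__main__":
    stale = find_left_behind(SENTINEL, SNOW, LAST_SYNC)
    for inc in stale:
        print(inc["id"], inc["status"], inc["last_modified"])
    print("watermark must include:", rewind_target(stale))
```

INC-C is not reported because its change is newer than the watermark, so the next forward-looking sync still covers it.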
