Install and Configure

  • Release version: Australia
  • Updated March 12, 2026
  Install and configure the Microsoft Defender integration from the ServiceNow® Store to control how incidents are retrieved, processed, and converted into security incidents within SIR.

    Before you begin

    Role required: sn_si.admin, sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin because this role inherits the required permissions by default.

    Procedure

    1. Download the Microsoft Defender integration from the ServiceNow® Store and install it.
    2. Navigate to All > Security Operations > Integrations > Integration Configurations.
    3. Search for the Microsoft Defender-Incident Ingestion Configuration tile and select Configure.
    4. On the form, fill in the fields.
      Field: Description

      Name: Name of the Microsoft Defender integration.

      Cloud Environment: Isolated instance of Microsoft Defender cloud services configured to meet specific requirements such as data residency, security, compliance, and regulatory standards.
        Options include: GLOBAL, US-GOV-GCC-HIGH, US-GOV-DOD, CHINA

      Tenant ID: Microsoft Defender Tenant ID.
        Instance from which all the incidents in the Microsoft portal are retrieved.

      Client ID: Client ID of the application registered in the Microsoft portal.
        Roles required in Defender include:
        • SecurityIncident.Read.All
        • SecurityIncident.ReadWrite

      Client Secret: Client secret of your registered application in the Microsoft portal.
    5. Select Submit.
      The configured integration tile displays.
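
A pre-flight check for the values entered in step 4, as an added example (not ServiceNow or Microsoft code): it decodes an app-only access token issued to the registered application and compares its claims with the Tenant ID, Client ID and roles listed above. It assumes the Microsoft Entra claim names `tid`, `appid`/`azp` and `roles`; the function names, GUIDs and sample token are constructed for illustration.

```python
import base64
import json

# Roles this page lists for the registered application.
REQUIRED_ROLES = {"SecurityIncident.Read.All", "SecurityIncident.ReadWrite"}

def decode_claims(token):
    """Return the JWT payload as a dict; the signature is NOT verified."""
    # Inspection only: use on a token you requested yourself, never to authenticate.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token, tenant_id, client_id):
    """Compare token claims with the values entered on the configuration form."""
    claims = decode_claims(token)
    findings = []
    if str(claims.get("tid", "")).lower() != tenant_id.lower():
        findings.append("tenant mismatch")
    # v1 tokens carry the client ID in 'appid', v2 tokens in 'azp'.
    app = str(claims.get("appid") or claims.get("azp") or "")
    if app.lower() != client_id.lower():
        findings.append("client mismatch")
    roles = set(claims.get("roles") or [])
    findings += ["missing role: " + r for r in sorted(REQUIRED_ROLES - roles)]
    # Roles beyond those the page lists deserve review: they widen what a
    # leaked client secret can reach.
    findings += ["extra role: " + r for r in sorted(roles - REQUIRED_ROLES)]
    return findings

def make_sample_token(claims):
    """Build an unsigned, constructed token for the offline demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

# Constructed sample values, not real identifiers.
SAMPLE_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_CLIENT = "22222222-2222-2222-2222-222222222222"
SAMPLE_TOKEN = make_sample_token({
    "tid": SAMPLE_TENANT, "appid": SAMPLE_CLIENT,
    "roles": ["SecurityIncident.Read.All", "User.Read.All"]})

if __name__ == "__main__":
    for finding in audit_token(SAMPLE_TOKEN, SAMPLE_TENANT, SAMPLE_CLIENT):
        print(finding)
```

An empty result means the token matches the form values and carries exactly the listed roles.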

    What to do next

    Create an incident profile