SIR form after an incident ingestion
After the ServiceNow AI Platform ingests the Microsoft Azure Sentinel incident, a security incident is created, and updates are made to that security incident record.
Microsoft has extended the deprecation of the Azure Sentinel experience in the Azure portal from March 2026 to March 2027.
If you are currently using the Azure Sentinel integration with Security Incident Response (SIR), we strongly recommend migrating to the new Defender portal integration as soon as possible. The Defender integration includes a built-in migration utility that automatically converts your existing Sentinel profiles into Defender profiles, while ensuring continuity of incidents created through Sentinel after the transition. For more information, see the Microsoft Sentinel to Defender Migration Guide.
Work notes
A work note is posted when an incident is aggregated, provided that you have configured the Log work note for new incident option in the Incident Aggregation Criteria. The following example shows the work notes in SIR.
When you click the incident number, you can view the internal incident import record that contains the raw incident data. The following example shows the raw incident data in SIR.
When you click the Click here link, you can view the record in the Microsoft Azure Sentinel environment. The following example shows the record in the Microsoft Azure Sentinel environment.
Aggregated Sentinel Incidents
View Aggregated Sentinel Incidents: View the incidents that are aggregated to the security incident. Navigate to .
Create security incident: Select an incident from the list, click the Actions menu, and then click Create security incident. This option creates a new security incident for the selected incident and de-aggregates it from the parent security incident.
Azure Sentinel Alerts
To view the alerts that are associated with the Sentinel Incident that triggered the security incident, navigate to .