Comparing Microsoft Azure Sentinel and Microsoft Graph Security API integrations with SIR

  • Release version: Washingtondc
  • Updated February 1, 2024

    You can view the differences between Microsoft Azure Sentinel and Microsoft Graph Security API integrations and choose the right integration with your ServiceNow AI Platform instance.

    Microsoft Azure Sentinel - Incident Ingestion overview

    Microsoft Azure Sentinel is a cloud-based security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

    Microsoft Graph Security API overview

    The Microsoft Graph Security API is an intermediary service (or broker) that provides a single programmatic interface for connecting multiple security providers (native to Microsoft as well as from ServiceNow partners).

    The Microsoft Graph Security API integration uses the Microsoft Graph Security API to connect with different Microsoft security technologies such as Azure Sentinel, Microsoft Defender Advanced Threat Protection, and Azure Advanced Threat Protection. Alerts from Microsoft security providers are ingested, and security incidents are automatically created in Security Incident Response.

    Summary of feature differences

    A visual comparison of Azure Sentinel and Graph API

    Table 1. Microsoft Azure Sentinel vs Microsoft Graph Security API

    Ingestion
    • Microsoft Azure Sentinel: Ingests Microsoft Azure Sentinel incidents along with entity information (when available) and automates security incident creation in SIR.
    • Microsoft Graph Security API: Ingests alerts from multiple security providers (including Azure Sentinel) in a standard schema and automates security incident creation in SIR.

    Status updates
    • Microsoft Azure Sentinel: Automates Microsoft Azure Sentinel incident status updates for Security Incident Response so that you can create and close security incidents.
      Note: ServiceNow updates the status of Microsoft Azure Sentinel incidents based on the security incident creation or closure.
    • Microsoft Graph Security API: Supports alert updates (alert status change and alert closure) for selected security providers.
      Note: For more information on the Microsoft Graph Security API supported security providers, view the Microsoft documentation.

    When to use
    • Microsoft Azure Sentinel: Use this integration if your scenario includes the following conditions:
      • Preliminary incident investigation is in Microsoft Azure Sentinel and subsequent investigation is in SIR.
      • Ingest Microsoft Azure Sentinel incidents to SIR.
    • Microsoft Graph Security API: Use this integration if your scenario includes the following conditions:
      • Perform incident investigation in SIR.
      • Ingest Microsoft Azure Sentinel alerts in SIR.
      • Incidents are not created in Microsoft Azure Sentinel.

    Alert data
    • Microsoft Azure Sentinel: Alert is an entity in Microsoft Azure Sentinel. You cannot retrieve standalone or specific alerts using the Microsoft Azure Sentinel Management API; you can only retrieve the alert data associated with an incident. The alert data available using this integration is richer than the alert data available using the Microsoft Graph Security API.
    • Microsoft Graph Security API: The Microsoft Azure Sentinel normalized alert data is available. The Microsoft Azure Sentinel alert fields that are mapped internally in Microsoft Graph Security API, and are available in Microsoft Graph Security API, are available for use in this integration. You cannot update alerts in Microsoft Azure Sentinel using this integration.