Get started with Microsoft Azure Sentinel integration

  • Release version: Yokohama
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Get started with Microsoft Azure Sentinel integration

    The Microsoft Azure Sentinel integration with ServiceNow enables seamless incident ingestion for the Security Incident Response (SIR) product. It is crucial to transition to the Defender portal integration by March 2027, as Microsoft will deprecate the Azure Sentinel experience in the Azure portal. The Defender portal offers a migration utility for converting existing Sentinel profiles, ensuring continuity of incident management.

    Show full answer Show less

    Key Features

    • Integration Setup: Activate the Microsoft Azure Sentinel - Incident Ingestion plug-in to connect with ServiceNow.
    • Required Roles: Ensure necessary roles such as Microsoft Azure application developer and tenant administrator are assigned for configuration.
    • Configuration Checklist: Follow a specific checklist to assign roles, verify application installations, and register your application in Azure.
    • Security Operations Applications: Install required applications like Security Incident Response and IntegrationHub in a specific order for a smooth setup.

    Key Outcomes

    By successfully integrating Microsoft Azure Sentinel with ServiceNow, you can improve incident management efficiency through automated data ingestion and streamlined processes. Proper role assignments and application configurations will ensure a functional and effective integration, enhancing your security operations capabilities.

    Activate and set up the Microsoft Azure Sentinel - Incident Ingestion for Security Operation plug-in to interface with your ServiceNow AI Platform instance and Security Incident Response product.

    Important:

    Microsoft has extended the deprecation of the Azure Sentinel experience in the Azure portal from March 2026 to March 2027.

    If you are currently using the Azure Sentinel integration with Security Incident Response (SIR), we strongly recommend migrating to the new Defender portal integration (store link of the defender integration) as soon as possible. The Defender integration includes a built-in migration utility that automatically converts your existing Sentinel profiles into Defender profiles, while ensuring continuity of incidents created through Sentinel after the transition. For more information, see XX.

    Before you can use the Microsoft Azure Sentinel integration, you must download it from the ServiceNow Store.

    Role required: Microsoft Azure application developer, Microsoft Azure tenant administrator.

    Review the following setup checklist and verify that you’ve completed all the tasks for a smooth integration.
    Table 1. Checklist
    Setup task Description
    Assign and verify the required ServiceNow AI Platform and Security Incident Response roles. The following roles are required for configuration and verification of the expected results:
    • The admin role installs the integration from the ServiceNow Store and assigns the sn_si.ingestion_profile_admin role.
    • The sn_si.ingestion_profile_admin role performs the following tasks:
      • Configures the integration.
      • Creates incident profiles.
      • Maps the Microsoft Azure Sentinel incident data fields to the security incident fields.
      • Schedules on-going incident ingestion.
      • Enables incident updates when a Security Incident Response incident is created or closed.
      • Assigns the security incident analyst (sn_si.analyst) role.
    Assign the Microsoft Azure required roles. The following roles are required in Microsoft Azure to register and configure your application:
    • Application developer for registering the application.
    • Tenant administrator for giving permissions to the application by calling the admin consent endpoint.
    Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.

    The ServiceNow Integration Hub Starter Pack Installer [com.glide.hub.integrations] plugin is required.

    The Security Incident Response plugin (com.snc.security_incident) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications that are required by the integration.

    Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If these applications aren’t already installed, you must install, and activate each application one at a time in the following order to ensure a smooth installation:

    1. Security Incident Response
    2. Security Incident Response UI
    3. ServiceNow IntegrationHub Runtime (com.glide.hub.integration.runtime)
    4. ServiceNow IntegrationHub Action Step - REST (com.glide.hub.action_step.rest)
    Register and configure your application in the Microsoft Azure portal. Register your application in the Microsoft Azure portal and grant your users with read and write access to the application.