Create an incident profile

  • Release version: Yokohama
  • Updated January 5, 2026
  • 1 minute to read

    • Determine the Microsoft Defender incidents that are suitable for creating security incidents by creating an incident profile in your ServiceNow AI Platform® instance.

    Before you begin

    Role required: sn_si.admin, sn_si.ingestion_profile_admin

    Procedure

    1. Navigate to All > Microsoft Defender Integration > Defender Incident Profiles.
    2. Select New to create a new profile.
    3. On the form, fill in the fields.
      Table 1. Defender Profile form
      Field Description
      Name

      Name of the profile.

      This name is also the default name for the security tag associated with this profile.
      Active

      Option to make the profile active.

      When a profile is active, the ServiceNow AI Platform® actively polls incidents and corresponding security incidents are created in Microsoft ServiceNow AI Platform® when the filtering conditions are matched.
      Source Microsoft tenant that you configured to ingest incidents. If you have multiple tenants configured, select the appropriate tenant for the incident types you are planning to ingest for the profile.
      Order Priority in which the profiles are executed when two or more profiles share triggering conditions. Priority values are provided as 100 (the default value), 200, 300, and so on.

      The profile with the lowest number has the highest priority.
      Description Optional description of the profile.

      Create an incident profile

    4. Select Continue.

      The initial incident profile is created with basic information. Saving the profile at this point enables you to continue with defining the profile in case you’re interrupted.

    5. Optional: Continue with the profile definition process immediately.
      1. Select the profile you created.
      2. Select Mapping in the progress bar.

    What to do next

    Map incident fields