You can view the differences between Microsoft Azure Sentinel and Microsoft Graph Security API integrations and choose the right integration with your ServiceNow AI Platform instance.

Microsoft Azure Sentinel - Incident Ingestion overview

Microsoft Azure Sentinel is a cloud-based security information event management (SIEM) and security orchestration automated response (SOAR) solution. Microsoft Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Microsoft Graph Security API overview

The Microsoft Graph Security API is an intermediary service (or broker) that provides a single programmatic interface for connecting multiple security providers (Native to Microsoft as well as ServiceNow Partners).

The Microsoft Graph Security API integration addresses these issues by using the Microsoft Graph Security API to connect with different Microsoft security technologies like Azure Sentinel, Microsoft Defender Advanced Threat Protection, and Azure Advanced Threat Protection. Alerts from Microsoft Security providers are ingested and security incidents are automatically created in Security Incident Response.

Summary of feature differences

A visual comparision of Azure Sentinel and Graph API

Table 1. Microsoft Azure Sentinel vs Microsoft Graph Security API
Microsoft Azure SentinelMicrosoft Graph Security API
Ingests Microsoft Azure Sentinel incidents along with entity information (when available) and automates security incident creation in SIR. Ingests alerts from multiple Security providers (including Azure Sentinel) in a standard schema and automates security incident creation in SIR.
Automates Microsoft Azure Sentinel incident status updates for Security Incident Response so that you can create and close security incidents.
Note: ServiceNow updates the status of Microsoft Azure Sentinel incidents based on the security incident creation or closure.
 Supports alert updates (alert status change and alert closure) for selected security providers.
Note: For more information on the Microsoft Graph Security API supported security providers, view the Microsoft documentation.
Use this integration if your scenario includes the following conditions:
  • Preliminary incident investigation is in Microsoft Azure Sentinel and subsequent investigation is in SIR
  • Ingest Microsoft Azure Sentinel incidents to SIR
 Use this integration if your scenario includes the following conditions:
  • Perform incident investigation in SIR.
  • Ingest Microsoft Azure Sentinel alerts in SIR.
  • Incidents are not created in Microsoft Azure Sentinel.
Alert is an entity in Microsoft Azure Sentinel. You cannot retrieve standalone or specific alerts using the Microsoft Azure Sentinel Management API. You can only retrieve the alert data associated with an incident. The alert data available using this integration is richer than the alert data available using the Microsoft Graph Security API. The Microsoft Azure Sentinel normalized alert data is available. The Microsoft Azure Sentinel alert fields that are mapped internally in Microsoft Graph Security API, and are available in Microsoft Graph Security API, are available for use in this integration.
You cannot update alerts in Microsoft Azure Sentinel using this integration.