The Microsoft Graph Security API alert ingestion integration has a bi-directional interface that allows for both alerts to create security incidents, as well as an ability to update the alerts once the security incident is created and/or closed with relevant incident details such as SIR incident number, assignment group, SIR incident URL, and so on. This section is the final portion of the profile configuration set-up that provides optional capabilities to update the alerts.

Before you begin

Role required: sn_si.admin
Note: The initial and closure alert statuses are updated only if this functionality is supported by the service provider. For details, see the Microsoft Graph Security API documentation and the security provider documentation.

Procedure

  1. If the Additional Options page on the progress bar is not displayed, select Additional Options.
  2. Follow the instructions below to complete the configuration for updating alerts when the security incident is created.
    Option or FieldDescription
    Update alerts upon SIR Incident Creation Select this option if you want to update the alert status and add additional comments when a security incident is created from the alert. This can occur for both the initial triggering alerts that create the security incident, as well as aggregated alerts.
    Initial Alert Status Update Select an initial alert status from the list. This status will be set for all alerts when a security incident is created for an ingested alert. This includes alerts that create new incidents and alerts that are ingested and aggregated to an existing open incident.
    Note: Based on the alert status selected here, the alert status used by the security providers will be correspondingly updated.
    Initial Comments posted back to Alert Based on the stage you have selected, default comments are displayed. You can modify the default text and use the ${field name}$ format to add or modify any fields available in the security incident form.
    Close out alerts upon SIR Incident Closure Select this option if you want to use the automated alert closure option. This can occur for both the initial triggering alerts that create the security incident, as well as aggregated alerts. Alert status will be updated in the security provider with the status and closure comments after SIR incident is closed in the ServiceNow AI Platform.
    Closure Alert Status Update Select an alert status from the list. Select the status value to be set for all alerts when a security incident is closed for an ingested alert.
    Closure Comments Posted back to Alert The default closure comments are displayed here. You can edit the default text and use the ${field name}$ format to add or modify any fields available in the security incident form.
  3. Click Finish to complete the configuration and move the profile to the Waiting state.
    A confirmation dialog is displayed. You have successfully completed the setup and configuration for the integration. Activate this profile to pull alerts from the Microsoft Azure tenant based on your scheduling. A maximum of 1000 security incidents can be created within a 24 hour period.