Microsoft Azure Sentinel is a cloud-based Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. You can use the Microsoft Azure Sentinel integration to ingest Azure Sentinel incidents and automatically create security incidents in Security Incident Response (SIR).

Request apps on the Store

Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

Overview

See the following diagram to learn how Microsoft Azure Sentinel integrates with the ServiceNow AI Platform Security Operations applications.

Figure: How Azure Sentinel integrates with the Now Platform.

Key features

This integration provides the following key features:
  • Discover Microsoft Azure Sentinel incidents that are candidates for security incidents and automate the creation of these security incidents.
  • Map Microsoft Azure Sentinel incident and entity fields to SIR security incident fields.
  • Filter Microsoft Azure Sentinel incidents.
  • Aggregate new Microsoft Azure Sentinel incidents into existing open security incidents so that duplicate security incidents are not created.
  • Automatically update the status of Microsoft Azure Sentinel incidents when security incidents are created or closed in Security Incident Response.
    Note: When a security incident is created or closed, ServiceNow updates the status of the corresponding Microsoft Azure Sentinel incident. The update also adds a comment to the Azure Sentinel incident, both for newly created security incidents and for incidents that were aggregated into an existing one.
  • Schedule incident ingestion to create security incidents periodically.
  • Synchronize Microsoft Azure Sentinel incident comments with SIR Work notes.
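The following is an added example that models the flow described by the feature list above: filter incoming Sentinel incidents by severity, map their fields to a security incident record, aggregate duplicates into an open security incident instead of creating a new one, and collect the status and comment updates that are sent back to Sentinel on creation and closure. It is illustrative code, not the ServiceNow integration's own code or API. The SIR field names (`short_description`, `correlation_id`, `affected_user`, and so on), the severity mapping, the aggregation key (same title and same entity set), and the Sentinel status values written back are assumptions; the sample incidents are constructed in the general shape of Azure Sentinel incident resources, with related entities embedded for convenience.

```python
"""Illustrative Sentinel -> SIR ingestion model (added example, not the
integration's code). SIR field names, status values and the aggregation
rule are assumptions chosen for the example."""
import itertools

# Sentinel severity order used by the filter step.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# Assumed mapping from Sentinel severity to an SIR severity choice (1 = highest).
SIR_SEVERITY = {"High": 1, "Medium": 2, "Low": 3, "Informational": 3}
_sir_numbers = itertools.count(10001)

# Constructed sample records. In Sentinel, "name" is the incident GUID and the
# details sit under "properties"; related entities are fetched separately, but
# are embedded here so the example runs offline.
SAMPLE_SENTINEL_INCIDENTS = [
    {"name": "sentinel-101",
     "properties": {"title": "Suspicious sign-in from unfamiliar location", "severity": "High",
                    "status": "New", "incidentNumber": 101,
                    "description": "Sign-in from a new country for this account."},
     "relatedEntities": [{"kind": "Account", "properties": {"accountName": "jdoe"}},
                         {"kind": "Ip", "properties": {"address": "203.0.113.7"}}]},
    {"name": "sentinel-102",
     "properties": {"title": "Suspicious sign-in from unfamiliar location", "severity": "Medium",
                    "status": "New", "incidentNumber": 102,
                    "description": "Second alert for the same account and source address."},
     "relatedEntities": [{"kind": "Ip", "properties": {"address": "203.0.113.7"}},
                         {"kind": "Account", "properties": {"accountName": "jdoe"}}]},
    {"name": "sentinel-103",
     "properties": {"title": "Mass download from SharePoint", "severity": "Low",
                    "status": "New", "incidentNumber": 103,
                    "description": "Unusual download volume."},
     "relatedEntities": [{"kind": "Account", "properties": {"accountName": "asmith"}}]},
]


def entity_values(incident):
    """Flatten related entities to sorted (kind, value) pairs so that entity
    order does not affect aggregation."""
    pairs = []
    for ent in incident.get("relatedEntities", []):
        props = ent["properties"]
        value = props.get("accountName") or props.get("address") or props.get("hostName") or ""
        pairs.append((ent["kind"], value))
    return sorted(pairs)


def passes_filter(incident, min_severity="Medium"):
    """Filter step: only incidents at or above the configured severity are ingested."""
    return SEVERITY_RANK[incident["properties"]["severity"]] >= SEVERITY_RANK[min_severity]


def aggregation_key(incident):
    """Assumed aggregation rule: same title and same entity set."""
    return (incident["properties"]["title"], tuple(entity_values(incident)))


def map_to_sir(incident):
    """Field-mapping step: Sentinel incident/entity fields -> assumed SIR fields."""
    p = incident["properties"]
    account = next((v for k, v in entity_values(incident) if k == "Account"), None)
    return {"number": f"SIR{next(_sir_numbers)}", "short_description": p["title"],
            "description": p.get("description", ""), "severity": SIR_SEVERITY[p["severity"]],
            "correlation_id": incident["name"], "affected_user": account, "state": "open",
            "work_notes": [], "sentinel_ids": [incident["name"]],
            "aggregation_key": aggregation_key(incident)}


def ingest(incidents, open_incidents, min_severity="Medium"):
    """One scheduled ingestion run. Returns (created, aggregated, sentinel_updates)."""
    by_key = {s["aggregation_key"]: s for s in open_incidents if s["state"] == "open"}
    created, aggregated, updates = [], [], []
    for inc in incidents:
        if not passes_filter(inc, min_severity):
            continue
        key, num = aggregation_key(inc), inc["properties"]["incidentNumber"]
        if key in by_key:  # aggregate instead of creating a duplicate
            sir = by_key[key]
            sir["work_notes"].append(f"Aggregated Sentinel incident #{num} ({inc['name']})")
            sir["sentinel_ids"].append(inc["name"])
            aggregated.append(sir)
            comment = f"Aggregated into security incident {sir['number']}"
        else:
            sir = map_to_sir(inc)
            by_key[key] = sir
            created.append(sir)
            comment = f"Security incident {sir['number']} created"
        # Status written back to Sentinel; "Active" is an assumed target status.
        updates.append({"name": inc["name"], "status": "Active", "comment": comment})
    return created, aggregated, updates


def close_security_incident(sir, resolution_note):
    """Closure step: close the SIR record and emit one Sentinel update per
    aggregated Sentinel incident so none of them is left open."""
    sir["state"] = "closed"
    return [{"name": sid, "status": "Closed", "comment": resolution_note}
            for sid in sir["sentinel_ids"]]
```

Running `ingest(SAMPLE_SENTINEL_INCIDENTS, [])` creates one security incident for incident 101, aggregates incident 102 into it (same title and entities, despite a different entity order), and drops incident 103 because it is below the Medium threshold; closing that security incident then produces a "Closed" update for both aggregated Sentinel incidents. Lowering `min_severity` to "Low" creates a second security incident for 103 instead.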

Learn about this integration

Document identifier                          Document title
Microsoft product documentation website      Microsoft Product Documentation website
ServiceNow product documentation website     ServiceNow Product Documentation website