sudiptachow
ServiceNow Employee

We are excited to announce the general availability of the Microsoft Defender Incident ingestion integration with ServiceNow Security Incident Response (SIR). This integration brings unified, bi-directional alert and incident synchronization between Microsoft's modern security operations hub and SIR, enabling your SOC to work faster without context-switching between platforms. You can find the integration in the store here.

 

Alongside this launch, we are also releasing a migration utility to help existing customers who have integrated Microsoft Sentinel on the Azure Portal with SIR move to this new Defender Portal integration with minimal disruption.

 

Why should you migrate?

Microsoft extended the original July 2026 deadline to March 31, 2027, based on customer feedback, giving organizations additional runway. However, Microsoft has made clear that all new capabilities are being delivered exclusively in the Defender Portal.

 

How does the migration utility help?

To ease the transition for our existing customers, we have built a migration utility, which is available after you install the Microsoft Defender Incident ingestion integration app. The utility handles the most complex parts of the migration for you:

  1. Pre-migration assessment to validate the transition of your Microsoft Sentinel environment to the Defender portal
  2. Profile migration from your Sentinel integration to the newly authenticated Defender portal integration
  3. Incident mapping, which helps identify active Sentinel incidents associated with the migrated profile and prepares corresponding mappings with the Defender incidents to ensure continuity with any update on those incidents

We have published a detailed KB article which you can access here.

 

If you have any issues or need more information, please contact our support team or reach out to your account team; we'll be happy to help.
