Hey there,

It sounds like you already have explored the SecOps Field Translation for Azure Sentinel and SIR.

One observation here, if there is only one User value from the alert, you can certainly lookup the user record and set the singular [Affected User] field on the target SIR record.

However, when there are multiple users -> the SIR.[Affected User] field is a reference field, meaning it can only reference a single user.

There is a table that stores the relationship, between the SIR record and the "Affected Users" -> you can view this on the related lists, on Security Incidents.

In your Field Translation, you would have to continue with the logic you have above, but your end goal is to insert a record on the [sn_si_m2m_task_affected_user] table.   

• In this table, each record has both, a reference to the Security Incident (sn_si_incident) and the User (sys_user) tables
• Your end goal, is to insert a record here, for the SIR and for each User that you have 
• Then, when you view a Security Incident > scroll to related lists > you will see all the related/affected users

Depending on your ServiceNow admin skills - you might approach this by creating a new Script Include to store all of your Azure Sentinel lookup logic, in different functions. 

• This way, you have one central spot to store your functions for things like looking up CMDB CI values, stripping off data from certain string fields to clean them up and begin your lookups, looking up Users in the [sys_user] table, checking if Multiple Users are coming in the upstream alerts, and setting the values on the M2M table for that Security Incident, etc.
• Your Field Translation, would call the relevant function in your Script Include 
• Your Script Include could then either return a value (e.g. such as setting the SIR Affected User) or take care of inserting/updating records, such as in the M2M (many-to-many) case for handling multiple Users on a Security Incident 

The function below, takes an array of user values, and the target SIR record Sys_ID as an input.

• It calls another function to some massaging/parsing (e.g. checking by email if the alert has email, user ID if the alert has ID, etc) - that function returns the sys_id, of the User record in ServiceNow
• It performs an initial check to ensure the user is not already associated to the SIR, and if they are not, it creates an entry in the [sn_si_m2m_task_affected_user] table
• This is just to help ideate how you can approach this similarly in your Field Translation

 //Handle mapping users in various formatting 
 mapMultiUser: function(userArr, targetRecord) {
    for (var i = 0; i < userArr.length; i++) {
        // Check if object is valid and not empty due to string cutoff with comma at end
        if (userArr[i]) {
            var userSysID = this._locateUser(userArr[i]);
            // Check if found user already linked to SIR record, if not then add association
            if (userSysID) {
                var grTaskUser = new GlideRecord('sn_si_m2m_task_affected_user');
                grTaskUser.addQuery('user', userSysID);
                grTaskUser.addQuery('task', targetRecord.sys_id);
                grTaskUser.setLimit(1);
                grTaskUser.query();
                if (!grTaskUser.next()) {
                    var grInsertTaskUser = new GlideRecord('sn_si_m2m_task_affected_user');
                    grInsertTaskUser.initialize();
                    grInsertTaskUser.setValue('user', userSysID);
                    grInsertTaskUser.setValue('task', targetRecord.sys_id);
                    grInsertTaskUser.insert();
                }
            }
        }
    }
},