Requesting optimal profile for Microsoft Azure Sentinel Incident Ingestion Integration store app

Kevin15
Tera Contributor

My company has been using the store app "Microsoft Azure Sentinel Incident Ingestion Integration For Security Operations" to automatically ingest new incidents from Microsoft's Sentinel (SIEM) solution into our ServiceNow SecOps add-on. The store app works fine and imports the new incidents into the [sn_si_incident] table as SIR records. However, the records do not always contain all the information required for analysis, so we have to fall back to Sentinel for any details.


My current setup uses an Azure Sentinel Incident profile for each product from which Sentinel can pull data through the data connectors (see the screenshot) and one for the self-created analytics rules in Sentinel itself. We use multiple profiles because each connected product can use different Entity fields. I think we would miss data if we only used one profile, but I might be wrong.


I'm sure there is room for improvement and would like to know if the community has any tips or advice on how to create the most optimal profile for importing and enriching the SIR records created in ServiceNow, including things that might not be available out-of-the-box but could be built in a scoped app.


5 REPLIES

priya_12
Kilo Contributor

@Kevin15 @Martin Dewit - Can you please provide a screenshot of the Sentinel SIR field mappings?