Activate and set up the Microsoft Azure Sentinel - Incident Ingestion for Security Operation plug-in to interface with your ServiceNow AI Platform instance and Security Incident Response product.

Before you can use the Microsoft Azure Sentinel integration, you must download it from the ServiceNow Store.

Role required: Microsoft Azure application developer, Microsoft Azure tenant administrator.

Review the following setup checklist and verify that you’ve completed all the tasks for a smooth integration.
Table 1. Checklist
Setup task Description
Assign and verify the required ServiceNow AI Platform and Security Incident Response roles. The following roles are required for configuration and verification of the expected results:
  • The admin role installs the integration from the ServiceNow Store and assigns the sn_si.ingestion_profile_admin role.
  • The sn_si.ingestion_profile_admin role performs the following tasks:
    • Configures the integration.
    • Creates incident profiles.
    • Maps the Microsoft Azure Sentinel incident data fields to the security incident fields.
    • Schedules on-going incident ingestion.
    • Enables incident updates when a Security Incident Response incident is created or closed.
    • Assigns the security incident analyst (sn_si.analyst) role.
Assign the Microsoft Azure required roles. The following roles are required in Microsoft Azure to register and configure your application:
  • Application developer for registering the application.
  • Tenant administrator for giving permissions to the application by calling the admin consent endpoint.
Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.

The ServiceNow Integration Hub Starter Pack Installer [com.glide.hub.integrations] plugin is required.

The Security Incident Response plugin (com.snc.security_incident) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications that are required by the integration.

Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If these applications aren’t already installed, you must install, and activate each application one at a time in the following order to ensure a smooth installation:

  1. Security Incident Response
  2. Security Incident Response UI
  3. ServiceNow IntegrationHub Runtime (com.glide.hub.integration.runtime)
  4. ServiceNow IntegrationHub Action Step - REST (com.glide.hub.action_step.rest)
Register and configure your application in the Microsoft Azure portal. Register your application in the Microsoft Azure portal and grant your users with read and write access to the application.