Create a profile for Microsoft Azure Sentinel

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minute read
  • Create an incident profile in your ServiceNow AI Platform instance and determine the Microsoft Azure Sentinel incidents that are suitable for creating security incidents.

    Before you begin

    Important:

    Microsoft has extended the deprecation of the Azure Sentinel experience in the Azure portal from March 2026 to March 2027.

    If you are currently using the Azure Sentinel integration with Security Incident Response (SIR), we strongly recommend migrating to the new Defender portal integration as soon as possible. The Defender integration includes a built-in migration utility that automatically converts your existing Sentinel profiles into Defender profiles, while ensuring continuity of incidents created through Sentinel after the transition. For more information, see Microsoft Sentinel to Defender Migration Guide.

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    About this task

    The integration enables you to create different types of incidents, such as unauthorized access attempts and malware. These incidents are created based on the profiles that you configure in the ServiceNow AI Platform instance. All incidents are initially created for a configured incident type in a profile. Created incidents can then be further filtered to specify which incidents create security incidents.

    All incidents that meet the selection criteria in your Microsoft Azure tenant, and are available over the Microsoft Azure Sentinel API, are initially ingested into your ServiceNow AI Platform instance.

    Procedure

    1. Navigate to All > Microsoft Azure Sentinel Integration > Azure Sentinel Incident Profile.
    2. Click New.
    3. On the form, fill in the fields.
      Table 1. Microsoft Azure Sentinel - Incident Ingestion Configuration form
      Field Description
      Name

      Name for the profile.

      This name helps you to identify the profile type and is also the default name for the security tag that is associated with this profile.

      Active

      Indicator that the profile is active.

      When the profile is active, the ServiceNow AI Platform actively polls Azure Sentinel incidents and creates corresponding security incidents in SIR when the filtering conditions are matched.

      Source

      Microsoft Azure tenant that you configured to ingest incidents. If you have multiple tenants configured, select the appropriate tenant for the incident types that you are planning to ingest for the profile.

      Order

      Flow priority. The value for this field indicates the order in which flows are executed when two or more profiles share triggering conditions.

      The flow with the lowest number has the highest priority.

      To set the order of operation, enter a value. For example, 100, 200, 300, 400.

      The default is 100.

      Description

      Extra text to help you distinguish this profile from other profiles.
    4. To move to the Mapping section, click Continue.

    What to do next

    Map individual Microsoft Azure Sentinel incident fields to the fields on the ServiceNow AI Platform SIR security incident.