Review the Microsoft Azure Sentinel integration settings

  • Release version: Xanadu
  • Updated January 30, 2025
  • 2 minutes to read
  • Review the Microsoft Azure Sentinel integration settings so that you can modify the system properties to suit your environment.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    Procedure

    1. Navigate to All > Microsoft Azure Sentinel Integration > Azure Sentinel Integration Settings.
    2. Modify the following settings as required.
      Table 1. Microsoft Azure Sentinel Integration Settings

      Property Name: Enforce a limit on the number of days for which sample data can be fetched.
        sn_sec_sentinel.max_num_of_days_for_sample_data
      Description: Maximum number of days for which you can fetch sample data from the Microsoft Azure Sentinel environment.
        Type: integer
        Default value: 7

      Property Name: Receive updates related to new alerts that are linked to SIR.
        sn_sec_sentinel.incident_updates
      Description: Activate the option to receive incident updates.
        Type: Boolean
        Default value: True

      Property Name: The delimiter character to split the values in Microsoft Azure Sentinel field mappings.
        sn_sec_sentinel.delimiter
      Description: The delimiter character used to split the values in Microsoft Azure Sentinel field mappings.
        Type: String
        Default value: ', ' (comma with space)

      Property Name: Enforce a limit on the number of sample incidents that can be fetched.
        sn_sec_sentinel.max_num_of_sample_incident_per_call
      Description: Maximum number of sample incidents that you fetch from the Microsoft Azure Sentinel environment for ingestion.
        Type: integer
        Default value: 5
        Sample maximum value: 20

      Property Name: Enforce a limit on the number of Sentinel incidents that can be aggregated into a single security incident.
        sn_sec_sentinel.max_aggregations_per_si
      Description: Incident aggregation limit for a security incident. For example, if there are 102 incidents, the first 100 are aggregated into security incident_1 and the remaining 2 into security incident_2.
        Type: integer
        Default value: 100

      Property Name: Enforce a limit on the number of security incidents that can be created in a 24-hour period.
        sn_sec_sentinel.max_si_per_day
      Description: Maximum number of security incidents that can be created in a 24-hour period in the ServiceNow AI Platform.
        Type: integer
        Default value: 1000

      Property Name: Maximum pagination limit for fetching the incident data in one REST call.
        sn_sec_sentinel.max_page_size
      Description: Pagination limit for fetching the incident data in one REST call from the Microsoft Azure Sentinel environment.
        Type: integer
        Default value: 100

      Property Name: API version value for Incidents.
        sn_sec_sentinel.sentinel_security_incident_api_version
      Description: The Microsoft API version for retrieving Sentinel incidents.
        Default value: 2021-10-01

      Property Name: API version value for Alerts.
        sn_sec_sentinel.sentinel_security_alert_api_version
      Description: The Microsoft API version for retrieving Sentinel alerts.
        Default value: 2021-10-01

      Property Name: API version value for Entities.
        sn_sec_sentinel.sentinel_security_entities_api_version
      Description: The Microsoft API version for retrieving Sentinel entities.
        Default value: 2021-10-01

      Property Name: sn_sec_sentinel.logging.verbosity
      Description: The log verbosity level of the application, that is, the category of information that is written to the log. You can set the value to one of the following options:
        • error
        • warn
        • info
        • debug
        Default value: info

    3. Click Save.
      Your modified integration settings are applied in the next polling interval as defined in the profile.
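The following is an added illustration, not ServiceNow's or Microsoft's code, of how the limits in Table 1 shape one ingestion run: the incident list is fetched in pages of at most sn_sec_sentinel.max_page_size, Sentinel incidents are grouped into security incidents of at most sn_sec_sentinel.max_aggregations_per_si each, no more security incidents are opened once sn_sec_sentinel.max_si_per_day is reached, sample-data requests are clamped to sn_sec_sentinel.max_num_of_days_for_sample_data, and multi-valued fields are split on sn_sec_sentinel.delimiter. The property values are the documented defaults; the 102 incident IDs are constructed sample data, and holding overflow incidents for a later run once the daily cap is reached is an assumption of this model, since the page does not state what the integration does at the cap.

```javascript
// Added example (not the plugin's implementation): a simplified model of the
// Table 1 limits. Values are the documented defaults.
const settings = {
  'sn_sec_sentinel.max_page_size': 100,
  'sn_sec_sentinel.max_aggregations_per_si': 100,
  'sn_sec_sentinel.max_si_per_day': 1000,
  'sn_sec_sentinel.max_num_of_days_for_sample_data': 7,
  'sn_sec_sentinel.delimiter': ', ',
};

// Constructed sample: 102 Sentinel incident IDs, matching the 102-incident
// aggregation example in Table 1.
const sampleIncidentIds = Array.from({ length: 102 }, (_, i) => 'sentinel-inc-' + (i + 1));

// max_page_size: the incident list is fetched in pages of at most pageSize
// records, one REST call per page.
function paginate(incidentIds, pageSize) {
  const pages = [];
  for (let i = 0; i < incidentIds.length; i += pageSize) {
    pages.push(incidentIds.slice(i, i + pageSize));
  }
  return pages;
}

// max_aggregations_per_si and max_si_per_day: group Sentinel incidents into
// security incidents of at most perSi each, and stop opening new security
// incidents once the 24-hour cap is reached. Holding the overflow for a later
// run (heldOver) is an assumption of this model.
function planSecurityIncidents(incidentIds, cfg, createdTodaySoFar) {
  const perSi = cfg['sn_sec_sentinel.max_aggregations_per_si'];
  const dailyCap = cfg['sn_sec_sentinel.max_si_per_day'];
  const created = [];
  const heldOver = [];
  for (let i = 0; i < incidentIds.length; i += perSi) {
    const chunk = incidentIds.slice(i, i + perSi);
    if (createdTodaySoFar + created.length >= dailyCap) {
      heldOver.push(...chunk);
    } else {
      created.push({
        name: 'security incident_' + (created.length + 1),
        sentinelIncidents: chunk,
      });
    }
  }
  return { created, heldOver };
}

// max_num_of_days_for_sample_data: a sample-data request for more days than
// the limit is clamped to the limit (and to at least one day).
function sampleWindowDays(requestedDays, cfg) {
  const maxDays = cfg['sn_sec_sentinel.max_num_of_days_for_sample_data'];
  return Math.min(Math.max(requestedDays, 1), maxDays);
}

// delimiter: a multi-valued Sentinel field is split on the configured
// delimiter when it is mapped onto a ServiceNow field.
function splitMappedField(value, cfg) {
  return value
    .split(cfg['sn_sec_sentinel.delimiter'])
    .map(s => s.trim())
    .filter(s => s.length > 0);
}

// One ingestion run over the constructed sample with nothing created yet today.
function runExample() {
  const pages = paginate(sampleIncidentIds, settings['sn_sec_sentinel.max_page_size']);
  const plan = planSecurityIncidents(sampleIncidentIds, settings, 0);
  return { pageCount: pages.length, created: plan.created, heldOver: plan.heldOver };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = runExample();
  console.log(result.pageCount + ' pages fetched; ' + result.created.length + ' security incidents created');
  result.created.forEach(si => console.log(si.name + ': ' + si.sentinelIncidents.length + ' Sentinel incidents'));
}
```

Run with Node.js; with the defaults the 102 sample incidents are fetched in two pages and become two security incidents of 100 and 2, as Table 1 describes. Raising sn_sec_sentinel.max_si_per_day or lowering sn_sec_sentinel.max_aggregations_per_si in the settings object shows how the two limits trade off: smaller aggregations create more security incidents per run and reach the daily cap sooner.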