Comparing Microsoft Azure Sentinel and Microsoft Graph Security API integrations with SIR
Summary
This document compares Microsoft Azure Sentinel and Microsoft Graph Security API integrations with ServiceNow's Security Incident Response (SIR) to help customers select the most suitable option for their AI Platform instance. Notably, Microsoft has extended the deprecation of Azure Sentinel in the Azure portal to March 2027, urging users to migrate to the Defender portal for continued support.
Key Features
- Microsoft Azure Sentinel: A cloud-based SIEM and SOAR solution that automates incident creation in SIR, updates incident statuses, and offers rich alert data.
- Microsoft Graph Security API: Acts as a broker to connect multiple security providers, standardizing alert ingestion and automating incident creation in SIR.
Key Outcomes
Customers should consider the following when choosing between integrations:
- Use Azure Sentinel if preliminary investigations start in it and continue in SIR.
- Choose Microsoft Graph Security API if incident investigations are conducted solely in SIR, or if you need to ingest alerts from various security providers.
For existing Azure Sentinel users, migrating to the Defender portal is strongly recommended: it preserves continuity of incident management and provides a migration utility that converts existing profiles.
You can view the differences between Microsoft Azure Sentinel and Microsoft Graph Security API integrations and choose the right integration with your ServiceNow AI Platform instance.
Microsoft has extended the deprecation of the Azure Sentinel experience in the Azure portal from March 2026 to March 2027.
If you are currently using the Azure Sentinel integration with Security Incident Response (SIR), we strongly recommend migrating to the new Defender portal integration as soon as possible. The Defender integration includes a built-in migration utility that automatically converts your existing Sentinel profiles into Defender profiles, while ensuring continuity of incidents created through Sentinel after the transition. For more information, see Microsoft Sentinel to Defender Migration Guide.
Microsoft Azure Sentinel - Incident Ingestion overview
Microsoft Azure Sentinel is a cloud-based security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Microsoft Graph Security API overview
The Microsoft Graph Security API is an intermediary service (or broker) that provides a single programmatic interface for connecting multiple security providers (both Microsoft-native providers and ServiceNow partners).
The Microsoft Graph Security API integration uses the Microsoft Graph Security API to connect with different Microsoft security technologies, such as Azure Sentinel, Microsoft Defender Advanced Threat Protection, and Azure Advanced Threat Protection. Alerts from Microsoft security providers are ingested, and security incidents are automatically created in Security Incident Response.
Summary of feature differences
| Microsoft Azure Sentinel | Microsoft Graph Security API |
|---|---|
| Ingests Microsoft Azure Sentinel incidents along with entity information (when available) and automates security incident creation in SIR. | Ingests alerts from multiple security providers (including Azure Sentinel) in a standard schema and automates security incident creation in SIR. |
| Automates Microsoft Azure Sentinel incident status updates for Security Incident Response so that you can create and close security incidents. Note: ServiceNow updates the status of Microsoft Azure Sentinel incidents based on the security incident creation or closure. | Supports alert updates (alert status change and alert closure) for selected security providers. Note: For more information on the security providers supported by the Microsoft Graph Security API, see the Microsoft documentation. |
| Use this integration if your scenario includes the following conditions: | Use this integration if your scenario includes the following conditions: |
| Alert is an entity in Microsoft Azure Sentinel. You cannot retrieve standalone or specific alerts using the Microsoft Azure Sentinel Management API; you can only retrieve the alert data associated with an incident. The alert data available through this integration is richer than the alert data available through the Microsoft Graph Security API. | The Microsoft Azure Sentinel normalized alert data is available. The Microsoft Azure Sentinel alert fields that the Microsoft Graph Security API maps internally and exposes are available for use in this integration. |
| You cannot update alerts in Microsoft Azure Sentinel using this integration. | |