Automate incident updates and closures

  • Release version: Zurich
  • Updated January 17, 2026

Automate incident updates and closures based on the incident status. The Microsoft Defender integration has a bi-directional interface that enables incidents to create security incidents and to update the incidents after the security incident is created or closed.

    Before you begin

    Role required: sn_si.admin, sn_si.ingestion_profile_admin

    Procedure

    1. If you aren’t continuing from the previous section of the Scheduling process, access the profile you’re defining.
      1. Navigate to All > Microsoft Defender Integration > Defender Incident Profiles.
      2. Select the profile that you’re continuing to define.
      3. Select Additional Options in the progress bar.
    2. On the form, fill in the fields.
      Table 1. Automating Incident Updates form

      Category: Incident Creation Updates
        Field: Update Defender Incident status upon SIR Incident Creation
          Option to use the automated incident update functionality. The Defender incident status is updated with the comments after the SIR incident is created in the ServiceNow AI Platform.
        Field: Initial incident status update
          Initial incident status that is updated in the Microsoft Defender environment. Options include: Active, In Progress, and Redirected.
        Field: Initial comments posted back to Incident
          Initial comments that are posted to the incident in the Defender environment.

      Category: Incident Closure Updates
        Field: Close Defender Incident upon SIR Incident Closure
          Option to use the automated incident status update functionality. Incidents are closed in Defender with the given comments after the SIR incident is closed in the ServiceNow AI Platform.
        Field: Closure Incident Status Update
          Status update in Defender when the security incident is closed in SIR.
        Field: Closure Comments Posted back to incident
          Comments posted to the incident in Defender when the security incident is closed in SIR.
        Field: Incident classification
          Option to automatically update the Microsoft Defender Incident Classification based on the SIR Close Code. When a SIR is closed in ServiceNow, the selected SIR Close Code automatically determines and updates the Incident Classification field in the corresponding Microsoft Defender incident. Options include:
          • Default incident classification.
          • Incident classification-SIR close code mapping.

      Category: Defender Pull Closed Incidents
        Field: Pull Closed Incidents
          Option to fetch closed incidents during ongoing ingestion and one-time retrieval. Closed SIR incidents won’t be updated with new data from Defender.

      Category: Defender Incident Comments and SIR Work notes synchronization
        Field: Update SIR work notes with Defender incident comments
          Option to synchronize Security Incident work notes to Defender incident comments. Work notes added to the Security Incidents in ServiceNow appear with the prefix "Comment from Defender ID".
        Field: Update Defender incident comments with SIR work notes
          Option to update your SIR work notes in the Defender incident comments. The comment in Microsoft Defender appears with the prefix "Comment from ServiceNow".

      Figure: Options for automating incidents

    3. Select Finish.
    4. Activate the profile.
      1. Select the Name section of the progress bar.
      2. Select the Active check box.
      3. Select Continue.