Review the Microsoft Azure Sentinel integration settings

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read

    • Review the Microsoft Azure Sentinel integration settings so that you can modify the system properties to suit your environment.

    Before you begin

    Important:

    Microsoft has extended the deprecation of the Azure Sentinel experience in the Azure portal from March 2026 to March 2027.

    If you are currently using the Azure Sentinel integration with Security Incident Response (SIR), we strongly recommend migrating to the new Defender portal integration as soon as possible. The Defender integration includes a built-in migration utility that automatically converts your existing Sentinel profiles into Defender profiles, while ensuring continuity of incidents created through Sentinel after the transition. For more information, see Microsoft Sentinel to Defender Migration Guide.

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    Procedure

    1. Navigate to All > Microsoft Azure Sentinel Integration > Azure Sentinel Integration Settings.
    2. Modify the following settings as required.
      Table 1. Microsoft Azure Sentinel Integration Settings
      Property Name Description
      Enforce a limit on the number of days for which sample data can be fetched.

      sn_sec_sentinel.max_num_of_days_for_sample_data

      		 Maximum number of days for which you can fetch sample data from the Microsoft Azure Sentinel environment.

      Type: integer

      Default value: 7
      Receive updates related to new alerts that are linked to SIR.

      sn_sec_sentinel.incident_updates

      Activate the option to receive incident updates.

      Type: Boolean

      Default value: True
      The delimiter character to split the values in Microsoft Azure Sentinel field mappings.

      sn_sec_sentinel.delimiter

      		 The delimiter character to split the values in Microsoft Azure Sentinel field mappings.

      Type: String

      Default value: ', ' (comma with space)
      Enforce a limit on the number of sample incidents that can be fetched.

      sn_sec_sentinel.max_num_of_sample_incident_per_call

      Maximum number of sample incidents that you fetch from the Microsoft Azure Sentinel environment for ingestion.

      Type: integer

      Default value: 5

      Sample maximum value: 20
      Enforce a limit on the number of sentinel incidents that can be aggregated to a single incident.

      sn_sec_sentinel.max_aggregations_per_si

      Incident aggregation limit for a security incident. For example, if there are 102 incidents, the first 100 are aggregated to security incident_1 and the remaining 2 to security incident_2.

      Type: integer

      Default value: 100
      Enforce a limit on the number of security incidents that can be created in a 24-hour period.

      sn_sec_sentinel.max_si_per_day

      Maximum number of security incidents that can be created in a 24-hour period in the ServiceNow AI Platform.

      Type: integer

      Default value: 1000
      Maximum pagination limit for fetching the incident data in one REST call.

      sn_sec_sentinel.max_page_size

      Pagination limit for fetching the incident data in one REST call from the Microsoft Azure Sentinel environment.

      Type: integer

      Default value: 100
      API version value for Incidents.

      sn_sec_sentinel.sentinel_security_incident_api_version

      		 The Microsoft API version for retrieving Sentinel incidents.

      Default value: 2021-10-01
      API version value for Alerts.

      sn_sec_sentinel.sentinel_security_alert_api_version

      		 The Microsoft API version for retrieving Sentinel alerts.

      Default value: 2021-10-01
      API version value for Entities.

      sn_sec_sentinel.sentinel_security_entities_api_version

      		 The Microsoft API version for retrieving Sentinel entities.

      Default value: 2021-10-01

      sn_sec_sentinel.logging.verbosity

      		 The log verbosity level of the application, meaning the name of the type of information. You can also update the value to the following options:
      • error
      • warn
      • info
      • debug

      Default value: info.
    3. Click Save.
      Your modified integration settings are applied in the next polling interval as defined in the profile.