Manual handoffs between security operations teams and IT teams often slow down incident response, as information moves across separate security and ITSM tools. This results in lost context, duplicated updates, limited visibility, and critical actions that depend on manual coordination.
The Atomicwork–Microsoft Sentinel integration reduces this friction by bringing Sentinel incidents, alerts, and threat intelligence directly into ITSM workflows, enabling security and IT teams to work from a single system of record while preserving native controls and context.
Capabilities
IT teams can automate Microsoft Sentinel operations directly within Atomicwork workflows, including:
Viewing and retrieving Sentinel incidents and incident details
Creating, updating, and synchronizing incidents between Atomicwork and Sentinel
Fetching alerts associated with Sentinel incidents for investigation context
Managing Threat Intelligence (TI) indicators such as IPs, URLs, domains, and file hashes
Appending or replacing tags on threat indicators for classification and enrichment
Retrieving threat indicator metrics for reporting and analytics
Discovering Sentinel subscriptions, resource groups, and workspaces for correct scoping
This enables end-to-end automation for security and IT collaboration, including SOC-to-ITSM incident flow, threat intelligence management, SLA enforcement, and security-driven change and remediation workflows.
Permissions
To set up the integration, you need the following roles:
Atomicwork: You need org admin access in Atomicwork.
Microsoft Sentinel: Any organizational user can initiate the connection. If the user is not an admin, an administrator must approve the requested permissions.
Atomicwork requests the following permissions to connect to Microsoft Sentinel:
| Permission | Purpose |
|---|---|
| Access Azure Resource Manager as organization users | To discover and interact with Azure subscriptions, resource groups, and Sentinel workspaces required for scoping incidents and resources. |
| Sign in and read user profile | To authenticate the user and associate Sentinel actions with the correct user in Atomicwork. |
Setup
In the Atomicwork portal:
Navigate to Settings > App Store > Microsoft Sentinel and click Connect.
You will be redirected to Microsoft Single Sign-On (SSO) to authenticate and review the permissions required for Atomicwork to access Microsoft Sentinel resources.
If you are not an admin, you will be prompted to request admin approval for the required permissions.
Once an administrator reviews and approves the request in Microsoft, return to the Atomicwork portal and click Connect again from the Microsoft Sentinel app.
Once the second Connect step is completed, your account will be successfully connected to Microsoft Sentinel.
Note: The connection is not completed automatically after admin approval. You must initiate the Connect flow again to finalize the setup.
Supported actions
List Incidents - Retrieves a list of all security incidents from the selected Sentinel workspace.
Get Incident - Fetches detailed information for a specific Sentinel incident, including incident metadata, status, severity, classification, and related details.
Create Incident - Creates a new security incident in Sentinel with the specified title, severity, status, and related fields.
Update Incident - Updates one or more fields of an existing Sentinel incident, such as title, severity, status, owner, or classification.
Delete Incident - Deletes a Sentinel incident from the selected workspace. Typically used for cleanup or advanced automation scenarios.
Get Alerts of Incident - Retrieves all alerts associated with a specific Sentinel incident, providing additional context for investigation.
List Threat Indicators - Retrieves all threat intelligence indicators stored in Sentinel, such as IP addresses, URLs, domains, and file hashes.
Get Threat Indicator - Fetches detailed information for a specific threat indicator, including patterns, tags, expiration, and activity metadata.
Create Threat Indicator - Creates a new threat intelligence indicator in Sentinel with the specified type, value, tags, and metadata.
Delete Threat Indicator - Deletes an existing threat indicator from Sentinel.
Append Indicator Tags - Adds new tags to an existing threat indicator without removing any existing tags.
Replace Indicator Tags - Replaces all existing tags on a threat indicator with a new set of tags.
Get Indicator Metrics - Retrieves usage and activity metrics for a threat indicator, such as last seen activity and match information.
List Subscriptions - Retrieves all Azure subscriptions accessible to the authenticated user.
List Resource Groups - Retrieves all Azure resource groups available under the selected subscription.
List Workspaces - Retrieves all Log Analytics workspaces under the selected subscription. These workspaces are used to scope Sentinel incidents and threat intelligence operations.
Example use cases
Integrating Microsoft Sentinel with Atomicwork allows teams to automate critical security and IT coordination workflows:
SOC-to-IT incident handoff: When Microsoft Sentinel identifies a high-severity incident, you can automatically create or update a corresponding Atomicwork incident, attaching alerts and threat context. This ensures IT teams receive actionable information immediately.
Coordinated response for active incidents: As an incident progresses, updates made by IT teams in Atomicwork — such as status changes, ownership updates, or resolution notes — can be automatically synchronized back to Sentinel. This keeps SOC dashboards accurate and eliminates parallel tracking in spreadsheets or chat threads.
Alert-driven investigation workflows: During triage, automatically fetch all alerts associated with a Sentinel incident directly within Atomicwork. This allows teams to assess scope, impacted users or assets, and attack patterns easily.
Threat intelligence lifecycle management: Create new threat indicators (IOCs), automatically tag them as Malicious, Blocked, or False Positive, and retire outdated indicators from ITSM workflows. This helps standardize how threat intelligence is reviewed, maintained, and governed.
Severity-based routing and escalation: Automatically route incidents to the appropriate SOC or IT queues based on Sentinel severity, apply different SLAs, or trigger escalations.
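The following is an added example, not Atomicwork's or Microsoft's code, that models the SOC-to-IT handoff, severity-based routing, sync-back and tag handling described in the supported actions and use cases above. It works on a constructed incident dictionary in the shape of the Sentinel incident resource; the routing queues, SLA values and the rule that a closed incident must carry a classification are assumptions of this example.

```python
# Allowed values for Sentinel incident fields (public Sentinel incident schema).
SEVERITIES = ("Informational", "Low", "Medium", "High")
STATUSES = ("New", "Active", "Closed")
CLASSIFICATIONS = ("Undetermined", "TruePositive", "BenignPositive", "FalsePositive")
# Constructed routing policy (assumption): ITSM queue and SLA in minutes per severity.
ROUTING = {"High": ("soc-escalation", 30), "Medium": ("it-security", 240),
           "Low": ("it-security", 1440), "Informational": ("it-triage", 4320)}

def route_incident(incident, escalate_from="High"):
    """SOC-to-IT handoff: map a Sentinel incident to ITSM ticket fields and an SLA."""
    props = incident["properties"]
    sev = props["severity"]
    if sev not in SEVERITIES:
        raise ValueError(f"unknown Sentinel severity: {sev}")
    queue, sla = ROUTING[sev]
    return {
        "title": f"[Sentinel #{props['incidentNumber']}] {props['title']}",
        "sentinel_incident_id": incident["name"],   # keeps the link back to Sentinel
        "queue": queue,
        "sla_minutes": sla,
        "escalate": SEVERITIES.index(sev) >= SEVERITIES.index(escalate_from),
    }

def sync_back(incident, status, classification=None):
    """Build the incident body an Update Incident step sends back to Sentinel.
    Policy of this example: a Closed incident must carry a classification so the
    SOC dashboard never shows an unexplained closure. The input is not mutated."""
    if status not in STATUSES:
        raise ValueError(f"unknown status: {status}")
    if status == "Closed" and classification not in CLASSIFICATIONS:
        raise ValueError("a Closed incident needs a classification")
    props = {**incident["properties"], "status": status}
    if classification:
        props["classification"] = classification
    return {**incident, "properties": props}

def update_tags(existing, new, mode):
    """Append keeps existing indicator tags and adds new ones (order kept, no
    duplicates); replace discards the existing set entirely."""
    if mode == "replace":
        return list(dict.fromkeys(new))
    if mode == "append":
        return list(dict.fromkeys([*existing, *new]))
    raise ValueError(f"unknown tag mode: {mode}")

# Constructed sample incident (shape of the Sentinel incident resource, not real data).
SAMPLE_INCIDENT = {
    "name": "00000000-0000-0000-0000-000000000000",
    "properties": {"incidentNumber": 1042, "title": "Suspicious sign-in from new country",
                   "severity": "High", "status": "New", "classification": "Undetermined"},
}
```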
