Set a schedule to retrieve the incident data and to ingest the Microsoft Azure Sentinel incidents that match the criteria in the profile.

Before you begin

Role required: sn_si.ingestion_profile_admin

Note: Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

About this task

You can plan how often you want to poll for future Microsoft Azure Sentinel incidents that match the incident profile configuration.

To enable automated incident ingestion, you must configure the scheduling and incident retrieval before you activate the profile. To define a specific date and time for the initial ingestion, enable set incident ingestion time. Subsequent ingestion is based on the polling interval period.

The polling interval is configured for each profile individually. The different polling intervals may impact the performance of the Microsoft Azure Sentinel incident integration. When scheduling, plan to balance the system load against the urgency of an incident. A one-minute default value is set for all profiles. You can modify this setting based on the urgency of the incident and the anticipated load on your system.

Any alerts that gets added to the incident in a particular polling interval there will be a process executed and then appended to the Azure Sentinel alerts related lists and worknote is also posted.

Procedure

  1. On the scheduling form, fill in the fields.

    Configure the schedule to define how and when you pull incidents from the Microsoft Azure tenant.

    Table 1. Scheduling form
    Field Description
    Ongoing incident ingestion Ongoing incident ingestion that the ServiceNow AI Platform instance pulls from the Microsoft Azure tenant for new incidents. Security incidents are created if triggered incidents are found and the incident generation filtering criteria matches.
    Polling increment (minutes) Polling frequency that is defined in minutes.
    Set incident ingestion time Incident ingestion that is based on the configured date and time.

    You can use this option to define a specific date and time for the initial ingestion. Subsequent ingestions are based on the polling interval period.
    Input incident ingestion time

    Date and time that you specify for the incident ingestion.
    One-Time Retrieval Select this checkbox to allow one-time retrieval of historical Azure Sentinel incidents and then do the reconciliation of the data. When you select this checkox, the application will pull all the open and closed Azure Sentinel incidents for the period upto 6 months approximately.

    When processing the data both ongoing incidents and historical data both are pulled, but the processing of the ongoing incidents takes precedence over historical pull and otherwise the historical pull may take some time based on the duration as well as the number of incidents that you are ingesting.

    Note: The retrieved historical Azure Sentinel incidents undergo de-duplication checks to prevent any duplicates within the Security Incident Response application.
    Since date The date since when the historical incidents are ingested from Azure Sentinel.
    Note: The incident data is approximately pulled from the past 6months.

    The scheduling page enables you to define how and when incidents are pulled from the Microsoft Azure tenant.

  2. To navigate to the Additional Options page, click Continue.