Define filters to apply for the Incident creation

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 2 minutes
  • Define and set filter conditions to filter the incoming Microsoft DLP events. Control which of these events should be created as DLP IR incidents on your ServiceNow instance.

    Before you begin

    Role required: sn_dlir.admin (Create, edit, and delete)

    sn_dlir.analyst - View (read-only)

    About this task

    This type of filtering helps you isolate Microsoft DLP events to limit the number of DLP IR incidents that you create. If the filtering criteria are set, only events that match the conditions are created as DLP incidents.

    Procedure

    1. Select the Filter based on conditions option.
    2. Using the lists and fields of the condition builder, set the filters in the Filter Conditions field.

      Define the criteria that an incoming Microsoft DLP event must satisfy so that a DLP incident is created.

      The options in the first field in the Filter Conditions match the fields that are available in the Microsoft DLP event. The criteria that you enter are case-sensitive. Verify that the criteria you define match the values of the event.

    3. Add more conditions by clicking AND or OR.
      • If AND is selected, all conditions must be matched.
      • If OR is selected, either condition can be matched.
    4. Click Continue and move to the Match Content Configuration section.
      Earlier, UserID was mapped only to the Source User field, but the UserID field is currently available as a lookup attribute for all Purview events, including Endpoint events.
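
Because the criteria are case-sensitive, a condition whose value differs from the event only in letter case drops that event without creating an incident. The following is an added example, not ServiceNow code: it dry-runs a filter over constructed events and reports which would be created, which miss only because of case, and which are dropped. The field names, values, and filter shape are illustrative assumptions, not the actual Microsoft DLP event schema.

```javascript
// Added example: dry-run of filter conditions over constructed events.
// Field names and values are illustrative assumptions, not the real Microsoft DLP schema.
const sampleEvents = [
  { id: "evt-1", Severity: "High", Workload: "Endpoint" },
  { id: "evt-2", Severity: "high", Workload: "Endpoint" },
  { id: "evt-3", Severity: "Low", Workload: "Endpoint" },
  { id: "evt-4", Severity: "High", Workload: "Exchange" },
];

// Hypothetical filter shape: one joiner ("AND" or "OR") over "field is value" conditions.
const sampleFilter = {
  joiner: "AND",
  conditions: [
    { field: "Severity", value: "High" },
    { field: "Workload", value: "Endpoint" },
  ],
};

const exact = (a, b) => a === b;
const ignoreCase = (a, b) => a.toLowerCase() === b.toLowerCase();

// AND: all conditions must match. OR: either condition can match.
function evaluate(event, filter, compare) {
  const test = (c) =>
    event[c.field] !== undefined && compare(String(event[c.field]), c.value);
  return filter.joiner === "AND"
    ? filter.conditions.every(test)
    : filter.conditions.some(test);
}

// Classify each event: created as an incident, missed only because of case, or dropped.
function dryRun(events, filter) {
  const result = { created: [], caseOnlyMiss: [], dropped: [] };
  for (const ev of events) {
    if (evaluate(ev, filter, exact)) result.created.push(ev.id);
    else if (evaluate(ev, filter, ignoreCase)) result.caseOnlyMiss.push(ev.id);
    else result.dropped.push(ev.id);
  }
  return result;
}

console.log(dryRun(sampleEvents, sampleFilter));
```

Any event listed under `caseOnlyMiss` indicates a condition value that should be corrected to match the event's exact casing before the filter is saved.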