Schedule incident retrieval

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 2 minutes

Set a schedule that determines how frequently Microsoft Defender incidents are pulled into SIR to ensure timely and efficient ingestion.

    Before you begin

    Role required: sn_si.admin, sn_si.ingestion_profile_admin

    Procedure

    1. If you aren’t continuing from the previous section of the Filtering and Aggregation criteria, access the profile you’re defining.
      1. Navigate to All > Microsoft Defender Integration > Defender Incident Profiles.
      2. Select the profile that you’re continuing to define.
      3. Select Scheduling in the progress bar.
    2. On the form, fill in the fields.
      Table 1. Scheduling form

      | Field | Description |
      |---|---|
      | Ongoing incident ingestion | Option to set ongoing incident ingestion, in which the ServiceNow AI Platform instance pulls new incidents from the Microsoft tenant. Security incidents are created if triggered incidents are found and the incident generation filtering criteria match. |
      | Polling increment (minutes) | Polling frequency defined in minutes. |
      | Set incident ingestion time | Option to add a date and time for the initial ingestion. |
      | Input incident ingestion time | Date and time that you specify for the incident ingestion. |
      | One-Time Retrieval | Option to enable one-time retrieval of historical Microsoft Defender incidents, followed by reconciliation of the data. When processing the data, both ongoing incidents and historical data are pulled. Note: The retrieved historical Microsoft Defender incidents undergo de-duplication checks to avoid any duplicates within the Security Incident Response application. |
      | Since date | Date from which historical incidents are ingested from Microsoft. |


    3. Select Continue.

    What to do next

    Automate incident updates and closures