Define filter and aggregation criteria

リリースバージョン: Australia

更新日 2026年03月12日

所要時間：6分

Define filter and aggregation conditions to control which Microsoft Defender incidents generate new security incidents and whether incoming incidents should be merged into existing ones. These conditions ensure accurate incident grouping and prevent unnecessary duplication.

始める前に

Role required: sn_si.admin, sn_si.ingestion_profile_admin

このタスクについて

Filtering helps you isolate security incidents and limit the number of security incidents that you create. If you set additional filtering criteria, only the required incidents are ingested without having to change the query or the triggered incident configuration.

Aggregation Conditions define additional incident field criteria that enable an incoming incident to be appended to an open security incident instead of creating one.

手順

If you aren’t continuing from the previous section of the Mapping criteria, access the profile you’re defining.
1. Navigate to All > Microsoft Defender Integration > Defender Incident Profiles.
2. Select the profile that you’re continuing to define.
3. Select Filtering and Aggregation in the progress bar.
Select Filter based on conditions check box to define the criteria that an incoming Microsoft Defender incident must satisfy so that a security incident is created.
In the Filter Conditions search field, specify the filter conditions that must be met.
These conditions must match the fields that are displayed on the Microsoft Defender Sample Incident Ingestion section for the Incident that you ingested. These fields are dynamic and change depending on the Incident that you ingest. The criteria that you enter are case-sensitive. Verify that the criteria you define match the values of the Incident.
Use the filter condition incident_id for the following fields with multiple values:
- Severity
- LastModifiedBy
- LastUpdateDateTime
- Keywords
Because the filter condition can retrieve only strings, you must use the incident_id filter condition for the preceding fields to confirm that the data is filtered correctly.
Select AND or OR.
- If AND is selected, all conditions must be matched.
- If OR is selected, either condition can be matched.
To set a second filter condition, select New Criteria.
Select Aggregation Conditions check box to define additional incident field criteria that enables an incoming incident to be appended to an open security incident instead of creating one.
In the Incident fields with matching values field, enter the field values that you want to match on existing security incidents in your ServiceNow AI Platform instance.
All field values that you selected in the multi selection input field must match so that the aggregation criterion is met and that this incoming incident can be appended to an existing security incident. This selection implies it’s an AND condition where fields, such as Observables and Configuration Items that may have multiple field values, are mapped to them. If only a subset of the values is matched, the Microsoft Incident aggregation conditions aren’t met and a new security incident is created.
Select Add New Criteria to add multiple field matching conditions.
The aggregation occurs if any one of the multi selection field conditions that you define are met. This selection implies the OR condition.
Select Log work note for new Incident to update the work note for a new incident when it’s added to a security incident.

The work note logs the creation of a new incident and includes a link to its details. The log work note also updates more details that you add to the work note field in your mapping section.
Select Continue.

次のタスク

Set a schedule to retrieve the incident data and ingested incidents that match the criteria in the profile. For more information, see Schedule incident retrieval.