Define schedule for Microsoft Graph Security API integration

リリースバージョン: Australia

更新日 2026年03月12日

所要時間：7分

Verify the default settings for alert retrieval or modify the scheduling as needed. This step permits you to filter your alert retrieval based on a date range.

始める前に

Role required: sn_si.admin

このタスクについて

You also choose how often you will poll for future alerts that match the alert profile configuration. For automated alert ingestion profiles, before the profile is activated, you verify and modify the scheduling and alert retrieval. This step is needed for scheduled alert profiles.

As a user with the sn_si.admin role, you configure these polling intervals on a per-profile basis. The performance of the Microsoft Graph Security API alert ingestion integration is impacted by the different polling intervals. When scheduling, you may prefer to balance system load against incident urgency. A five-minute default value is set for any profile, but you may prefer to modify this setting based on the urgency of the incident and the anticipated load on your system.

手順

If the Scheduling page on the progress bar is not displayed, select Scheduling.

Choose one to schedule how and when alerts are pulled from the Microsoft Azure tenant.

Option	Description
Ongoing Alert Ingestion selected	Based on the default setting, the ServiceNow AI Platform instance pulls from the Microsoft Azure tenant for new alerts every five minutes. Security incidents are created if triggered alerts are found and incident generation filtering criteria are matched. To balance alert ingestion against server load, and to pull the most current data, five minutes is the setting you may prefer. However, this value can be modified as needed.
Ongoing Alert Ingestion selected Set initial alert ingestion time	Initial ingestion time If you want to schedule the initial ingestion at a specific time, follow these steps: Select the Ongoing Alert Ingestion and Set initial alert ingestion time fields. Specify the time in the Input initial alert ingestion time field. The initial ingestion will take place at the time specified here. Subsequent ingestions will be based on the schedule defined in the Polling increment (minutes) field. As an example for scheduling, if you have a daily alert job that runs once a day at 4 AM local time, you can set up the corresponding alert profile in your ServiceNow AI Platform instance to run at 4:05 AM local time to capture the alert right away and create a security incident. Enter 04 05 00 in the Initial alert ingestion field. In the Increment (Minutes) field, enter 1440 (24 hours) to schedule the next alert ingestion for 24 hours from the initial alert ingestion. Both the initial alert ingestion time and next alert ingestion time are displayed in the fields. To configure the settings in this example, follow these steps: Select the Ongoing Alert Ingestion option. In the Polling Increment (minutes) field, enter 1440 (24 hours). Click the Set Initial alert ingestion time option to enable editing for the Initial alert ingestion time and Next alert ingestion (estimated) time fields. In the Initial alert ingestion time field, enter 04 05 00. In the Next alert ingestion (estimated) time field, the time of the next alert ingestion is displayed.
One Time Retrieval field selected	One-Time Retrieval Use this configuration if you want a one-time pull to ingest historical alerts. When this setting is configured, a profile is used once to retrieve alerts from historical events that are based on a date range. To the right of the Since date field, click the calendar icon. In the calendar that is displayed, select the date that you want to start pulling alerts. Starting with the Since date value, alerts are retrieved up through the current date. Note that you can pull as far back as seven days from the current date. This functionality is not intended to retrieve significant amounts of historical alerts but rather a minimal amount of in-flight alerts that are being actively worked at the time of profile activation. After the alerts are pulled, this setting will not retrieve more alerts for this profile going forward from the current date. This setting populates the security incident with all the alerts that are found for the range you enter.

Option

Description

Ongoing Alert Ingestion selected

Based on the default setting, the ServiceNow AI Platform instance pulls from the Microsoft Azure tenant for new alerts every five minutes. Security incidents are created if triggered alerts are found and incident generation filtering criteria are matched. To balance alert ingestion against server load, and to pull the most current data, five minutes is the setting you may prefer. However, this value can be modified as needed.

Ongoing Alert Ingestion selected
Set initial alert ingestion time

Initial ingestion time

If you want to schedule the initial ingestion at a specific time, follow these steps:

Select the Ongoing Alert Ingestion and Set initial alert ingestion time fields.
Specify the time in the Input initial alert ingestion time field.

The initial ingestion will take place at the time specified here. Subsequent ingestions will be based on the schedule defined in the Polling increment (minutes) field.

As an example for scheduling, if you have a daily alert job that runs once a day at 4 AM local time, you can set up the corresponding alert profile in your ServiceNow AI Platform instance to run at 4:05 AM local time to capture the alert right away and create a security incident.

Enter 04 05 00 in the Initial alert ingestion field. In the Increment (Minutes) field, enter 1440 (24 hours) to schedule the next alert ingestion for 24 hours from the initial alert ingestion. Both the initial alert ingestion time and next alert ingestion time are displayed in the fields.

To configure the settings in this example, follow these steps:

Select the Ongoing Alert Ingestion option.
In the Polling Increment (minutes) field, enter 1440 (24 hours).
Click the Set Initial alert ingestion time option to enable editing for the Initial alert ingestion time and Next alert ingestion (estimated) time fields.
In the Initial alert ingestion time field, enter 04 05 00. In the Next alert ingestion (estimated) time field, the time of the next alert ingestion is displayed.

One Time Retrieval field selected

One-Time Retrieval

Use this configuration if you want a one-time pull to ingest historical alerts.

When this setting is configured, a profile is used once to retrieve alerts from historical events that are based on a date range. To the right of the Since date field, click the calendar icon. In the calendar that is displayed, select the date that you want to start pulling alerts. Starting with the Since date value, alerts are retrieved up through the current date. Note that you can pull as far back as seven days from the current date. This functionality is not intended to retrieve significant amounts of historical alerts but rather a minimal amount of in-flight alerts that are being actively worked at the time of profile activation.

After the alerts are pulled, this setting will not retrieve more alerts for this profile going forward from the current date. This setting populates the security incident with all the alerts that are found for the range you enter.

Click Continue to navigate to the Additional Options page.