Set the filtering conditions for security incidents

Release version: Xanadu

Updated June 30, 2025

1 minute to read

Set the filtering conditions so that security incidents are created only when the filtering conditions match.

Before you begin

Role required: sn_si.ingestion_profile_admin

Note:

Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

About this task

This type of filtering helps you to isolate security incidents and limits the number of security incidents that you create. If you set additional filtering criteria, only the required detections are ingested without having to change the query or the triggered detection configuration.

Procedure

To define the criteria that an incoming CrowdStrike Next-Gen detection must satisfy so that a security incident is created, select Filter based on conditions.
The options in the first field in the Filter Conditions match the fields that are displayed on the CrowdStrike Next-Gen Sample detection Ingestion section for the detection that you ingested. These fields are dynamic and change depending on the detection that you ingest. The criteria that you enter is case-sensitive. Verify that the criteria that you define matches the values of the detection.
Use the filter condition detection_id for the following fields with multiple values:
- composite_id
- host_names
- seconds_to_resolved
- seconds_to_triaged
Because the filter condition can retrieve only strings, you must use the detection_id filter condition for the above fields to ensure that the data is filtered correctly.
Using the lists and fields of the conditions builder, set the filters for the first row.
To add more conditions, click AND or OR.
- If AND is selected, all conditions must be matched.
- If OR is selected, either condition can be matched.
To set a second filter condition, click New Criteria.