Schedule the AWS Security Hub finding retrieval

  • Release version: Yokohama
  • Updated July 31, 2025

    Set a schedule to retrieve the finding data and to ingest the AWS Security Hub findings that match the criteria in the profile.

    Before you begin

    Role required: sn_sni.admin

    About this task

    You can plan how often you want to poll for future AWS Security Hub findings that match the AWS Security Hub finding profile configuration.

    The polling interval is configured for each profile individually. Different polling intervals may impact the performance of the AWS Security Hub findings integration. When scheduling, plan to balance the system load against the urgency of an incident. A one-minute default value is set for all profiles. You can modify this setting based on the urgency of the incident and the anticipated load on your system.

    Any alerts that get added to the incident in a particular polling interval are processed and then appended to the AWS Security Hub alerts related lists and comments.

    Procedure

    1. On the scheduling form, fill in the fields.

      Configure the schedule to define how and when you pull findings from the AWS Security Hub tenant.

      Table 1. Scheduling form

      | Field | Description |
      |---|---|
      | Ongoing finding ingestion | Ongoing finding ingestion that the ServiceNow AI Platform instance pulls from the AWS Security Hub tenant for new incidents. Security incidents are created if triggered findings are found and the security incident generation filtering criteria match. |
      | Poll closed findings | Polling findings that have been resolved. These findings are ingested during ongoing incident ingestion. |
      | Polling increment (minutes) | Polling frequency that is defined in minutes. |
      | Set Initial finding ingestion time | Findings ingestion that is based on the configured date and time. You can use this option to define a specific date and time for the initial ingestion. Subsequent ingestions are based on the polling interval period. |
      | Input Initial finding ingestion time | Date and time that you specify for the incident ingestion. |
      | One-Time Retrieval | Select this checkbox to allow one-time retrieval of historical AWS Security Hub findings and then do the reconciliation of the data. When you select this checkbox, the application pulls all the open and closed AWS Security Hub findings for a period of up to approximately 90 days. When processing the data, both ongoing findings and historical data are pulled, but the processing of the ongoing findings takes precedence over the historical pull. Otherwise, the historical pull may take some time based on the duration as well as the number of findings that are ingested. Note: The retrieved historical AWS Security Hub findings undergo de-duplication checks to prevent any duplicates within the Security Incident Response application. |
      | Since date | The date since when the historical findings are ingested from AWS Security Hub. Note: The findings data is pulled from approximately the past 90 days. |

      The scheduling page enables you to define how and when findings are pulled from the AWS Security Hub tenant.

    2. To navigate to the Additional Options page, click Continue.
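
A simplified model of the schedule described on this page, added here as an illustration and not ServiceNow's implementation: it shows how the polling increment, the initial ingestion time, the Poll closed findings option and the One-Time Retrieval interact, and why de-duplication matters when the historical pull overlaps the ongoing polling windows. The function names, the use of an update timestamp to select findings, and the sample findings are assumptions.

```python
from datetime import datetime, timedelta, timezone

HISTORY_LIMIT = timedelta(days=90)  # page: historical pull spans roughly 90 days

def poll_windows(initial, increment_minutes, now):
    """Half-open (start, end) windows from the initial ingestion time onward."""
    step = timedelta(minutes=increment_minutes)
    windows, start = [], initial
    while start + step <= now:
        windows.append((start, start + step))
        start += step
    return windows

def ingest(findings, start, end, seen, include_closed):
    """Return IDs updated in [start, end) that were not ingested before."""
    new = []
    for f in findings:
        in_window = start <= f["updated"] < end  # assumed selection field
        wanted = include_closed or not f["closed"]
        if in_window and wanted and f["id"] not in seen:  # de-duplication check
            seen.add(f["id"])
            new.append(f["id"])
    return new

def run(findings, initial, increment, now, since=None, poll_closed=False):
    """Ongoing windows first (they take precedence), then the one-time pull."""
    seen, ongoing, historical = set(), [], []
    for start, end in poll_windows(initial, increment, now):
        ongoing += ingest(findings, start, end, seen, poll_closed)
    if since is not None:  # One-Time Retrieval: open and closed findings
        since = max(since, now - HISTORY_LIMIT)  # clamp to the ~90-day limit
        historical = ingest(findings, since, now, seen, include_closed=True)
    return ongoing, historical

# Constructed sample data (hypothetical IDs and timestamps).
NOW = datetime(2025, 7, 31, 12, 0, tzinfo=timezone.utc)
INITIAL = NOW - timedelta(minutes=10)   # "Input Initial finding ingestion time"
SINCE = NOW - timedelta(days=365)       # "Since date" older than the limit
FINDINGS = [
    {"id": "F-1", "updated": NOW - timedelta(minutes=8), "closed": False},
    {"id": "F-2", "updated": NOW - timedelta(minutes=3), "closed": True},
    {"id": "F-3", "updated": NOW - timedelta(days=30), "closed": False},
    {"id": "F-4", "updated": NOW - timedelta(days=120), "closed": False},
]

if __name__ == "__main__":
    print(run(FINDINGS, INITIAL, 5, NOW, since=SINCE))
```

In this model, F-1 falls inside both an ongoing window and the historical range but is ingested once, and F-4 is never pulled because it is older than the 90-day limit.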