Set correlation rules

  • Release version: Zurich
  • Updated March 12, 2026
  • 1 minute to read

    • After creating a CrowdStrike Next-Gen SIEM detection profile, select correlation rules to map corresponding detections to a security incident. Correlation rules are refreshed every time a profile is opened and new rules are available for selection. The CrowdStrike Next-Gen SIEM integration supports multiple profiles.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin because the sn_si.admin role inherits the required permissions by default.

    Procedure

    1. If you're not continuing from the previous section of the detection profile definition process, access the profile you're defining.
      1. Navigate to All > CrowdStrike Next-Gen SIEM > Detection Profile.
      2. Select the profile you're continuing to define.
      3. Select Correlation Rules in the progress bar.
    2. Clear the All Correlation Rules selected check box.
    3. In the Correlation Rule List search field, enter the correlation rule name created in the CrowdStrike portal.
    4. Select the correlation rule.
    5. Use the right arrow to move the rule from Available to the Selected column.
    6. Complete this section of the detection profile definition process by selecting Continue.

    What to do next

    Map individual CrowdStrike Next-Gen SIEM detection fields to the fields on the ServiceNow AI Platform Security Incident Response security incident. For more information, see Map detection fields.