Schedule incident retrieval
Set a schedule that determines how frequently Microsoft Defender incidents are pulled into SIR to ensure timely and efficient ingestion.
Before you begin
Role required: sn_si.admin, sn_si.ingestion_profile_admin
Procedure
- If you aren’t continuing from the previous section of the Filtering and Aggregation criteria, access the profile you’re defining.
  - Navigate to All > Microsoft Defender Integration > Defender Incident Profiles.
  - Select the profile that you’re continuing to define.
  - Select Scheduling in the progress bar.
- On the form, fill in the fields.
Table 1. Scheduling form

| Field | Description |
| --- | --- |
| Ongoing incident ingestion | Option to set ongoing incident ingestion, in which the ServiceNow AI Platform instance pulls new incidents from the Microsoft tenant. Security incidents are created if triggered incidents are found and the incident generation filtering criteria match. |
| Polling increment (minutes) | Polling frequency defined in minutes. |
| Set incident ingestion time | Option to add a date and time for the initial ingestion. |
| Input incident ingestion time | Date and time that you specify for the incident ingestion. |
| One-Time Retrieval | Option to enable one-time retrieval of historical Microsoft Defender incidents, followed by reconciliation of the data. When processing the data, both ongoing incidents and historical data are pulled. Note: The retrieved historical Microsoft Defender incidents undergo de-duplication checks to avoid any duplicates within the Security Incident Response application. |
| Since date | Date from which historical incidents are ingested from Microsoft. |

- Select Continue.