Schedule incident retrieval
Configure a schedule to define how and when you pull incidents from the Cortex XSIAM tenant.
Before you begin
Role required: sn_si.admin, sn_si.ingestion_profile_admin
Procedure
- If you are not continuing from the previous section of the Filtering and Aggregation criteria, access the profile you are defining.
  - Navigate to All > Palo Alto Networks XSIAM > XSIAM Profile.
  - Select the profile you are continuing to define.
  - Select Scheduling in the progress bar.
- On the form, fill in the fields.

Table 1. Scheduling form

| Field | Description |
| --- | --- |
| Ongoing incident ingestion | Option to set ongoing incident ingestion, in which the ServiceNow AI Platform instance pulls new incidents from the Cortex XSIAM tenant. Security incidents are created if triggered incidents are found and the incident generation filtering criteria match. |
| Polling increment (minutes) | Polling frequency, defined in minutes. |
| Set incident ingestion time | Option to add a date and time for the initial ingestion. |
| Initial incident ingestion time | Date and time that you specify for the incident ingestion. |
| One-Time Retrieval | Option to enable one-time retrieval of historical Cortex XSIAM incidents, followed by the reconciliation of the data. When processing the data, both ongoing incidents and historical data are pulled. Note: The retrieved historical Cortex XSIAM incidents undergo de-duplication checks to avoid any duplicates within the Security Incident Response application. |
| Since date | The date from which historical incidents are ingested from Cortex XSIAM. |

- Select Continue.