Schedule detection retrieval

  • Release version: Australia
  • Updated March 12, 2026
  • Configure a schedule to define how and when you pull detections from the CrowdStrike Next-Gen SIEM tenant.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin because the sn_si.admin role inherits the required permissions by default.

    Procedure

    1. If you are not continuing from the previous section of the Filtering and Aggregation criteria, access the profile you are defining.
      1. Navigate to All > CrowdStrike Next-Gen SIEM > Detection Profile.
      2. Select the profile you are continuing to define.
      3. Select Scheduling in the progress bar.
    2. On the scheduling form, fill in the fields.
      Table 1. CrowdStrike Next-Gen SIEM Scheduling form

      Field: Description

      Ongoing detection ingestion: Option to set ongoing detection ingestion, in which the ServiceNow AI Platform instance pulls new detections from the CrowdStrike Next-Gen SIEM tenant. Security incidents are created if triggered detections are found and the detection generation filtering criteria match.

      Polling increment (minutes): Polling frequency defined in minutes.

      Set detection ingestion time: Option to add the date and time for the initial ingestion.

      Initial detection ingestion time: Date and time that you specify for the detection ingestion.

      One-Time Retrieval: Option to enable one-time retrieval of historical CrowdStrike Next-Gen SIEM detections, followed by reconciliation of the data.

        When processing the data, both ongoing detections and historical data are pulled.

        Note:
        The retrieved historical CrowdStrike Next-Gen SIEM detections undergo de-duplication checks to avoid any duplicates within the Security Incident Response application.

      Since date: Date from which historical detections are ingested from CrowdStrike Next-Gen SIEM.
    3. Select Continue.

    What to do next

    Automate detection updates and closures