Define aggregation conditions

  • Release version: Xanadu
  • Updated June 30, 2025
  • 2 minutes to read

    • Define additional incident aggregation criteria that aggregates an incoming detection to an existing SIR security incident instead of creating similar, potentially duplicate detections. When you use field matching value criteria for each profile, this additional aggregation can reduce the number of active, overlapping security incidents by placing all related detections data on a single security incident.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    About this task

    If a new incident matches all the values that are selected in the aggregation field conditions in the mapping step, the incident is automatically added to the most recently opened security incident with the same field values. As a user with the sn_si.ingestion_profile_admin role working with security incidents, you can view all the added aggregate incidents on a related list on a security incident.

    All the aggregated incidents on a security incident are displayed on the CrowdStrike Next-Gen SIEM Aggregated Incidents related list. This list details the associated timestamps and aggregated field values. This information helps you understand why incidents are added to the existing security incidents.

    Procedure

    1. To define additional incident field criteria that allows an incoming CrowdStrike Next-Gen SIEM detection to be appended to an open security incident instead of creating a new incident, select the Aggregation Conditions option as shown in the following figure.
    2. In the Incident fields with matching values field, enter the field values that you want to match on existing security incidents in your ServiceNow AI Platform instance.
      All field values that you selected in the multi selection input field must match so that the aggregation criteria is met and that this incoming incident can be appended to an existing security incident. This selection implies it is an AND condition where fields, such as Observables and Configuration Items that may have multiple field values, are mapped to them. If only a subset of the values is matched, the CrowdStrike Next-Gen SIEM Incident aggregation conditions are not met and a new security incident is created.
    3. To add multiple field matching conditions, click Add New Criteria
      The aggregation occurs if any one of the multi selection field conditions that you define are met. This selection implies the OR condition.
    4. To update the work note for a new incident when it is added to a security incident, select Log work note for new Incident.

      The work note logs that a new incident is added and includes a link to the incident details. The log work note also updates more details that you add to the work note field in your mapping section.

    5. To configure the schedule, click Continue.

    What to do next

    Set a schedule to retrieve the incident data and ingested incidents that match the criteria in the profile.