Security Incident Response integration with Microsoft Defender for Endpoint release notes

  • Release version: Store
  • Updated June 11, 2026

    Summary of Security Incident Response integration with Microsoft Defender for Endpoint release notes

    The Security Incident Response integration with Microsoft Defender for Endpoint allows ServiceNow customers to enhance their endpoint security by inspecting, analyzing, and containing threats using Microsoft Defender capabilities directly within the ServiceNow platform. It supports proactive threat management on endpoints by integrating Defender’s features into Security Incident Response workflows and workspaces.


    Key Features

    • Isolate Host Action: Enables isolating compromised hosts; recent fixes ensure reliable operation with correct machine ID recognition.
    • Allow/Block Observables: Introduced capability to allow or block specific observables (domains, IPs, files, URLs) from security incidents via Defender.
    • Enhanced Security Controls: Upgraded read-only fields to strict enforcement preventing unauthorized changes across UI, scripts, and integrations.
    • Flow Designer Migration: Workflows for Defender enrichment and incident response migrated to Flow Designer for improved automation and configuration.
    • Support for Analyst and Security Incident Response Workspaces: Integration supports dedicated workspaces for better incident investigation and management.
    • GCC Environment Compatibility: Expanded support for Microsoft Defender configuration in Government Community Cloud (GCC) environments.
    • Improved Host Details Retrieval: Fixed errors and enhanced handling of special characters and parameters to ensure accurate endpoint information retrieval.
    • User Experience Improvements: Dialogue boxes updated for clarity and mandatory fields added to improve action execution reliability.

    Key Outcomes

    • ServiceNow customers can seamlessly use Microsoft Defender’s endpoint protection features within their security incident workflows, improving incident response efficiency.
    • Improved reliability and accuracy in querying host details and performing endpoint actions reduce errors and manual troubleshooting.
    • Enhanced security controls ensure data integrity and prevent unauthorized modifications within the integration.
    • Automated workflows through Flow Designer simplify configuration and maintenance for security teams.
    • Expanded environment compatibility allows customers in GCC regions to leverage Defender integration without limitations.

    Version history for the Security Incident Response integration with Microsoft Defender for Endpoint on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 1.3.5 - June 2026
    • Fixed:
      • The Isolate Host action failing with the error "No Machine id found for given CI".
      • Implemented fixes related to Cobalt Raven Non-Glide Query ACL directives, ensuring proper ACL enforcement for non-Glide query operations.
    Version 1.3.4 - April 2026
    New: Capability to allow or block observables from Security Incidents, such as domains, IP addresses, files, and URLs, using Microsoft Defender for Endpoint.
    Version 1.2.4 - March 2026
    Fixed: Handled special characters in hostname field.
    Version 1.2.1 - February 2026
    Fixed: Malformed URL errors by properly handling special characters in hostnames during EDR machine lookup.
    Version 1.2.0 - December 2025
    New: Upgraded all dictionary-level read-only fields to Strict Read-Only to enhance security and prevent unauthorized changes. This update ensures the server consistently enforces read-only behaviour across all UIs, scripts, and integrations.
    Version 1.1.20 - October 2025
    Fixed: Requests being built incorrectly, ensuring accurate host detail retrieval.
    Version 1.1.10 - August 2025
    Fixed: Get Host Details requests being built with incorrect parameters, causing failures in retrieving accurate host information.
    Version 1.0.12 - June 2025
    Fixed: Query failure due to insufficient 'query_match' access on sn_sec_core_integration_item.sys_scope for users with sn_si.analyst role, impacting Defender for Endpoint integration.
    Version 1.0.11 - May 2025
    Fixed: Bugs have been addressed and resolved as part of this release.
    Version 1.0.9 - November 2024
    Changed: Migration of Workflows to Flow Designer flows.
    Version 1.0.7 - August 2024
    • New: Migrated workflows to Flow Designer for the Microsoft Defender enrichment capabilities.
    • Changed: Microsoft Defender for Endpoint can now be configured for GCC environments.
    Version 1.0.6 - March 2024
    • Changed: The Comments field in the Run additional actions capability is now set as a mandatory field.
    • Fixed:
      • The Get Host Details and Get Logged on Users actions failed due to a large response.
      • The Create indicators in Microsoft Defender for Endpoint action failed when a time format other than YYYY-MM-DD HH:MM:SS was chosen.
    Version 1.0.5 - August 2023
    • Changed: The Type field in the MS Defender capabilities Isolate Host and Run Antivirus Scan dialogue boxes is now a drop-down instead of a text field.
    • Fixed: If the machine is not found in Defender by the name field of the CI item, the machine can now be searched for using the FQDN field.
    Version 1.0.4 - April 2023
    Changed: Updated to support this integration on the Security Incident Response workspace.
    Version 1.0.2 - February 2023
    New: Support for Analyst workspace.
    Version 1.0.1 - November 2022
    • Fixed:
      • The Microsoft Defender for Endpoint Host Details flow retrieved all machine details instead of only the details for the required Configuration Item.
      • The POL_ON Defender Endpoint Observable Indicator UI page was broken.
    Version 1.0.0 - February 2022
    The Microsoft Defender for Endpoint integration enables organizations to proactively inspect, analyze, and contain known and unknown threats on any endpoint.
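
The hostname-handling fixes in 1.2.1 and 1.2.4, the FQDN fallback from 1.0.5 and the "No Machine id found for given CI" error from 1.3.5 all concern the same EDR machine-lookup step. The JavaScript below is an added illustration, not ServiceNow's or Microsoft's code: the machines endpoint and the computerDnsName filter follow Microsoft's public Defender for Endpoint API, while fetchMachines, sampleFetch and the sample inventory are assumed or constructed here.

```javascript
// Added example (not the integration's own code). Shows how a CI hostname
// must be escaped before it is placed in a Defender machine-lookup URL, and
// how a name-then-FQDN fallback resolves a machine id or fails with the
// documented error text.
const DEFENDER_API_BASE = "https://api.securitycenter.microsoft.com/api";

// Build the lookup URL. An OData string literal escapes a single quote by
// doubling it; the whole filter is then percent-encoded so characters such
// as ' ', '#' or '&' in the hostname cannot malform the query string.
function buildMachineLookupUrl(hostname) {
  if (typeof hostname !== "string" || hostname.trim() === "") {
    throw new Error("hostname must be a non-empty string");
  }
  const literal = hostname.trim().replace(/'/g, "''");
  const filter = "computerDnsName eq '" + literal + "'";
  return DEFENDER_API_BASE + "/machines?$filter=" + encodeURIComponent(filter);
}

// Resolve a machine id for a CI: try the CI name first, then the FQDN.
// `fetchMachines(url)` is a hypothetical HTTP callback that returns the
// array of machine objects ({ id, ... }) from the Defender response.
function resolveMachineId(ci, fetchMachines) {
  const candidates = [ci.name, ci.fqdn].filter((h) => h && h.trim() !== "");
  for (const host of candidates) {
    const machines = fetchMachines(buildMachineLookupUrl(host));
    if (Array.isArray(machines) && machines.length === 1) {
      return machines[0].id;
    }
    // More than one hit is ambiguous: isolating the wrong host is worse
    // than failing loudly. Zero hits fall through to the next candidate.
    if (Array.isArray(machines) && machines.length > 1) {
      throw new Error("Ambiguous machine lookup for host " + host);
    }
  }
  throw new Error("No Machine id found for given CI");
}

// Constructed sample inventory standing in for the Defender API response;
// sampleFetch parses the filter back out of the URL the way a server would.
const SAMPLE_MACHINES = {
  "srv01.corp.example": [{ id: "machine-id-placeholder-1" }],
};
function sampleFetch(url) {
  const filter = new URL(url).searchParams.get("$filter") || "";
  const m = /^computerDnsName eq '(.*)'$/.exec(filter);
  const host = m ? m[1].replace(/''/g, "'") : "";
  return SAMPLE_MACHINES[host] || [];
}
```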