Trigger conditions in a configuration item
Summary of Trigger conditions in a configuration item
This content explains how ServiceNow customers can configure trigger conditions in profiles that integrate with Microsoft Defender for Endpoint. It focuses on automating when a profile runs based on specific conditions tied to security incidents and asset identification within the ServiceNow AI Platform Configuration Management Database (CMDB).
How to Use Trigger Conditions
- Profiles can be set to run automatically when a security incident matches defined trigger conditions, or they can be run manually via the "Run EDR profile(s)" form on the security incident record.
- By default, the integration uses the Configuration Item (CI) field on the security incident to match asset IDs with the CMDB records.
- When a profile runs, the system searches the CMDB for host name or IP address information based on the CI field, which it then uses to resolve the Agent ID in Microsoft Defender for Endpoint to identify the endpoint.
- If the CI field is not populated or does not match the CMDB data, an alternate CI field can be selected during profile configuration. This can be any field on the security incident, including custom fields, that contains the host name or IP address for endpoint identification.
Practical Considerations
- Using alternate CI fields ensures profiles run reliably even if the default CI field is missing or incomplete on a security incident.
- Alternate CI fields apply specifically to capabilities such as Get Host Details, Get Logged On Users, Isolate Host, and Remove Isolation within profiles.
- For additional actions beyond these capabilities, the alternate CI must be configured separately in the Default Settings module.
Key Outcomes
By correctly configuring trigger conditions and CI fields, ServiceNow customers can automate profile execution in response to security incidents, ensuring accurate endpoint identification and seamless data retrieval from Microsoft Defender for Endpoint. This leads to efficient incident response and enriched asset data within the ServiceNow AI Platform CMDB.
After you create a profile and select the Microsoft Defender for Endpoint capabilities that you want the profile to run, configure the profile settings so that the profile runs only when a set of specific conditions is met.
How to set trigger conditions in a configuration item
You can set trigger conditions so that the profile runs automatically whenever a security incident is created that matches the trigger condition. If no trigger condition is set, the profile can be run manually from the Run EDR profile(s) form on the security incident by selecting the profile.
By default, the integration uses the Configuration Item (CI) field on the Security incident. This value is used to match the IDs of your assets with the information stored in the ServiceNow AI Platform Configuration Management Database (CMDB). When a security incident is created, and a profile is run either automatically or manually, the CMDB is searched to retrieve the host name or IP address based on the value of the CI field. The host name or IP is used to resolve the Agent ID on Microsoft Defender for Endpoint to identify the endpoint.
In an ideal scenario, a matching value is found in the CMDB, and data is gathered from the Microsoft Defender for Endpoint console for the matching asset. The data for the selected capabilities is pulled into your ServiceNow AI Platform instance and displayed in the related lists of the security incident. When the Configuration item (CI) field on the security incident is not populated, or its host name or IP address does not match a CMDB record, you can select an alternate field on the security incident that contains either the host name or the IP address to perform the Agent ID resolution.
During the configuration step of the profile setup, you can select an alternate CI field for endpoint identification to ensure that you are able to identify the endpoint on Microsoft Defender for Endpoint. You can select any field on the security incident as an alternate CI trigger field, including custom fields that you create. By selecting this alternate CI field as a backup, you ensure that your profiles run even if the CI field is not populated on the associated security incident on incident creation.