Understand how trigger conditions work with a configuration item

  • Release version: Yokohama
  • Updated July 31, 2025

    After you create a profile and select the FireEye capabilities that you want the profile to run, configure the profile settings so that it runs only when a specific set of conditions is met.

    You can set trigger conditions so that the profile runs automatically whenever a security incident matching the trigger condition is created. If no trigger condition is set, you can run these profiles manually by clicking 'Run EDR profile(s)' on the security incident form and selecting the profile.

    By default, the integration uses the Configuration Item (CI) field on the security incident. This value is used to match the IDs of your assets with the information stored in the Now Platform CMDB. When a security incident is created and a profile is run, either automatically or manually, the CMDB is searched to retrieve the host name and/or IP address based on the value of the CI field. The host name and/or IP address is then used to resolve the Agent ID on FireEye HX, which identifies the endpoint.

    In the ideal case, a matching value is found in the database, and data is gathered from the FireEye HX console for the matching asset. The data for the various capabilities is pulled into your ServiceNow AI Platform instance and displayed in the related lists of the security incident. When the Configuration item (CI) field on the security incident is not populated with a host name or an IP address that matches the database, you can select an alternate field on the security incident that contains either the host name or the IP address to perform the Agent ID resolution.

    During the configuration step of the profile setup, you can select an alternate CI field for endpoint identification to ensure that you can identify the endpoint on FireEye HX. You can select any field on the security incident as an alternate CI trigger field, including custom fields that you create. By selecting this alternate CI field as a backup, you ensure that your profiles run even if the CI field is not populated on the associated security incident when the incident is created.
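
The lookup order described above, modelled as an added example in plain JavaScript (not ServiceNow or FireEye code): the CI value is looked up in an in-memory stand-in for the CMDB, and the alternate field is consulted only when the CI is empty or does not resolve. The `cmdb_ci` and `u_affected_host` field names, the sample records and the agent IDs are assumptions made for illustration, as is falling back when a CMDB record maps to no agent.

```javascript
// Constructed sample data standing in for the CMDB and the FireEye HX agent list.
const cmdb = new Map([
  ["ci-001", { hostname: "fin-ws-01", ip: "10.0.4.21" }],
  ["ci-002", { hostname: "hr-lt-07", ip: "10.0.4.35" }],
]);
const hxAgents = [
  { agentId: "agent-A", hostname: "fin-ws-01", ip: "10.0.4.21" },
  { agentId: "agent-B", hostname: "hr-lt-07", ip: "10.0.4.35" },
];

// Match an HX agent by host name (case-insensitive) and/or IP address.
function findAgent(hostname, ip) {
  const h = hostname ? hostname.toLowerCase() : null;
  const hit = hxAgents.find(a => (h && a.hostname === h) || (ip && a.ip === ip));
  return hit ? hit.agentId : null;
}

const isIPv4 = v => /^\d{1,3}(\.\d{1,3}){3}$/.test(v);

// Try the CI field first; fall back to the alternate field (hypothetical name
// passed by the caller) when the CI is empty or has no CMDB match.
function resolveEndpoint(incident, alternateField) {
  const ci = incident.cmdb_ci ? cmdb.get(incident.cmdb_ci) : undefined;
  if (ci) {
    const agentId = findAgent(ci.hostname, ci.ip);
    if (agentId) return { agentId, source: "ci" };
  }
  const alt = alternateField ? String(incident[alternateField] || "").trim() : "";
  if (alt) {
    const agentId = isIPv4(alt) ? findAgent(null, alt) : findAgent(alt, null);
    if (agentId) return { agentId, source: "alternate" };
  }
  return { agentId: null, source: "unresolved" };
}

// Constructed incidents: CI resolves, CI empty, CI not in CMDB, nothing usable.
const incidents = [
  { number: "SIR0001", cmdb_ci: "ci-001", u_affected_host: "" },
  { number: "SIR0002", cmdb_ci: "", u_affected_host: "10.0.4.35" },
  { number: "SIR0003", cmdb_ci: "ci-999", u_affected_host: "HR-LT-07" },
  { number: "SIR0004", cmdb_ci: "", u_affected_host: "" },
];

// Incidents for which a triggered profile would find no endpoint to query.
function unresolved(list, alternateField) {
  return list.filter(i => !resolveEndpoint(i, alternateField).agentId).map(i => i.number);
}

console.log(incidents.map(i => [i.number, resolveEndpoint(i, "u_affected_host").source]));
console.log(unresolved(incidents, null)); // same incidents with no alternate field
```

Running `unresolved` over a sample of recent incidents with and without the alternate field shows how many profile runs depend on that fallback being configured.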

    Note:
    The alternate CI fields are considered only for capabilities that could be added to a profile. For all the additional actions, the alternate CI is picked from the default settings page.
    [Image: Security Incident New record]