Trigger conditions in a configuration item

  • Release version: Zurich
  • Updated July 31, 2025

    After you create a profile and select the Microsoft Defender for Endpoint capabilities that you want the profile to run, configure the profile settings so that the profile runs only when a set of specific conditions is met.

How trigger conditions in a configuration item work

You can set trigger conditions so that the profile runs automatically whenever a security incident is created that matches the trigger condition. If no trigger condition is set, these profiles can still be run manually by clicking Run EDR profile(s) on the security incident form and selecting the profile.

By default, the integration uses the Configuration Item (CI) field on the security incident. This value is used to match the IDs of your assets with the information stored in the ServiceNow AI Platform Configuration Management Database (CMDB). When a security incident is created and a profile is run, either automatically or manually, the CMDB is searched to retrieve the host name or IP address based on the value of the CI field. The host name or IP address is then used to resolve the Agent ID on Microsoft Defender for Endpoint and identify the endpoint.

In an ideal scenario, a matching value is found in the database, and data is gathered from the Microsoft Defender for Endpoint console for the matching asset. The data for the various capabilities is pulled into your ServiceNow AI Platform CMDB instance and displayed in the related lists of the security incident. When the Configuration Item (CI) field on the security incident is not populated with a host name or an IP address that matches the database, you can select an alternate field on the security incident that contains either the host name or the IP address to perform the Agent ID resolution.

During the configuration step of the profile setup, you can select an alternate CI field for endpoint identification so that you can still identify the endpoint on Microsoft Defender for Endpoint. You can select any field on the security incident as an alternate CI trigger field, including custom fields that you create. By selecting this alternate CI field as a backup, you ensure that your profiles run even if the CI field is not populated on the associated security incident at incident creation.

Note:
The alternate CI field is considered only for capabilities that can be added to a profile. These capabilities are Get Host Details, Get Logged On Users, Isolate Host, and Remove Isolation. For all additional actions, the alternate CI must be configured in the Default Settings module.
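The resolution order described above (default CI field, CMDB lookup for host name or IP, Agent ID lookup in Microsoft Defender for Endpoint, then the alternate CI field as a fallback) as an added illustrative model; this is not ServiceNow's or Microsoft's code, and the in-memory tables, field names such as `cmdb_ci` and `u_affected_host`, and device records are constructed assumptions standing in for the CMDB and the Defender device inventory.

```javascript
// Added illustrative model of the CI -> CMDB -> Agent ID resolution.
// Not ServiceNow's or Microsoft's code: plain JavaScript with constructed
// in-memory tables standing in for the CMDB and the Defender for Endpoint
// device inventory. Table, field and device names are assumptions.

// Constructed CMDB rows (sys_id, host name, IP address)
const CMDB = [
  { sys_id: "ci-001", name: "WS-FIN-01", ip_address: "10.20.30.41" },
  { sys_id: "ci-002", name: "SRV-DB-07", ip_address: "10.20.31.7" },
];

// Constructed Defender for Endpoint device inventory (agent id <-> identity)
const MDE_DEVICES = [
  { id: "agent-aaaa", computerDnsName: "ws-fin-01", lastIpAddress: "10.20.30.41" },
  { id: "agent-bbbb", computerDnsName: "srv-db-07", lastIpAddress: "10.20.31.7" },
];

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Resolve a host name or IP address to a Defender Agent ID (null if unknown).
function resolveAgentId(hostOrIp) {
  if (!hostOrIp) return null;
  const key = String(hostOrIp).trim().toLowerCase();
  const dev = MDE_DEVICES.find((d) =>
    IPV4.test(key) ? d.lastIpAddress === key : d.computerDnsName.toLowerCase() === key
  );
  return dev ? dev.id : null;
}

// Default path: the CI field references a CMDB record; try its host name, then its IP.
function resolveViaCi(ciSysId) {
  const ci = CMDB.find((row) => row.sys_id === ciSysId);
  if (!ci) return null;
  return resolveAgentId(ci.name) || resolveAgentId(ci.ip_address);
}

// Order the page describes: default CI first, then the alternate CI field
// (any incident field holding a host name or IP), otherwise no endpoint and
// the profile cannot act on the incident.
function resolveEndpoint(incident, altField) {
  const viaCi = resolveViaCi(incident.cmdb_ci);
  if (viaCi) return { agentId: viaCi, source: "cmdb_ci" };
  const viaAlt = altField ? resolveAgentId(incident[altField]) : null;
  if (viaAlt) return { agentId: viaAlt, source: altField };
  return { agentId: null, source: null };
}
```

The last case is the failure mode the Note warns about: with an empty CI and no alternate field configured, no Agent ID is resolved and the profile has nothing to run against.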