Map the Microsoft Defender for Endpoint indicator types

  • Release version: Australia
  • Updated March 12, 2026

Map the ServiceNow Observable type to the Microsoft Defender for Endpoint indicator type. This mapping is used by the Observable Enrichment and Create Indicator actions in Microsoft Defender.

    Before you begin

    Role required: sn_si.admin or sn_si.analyst (read-only)

    About this task

    Observables whose type is not mapped to an indicator type are not eligible for Observable enrichment and indicator creation in Microsoft Defender for Endpoint.

    Procedure

    1. Navigate to Microsoft Defender for Endpoint > Observable-Indicator Mapping.
      Figure 1. Observable-Indicator Mapping
    2. Add or update an Observable type in one of the following ways:
      • To add a new mapping, click Add Observable Type.
      • To update an existing Observable type to Indicator type mapping, click its row.
    3. To save the mapping, click Update.