Trigger McAfee ePO profile manually from a security incident

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Trigger a capability profile manually from a ServiceNow AI Platform Security Incident Response (SIR) security incident.

    Before you begin

    Role required: sn_si.admin

    Note:
    The approvals option in the Configure settings appears only for Isolate Host and Remove Host Isolation capabilities.

    About this task

    You can invoke a request to Get Host Details, Isolate Host machine, or Remove Isolation of a machine automatically if the triggering conditions you specify in the profile match the conditions on security incidents. Alternatively, if you want to submit a request manually, submit the request directly from a security incident.

    Once you activate the profile, based on the configured trigger conditions, you can view the query results in the ServiceNow AI Platform security incidents. McAfee ePO integrations also enables you to run individual capabilities on Configuration Items (CIs) without using a profile.

    Procedure

    1. Navigate to All > Security Incidents > Show All Incidents.
    2. Select the security incident that you want to review with the McAfee ePO information.
    3. In the related lists section, select Run EDR Profile(s).
    4. Browse and select a profile from the list of available profiles.
      The list of available profiles are Get Host Details, Isolate Host machine, and Remove Isolation. For example, let's select Get Host Details.
    5. Select Include Related CI to run this profile on all the related CIs of the profile.
      For example, if there are five CIs associated with the security incident, then the selected profile runs on all the five CIs.
    6. Select Submit.
      The selected profile is triggered manually. You can review the work notes and activities section and the profile-initiated and profile-completed tags in the work notes section. The results appear in the form of related lists such as Get Host Details, Isolate Host machine, or Remove Isolation.
      Note:
      All the related list tables extend the base tables.
    7. To run individual capabilities on a Configuration Item (CI), perform the following steps:
      1. In the Configuration Items related list, select the required CI.
      2. Select the Actions on selected rows... drop-down list, and select the required capability that you want to run for the selected CI.
        For example, Isolate Host.
      3. Select Isolate Host to run it on the selected CI.
        The select CI gets isolated from the network.