Perform a manual observable enrichment in Microsoft Defender for Endpoint

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read
    Select one or more observables on a security incident and run a manual observable enrichment to retrieve additional information about them from Microsoft Defender for Endpoint.

    Before you begin

    Role required: sn_si.analyst

    About this task

    The Microsoft Defender for Endpoint integration enables observable enrichment for all the observable types that are mapped in the Observable-Indicator Mapping module. Observables of a type that is not mapped there are not enriched.

    Procedure

    1. Navigate to Security Incidents > Show All Incidents.
    2. Select the security incident that you want to review with the Microsoft Defender for Endpoint information.
    3. Click Show All related lists.
    4. Click the Associated Observables tab.
    5. Select the observables.
    6. From the Actions list, click Run Observable Enrichment.
    7. Select a Microsoft Defender for Endpoint source and move it to the Selected column to specify which implementation you want to use to enrich the selected observables.
    8. Click Submit.
    9. To check the status of the enrichment run, view the work notes on the security incident.
    10. To view the results, click the Microsoft Defender Indicator tab.
      The following table describes the fields on the Microsoft Defender Indicator tab.
      Table 1. Microsoft Defender Indicator
      Field                 Description
      Indicator ID          Identity of the indicator entity. Click Open to view the record in detail in the ServiceNow AI Platform instance.
      Observable            The observable associated with the result.
      Title                 Title of the indicator.
      Indicator Type        Type of the indicator (for example, file hash, IP address, domain name, or URL).
      Action                Response action configured on the indicator in Microsoft Defender for Endpoint.
      Recommended Action    Recommended actions recorded on the indicator.
      Integration Vendor    Defender source integration from which the data is retrieved.
      Expiration Date       Time at which the indicator expires in Microsoft Defender for Endpoint. Treat a result whose expiration time has passed as historical rather than as an active control.
      Retrieval Date        Date and time when the enrichment record was created, that is, when the data was retrieved.
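      The example below is added to this page to show what the enrichment in the procedure above does with the data it retrieves; it is not ServiceNow's or Microsoft's code. It assumes indicator records carry the field names returned by the Microsoft Defender for Endpoint Indicators API (id, indicatorValue, indicatorType, action, title, recommendedActions, expirationTime), normalizes observable values so they match the way Defender stores them, joins them against the indicators, and shapes each hit like a row of Table 1, including an expired flag derived from the Expiration Date. The indicators, observables, and timestamp are constructed sample data.

```python
"""Match incident observables against Microsoft Defender for Endpoint indicators
and shape each hit like a row of the Microsoft Defender Indicator table.

Added example for this page, not ServiceNow's or Microsoft's code. Field names
follow the Defender for Endpoint Indicators API; all sample data is constructed.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Defender indicatorType values for file hashes, with the hex length of each.
HASH_TYPES = {"FileSha256": 64, "FileSha1": 40, "FileMd5": 32}
INTEGRATION_VENDOR = "Microsoft Defender for Endpoint"

# Constructed sample of the "value" array returned by GET .../api/indicators.
SAMPLE_INDICATORS = [
    {"id": "101", "indicatorType": "FileSha256",
     "indicatorValue": "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
     "action": "Block", "title": "Dropper seen in phishing wave",
     "recommendedActions": "Isolate host and collect the binary",
     "expirationTime": None},                      # null = never expires
    {"id": "102", "indicatorType": "DomainName",
     "indicatorValue": "Malicious-Update.example.net", "action": "Alert",
     "title": "Staging domain", "recommendedActions": "Check proxy logs",
     "expirationTime": "2026-09-01T12:00:00.0000000Z"},
    {"id": "103", "indicatorType": "IpAddress", "indicatorValue": "203.0.113.7",
     "action": "Warn", "title": "Old C2 address", "recommendedActions": "",
     "expirationTime": "2025-01-01T00:00:00Z"},    # expired relative to NOW
]

# Constructed observables, as an analyst might select them on an incident.
SAMPLE_OBSERVABLES = [
    "3A7BD3E2360A3D29EEA436FCFB7E44C735D117C42D1C1835420B6B9942DD4F1B",  # upper-case hash
    "malicious-update.example.net.",  # trailing dot copied from a DNS log
    "203.0.113.7",
    "198.51.100.9",                   # no indicator exists for this address
    "not an observable",
]
NOW = datetime(2026, 3, 12, tzinfo=timezone.utc)  # constructed retrieval time


def classify(value: str) -> str | None:
    """Infer the Defender indicatorType of an observable value (IPv4 only)."""
    v = value.strip()
    if "://" in v:
        return "Url"
    if all(c in "0123456789abcdefABCDEF" for c in v):
        for kind, length in HASH_TYPES.items():
            if len(v) == length:
                return kind
        return None
    if v.count(".") == 3 and all(p.isdigit() and int(p) < 256 for p in v.split(".")):
        return "IpAddress"
    if "." in v:
        return "DomainName"
    return None


def normalize(indicator_type: str, value: str) -> str:
    """Canonicalize a value so an observable and an indicator compare equal."""
    v = value.strip()
    if indicator_type in HASH_TYPES:
        return v.lower()
    if indicator_type == "DomainName":
        return v.lower().rstrip(".")
    if indicator_type == "Url":
        # Scheme and host are case-insensitive; the path is not.
        scheme, sep, rest = v.partition("://")
        host, slash, path = rest.partition("/")
        return f"{scheme.lower()}{sep}{host.lower()}{slash}{path}"
    return v  # IpAddress, CertificateThumbprint: compare as given


def parse_utc(ts: str) -> datetime:
    """Parse Defender's ISO 8601 UTC timestamps, which may carry 7 fractional digits."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def enrich(observables: list[str], indicators: list[dict], now: datetime) -> list[dict]:
    """Return one Table 1 shaped row per (observable, matching indicator) pair."""
    index: dict[tuple[str, str], list[dict]] = {}
    for ind in indicators:
        key = (ind["indicatorType"], normalize(ind["indicatorType"], ind["indicatorValue"]))
        index.setdefault(key, []).append(ind)
    rows = []
    for obs in observables:
        kind = classify(obs)
        if kind is None:
            continue  # unmapped type: nothing to look up, same as the integration
        for ind in index.get((kind, normalize(kind, obs)), []):
            expires = parse_utc(ind["expirationTime"]) if ind.get("expirationTime") else None
            rows.append({
                "indicator_id": ind["id"],
                "observable": obs,
                "title": ind.get("title", ""),
                "indicator_type": ind["indicatorType"],
                "action": ind["action"],
                "recommended_action": ind.get("recommendedActions", ""),
                "integration_vendor": INTEGRATION_VENDOR,
                "expiration_date": expires,
                "retrieval_date": now,
                "expired": expires is not None and expires <= now,  # no longer enforced
            })
    return rows


if __name__ == "__main__":
    for row in enrich(SAMPLE_OBSERVABLES, SAMPLE_INDICATORS, NOW):
        print(row)
```

      Running the module prints three hits: the hash matches despite the case difference, the domain matches despite the trailing dot, and the IP address matches but is flagged expired because its expiration time is before the retrieval time. The unmatched address and the unclassifiable string produce no rows, which mirrors what you see on the Microsoft Defender Indicator tab when an observable has no corresponding indicator.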