Security Incident Response integration with Microsoft Defender for Endpoint release notes

  • Release version: Store
  • Updated June 11, 2026

    Version history for the Security Incident Response integration with Microsoft Defender for Endpoint on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 1.3.5 - June 2026
    • Fixed:
      • The Isolate Host action failing with the error "No Machine id found for given CI".
      • Implemented fixes related to Cobalt Raven Non-Glide Query ACL directives, ensuring proper ACL enforcement for non-Glide query operations.
    Version 1.3.4 - April 2026
    New: Capability to allow or block observables (domains, IP addresses, files, and URLs) from security incidents using Microsoft Defender for Endpoint.
    Version 1.2.4 - March 2026
    Fixed: Handled special characters in hostname field.
    Version 1.2.1 - February 2026
    Fixed: Malformed URL errors by properly handling special characters in hostnames during EDR machine lookup.
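The 1.2.1 and 1.2.4 entries above both concern hostnames with special characters breaking the EDR machine lookup, and the 1.0.5 entry below describes falling back to the CI's FQDN when the Name field finds nothing. The following is an added illustration of both behaviours, not code from ServiceNow or Microsoft: it escapes the hostname as an OData string literal, percent-encodes the `$filter` so characters such as spaces cannot produce a malformed URL, and tries Name before FQDN. The `/api/machines` endpoint and the `computerDnsName` filter follow the public Defender for Endpoint "List machines" API; the base URL, the injected `fetchMachines` callback and the sample machine records are assumptions constructed for the example.

```javascript
// Added example (not ServiceNow's or Microsoft's code). Base URL is an assumption.
var DEFENDER_API_BASE = 'https://api.securitycenter.microsoft.com/api';

// OData string literals are single-quoted; an embedded quote is doubled.
function odataStringLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Build the machine lookup URL. encodeURIComponent() encodes spaces, '#', '&',
// '+' and similar characters that would otherwise split or corrupt the URL.
function buildMachineLookupUrl(hostname) {
  var name = String(hostname || '').trim();
  if (!name) throw new Error('hostname is required');
  var filter = 'computerDnsName eq ' + odataStringLiteral(name);
  return DEFENDER_API_BASE + '/machines?$filter=' + encodeURIComponent(filter);
}

// Look the CI up by Name first and fall back to FQDN. `fetchMachines(url)` is
// injected so the logic runs offline; in a ServiceNow script it would wrap the
// outbound REST call and return the parsed "value" array.
function resolveMachineId(ci, fetchMachines) {
  var candidates = [ci.name, ci.fqdn].filter(function (v) {
    return v && String(v).trim();
  });
  for (var i = 0; i < candidates.length; i++) {
    var machines = fetchMachines(buildMachineLookupUrl(candidates[i])) || [];
    if (machines.length === 1) return machines[0].id;
    if (machines.length > 1) {
      throw new Error('ambiguous lookup for ' + candidates[i] + ': ' + machines.length + ' machines');
    }
  }
  return null; // caller surfaces this as "No Machine id found for given CI"
}

// Constructed sample records standing in for a Defender "List machines" response.
var SAMPLE_MACHINES = [
  { id: 'machine-id-placeholder-1', computerDnsName: 'ws-finance 07.corp.example' },
  { id: 'machine-id-placeholder-2', computerDnsName: 'dc01.corp.example' }
];

// Offline stand-in for the REST call: recovers the hostname from the URL and
// applies the same equality filter the service would.
function sampleFetchMachines(url) {
  var m = /computerDnsName%20eq%20'(.*)'$/.exec(url);
  if (!m) return [];
  var wanted = decodeURIComponent(m[1]).replace(/''/g, "'").toLowerCase();
  return SAMPLE_MACHINES.filter(function (x) {
    return x.computerDnsName.toLowerCase() === wanted;
  });
}

// Name alone does not match a Defender record; the FQDN fallback does.
var sampleCi = { name: 'WS-FINANCE 07', fqdn: 'ws-finance 07.corp.example' };
console.log(buildMachineLookupUrl(sampleCi.fqdn));
console.log(resolveMachineId(sampleCi, sampleFetchMachines));
```

Returning `null` rather than throwing on "not found" lets the calling flow decide whether a missing machine is an error for an Isolate Host action or merely an enrichment gap.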
    Version 1.2.0 - December 2025
    New: Upgraded all dictionary-level read-only fields to Strict Read-Only to enhance security and prevent unauthorized changes. This update ensures the server consistently enforces read-only behaviour across all UIs, scripts, and integrations.
    Version 1.1.20 - October 2025
    Fixed: Requests being built incorrectly, ensuring accurate host detail retrieval.
    Version 1.1.10 - August 2025
    Fixed: Get Host Details requests being built with incorrect parameters, causing failures in retrieving accurate host information.
    Version 1.0.12 - June 2025
    Fixed: Query failure due to insufficient 'query_match' access on sn_sec_core_integration_item.sys_scope for users with sn_si.analyst role, impacting Defender for Endpoint integration.
    Version 1.0.11 - May 2025
    Fixed: Bugs have been addressed and resolved as part of this release.
    Version 1.0.9 - November 2024
    Changed: Migration of Workflows to Flow Designer flows.
    Version 1.0.7 - August 2024
    • New: Migrated workflows to Flow Designer for Microsoft Defender enrichment capabilities.
    • Changed: Microsoft Defender for Endpoint can now be configured for Government Community Cloud (GCC) environments.
    Version 1.0.6 - March 2024
    • Changed: The Comments field in the Run additional actions capability is now set as a mandatory field.
    • Fixed:
      • The Get Host Details and Get Logged on Users actions failing due to a large response.
      • The Create Indicators in Microsoft Defender for Endpoint action failing when a time format other than YYYY-MM-DD HH:MM:SS was chosen.
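The Create Indicators fix above (failing whenever the user's configured date format was not YYYY-MM-DD HH:MM:SS) and the 1.3.4 allow/block observables capability both come down to building an indicator request the Defender API will accept. The following is an added illustration, not ServiceNow's or Microsoft's code: it parses the expiration time using whatever pattern the user has configured, rejects rolled-over dates such as 31 February, and emits the ISO 8601 UTC form. The `expirationTime`, `indicatorType` and `action` field names and the example values follow the public Defender for Endpoint indicators API as I recall it and should be treated as assumptions; the pattern-token set is a simplification of ServiceNow's date formats.

```javascript
// Added example (not ServiceNow's or Microsoft's code).
// Supported pattern tokens (assumed subset of ServiceNow date formats).
var TOKENS = { yyyy: 'year', MM: 'month', dd: 'day', HH: 'hour', mm: 'minute', ss: 'second' };

// Turn a pattern such as "dd-MM-yyyy HH:mm:ss" into a regular expression plus
// the ordered list of fields it captures. Separators are matched literally.
function compilePattern(pattern) {
  var fields = [];
  var source = pattern.replace(/yyyy|MM|dd|HH|mm|ss|[^A-Za-z]+/g, function (tok) {
    if (TOKENS[tok]) {
      fields.push(TOKENS[tok]);
      return '(\\d{' + tok.length + '})';
    }
    return tok.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // escape literal separator
  });
  return { re: new RegExp('^' + source + '$'), fields: fields };
}

// Parse `value` in the user's configured `pattern`; unspecified fields default
// to the start of the day. Returns a Date in UTC.
function parseDateTime(value, pattern) {
  var c = compilePattern(pattern);
  var m = c.re.exec(String(value).trim());
  if (!m) throw new Error('value "' + value + '" does not match format ' + pattern);
  var p = { year: 0, month: 1, day: 1, hour: 0, minute: 0, second: 0 };
  c.fields.forEach(function (f, i) { p[f] = parseInt(m[i + 1], 10); });
  var d = new Date(Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second));
  // Date.UTC silently rolls out-of-range fields forward (31 Feb -> 3 Mar); reject those.
  if (d.getUTCFullYear() !== p.year || d.getUTCMonth() !== p.month - 1 || d.getUTCDate() !== p.day ||
      d.getUTCHours() !== p.hour || d.getUTCMinutes() !== p.minute || d.getUTCSeconds() !== p.second) {
    throw new Error('invalid calendar date/time: ' + value);
  }
  return d;
}

// ISO 8601 UTC without fractional seconds, e.g. "2099-06-30T18:30:00Z".
function toDefenderExpirationTime(value, pattern) {
  var d = parseDateTime(value, pattern);
  if (d.getTime() <= Date.now()) throw new Error('expiration time must be in the future');
  return d.toISOString().replace(/\.\d{3}Z$/, 'Z');
}

// Assemble the indicator body for an allow/block observable. Field names and
// example values are assumptions taken from the public indicators API.
function buildIndicatorBody(indicatorType, indicatorValue, action, title, expiration, pattern) {
  return {
    indicatorValue: indicatorValue,   // e.g. a domain, IP address, URL or file hash
    indicatorType: indicatorType,     // e.g. 'DomainName', 'IpAddress', 'Url', 'FileSha256'
    action: action,                   // e.g. 'Block' or 'Allowed'
    title: title,
    expirationTime: toDefenderExpirationTime(expiration, pattern)
  };
}

// Constructed sample: a user whose instance is configured for dd-MM-yyyy.
console.log(JSON.stringify(buildIndicatorBody(
  'DomainName', 'bad.example', 'Block', 'SIR0010001 block', '30-06-2099 18:30:00', 'dd-MM-yyyy HH:mm:ss'
), null, 2));
```

Converting at the integration boundary rather than asking the analyst to retype dates keeps the user-facing format consistent with the rest of the instance while guaranteeing the API receives a single canonical form.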
    Version 1.0.5 - August 2023
    • Changed: The Type field in the Isolate Host and Run Antivirus Scan dialog boxes is now a drop-down list instead of a free-text field.
    • Fixed: If Defender does not find the machine by the CI's Name field, the machine can now be looked up using the FQDN field.
    Version 1.0.4 - April 2023
    Changed: Updated to support this integration on the Security Incident Response workspace.
    Version 1.0.2 - February 2023
    New: Support for Analyst workspace.
    Version 1.0.1 - November 2022
    • Fixed:
      • The Microsoft Defender for Endpoint Host Details flow retrieving all machine details instead of only the details for the required Configuration Item.
      • POL_ON Defender Endpoint Observable Indicator UI page is broken.
    Version 1.0.0 - February 2022
    The Microsoft Defender for Endpoint integration enables organizations to proactively inspect, analyze, and contain known and unknown threats on any endpoint.