Trigger conditions in a configuration item
Summarize
Summary of Trigger Conditions in a Configuration Item
This content explains how to set up trigger conditions for profiles in Microsoft Defender for Endpoint within ServiceNow, allowing profiles to run automatically when specific security incidents occur. By configuring these conditions, users can ensure that profiles are executed only under certain circumstances, enhancing the management of security incidents.
Show less
Key Features
- Automatic Execution: Profiles can be configured to run automatically when a security incident matches the trigger conditions.
- Manual Execution: If no trigger condition is set, profiles can still be run manually via the Run EDR profile(s) form on the security incident.
- Integration with CMDB: The CI field on the security incident is used to match asset IDs with the ServiceNow AI Platform Configuration Management Database (CMDB), facilitating endpoint identification.
- Alternate CI Field: Users can select an alternate CI field on the security incident for endpoint identification, ensuring profiles can run even if the primary CI field is not populated.
Key Outcomes
By properly configuring trigger conditions and alternate CI fields, ServiceNow customers can:
- Enhance the automated response to security incidents, ensuring timely actions based on specific conditions.
- Improve endpoint identification, even when primary data fields are unavailable, thereby minimizing potential delays in incident response.
- Leverage custom fields to tailor the identification process to the organization’s specific needs, optimizing the use of Microsoft Defender for Endpoint capabilities.
After you create a profile and select the Microsoft Defender for Endpoint capabilities that you want the profile to run, configure the profile settings so that the profile runs only when a set of specific conditions is met.
How to trigger conditions in a configuration item
You can set trigger conditions so the profile runs automatically whenever a security incident is created that matches the trigger condition. If the trigger condition is not set, these profiles can be manually run by clicking the Run EDR profile(s) form on the security incident, and selecting the profile.
By default, the integration uses the Configuration Item (CI) field on the Security incident. This value is used to match the IDs of your assets with the information stored in the ServiceNow AI Platform Configuration Management Database (CMDB). When a security incident is created, and a profile is run either automatically or manually, the CMDB is searched to retrieve the host name or IP address based on the value of the CI field. The host name or IP is used to resolve the Agent ID on Microsoft Defender for Endpoint to identify the endpoint.
In an ideal scenario, a matching value is found in the database, and data is gathered from the Microsoft Defender for Endpoint console for the matching asset. The data for various capabilities are pulled into your ServiceNow AI Platform Configuration Management Database (CMDB) instance and displayed in the related lists of a security incident. When the Configuration item (CI) field is not populated on the security incident with a host name with or an IP address that matches the database, you can select an alternate field on the security incident that contains either the host name or the IP to perform the Agent ID resolution.
During the configuration step of the profile setup, you can select an alternate CI field for endpoint identification to ensure that you are able to identify the endpoint on Microsoft Defender for Endpoint. You can select any field on the security incident as an alternate CI trigger field, including custom fields that you create. By selecting this alternate CI field as a backup, you ensure that your profiles run even if the CI field is not populated on the associated security incident on incident creation.