Microsoft Defender for Endpoint Default Settings

  • Release version: Yokohama
  • Updated January 30, 2025

    There are additional configuration settings you must perform after you complete the installation.

    After you complete the installation, you can find the Default Settings module under the Microsoft Defender for Endpoint application on the left-navigation pane. It contains the default settings for different Microsoft Defender for Endpoint functionalities.

    Roles required: sn_si.admin, sn_si.analyst (read-only).

    Additional Configurations

    The following are additional configuration settings:
    • Approval: This approval applies to the Isolate Host and Remove Host Isolation actions, and to additional actions such as Restrict App Execution, Remove App Restriction and Run Antivirus Scan. It is used only when actions are triggered directly from the Related list and no profiles exist. If profiles exist for these capabilities, the approval configuration in the profile takes precedence.
      • Require Approval: When you enable Require Approval, the Approvers field is available on the form.
      • Approvers: List of approver groups. After you submit a request, approval is required from the group to complete the request.
    • Alternate CI: Enabling this check box provides the list of fields available to pass an alternate CI to the capability. By default, the integration uses the Configuration Item (CI) field on the Security Incident. This configuration applies only to the Run Additional Actions on Endpoint capability: use it to define an alternate CI input field for that capability only. For the other capabilities, use the configuration in the profile section. If the profiles do not define an alternate CI, the capabilities take the CI from the CI field on the Security Incident form.
    • Input for Agent ID resolution: By default, both IP and Host Name are used to get the Agent ID. If you want to use only one of them, set the input field to either IP or Host Name.
    • Timeout:
      • Isolate Host Timeout (in minutes): Indicates the execution threshold for the Isolate Host capability.
      • Remove Isolation Timeout (in minutes): Indicates the execution threshold for the Remove Isolation capability.
      • Restrict App Execution Timeout (in minutes): Indicates the execution threshold for the Restrict App Execution capability.
      • Remove App Restriction Timeout (in minutes): Indicates the execution threshold for the Remove App Restriction capability.
      • Run Antivirus Scan Timeout (in minutes): Indicates the execution threshold for the Run Antivirus Scan capability.
      • Stop and Quarantine File Timeout (in minutes): Indicates the execution threshold for the Stop and Quarantine File capability.
    Figure 1. Default Settings: additional configuration settings after you complete the installation
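The precedence rules above (profile over default Approval, default Approval only from the Related list, and the Agent ID input choice) as an added model in Python. This is an illustrative example, not ServiceNow's or the integration's own code; the `defaults`/`profiles` dictionaries, the `resolve` and `agent_id_lookup_fields` functions and the sample values are assumptions that mirror the documented behaviour.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Capabilities the default Approval setting covers (from the documentation).
APPROVAL_CAPABILITIES = {
    "Isolate Host", "Remove Host Isolation", "Restrict App Execution",
    "Remove App Restriction", "Run Antivirus Scan",
}

@dataclass
class Decision:
    require_approval: bool
    approvers: List[str] = field(default_factory=list)
    timeout_minutes: Optional[int] = None
    source: str = "none"   # which setting decided: 'profile', 'default' or 'none'

def resolve(capability, triggered_from_related_list, defaults, profiles):
    """Effective approval/timeout decision for one action (assumed model).
    A profile for the capability always wins; the default Approval setting
    applies only when the action comes from the Related list and no profile
    exists for that capability. The timeout comes from the default settings."""
    timeout = defaults.get("timeouts", {}).get(capability)
    profile = profiles.get(capability)
    if profile is not None:
        return Decision(profile["require_approval"],
                        list(profile.get("approvers", [])), timeout, "profile")
    if (capability in APPROVAL_CAPABILITIES and triggered_from_related_list
            and defaults.get("require_approval")):
        return Decision(True, list(defaults.get("approvers", [])), timeout, "default")
    return Decision(False, [], timeout, "none")

def agent_id_lookup_fields(setting, ip, host_name):
    """(field, value) pairs used to resolve the Agent ID for the
    'Input for Agent ID resolution' setting: 'IP', 'Host Name' or 'Both'.
    Raises if a selected input is empty, so a misconfigured setting fails
    loudly instead of silently resolving the wrong endpoint."""
    candidates = {"IP": ip, "Host Name": host_name}
    wanted = list(candidates) if setting == "Both" else [setting]
    missing = [f for f in wanted if not candidates.get(f)]
    if missing:
        raise ValueError(f"cannot resolve Agent ID: missing {missing}")
    return [(f, candidates[f]) for f in wanted]

# Constructed sample configuration: approval required by default for
# Isolate Host; a profile switches approval off for Run Antivirus Scan.
DEFAULTS = {"require_approval": True, "approvers": ["Security Approvers"],
            "timeouts": {"Isolate Host": 30, "Run Antivirus Scan": 60}}
PROFILES = {"Run Antivirus Scan": {"require_approval": False}}
```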