Breadcrumbs

Status Mapping for Defender for Endpoint

Connector Applicability

Applies to Source Connectors

MS Defender for Endpoint

Applies to Destination Connectors

All

Assumptions

These instructions assume you have already setup a source connection in CI Sync for MS Defender for Endpoint using the CI Sync instructions here: Add MS Defender for Endpoint.

Pre-Read

Syncfish recommend customers read the following documentation before changing the Connection Setting/s described below.

  1. Understanding the use of CI Sync Connection Settings

  2. Rule 5 - Mapping of Defender for Endpoint Status Values to ServiceNow Status Values

Locating and Amending the Connection Setting in the CI Sync UI

  1. Navigate to the Settings page

  2. Under the Source Connections heading (list), locate your MS Defender for Endpoint connection.

  3. Click the Update link on the right hand side of the MS Defender for Endpoint connection.

  4. Scroll down and locate the Section Heading and view the Individual Settings.

CleanShot 2026-01-27 at 11.46.34@2x-20260127-014829.png

The screen shot is provided only as sample to assist when reading this page. The state of your own CI Sync UI will depend on whether you are starting from the CI Sync default position or if you have already amended one/more of the settings.

  1. Tick the Override default box/boxes and then use the sliders related to the individual settings. The following table elaborates any further information about these particular settings.

Setting

Type

Additional Notes

Enable Onboarding Status Mapping

Slider

If enabled, CI Sync will use the native “Onboarding Status” value held in Microsoft Defender for Endpoint (this attribute and the value assocaited with each asset are visible in the Defender for EndPoint portal).

Once enabled, all subsequent settings below (i.e. multiple choicelist options) become available.

If disabled, CI Sync will use a status mapping table held internally within CI Sync.

Onboarded

Choicelist

Defines the status value CI Sync will set on the CI in ServiceNow when the status of the asset is “Onboarded” in Defender for Endpoint asset.

Three options are available:

  • Active (CI Sync will set the CI to Active (i.e. Installed, In Use, Installed, Operational) in ServiceNow)

  • Retired (CI Sync will set the CI to Retired in ServiceNow)

  • Record suppressed (CI Sync filter out, i.e. not sync, the asset to ServiceNow)

Active is the CI Sync Default Value for this setting

Can Be Onboarded

Choicelist

Defines the status value CI Sync will set on the CI in ServiceNow when the status of the asset is “Can Be Onboarded” in Defender for Endpoint asset.

Three options are available:

  • Active (CI Sync will set the CI to Active (i.e. Installed, In Use, Installed, Operational) in ServiceNow)

  • Retired (CI Sync will set the CI to Retired in ServiceNow)

  • Record suppressed (CI Sync filter out, i.e. not sync, the asset to ServiceNow)

Active is the CI Sync Default Value for this setting

Unsupported

Choicelist

Defines the status value CI Sync will set on the CI in ServiceNow when the status of the asset is “Unsupported” in Defender for Endpoint asset.

Three options are available:

  • Active (CI Sync will set the CI to Active (i.e. Installed, In Use, Installed, Operational) in ServiceNow)

  • Retired (CI Sync will set the CI to Retired in ServiceNow)

  • Record suppressed (CI Sync filter out, i.e. not sync, the asset to ServiceNow)

Retired is the CI Sync Default Value for this setting

Insufficient Info

Choicelist

Defines the status value CI Sync will set on the CI in ServiceNow when the status of the asset is “Insufficient Info” in Defender for Endpoint asset.

Three options are available:

  • Active (CI Sync will set the CI to Active (i.e. Installed, In Use, Installed, Operational) in ServiceNow)

  • Retired (CI Sync will set the CI to Retired in ServiceNow)

  • Record suppressed (CI Sync filter out, i.e. not sync, the asset to ServiceNow)

Recod suppressed is the CI Sync Default Value for this setting


Enable Record Aging

Slider

If enabled, CI Sync will “age out” (i.e. retire) Microsoft Defender for Endpoint related CIs based on how long the asset has not been seen in the Defender for Endpoint portal.

Once enabled, the setting below become available.

If disabled, CI Sync will not “age out” (i.e. retire) Microsoft Defender for Endpoint related CIs based on a not seen value. Instead, CI Sync will retire Microsoft Defender for Endpoint related CIs when the asset is removed from the Defender for Endpoint portal.

Retire records if not seen for (days)

Number

Enter the number days after which, if the asset is not seen in the Defender for Endpoint portal, CI Sync will retire the related CI in ServiceNow.

  1. After modify the settings, scroll to the bottom of the page, tick the “I consent…” checkbox and finally click the Save connection button.

  2. You can now run a sync job and the amended settings will be applied causing the CI Sync Data Sync rules to be modified accordingly.

Importantly

Make sure you consciously override the setting against either your TEST or PROD environment (i.e. your TEST vs PROD sync jobs).

For more information on how to use TEST vs PROD Connection Settings please read Understanding the use of CI Sync Connection Settings.

Syncfish strongly recommend making changes for TEST environment/sync jobs first. Only modify PROD related settings after thoroughly validating the intended results in TEST.