CI lookup rules for Microsoft Defender for Cloud Integration for Security Operations and Palo Alto Prisma Cloud
Summary of CI lookup rules for Microsoft Defender for Cloud Integration and Palo Alto Prisma Cloud
These CI lookup rules enable ServiceNow customers to accurately match and identify Configuration Items (CIs) in the Configuration Management Database (CMDB) for Microsoft Defender for Cloud Integration and Palo Alto Prisma Cloud assets. Each asset is uniquely identified by a combination of its object ID, cloud account, and logical datacenter within ServiceNow.
The object ID format varies by resource type and must be constructed correctly to locate the appropriate CI in the CMDB. ServiceNow Discovery populates the `Object_id` column with these IDs in different formats depending on the resource type. Using the correct object ID format is essential for scanners to find the right asset.
Object ID Formats for Common Resource Types
- AWS::EC2::Instance: Uses the object ID specific to EC2 instances.
- AWS::ElasticLoadBalancing::LoadBalancer: Uses the load balancer name as the object ID.
- AWS::S3::Bucket: Uses the `arn:aws:s3:::` prefix followed by the bucket name as the object ID.
Ensuring the lookup rule uses the same object ID format is critical for accurate CI matching.
CI Lookup Rules Details
The platform includes out-of-the-box (OOB) CI lookup rules that usually find matches for the most common resource types. If these do not return matches for your test results, you can create custom CI lookup rules.
- S3 Bucket Lookup Rule: Searches the CMDB by concatenating `arn:aws:s3:::` with the resource name and checking the `object_id` column of the `cmdb_ci_cloud_object_storage` table. This applies only to AWS::S3::Bucket resources.
- Name Lookup Rule: Attempts to find CIs by matching the resource name in the `object_id` column for resource types listed in the `sn_capi_resource_type` table. For Palo Alto Prisma Cloud, this rule applies only to AWS::RDS::DBInstance, AWS::ElasticLoadBalancing::LoadBalancer, and AWS::CloudTrail::Trail, although additional resource types can be added.
- Resource Id Lookup Rule: Searches the CMDB by resource ID in the `object_id` column corresponding to resource types in the `sn_capi_resource_type` table.
Lookup rules are prioritized by an Order field; rules with lower order values are executed first, allowing control over rule execution sequence.
Practical Considerations
ServiceNow customers integrating Microsoft Defender for Cloud and Palo Alto Prisma Cloud should verify the object ID formats used by their discovery tools and ensure lookup rules align with these formats. If default rules do not find matches, customers can create or customize CI lookup rules to improve accuracy and ensure the correct association of security findings to CMDB CIs.
You can use the configuration item (CI) lookup rules for the Microsoft Defender for Cloud Integration and Palo Alto Prisma Cloud integrations to find a correct match to commonly used resource types in the Configuration Management Database (CMDB).
Overview
ServiceNow Discovery populates the `Object_id` column of the CMDB in different formats for the different resource types.
The following table shows the object ID formats of commonly used resource types that the discovery service uses when populating the `Object_id` column of the CI. Any scanner that wants to look up an asset of a particular resource type must search using the right object ID format.
You can determine the right object ID format by looking at the object ID column of the corresponding CMDB CI class and then constructing the object ID from the values that are received from the scanner.

| Resource Type | Format |
|---|---|
| AWS::EC2::Instance | Object ID |
| AWS::ElasticLoadBalancing::LoadBalancer | Load balancer name |
| AWS::S3::Bucket | arn:aws:s3:::<Bucket Name> |
The CI match for a test result may not be found accurately in the Configuration Management Database (CMDB) unless the lookup rule uses the same `object_id` format. Most of the time, the OOB CI lookup rules find a match for the most commonly used resource types for Microsoft Defender for Cloud Integration and Palo Alto Prisma Cloud. If the following CI lookup rules aren't finding the CIs in the CMDB for your test results, you can create a CI lookup rule for a resource type. For more information on how to create a CI lookup rule, see Create a CI lookup rule.
CI lookup rules
- S3 Bucket: This lookup rule attempts to find the CI in the CMDB by the value obtained by concatenating `arn:aws:s3:::` and the resource name. The obtained value is looked up in the `object_id` column of the `cmdb_ci_cloud_object_storage` table. This lookup rule applies only when the resource type is AWS::S3::Bucket.
- Name: This lookup rule attempts to find the CI in the CMDB by name. The name, which is looked up in the `Object_id` column of the CI class, corresponds to a resource type in the `sn_capi_resource_type` table. Note: For the Palo Alto Prisma Cloud application, this CI lookup rule runs only for the AWS::RDS::DBInstance, AWS::ElasticLoadBalancing::LoadBalancer, and AWS::CloudTrail::Trail resource types. You can add the resource types for which you want this CI lookup rule to run.
- Resource Id: This lookup rule attempts to find the CI in the CMDB by the resource ID. The resource ID, which is looked up in the `Object_id` column of the CI class, corresponds to a resource type in the `sn_capi_resource_type` table.
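To make the object ID construction and the rule ordering concrete, here is an added example (not ServiceNow's own code) that models the three lookup rules above over a constructed in-memory CMDB. The `CMDB` array, the `RESOURCE_TYPE_CLASS` map standing in for `sn_capi_resource_type`, and the `order` values are all assumptions for illustration.

```javascript
// Added example: models the S3 Bucket, Name and Resource Id lookup rules.
// CMDB rows and the class map below are constructed sample data, not platform queries.
const S3_ARN_PREFIX = "arn:aws:s3:::";

// Constructed CIs: the table (CI class), its object_id and a sys_id to return.
const CMDB = [
  { table: "cmdb_ci_cloud_object_storage", object_id: "arn:aws:s3:::audit-logs", sys_id: "ci-001" },
  { table: "cmdb_ci_cloud_load_balancer", object_id: "prod-web-elb", sys_id: "ci-002" },
  { table: "cmdb_ci_vm_instance", object_id: "i-0abc123def456", sys_id: "ci-003" },
];

// Stands in for sn_capi_resource_type: which CI class each resource type maps to (assumed).
const RESOURCE_TYPE_CLASS = {
  "AWS::S3::Bucket": "cmdb_ci_cloud_object_storage",
  "AWS::ElasticLoadBalancing::LoadBalancer": "cmdb_ci_cloud_load_balancer",
  "AWS::EC2::Instance": "cmdb_ci_vm_instance",
};

// Equivalent of querying one CI class by its object_id column.
function findByObjectId(table, objectId) {
  return CMDB.find((r) => r.table === table && r.object_id === objectId) || null;
}

// Resource types the Name rule runs for under Prisma Cloud, per the page.
const NAME_RULE_TYPES = ["AWS::RDS::DBInstance", "AWS::ElasticLoadBalancing::LoadBalancer", "AWS::CloudTrail::Trail"];

// Lookup rules with an Order field; lower order runs first.
const RULES = [
  { order: 100, name: "S3 Bucket",
    applies: (f) => f.resourceType === "AWS::S3::Bucket",
    find: (f) => findByObjectId("cmdb_ci_cloud_object_storage", S3_ARN_PREFIX + f.name) },
  { order: 200, name: "Name",
    applies: (f) => NAME_RULE_TYPES.includes(f.resourceType),
    find: (f) => findByObjectId(RESOURCE_TYPE_CLASS[f.resourceType], f.name) },
  { order: 300, name: "Resource Id",
    applies: (f) => f.resourceType in RESOURCE_TYPE_CLASS,
    find: (f) => findByObjectId(RESOURCE_TYPE_CLASS[f.resourceType], f.resourceId) },
];

// Runs the applicable rules in Order sequence and returns the first CI match,
// or null when no rule matches (the case where a custom lookup rule is needed).
function lookupCi(finding) {
  const ordered = [...RULES].sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (!rule.applies(finding)) continue;
    const ci = rule.find(finding);
    if (ci) return { rule: rule.name, sys_id: ci.sys_id };
  }
  return null;
}
```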