Configuration Compliance imported data for Microsoft Defender for Cloud Integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configuration Compliance imported data for Microsoft Defender for Cloud Integration

    Configuration Compliance in ServiceNow imports policies, tests, authoritative sources, and test results from Microsoft Defender for Cloud Integration. This data is stored and organized within Configuration Compliance modules to enable effective viewing, assessment, and remediation of security configurations across your assets.

    Show full answer Show less

    From version 14.9 onward, terminology changes have been applied to align with remediation-focused language, such as renaming "Test Result Group" to "Remediation Task Group" and "Rules" to "Remediation Task Rules."

    Key Features

    • Test Groups: Collections of configuration tests linked to authoritative documents. Imported and refreshed through the scheduled job Policy Definitions Integration. Test groups can be customized to fit organizational requirements.
    • Tests: Define governance rules for assets and group assets by test result types. Retrieved via the Assessment Metadata Integration scheduled job. In version 15.0+, tests display their associated test groups.
    • Authoritative Sources: Industry standards and expert citations (e.g., ISO 27001, PCI DSS 3.2.1) are imported to support vulnerability alerts. These are refreshed by the Compliance Standards & Controls Integration job.
    • Assets and Attributes: Resource tags and cloud attributes from Microsoft Defender for Cloud are imported and shown in the Discovered Item form. Tags are stored case-insensitively as host tags, primarily for use in filtering and condition building in remediation rules. Key cloud attributes imported include Cloud Account, Cloud Region, Cloud Resource Type, and Cloud Service Provider.
    • Test Results: Imported from Microsoft Defender for Cloud via the Assessment Integration scheduled job. Test results are not calculated by Configuration Compliance but are used to drive remediation tasks. The integration supports incremental updates based on status changes and includes a weekly comprehensive assessment pulling results from the past seven days to maintain currency.
    • CI Lookup Rules: Automatically link imported resource data to Configuration Items (CIs) in the CMDB using lookup rules based on Resource ID, Name, and S3 Bucket. This linkage facilitates accurate remediation by associating test results with the correct CIs.

    Practical Considerations for ServiceNow Customers

    • Scheduled jobs for importing data must be run in the correct order when manual execution is needed: Policy Definitions Integration first, followed by Assessment Metadata Integration, and then Compliance Standards & Controls Integration.
    • Host tags are case-insensitive and intended for use in condition builders only; using them as group keys may cause unexpected behavior.
    • Test results import uses a Start Time parameter to optimize data retrieval, fetching only changed assessments daily, with a weekly comprehensive run to ensure data completeness.
    • Linking imported data to CIs via lookup rules enables precise remediation workflows by connecting assessment results to configuration items within your CMDB.

    Configuration Compliance imports policies, tests, authoritative sources, and test results from third-party integrations and stores them in modules for viewing.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology
    Terminology prior to v14.9 Terminology v14.9 onwards
    Test Result Group Remediation Task
    Group Rules Remediation Task Rules
    Policy Test group

    Test groups

    A group of configuration tests constitutes a test group. Test groups are related to authoritative documents and test records, and they can be modified to meet the needs of your organization. One configuration test can belong to multiple test groups.

    If the Microsoft Defender for Cloud Integration is installed, test groups are retrieved and populated by the scheduled job, Policy Definitions Integration. You can view the scheduled job by navigating to All > Microsoft Defender for Cloud Integration > Administration > Integrations > Policy Definitions Integration.
    Note:
    If you choose to run the integration manually, run the Policy Definitions Integration first.

    Tests

    Tests are libraries of data records that organize scans of computing assets. Configuration tests define how assets must be governed.

    A Configuration Compliance test is the mechanism third-party integration applications use to group assets by test results type.

    If the Microsoft Defender for Cloud Integration is installed, the scheduled job, Assessment Metadata Integration, retrieves the tests. You can view the scheduled job by navigating to Integration > Primary Integrations > Assessment Metadata Integration.
    Note:
    If you choose to run the integration manually, run the Assessment Metadata Integration after the Policy Definitions Integration.

    Starting with v15.0 of Configuration Compliance, the test group to which a test belongs to populates in the Test Groups column of the Tests list.

    Authoritative sources

    Configuration Compliance uses authoritative sources and citations when generating vulnerability alerts for tests. Authoritative sources usually map to sections of published industry standards, such as ISO 27001 and PCI DSS 3.2.1.

    These source records contain references to information about known software and hardware configuration issues from experts in the field of computer security. They define requirements for security policies and procedures.

    If the Microsoft Defender for Cloud Integration is installed, the scheduled job, Compliance Standards & Controls, retrieves the authoritative sources and citations. You can view this scheduled job by navigating to All > Microsoft Defender for Cloud Integration > Integrations > Compliance Standards & Controls Integration.
    Note:
    If you choose to run the integration manually, run the Compliance Standards & Controls Integration after the Assessment Metadata Integration.

    Assets

    The Assessment integration provides vital information such as resource tags and cloud attributes. This information is displayed in the Discovered Item form.  It is used primarily for filtering in  Configuration Compliance Assignment and Remediation Task Rules.
    • Resource tags: All cloud resource tags are imported as host tags as part of the  Assessment integration. The cloud tags for any cloud resource type are stored here, whether the resource is a host or not.
      • Tag storage is not case-sensitive. If a  Tokyo  tag is created, then a  TOKYO  tag cannot be stored in the Host tag table. Tokyo and TOKYO are considered to be the same host tag. Whichever tag was imported first wins.
      • Using host tags as a group key in a remediation task rule can have unexpected results. Host tags are intended for use only in the condition builder.
    • Cloud attributes for assets: Following are the cloud attributes that the integrations retrieve from Microsoft Defender for Cloud:
      • Cloud Account
      • Cloud Region
      • Cloud Resource Type
      • Cloud Service Provider

    Test results

    Configuration Compliance does not calculate the test results, but imports them as part of a third-party integration. Once they are viewable in Configuration Compliance, they are remediated using Remediation Tasks.

    If the Microsoft Defender for Cloud integration is installed, the scheduled job, Assessment Integration, retrieves the test results. You can view this scheduled job by navigating to All > Microsoft Defender for Cloud Integration > Integrations > Assessment Integration.

    The Assessment Integration import is the only integration that uses the Start Time parameter in the Integration Details tab. All other Configuration Compliance imports bring in all available data regardless of Start Time.

    When the Assessment Integration import is complete, an event is started to trigger end-of-import calculations.

    The Assessment Integration pulls the data assessments only if there is a status change from the last successful integration run for the last one day by default. So, if the assessment fails continuously for the past few days, the integration will not fetch the assessment as there is no status change for the assessment. To keep the test results up to date with the defender assessments, a new Comprehensive Assessment Integration is added which pulls the data from the past seven days. It runs weekly and pulls all the test results, which are not passed.

    CI lookup rules for identifying CIs from Microsoft Defender for Cloud integrations

    When data is imported from a third-party integration, Configuration Compliance automatically uses resource data to search for matches in the Configuration Management Database (CMDB), using CI Lookup Rules. These rules are used to identify the configuration items (CIs) and add them to the test result record to aid in remediation. Base system CI lookup rules are available for Resource ID, Name, and S3 Bucket. For more information on CI lookup rules, see CI lockup rules for Microsoft Defender for Cloud Integration for Security Operations.