Configuration Compliance imported data for Microsoft Defender for Cloud Integration

  • Release version: Australia
  • Updated March 12, 2026

    Configuration Compliance imports policies, tests, authoritative sources, and test results from third-party integrations and stores them in modules for viewing.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology
    Terminology prior to v14.9 | Terminology v14.9 onwards
    Test Result Group          | Remediation Task
    Group Rules                | Remediation Task Rules
    Policy                     | Test group

    Test groups

    A group of configuration tests constitutes a test group. Test groups are related to authoritative documents and test records, and they can be modified to meet the needs of your organization. One configuration test can belong to multiple test groups.

    If the Microsoft Defender for Cloud Integration is installed, test groups are retrieved and populated by the scheduled job, Policy Definitions Integration. You can view the scheduled job by navigating to All > Microsoft Defender for Cloud Integration > Administration > Integrations > Policy Definitions Integration.
    Note:
    If you choose to run the integration manually, run the Policy Definitions Integration first.

    Tests

    Tests are libraries of data records that organize scans of computing assets. Configuration tests define how assets must be governed.

    A Configuration Compliance test is the mechanism third-party integration applications use to group assets by test results type.

    If the Microsoft Defender for Cloud Integration is installed, the scheduled job, Assessment Metadata Integration, retrieves the tests. You can view the scheduled job by navigating to Integration > Primary Integrations > Assessment Metadata Integration.
    Note:
    If you choose to run the integration manually, run the Assessment Metadata Integration after the Policy Definitions Integration.

    Starting with v15.0 of Configuration Compliance, the test group to which a test belongs is populated in the Test Groups column of the Tests list.

    Authoritative sources

    Configuration Compliance uses authoritative sources and citations when generating vulnerability alerts for tests. Authoritative sources usually map to sections of published industry standards, such as ISO 27001 and PCI DSS 3.2.1.

    These source records contain references to information about known software and hardware configuration issues from experts in the field of computer security. They define requirements for security policies and procedures.

    If the Microsoft Defender for Cloud Integration is installed, the scheduled job, Compliance Standards & Controls, retrieves the authoritative sources and citations. You can view this scheduled job by navigating to All > Microsoft Defender for Cloud Integration > Integrations > Compliance Standards & Controls Integration.
    Note:
    If you choose to run the integration manually, run the Compliance Standards & Controls Integration after the Assessment Metadata Integration.

    Assets

    The Assessment integration provides vital information such as resource tags and cloud attributes. This information is displayed in the Discovered Item form. It is used primarily for filtering in Configuration Compliance Assignment and Remediation Task Rules.
    • Resource tags: All cloud resource tags are imported as host tags as part of the Assessment integration. The cloud tags for any cloud resource type are stored here, whether the resource is a host or not.
      • Tag storage is not case-sensitive. If a Tokyo tag is created, then a TOKYO tag cannot be stored in the Host tag table. Tokyo and TOKYO are considered to be the same host tag. Whichever tag was imported first wins.
      • Using host tags as a group key in a group rule can have unexpected results. Host tags are intended for use only in the condition builder.
    • Cloud attributes for assets: Following are the cloud attributes that the integrations retrieve from Microsoft Defender for Cloud:
      • Cloud Account
      • Cloud Region
      • Cloud Resource Type
      • Cloud Service Provider

    Test results

    Configuration Compliance does not calculate the test results, but imports them as part of a third-party integration. Once they are viewable in Configuration Compliance, they are remediated using Remediation Tasks.

    If the Microsoft Defender for Cloud integration is installed, the scheduled job, Assessment Integration, retrieves the test results. You can view this scheduled job by navigating to All > Microsoft Defender for Cloud Integration > Integrations > Assessment Integration.

    The Assessment Integration import is the only integration that uses the Start Time parameter in the Integration Details tab. All other Configuration Compliance imports bring in all available data regardless of Start Time.

    When the Assessment Integration import is complete, an event is started to trigger end-of-import calculations.

    By default, the Assessment Integration pulls an assessment only if its status has changed since the last successful integration run, looking back one day. So, if an assessment has failed continuously for the past few days, the integration does not fetch it, because its status has not changed. To keep the test results up to date with the Defender assessments, a new Comprehensive Assessment Integration has been added, which pulls the data from the past seven days. It runs weekly and pulls all the test results that are not passed.
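
    The coverage gap described above, modeled as an added example (not ServiceNow or Microsoft code): the daily selection skips an assessment that has been failing for days, and the weekly selection picks it up. The sample records, the field names status, statusChangedAt and evaluatedAt, and the reading of the seven-day window as time of last evaluation are assumptions.

```javascript
// Added illustration: a model of the two selection rules, not ServiceNow code.
// Field names (status, statusChangedAt, evaluatedAt) are hypothetical.
const DAY = 24 * 60 * 60 * 1000;
const NOW = Date.parse("2026-03-12T00:00:00Z"); // constructed run time

// Constructed sample assessments, as the source system would hold them at NOW.
const SAMPLE = [
  { id: "vm-disk-encryption", status: "failed",
    statusChangedAt: NOW - 0.5 * DAY, evaluatedAt: NOW - 0.1 * DAY },
  { id: "storage-public-access", status: "failed",
    statusChangedAt: NOW - 4 * DAY, evaluatedAt: NOW - 0.1 * DAY },
  { id: "sql-auditing", status: "passed",
    statusChangedAt: NOW - 0.3 * DAY, evaluatedAt: NOW - 0.1 * DAY },
  { id: "nsg-open-mgmt-port", status: "passed",
    statusChangedAt: NOW - 6 * DAY, evaluatedAt: NOW - 0.1 * DAY },
];

// Daily Assessment Integration: fetch only assessments whose status changed
// inside the lookback window (one day by default).
function selectDelta(assessments, runTime, lookbackDays = 1) {
  const since = runTime - lookbackDays * DAY;
  return assessments.filter(a => a.statusChangedAt > since).map(a => a.id);
}

// Weekly Comprehensive Assessment Integration: fetch every assessment that is
// not passed and was evaluated in the past seven days (assumed reading).
function selectComprehensive(assessments, runTime, windowDays = 7) {
  const since = runTime - windowDays * DAY;
  return assessments
    .filter(a => a.status !== "passed" && a.evaluatedAt > since)
    .map(a => a.id);
}

// Failing assessments the daily run skips and only the weekly run refreshes.
// Their local test results can be up to a week old between weekly runs.
function refreshedOnlyWeekly(assessments, runTime) {
  const daily = new Set(selectDelta(assessments, runTime));
  return selectComprehensive(assessments, runTime).filter(id => !daily.has(id));
}

console.log("daily:      ", selectDelta(SAMPLE, NOW));
console.log("weekly:     ", selectComprehensive(SAMPLE, NOW));
console.log("weekly only:", refreshedOnlyWeekly(SAMPLE, NOW));
```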

    CI lookup rules for identifying CIs from Microsoft Defender for Cloud integrations

    When data is imported from a third-party integration, Configuration Compliance automatically uses resource data to search for matches in the Configuration Management Database (CMDB), using CI Lookup Rules. These rules are used to identify the configuration items (CIs) and add them to the test result record to aid in remediation. Base system CI lookup rules are available for Resource ID, Name, and S3 Bucket. For more information on CI lookup rules, see CI lookup rules for Microsoft Defender for Cloud Integration for Security Operations.

    Container vulnerability item

    When the Microsoft Defender for Cloud integration is configured, the Container Image Vulnerabilities scheduled job retrieves container vulnerable items.

    You can view this scheduled job by navigating to: All > Microsoft Defender Integration for Security Exposure Management > Microsoft Defender for Cloud Integration > Integrations > Container Image Vulnerabilities Integration.

    The Container Image Vulnerabilities Integration import uses the Start time parameter on the Integration Details tab to control data ingestion:
    • If Start time is empty, the integration imports all available container vulnerability data.
    • If Start time is set, the integration imports only data created or updated after the specified time.