Service Graph Connector for Microsoft Defender Endpoint

  • Release version: Washington DC
  • Updated April 27, 2025

    Use the Service Graph Connector for Microsoft Defender Endpoint to pull data from machines protected by the Microsoft Defender for Endpoint security solution into your ServiceNow instance.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Supported versions

    • Supported Microsoft Defender for Endpoint versions:
      • Microsoft Defender for Endpoint Plan 1
      • Microsoft Defender for Endpoint Plan 2
    • Supported ServiceNow versions:
      • Washington DC
      • Xanadu
      • Yokohama

    Use cases

    The ServiceNow Security Operations applications have features that interact with the Service Graph Connector to gain insights into machines utilizing the Microsoft Defender for Endpoint security solution.

    Important information for upgrading Service Graph Connector for Microsoft Defender Endpoint

    After you upgrade to Service Graph Connector for Microsoft Defender Endpoint 1.2.0, migrate data from the Server [cmdb_ci_server] CI class to the Computer [cmdb_ci_computer] CI class. For more information, see the Service Graph Connector for Microsoft Defender Endpoint - Data migration after upgrade to version 1.2.0 [KB2096769] article in the Now Support Knowledge Base.

    Configuring a connection for the connector

    You can configure a connection for the connector by using the SGC Central view in the CMDB Workspace. The view enables you to discover and install connectors, and then effectively manage the full life cycle of creating, editing, monitoring, and debugging connections. To configure the connector using SGC Central, see Configure Service Graph Connector for Microsoft Defender Endpoint using SGC Central.
    Important:
    Unless there are configuration issues, use the SGC Central view in the CMDB Workspace to configure the connection for the connector, as the guided setup method is being deprecated.

    CMDB integrations dashboard

    The Integration Commons for CMDB store app provides a dashboard with a central view of the status, processing results, and processing errors of all installed integrations. You can see metrics for all integration runs. You can filter the view to a specific CMDB integration, a specific time duration, or a specific integration run. For more details about monitoring Microsoft Defender for Endpoint integrations in the CMDB Integrations Dashboard, see Using the CMDB Integrations Dashboard.

    Data mapping

    Data from the Microsoft Defender for Endpoint data source is mapped and transformed into the ServiceNow CMDB configuration item (CI) class definitions using the Robust Transform Engine (RTE). Data is inserted into the ServiceNow CMDB using the Identification and Reconciliation Engine (IRE).

    After you finish setting up the connection, you can configure the integration to pull data periodically from the machines utilizing the Microsoft Defender for Endpoint security solution.

    The following data source is included for the Microsoft Defender for Endpoint security solution:
    SG-Defender Machines
    Imports all the machine-related data from the machines utilizing the Microsoft Defender for Endpoint security solution, loads the imported data in the SG-Defender Machines [sn_defender_integ_sg_defender_machines] staging table, and then populates the following target tables:
    • IP Address [cmdb_ci_ip_address]
    • Software Installation [cmdb_sam_sw_install] (If the Software Asset Management (SAM) application is installed.)
    • Software Instance [cmdb_software_instance] (If the SAM application is not installed.)
    • Software [cmdb_ci_spkg] (If the SAM application is not installed.)
    • SG-Defender Machines Related [sn_defender_integ_sg_defender_machines_related]
    • Network Adapter [cmdb_ci_network_adapter]
    • Computer [cmdb_ci_computer]
    • Windows Server [cmdb_ci_win_server]
    Note:
    Only operating system details are populated in the Software Installation [cmdb_sam_sw_install], Software Instance [cmdb_software_instance], and Software [cmdb_ci_spkg] tables.

    For more information on where data is saved when pulling data from the Microsoft Defender for Endpoint security solution, see CMDB classes targeted in Service Graph Connector for Microsoft Defender Endpoint.

    You can use the IntegrationHub ETL app to view the data maps. See IntegrationHub ETL for more information.