Microsoft Defender for Cloud Integration for Security Operations

  • Release version: Yokohama
  • Updated July 31, 2025

    The Microsoft Defender for Cloud Integration product is an infrastructure security management system that enhances the security posture of your cloud environments.

    Microsoft Defender for Cloud Integration for Security Operations integrates with the Configuration Compliance application to map tests to configuration items (CIs) to create test results. It continuously discovers new cloud resources deployed across workloads and determines whether they are configured according to security standards such as the Center for Internet Security (CIS).

    Starting with version 2.2, Microsoft Azure Security Center is renamed to Microsoft Defender for Cloud Integration for Security Operations.

    Multiple deployments of the Microsoft Defender for Cloud Platform

    If you have multiple deployments of the Microsoft Defender for Cloud Platform application, you can add an integration for each deployment. Resources that are identified by multiple third-party deployments are consolidated and reconciled with your Configuration Management Database (CMDB). This consolidation takes place even when scan processes overlap between the multiple deployments.

    ServiceNow Microsoft Defender for Cloud Integrations

    The Microsoft Defender for Cloud Integration for Security Operations enriches the compliance data on your instance by retrieving data from Microsoft Defender for Cloud. A series of scheduled jobs invokes the integrations automatically. You can also run these scheduled jobs manually. Scheduled jobs simplify the test results remediation life cycle by keeping the instance synchronized with Microsoft Defender for Cloud.

    There is a configured run-as user for each integration record, with the default value VR.System. This value must remain the same.
    Note:
    If you do not set a valid run-as user, duplicate or multiple data retrieval attachments are created for the data source records. The number of attachments increases each time the integration is run. This increases the processing time, resulting in inconsistent transform results.
    Microsoft Defender for Cloud Platform integration tasks involve the following roles.
    • sn_vul_msft_tvm.configure_integration: Ability to read, write, and delete records.
    • sn_vul_msft_tvm.read_integration: Ability to read records.

    Viewing the Microsoft Defender for Cloud Integrations

    View the integrations by navigating to All > Microsoft Defender for Cloud Integration > Integrations.

    The following integrations are included in the base system.

    • Policy Definition Integration: Retrieves policies and creates policy entries in your instance.
    • Assessment Metadata Integration: Retrieves assessment metadata and creates tests in your instance.
    • Compliance Standards & Controls Integration: Retrieves standards and controls and creates the authorization source and citations. It then links them to the tests created.
    • Assessment Integration: Retrieves assessments and processes them in your instance. The output of this integration is test results.
    • Container Image Vulnerabilities Integration: Retrieves vulnerabilities of Container Images and creates Container vulnerable items in your instance.

    Create CIs using the Identification and Reconciliation Engine

    Use the Identification and Reconciliation Engine (IRE) to create CIs when an existing CI cannot be matched with a host imported from a third-party scanner.

    If a CI is not matched in the CMDB, a CI is created in the cmdb_ci_cmp_resource class. Later, when a discovery finds the same CI, it enriches the CI or creates another one.
    Note:
    Automatic reconciliation does not happen for cloud resources.
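
The consolidation of overlapping deployments (described under "Multiple deployments of the Microsoft Defender for Cloud Platform") and the create-or-enrich behaviour of the IRE (described just above) can be modelled in a few lines. The following is an added example, not ServiceNow's or Microsoft's own code: it matches each reported resource against existing CIs by resource ID, enriches matched CIs, and creates unmatched ones in the cmdb_ci_cmp_resource class. The scan data, the deployment names, the case-insensitive ID comparison and every field name other than cmdb_ci_cmp_resource are assumptions made for the illustration.

```javascript
// Added example (not ServiceNow's or Microsoft's code): models how resources reported
// by several Microsoft Defender for Cloud deployments are consolidated into a CMDB,
// and how an unmatched resource gets a new CI in the cmdb_ci_cmp_resource class.
// Field names other than cmdb_ci_cmp_resource are assumptions.

// Assumption: resource IDs are compared case-insensitively, so the same resource
// reported with different letter case by two deployments matches one CI.
function normalizeResourceId(id) {
  return String(id).trim().toLowerCase();
}

// Constructed starting CMDB: one CI already discovered by another process.
function seedCmdb() {
  return new Map([
    [
      normalizeResourceId("/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.Compute/virtualMachines/vm-01"),
      { sys_class_name: "cmdb_ci_vm_instance", name: "vm-01", sources: [], attributes: {} },
    ],
  ]);
}

// Constructed scan output from two deployments whose scopes overlap on vm-01.
const SCANS = [
  {
    deployment: "defender-prod",
    resources: [
      { resourceId: "/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.Compute/virtualMachines/vm-01", name: "vm-01", healthy: false },
      { resourceId: "/subscriptions/sub-1/resourceGroups/rg-1/providers/Microsoft.Storage/storageAccounts/st01", name: "st01", healthy: true },
    ],
  },
  {
    deployment: "defender-dr",
    resources: [
      { resourceId: "/SUBSCRIPTIONS/SUB-1/RESOURCEGROUPS/RG-1/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM-01", name: "vm-01", healthy: false },
      { resourceId: "/subscriptions/sub-2/resourceGroups/rg-9/providers/Microsoft.Sql/servers/sql-01", name: "sql-01", healthy: true },
    ],
  },
];

// Consolidate every scan into the CMDB. Returns counts so a caller can check that
// overlapping deployments enriched one CI instead of creating duplicates.
function reconcile(cmdb, scans) {
  const summary = { matched: 0, created: 0 };
  for (const scan of scans) {
    for (const res of scan.resources) {
      const key = normalizeResourceId(res.resourceId);
      let ci = cmdb.get(key);
      if (ci) {
        summary.matched += 1; // existing CI: enrich it, never duplicate it
      } else {
        // no match in the CMDB: create the CI in the cmdb_ci_cmp_resource class
        ci = { sys_class_name: "cmdb_ci_cmp_resource", name: res.name, sources: [], attributes: {} };
        cmdb.set(key, ci);
        summary.created += 1;
      }
      // record every deployment that reported the resource, once each
      if (!ci.sources.includes(scan.deployment)) ci.sources.push(scan.deployment);
      ci.attributes.healthy = res.healthy; // latest scan wins for this attribute
    }
  }
  return summary;
}

// Runs the constructed scenario and returns both the CMDB and the counts.
function runExample() {
  const cmdb = seedCmdb();
  const summary = reconcile(cmdb, SCANS);
  return { cmdb, summary };
}

console.log(JSON.stringify(runExample().summary));
```

With the constructed input, vm-01 is matched twice (once per deployment) and enriched with both deployment names, while st01 and sql-01 are created as cmdb_ci_cmp_resource CIs, so the CMDB ends with three CIs rather than five.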