Pull in data from machines using the Microsoft Defender for Endpoint security solution into your Configuration Management Database (CMDB).

Before you begin

Important: Unless there are configuration issues, use the SGC Central view in the CMDB Workspace to configure the connection for the connector, as the guided setup method is being deprecated.

To use this Service Graph Connector, you need a subscription to a Subscription Unit that is based in the IT Operations Management (ITOM) Visibility application or in the ITOM Discovery application. As defined in the section titled "Managed IT Resource Types" in ServiceNow Subscription Unit Overview for your subscription, for managed IT resources that are created or modified in the CMDB by this Service Graph Connector, but that aren’t yet managed by ITOM Visibility or ITOM Discovery, these resources will increase Subscription Unit consumption from that application. Review your current Subscription Unit consumption within ITOM Visibility or ITOM Discovery to ensure available capacity.

Dependencies and requirements:
  • The Integration Commons for CMDB store app, which is automatically installed.
  • The CMDB CI class models store app, which is automatically installed. See CMDB CI Class Models.
  • The ITOM Discovery License plugin (com.snc.itom.discovery.license). You must activate this plugin.
  • ITOM Licensing plugin (com.snc.itom.license). For more information, see Request Discovery.
  • The Datastream Action plugin (com.glide.hub.action_type.datastream), which is automatically installed.
  • Observability Commons for CMDB (sn_observability), which is only required for event ingestion. For Event Management to work, the Observability Commons for CMDB (sn_observability) app must be installed prior to installing the connector. For more information, see Observability Commons for CMDB on the ServiceNow Store.
Complete the following tasks:
  • Install the Service Graph Connector for Microsoft Defender Endpoint application (sn_defender_integ). For more information, see Install a ServiceNow Store application.
  • Ensure that you have an active subscription to Microsoft Defender for Endpoint.
  • Ensure that you have created an Azure application to get programmatic access to Microsoft Defender for Endpoint. See Create an app to access Microsoft Defender for Endpoint without a user in the Microsoft 365 documentation.
  • Obtain the tenant ID, client ID, and client secret details for the Microsoft Defender for Endpoint administrator account.
  • Enable the Machine.Read.All and Machine.ReadWrite.All permissions in Microsoft Defender for Endpoint. See Permissions for the List machines API in the Microsoft 365 documentation.
Role required: SGC-Admin (sn_cmdb_int_util.sgc_admin)
Note: The admin user role is required to run background scripts and to provide table-level access to the SGC-Admin user.

Procedure

  1. Ensure that the application scope is set to the Service Graph Connector for Microsoft Defender Endpoint application by using the application picker.
    For more information, see Application picker.
  2. Navigate to All > Service Graph Connectors > Microsoft Defender > Setup.
  3. On the Getting started page, select Get Started.
  4. Configure the authentication credentials details for sending requests to the List machines API in Microsoft Defender for Endpoint.
    1. Configure your Microsoft Defender for Endpoint authentication credentials.
      1. In the Configure the connection section of the Service Graph Connector for Microsoft Defender page, select Get Started.
      2. For the Configure the credentials task, select Configure.
      3. On the form, review and modify the fields.
        Table 1. Application Registries form
        Field Description
        Connection Name Name to identify the connection record.
        Note: This field is automatically set to the SG Defender OAuth connection record. Leave the field value as is.
        Client ID Application (client) ID of your Microsoft Defender for Endpoint as described in the Before you begin section.
        Client Secret Client Secret of your Microsoft Defender for Endpoint as described in the Before you begin section.
        OAuth Token URL Token URL of your Microsoft Defender for Endpoint.
        Enter the token URL in the following format: 
        https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token
        Where <tenantid> is the tenant ID of your Microsoft Defender for Endpoint as described in the Before you begin section.
      4. Select Update to return to the guided setup page.
      5. Set the Configure the credentials task to complete by selecting Mark as Complete.
    2. Test the List machines API connection to import machine-related data from Microsoft Defender for Endpoint.
      1. For the Test the connection task, select Configure.
      2. On the Service Graph Connections page, select Test Connection.
      3. When the Status field is set to Success, select Update to close the Test the connection dialog box and return to the guided setup page.

        If any of the tests have errors, follow the suggestions for remediation.

      4. Set the Test the connection task to complete by selecting Mark as Complete.
  5. Configure the scheduled jobs to import machine-related data from Microsoft Defender for Endpoint.
    1. In the Set up scheduled import jobs section of the Service Graph Connector for Microsoft Defender page, select Get Started.
    2. For the Configure scheduled jobs task, select Configure.
    3. From the Name column, select the scheduled job that you want to activate.
      By default, the SG-Defender Machines scheduled job is available to run the SG-Defender Machines data source.
    4. On the Scheduled Data Import form, verify the field values for the scheduled job.
      For more information, see Schedule a data import.
    5. Select Update.
    6. Select the back button of your browser to return to the guided setup page.
    7. Set the Configure the scheduled jobs task to complete by selecting Mark as Complete in the guided setup.