Set up scheduled import jobs to pull Microsoft Defender for Endpoint data into your Configuration Management Database (CMDB).

Before you begin

Complete the following tasks:
  • Install Service Graph Connector for Microsoft Defender Endpoint version 1.1.0 or later from the ServiceNow Store. For ServiceNow Store installation steps, see Install a ServiceNow Store application.
  • Verify that you have an active subscription to Microsoft Defender for Endpoint.
  • Verify that you have created an Azure application to get programmatic access to Microsoft Defender for Endpoint. See Create an app to access Microsoft Defender for Endpoint without a user in the Microsoft 365 documentation.
  • Obtain the tenant ID, client ID, and client secret details for the Microsoft Defender for Endpoint administrator account.
  • Enable the Machine.Read.All and Machine.ReadWrite.All permissions in Microsoft Defender for Endpoint. See Permissions for the List machines API in the Microsoft 365 documentation.
Role required: The following table shows the roles required for each stage of the playbook.
Table 1. Role required for each playbook stage
Stage | Role
Prerequisites | admin
Setup | cmdb_inst_admin or admin

About this task

The playbook experience for onboarding connectors is activated with SGC Central in the CMDB Workspace. To configure the SGC Central application, see Configuring SGC Central. For more information on how to interact with a playbook, see Interact with Playbook.

Procedure

  1. Navigate to Workspaces > CMDB Workspace.
  2. In the CMDB Workspace, select SGC Central.
  3. On the Overview page, select Create connection.
    Tip: Alternatively, you can select Create connection on the All connections page.
  4. On the Create connection window, select the Microsoft Defender connector type, and then select Configure connection.
    A default connection, SG Defender OAuth2.0 connection, for Microsoft Defender for Endpoint is available within the application. As the Service Graph Connector for Microsoft Defender Endpoint supports only a single instance, you can configure the default connection for the first time or resume editing it thereafter.
  5. Complete the initial prerequisites when setting up a connection for the first time using a connector.
    Note: This step is required only during the first-time setup. See Perform initial setup tasks when creating a connection in SGC Central.
  6. Enter connection details and test the API connection for importing Microsoft Defender for Endpoint data.
    1. In the Setup stage of the playbook, select the Configure and test connection activity.
    2. On the form, fill in the fields.
      Table 2. Configure and test connection form
      Field | Description
      Connection Name | Name to identify the Microsoft Defender for Endpoint connection record. Note: This field is automatically set to SG Defender OAuth2.0 connection. Leave the field value as is.
      OAuth Client ID | Application (client) ID of your Microsoft Defender for Endpoint as described in the Before you begin section.
      OAuth Client Secret | Client Secret of your Microsoft Defender for Endpoint as described in the Before you begin section.
      OAuth token URL | Token URL of your Microsoft Defender for Endpoint. Enter the token URL in the following format: https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token where <tenantid> is the tenant ID of your Microsoft Defender for Endpoint as described in the Before you begin section.
      Use MID Server | Option to use a MID Server. Note: Use of a MID Server is optional.
      Mid Selection | Name of the MID Server used by the connector. This field appears only when the Use MID Server check box is selected.

    3. Select Update and test connection.
    4. Once the connection test is complete, select Continue.
  7. Configure the import schedule to import data at regular intervals.
    1. In the Setup stage of the playbook, select the Configure import schedule activity.
    2. Select Configure import schedule.
    3. Expand the Parent scheduled data import within the Import schedules list to select the SG-Defender Machines import schedule.
    4. In the Configure import schedule dialog box, select the Active check box, and then fill in the run schedule and time details.

      For more information, see Schedule a data import.

    5. Select Save.
      Alternatively, select Execute Now to execute the import schedule immediately.
    6. Select Continue.
  8. In the Setup stage of the playbook, select the Confirm connection setup activity to verify whether the connection was configured.
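
A pre-flight check for the values entered in step 6, as an added example that is not part of the ServiceNow documentation or the connector: it builds the token URL in the format shown above, builds the client-credentials request body, and compares the roles claim of a returned access token against the two permissions listed under Before you begin. The scope value, the function names, and the sample tenant ID and token are assumptions or constructed data.

```python
import base64
import json
import re
import urllib.parse

# Permissions listed in this page's "Before you begin" section.
REQUIRED_ROLES = {"Machine.Read.All", "Machine.ReadWrite.All"}
# Assumption (not from this page): .default scope of the Defender for Endpoint API.
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def token_url(tenant_id):
    """Build the OAuth token URL in the format the connection form expects."""
    if not GUID.fullmatch(tenant_id):
        raise ValueError("tenant ID must be a GUID")
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def token_request_body(client_id, client_secret):
    """URL-encoded form body for an app-only (client credentials) token request."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": DEFENDER_SCOPE,
    })


def audit_roles(access_token):
    """Return (missing, extra) application roles found in a JWT access token."""
    # Decoded without signature verification: inspection only, not an authz decision.
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    granted = set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))
    return sorted(REQUIRED_ROLES - granted), sorted(granted - REQUIRED_ROLES)


def constructed_token(roles):
    """Unsigned sample JWT carrying the given roles (constructed test data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header, body = enc({"alg": "none"}), enc({"roles": roles})
    return f"{header}.{body}.constructed"


if __name__ == "__main__":
    print(token_url("11111111-2222-3333-4444-555555555555"))  # constructed tenant ID
    print(audit_roles(constructed_token(["Machine.Read.All", "Alert.Read.All"])))
```

A non-empty "missing" list means the connection test is likely to fail on authorization; a non-empty "extra" list shows the app registration holds permissions beyond those this page asks for.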

What to do next

Select View all connections to review the connection details. The configured connection appears in the Installed connections list.