CI lookup rules for Microsoft Defender for Cloud Integration for Security Operations and Palo Alto Prisma Cloud

  • Release version: Xanadu
  • Updated August 1, 2024
    You can use the configuration item (CI) lookup rules for the Microsoft Defender for Cloud Integration and Palo Alto Prisma Cloud integrations to find a correct match to commonly used resource types in the Configuration Management Database (CMDB).

    Overview

    The CI Lookup Rules module contains the rules that define which fields hold the matching data in the Configuration Management Database (CMDB). You can use these rules to identify the applications and application releases. All Microsoft Defender for Cloud Integration and Palo Alto Prisma Cloud assets are uniquely identified in the ServiceNow platform by the combination of their object ID, cloud account, and logical datacenter. ServiceNow Discovery populates the resource ID in the object_id column of the CMDB in a different format for each resource type. The following table shows the object ID formats that the discovery service uses for commonly used resource types when it populates the object_id column of the CI. Any scanner that looks up an asset of a particular resource type must search by using the correct object ID format. To find the right format, look at the object_id column of the corresponding CMDB CI class and construct the object ID from the values that the scanner returns.

    Table 1. Object ID format for various resource types

    Resource Type                              Format
    AWS::EC2::Instance                         Object ID
    AWS::ElasticLoadBalancing::LoadBalancer    Load balancer name
    AWS::S3::Bucket                            arn:aws:s3:::<Bucket Name>

    The CI match for a test result may not be found accurately in the Configuration Management Database (CMDB) unless the lookup rule uses the same object_id format. In most cases, the OOB CI lookup rules find a match for the most commonly used resource types for Microsoft Defender for Cloud Integration and Palo Alto Prisma Cloud. If the following CI lookup rules aren't finding the CIs in the CMDB for your test results, you can create a CI lookup rule for a resource type. For more information on how to create a CI lookup rule, see Create a CI lookup rule.

    CI lookup rules

    The following CI lookup rules are specific to the Microsoft Defender for Cloud Integration and Palo Alto Prisma Cloud.

    S3 Bucket

    This lookup rule attempts to find the CI in the CMDB by the value that is obtained by concatenating arn:aws:s3::: and the resource name. The obtained value is looked up in the object_id column of the cmdb_ci_cloud_object_storage table. This lookup rule applies only when the resource type is AWS::S3::Bucket.

    Name

    This lookup rule attempts to find the CI in the CMDB by name. The name, which is looked up in the object_id column of the CI class, corresponds to a resource type in the sn_capi_resource_type table.

    Note:
    For the Palo Alto Prisma Cloud application, this CI lookup rule runs only for the AWS::RDS::DBInstance, AWS::ElasticLoadBalancing::LoadBalancer, and AWS::CloudTrail::Trail resource types. You can add the resource types that you want to execute this CI lookup rule for.

    Resource Id

    This lookup rule attempts to find the CI in the CMDB by the resource ID. The resource ID, which is looked up in the object_id column of the CI class, corresponds to a resource type in the sn_capi_resource_type table.

    Note:
    You can set the priority for a CI lookup rule in the Order field. The CI lookup rule with the lowest order value is executed first.
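    The following is an added example, not ServiceNow code, that models the three lookup rules above (S3 Bucket, Name, Resource Id) and the Order-based execution described in the note. It shows why the object_id format matters: the same S3 finding resolves through the S3 Bucket rule, which builds the arn:aws:s3::: value, but fails through the Resource Id rule alone because the bare bucket name never appears in the object_id column. The table and column names cmdb_ci_cloud_object_storage, sn_capi_resource_type and object_id come from the page; the other CI class names, the cloud accounts, datacenters, resource IDs and findings are constructed sample data, and the match on cloud account and logical datacenter follows the page's statement that those fields, with the object ID, identify an asset.

```javascript
// Constructed stand-in for the sn_capi_resource_type table: resource type -> CI class.
// Only cmdb_ci_cloud_object_storage is named on the page; the others are placeholders.
const SN_CAPI_RESOURCE_TYPE = {
  "AWS::S3::Bucket": "cmdb_ci_cloud_object_storage",
  "AWS::ElasticLoadBalancing::LoadBalancer": "example_ci_class_load_balancer",
  "AWS::RDS::DBInstance": "example_ci_class_db_instance",
  "AWS::EC2::Instance": "example_ci_class_vm_instance",
};

// Constructed stand-in for the CMDB: CI class -> records as Discovery would populate them.
const CMDB = {
  cmdb_ci_cloud_object_storage: [
    { sys_id: "ci-s3-1", object_id: "arn:aws:s3:::audit-logs-bucket",
      cloud_account: "acct-111", logical_datacenter: "us-east-1" },
  ],
  example_ci_class_load_balancer: [
    { sys_id: "ci-elb-1", object_id: "prod-web-lb",
      cloud_account: "acct-111", logical_datacenter: "us-east-1" },
  ],
  example_ci_class_vm_instance: [
    { sys_id: "ci-ec2-1", object_id: "i-0abc123def456",
      cloud_account: "acct-111", logical_datacenter: "us-east-1" },
  ],
};

// Find a CI in one class by object_id, scoped to the cloud account and logical
// datacenter that together with the object ID uniquely identify the asset.
function findCi(ciClass, objectId, cloudAccount, datacenter) {
  const rows = CMDB[ciClass] || [];
  return rows.find(r => r.object_id === objectId &&
                        r.cloud_account === cloudAccount &&
                        r.logical_datacenter === datacenter) || null;
}

// The three lookup rules, each with an Order value. appliesTo = null means the
// rule runs for every resource type. The Order values are constructed.
const LOOKUP_RULES = [
  { name: "S3 Bucket", order: 100, appliesTo: ["AWS::S3::Bucket"],
    ciClass: () => "cmdb_ci_cloud_object_storage",
    key: f => "arn:aws:s3:::" + f.resource_name },              // concatenation per the page
  { name: "Name", order: 200,
    appliesTo: ["AWS::RDS::DBInstance",
                "AWS::ElasticLoadBalancing::LoadBalancer",
                "AWS::CloudTrail::Trail"],                        // Prisma Cloud default set
    ciClass: f => SN_CAPI_RESOURCE_TYPE[f.resource_type],
    key: f => f.resource_name },
  { name: "Resource Id", order: 300, appliesTo: null,
    ciClass: f => SN_CAPI_RESOURCE_TYPE[f.resource_type],
    key: f => f.resource_id },
];

// Run the rules in ascending Order; the first rule that finds a CI wins.
// Returns { rule, ci } or null when no rule produces a match.
function resolveCi(finding, rules = LOOKUP_RULES) {
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (rule.appliesTo && !rule.appliesTo.includes(finding.resource_type)) continue;
    const ciClass = rule.ciClass(finding);
    if (!ciClass) continue; // resource type not mapped in sn_capi_resource_type
    const ci = findCi(ciClass, rule.key(finding),
                      finding.cloud_account, finding.logical_datacenter);
    if (ci) return { rule: rule.name, ci };
  }
  return null;
}

// Constructed scanner findings (test results) in the shape the integration receives.
const FINDINGS = {
  s3:  { resource_type: "AWS::S3::Bucket", resource_name: "audit-logs-bucket",
         resource_id: "audit-logs-bucket",
         cloud_account: "acct-111", logical_datacenter: "us-east-1" },
  elb: { resource_type: "AWS::ElasticLoadBalancing::LoadBalancer", resource_name: "prod-web-lb",
         resource_id: "arn:aws:elasticloadbalancing:us-east-1:111:loadbalancer/prod-web-lb",
         cloud_account: "acct-111", logical_datacenter: "us-east-1" },
  ec2: { resource_type: "AWS::EC2::Instance", resource_name: "web-01",
         resource_id: "i-0abc123def456",
         cloud_account: "acct-111", logical_datacenter: "us-east-1" },
  // Same bucket name but a different account: must not match.
  s3OtherAccount: { resource_type: "AWS::S3::Bucket", resource_name: "audit-logs-bucket",
         resource_id: "audit-logs-bucket",
         cloud_account: "acct-999", logical_datacenter: "us-east-1" },
};

// Rules with the S3 Bucket rule removed, to show the format mismatch.
const RULES_WITHOUT_S3 = LOOKUP_RULES.filter(r => r.name !== "S3 Bucket");

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, finding] of Object.entries(FINDINGS)) {
    console.log(label, "->", JSON.stringify(resolveCi(finding)));
  }
  console.log("s3 without S3 rule ->", resolveCi(FINDINGS.s3, RULES_WITHOUT_S3));
}
```

    Running the block resolves the S3 finding through the S3 Bucket rule, the load balancer through the Name rule, and the EC2 instance through the Resource Id rule, while the same bucket under another account returns null. With the S3 Bucket rule removed, the S3 finding also returns null, because the bare bucket name that the Resource Id rule would search for is not the arn:aws:s3:::<Bucket Name> form stored in object_id.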