Support for the Vulnerability Response Integration with Microsoft Defender for IoT (Azure)

Australia Operational Technology Management

Release

australia

ft:locale

ja-JP

ft:publication_title

Australia Operational Technology Management

ft:clusterId

optm

bundleId

optm

workflow

Technology

Support for the Vulnerability Response Integration with Microsoft Defender for IoT (Azure)

リリースバージョン: Australia

更新日 2026年03月12日

所要時間：8分

You can refer to this section for questions regarding data mapping and error handling.

Data mapping

The following tables describe the data mapping fields used for vulnerability detection and National Vulnerability Database (NVD) entries in the Microsoft Defender for IoT (Azure) application and if there's an equivalent entry used after the data is imported into the ServiceNow CMDB.

表 : 1. Vulnerability Detection
Microsoft Defender for IoT (Azure) field	ServiceNow field
N/A	source 注: Always set this field to Microsoft Azure Defender for IoT.
name	detection_key
N/A	status 注: This field is set to 0, meaning open, by default.

表 : 2. NVD entries
Microsoft Defender for IoT (Azure) field	ServiceNow field
properties/vulnerabilityid	id
	source 注: This field is set to NVD by default.
properties/description	summary
properties/score	score
properties/exploittype	Exploit exists If the API data indicates an exploit exists, the integration sets this field to Yes.
properties/exploittype	public_exploit If the API data indicates an exploit exists, the integration sets this field to Yes.

Configuration item (CI) lookup

The CI Lookup is performed using the deviceid from Microsoft Defender for IoT (Azure). The sys_object_source table, populated by the Service Graph Connector, is searches for the the matching deviceid. If a match is found, the detection and vulnerable item are linked to that CI.

注:

By default, a CI match is required to insert vulnerability detections. This helps minimize unclassed hardware CIs in your CMDB. To change this behavior, you can set the sn_msftd4iotazvr.require_ci_matchsystem property to false. Setting the property to false allows the creation of unclassed hardware CIs if a CI match isn't found.

Error handling

The integration is designed to be mostly pre-configured, so you only need to enter your Azure Tenant ID, Client ID, and Client Secret. Log messages from the application are viewable in the System Logs from the sn_msftd4iotazvr source. Additional relevant log message can also appear from the sn_vul source.

If the integration run fails, the error is shown in the Notes field on the integration run. The state is set to Complete with a substate of Failed.

The Import Queue (sn_vul_ds_import_q_entry) table contains all the pending transformation requests. You can filter this table to only show items that have a status of Processing to view what is currently under transformation.

The following tables describes the error messages and possible causes during data retrieval and data processing.

表 : 3. Vulnerability Detection Integration (Data Retrieval)
Error message	Possible cause
Cannot run integration without a REST message and REST method specified	On the Detection Integration job record, the REST message or REST method fields are not populated.
Cannot run integration without Microsoft Defender for IoT (Azure) oauth_client_id specified	On the Integration Instance, the OAuth Client ID is not populated.
Cannot run integration without Microsoft Defender for IoT (Azure) oauth_client_secret specified	On the Integration Instance, the OAuth Client Secret is not populated.
Cannot run integration without the detection API resource path specified	On the Integration Instance, the detection API resource path is not populated. The default is `https://management.azure.com/providers/Microsoft.ResourceGraph/resources`
Cannot run integration with API version specified	On the Integration Instance, the API version is not populated. The default is 2021-03-01.
Invalid response code {response code} received from Microsoft Defender for IoT (Azure)	The response from the Microsoft API is invalid. For example, the invalid response code 401 received from Microsoft Defender for IoT (Azure) means Unauthorized. The credentials or OAuth Token are likely invalid.
Failed to parse the JSON response body	The JSON response received is invalid if it isn't able to be parsed. This means that no data was received. Ensure that the credentials are correct and no other errors occur.
Error writing attachment	The system couldn't attach the response data to the data source. You likely need to contact your system administrator for further troubleshooting. A common cause for this error is that the MID Server or Run as user is missing the sn_vul.vr_import_admin role.
Attachment content is null: attachment sys_id = {sys_id}	The Data Source attachment content is null. This could indicate an issue with the Microsoft API itself, or an issue in ServiceNow. Contact your system administrator for further troubleshooting.
Could not find attachment with sys_id {sys_id}	Data source attachment was not found. This could indicate an issue with the Microsoft API itself, or an issue in ServiceNow. Contact your system administrator for further troubleshooting.

表 : 4. Vulnerability Detection Integration (Data Processing)
Error message	Possible cause
Cannot create a Detection without a vulnerability ID	A vulnerability ID was not present for the record. This is most likely caused by an issue with the Microsoft API.