Support for the Vulnerability Response Integration with Microsoft Defender for IoT (Azure)
Summarize
Summary of Support for the Vulnerability Response Integration with Microsoft Defender for IoT (Azure)
This integration allows ServiceNow customers to effectively manage vulnerabilities detected by Microsoft Defender for IoT (Azure). It streamlines the process of mapping vulnerability data to ServiceNow's Configuration Management Database (CMDB), ensuring accurate tracking and management of vulnerabilities.
Show less
Key Features
- Data Mapping: Fields from Microsoft Defender for IoT are mapped to corresponding ServiceNow fields, facilitating accurate data import. Notable mappings include detection keys and vulnerability IDs.
- Configuration Item (CI) Lookup: The integration uses device IDs to match vulnerabilities with CIs in the CMDB. You can modify the requirement for CI matches to allow unclassed hardware CIs if needed.
- Error Handling: The integration is mostly pre-configured, requiring minimal setup. Log messages are accessible for troubleshooting, and specific error messages are provided for common integration issues.
Key Outcomes
By using this integration, customers can expect to:
- Automatically import and manage vulnerability data from Microsoft Defender for IoT.
- Quickly identify and address vulnerabilities associated with specific devices in their infrastructure.
- Access detailed logging and error handling to streamline troubleshooting and minimize downtime.
You can refer to this section for questions regarding data mapping and error handling.
Data mapping
| Microsoft Defender for IoT (Azure) field | ServiceNow field |
|---|---|
| N/A | source Note: Always set this field to Microsoft Azure Defender for IoT. |
| name | detection_key |
| N/A | status Note: This field is set to 0, meaning open, by default. |
| Microsoft Defender for IoT (Azure) field | ServiceNow field |
|---|---|
| properties/vulnerabilityid | id |
| source Note: This field is set to NVD by default. |
|
| properties/description | summary |
| properties/score | score |
| properties/exploittype | Exploit exists If the API data indicates an exploit exists, the integration sets this field to Yes. |
| properties/exploittype | public_exploit If the API data indicates an exploit exists, the integration sets this field to Yes. |
Error handling
The integration is designed to be mostly pre-configured, so you only need to enter your Azure Tenant ID, Client ID, and Client Secret. Log messages from the application are viewable in the System Logs from the sn_msftd4iotazvr source. Additional relevant log message can also appear from the sn_vul source.
If the integration run fails, the error is shown in the Notes field on the integration run. The state is set to Complete with a substate of Failed.
The Import Queue (sn_vul_ds_import_q_entry) table contains all the pending transformation requests. You can filter this table to only show items that have a status of Processing to view what is currently under transformation.
The following tables describes the error messages and possible causes during data retrieval and data processing.
| Error message | Possible cause |
|---|---|
|
Cannot run integration without a REST message and REST method specified |
On the Detection Integration job record, the REST message or REST method fields are not populated. |
|
Cannot run integration without Microsoft Defender for IoT (Azure) oauth_client_id specified |
On the Integration Instance, the OAuth Client ID is not populated. |
|
Cannot run integration without Microsoft Defender for IoT (Azure) oauth_client_secret specified |
On the Integration Instance, the OAuth Client Secret is not populated. |
|
Cannot run integration without the detection API resource path specified |
On the Integration Instance, the detection API resource path is not populated. The default is https://management.azure.com/providers/Microsoft.ResourceGraph/resources |
|
Cannot run integration with API version specified |
On the Integration Instance, the API version is not populated. The default is 2021-03-01. |
|
Invalid response code {response code} received from Microsoft Defender for IoT (Azure) |
The response from the Microsoft API is invalid. For example, the invalid response code 401 received from Microsoft Defender for IoT (Azure) means Unauthorized. The credentials or OAuth Token are likely invalid. |
| Failed to parse the JSON response body | The JSON response received is invalid if it isn't able to be parsed. This means that no data was received. Ensure that the credentials are correct and no other errors occur. |
|
Error writing attachment |
The system couldn't attach the response data to the data source. You likely need to contact your system administrator for further troubleshooting. A common cause for this error is that the MID Server or Run as user is missing the sn_vul.vr_import_admin role. |
|
Attachment content is null: attachment sys_id = {sys_id} |
The Data Source attachment content is null. This could indicate an issue with the Microsoft API itself, or an issue in ServiceNow. Contact your system administrator for further troubleshooting. |
|
Could not find attachment with sys_id {sys_id} |
Data source attachment was not found. This could indicate an issue with the Microsoft API itself, or an issue in ServiceNow. Contact your system administrator for further troubleshooting. |
| Error message | Possible cause |
|---|---|
|
Cannot create a Detection without a vulnerability ID |
A vulnerability ID was not present for the record. This is most likely caused by an issue with the Microsoft API. |