Service Graph Connector for Microsoft Defender Endpoint

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Service Graph Connector for Microsoft Defender Endpoint

    The Service Graph Connector for Microsoft Defender Endpoint allows ServiceNow customers to integrate data from machines protected by Microsoft Defender for Endpoint into their ServiceNow instance. This integration supports Microsoft Defender for Endpoint Plan 1 and Plan 2 and is compatible with ServiceNow versions Washington DC, Xanadu, and Yokohama.

    Show full answer Show less

    Key Features

    • Data Migration: After upgrading to version 1.2.0, it is essential to migrate data from the Server CI class to the Computer CI class.
    • Connection Configuration: Use the SGC Central view in the Service Graph Workspace or CMDB Workspace for installation and configuration of the connector.
    • CMDB Integrations Dashboard: Monitor integration statuses, processing results, and errors, with filtering options for specific integrations and time frames.
    • Data Mapping: Data from Microsoft Defender for Endpoint is transformed and inserted into ServiceNow CMDB using the Robust Transform Engine and the Identification and Reconciliation Engine.

    Key Outcomes

    By leveraging this connector, customers can automate the import of machine-related data, ensuring that their Configuration Management Database (CMDB) is up-to-date with relevant security information. The integration facilitates better visibility and management of security incidents and assets within the ServiceNow platform.

    Use the Service Graph Connector for Microsoft Defender Endpoint to pull data from machines protected by the Microsoft Defender for Endpoint security solution into your ServiceNow instance.

    Request apps on the Store

    Visit the ServiceNow Store to view all the available apps, and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Supported versions

    • Supported Microsoft Defender for Endpoint versions:
      • Microsoft Defender for Endpoint Plan 1
      • Microsoft Defender for Endpoint Plan 2
    • Supported ServiceNow versions:
      • Washington DC
      • Xanadu
      • Yokohama

    Use cases

    The ServiceNow Security Operations applications have features that interact with the Service Graph Connector to gain insights into machines utilizing the Microsoft Defender for Endpoint security solution.

    Important Information for upgrading Service Graph Connector for Microsoft Defender Endpoint

    After you upgrade to Service Graph Connector for Microsoft Defender Endpoint 1.2.0, migrate data from the Server [cmdb_ci_server] CI class to the Computer [cmdb_ci_computer] CI class. For more information, see the Service Graph Connector for Microsoft Defender Endpoint - Data migration after upgrade to version 1.2.0 [KB2096769] article in the Now Support Knowledge Base.

    Configuring a connection for the connector

    Use the SGC Central view in the Service Graph Workspace or CMDB Workspace to install the connector and configure the connection. The view enables you to install and discover connectors and to manage the full life cycle of creating, editing, monitoring, and debugging connections. For instructions, see Configure Service Graph Connector for Microsoft Defender Endpoint using SGC Central.
    Important:
    Unless there are configuration issues, use SGC Central to configure the connection. The guided setup method for configuration is being deprecated.

    CMDB integrations dashboard

    The Integration Commons for CMDB store app provides a dashboard with a central view of the status, processing results, and processing errors of all installed integrations. You can see metrics for all integration runs. You can filter the view to a specific CMDB integration, a specific time duration, or a specific integration run. For more details about monitoring Microsoft Defender for Endpoint integrations in the CMDB Integrations Dashboard, see Using the CMDB Integrations Dashboard.

    Data mapping

    Data from the Microsoft Defender for Endpoint data source is mapped and transformed into the ServiceNow CMDB configuration item (CI) class definitions using the Robust Transform Engine (RTE). Data is inserted into the ServiceNow CMDB using the Identification and Reconciliation Engine (IRE).

    When you complete setting up the connection, you can configure the integration to pull data periodically from the machines utilizing the Microsoft Defender for Endpoint security solution.

    The following data source is included for the Microsoft Defender for Endpoint security solution:
    SG-Defender Machines
    Imports all the machine-related data from the machines utilizing the Microsoft Defender for Endpoint security solution, loads the imported data in the SG-Defender Machines [sn_defender_integ_sg_defender_machines] staging table, and then populates the following target tables:
    • IP Address [cmdb_ci_ip_address]
    • Software Installation [cmdb_sam_sw_install] (If the Software Asset Management (SAM) application is installed.)
    • Software Instance [cmdb_software_instance] (If the SAM application is not installed.)
    • Software [cmdb_ci_spkg] (If the SAM application is not installed.)
    • SG-Defender Machines Related [sn_defender_integ_sg_defender_machines_related]
    • Network Adapter [cmdb_ci_network_adapter]
    • Computer [cmdb_ci_computer]
    • Windows Server [cmdb_ci_win_server]
    Note:
    Only operating system details are populated in the Software Installation [cmdb_sam_sw_install], Software Instance [cmdb_software_instance], and Software [cmdb_ci_spkg] tables.

    For more information on where data is saved when pulling data from the Microsoft Defender for Endpoint security solution, see CMDB classes targeted in Service Graph Connector for Microsoft Defender Endpoint.

    You can use the IntegrationHub ETL app to view the data maps. See IntegrationHub ETL for more information.