Support for the Vulnerability Response Integration with Microsoft Defender for IoT (Azure)

  • Release version: Xanadu
  • Updated August 1, 2024
    You can refer to this section for questions regarding data mapping and error handling.

    Data mapping

    The following tables describe the data mapping fields used for vulnerability detection and National Vulnerability Database (NVD) entries in the Microsoft Defender for IoT (Azure) application and, where one exists, the equivalent field after the data is imported into the ServiceNow CMDB.

    Table 1. Vulnerability Detection

    | Microsoft Defender for IoT (Azure) field | ServiceNow field |
    |---|---|
    | N/A | source. Note: This field is always set to Microsoft Azure Defender for IoT. |
    | name | detection_key |
    | N/A | status. Note: This field is set to 0, meaning open, by default. |

    Table 2. NVD entries

    | Microsoft Defender for IoT (Azure) field | ServiceNow field |
    |---|---|
    | properties/vulnerabilityid | id |
    | N/A | source. Note: This field is set to NVD by default. |
    | properties/description | summary |
    | properties/score | score |
    | properties/exploittype | Exploit exists. If the API data indicates an exploit exists, the integration sets this field to Yes. |
    | properties/exploittype | public_exploit. If the API data indicates an exploit exists, the integration sets this field to Yes. |

    Configuration item (CI) lookup

    The CI lookup is performed using the deviceid from Microsoft Defender for IoT (Azure). The sys_object_source table, populated by the Service Graph Connector, is searched for the matching deviceid. If a match is found, the detection and vulnerable item are linked to that CI.
    Note:
    By default, a CI match is required to insert vulnerability detections. This helps minimize unclassed hardware CIs in your CMDB. To change this behavior, set the sn_msftd4iotazvr.require_ci_match system property to false. Setting the property to false allows the creation of unclassed hardware CIs if a CI match isn't found.
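The mapping in Tables 1 and 2 and the deviceid CI lookup described above, modelled as an added example in plain Node.js-style JavaScript (this is not ServiceNow's or Microsoft's code, and it uses in-memory objects in place of GlideRecord and the sys_object_source table). The source values, default status, field names and the sn_msftd4iotazvr.require_ci_match behaviour are taken from the page; the shape of the Defender for IoT row (`row.deviceid`, `row.name`, `row.properties.<field>`), the rule that a non-empty exploittype other than "None" means an exploit exists, the sample device ids and the placeholder CVE ids are assumptions. The missing vulnerability ID check reproduces the data processing error message documented under Error handling.

```javascript
'use strict';
// Added example, not ServiceNow's or Microsoft's code. Models the Table 1 / Table 2
// mapping and the deviceid CI lookup with plain objects so it runs in Node.js
// outside a ServiceNow instance (no GlideRecord).

// Values the page states for detection and NVD entry records.
const DETECTION_SOURCE = 'Microsoft Azure Defender for IoT';
const DETECTION_STATUS_OPEN = 0; // status 0 means open
const NVD_SOURCE = 'NVD';

// Stand-in for sys_object_source as populated by the Service Graph Connector:
// deviceid -> CMDB CI sys_id. Constructed sample data, not real identifiers.
const sysObjectSource = new Map([
  ['dev-plc-001', 'ci-sys-id-aaa111'],
  ['dev-hmi-007', 'ci-sys-id-bbb222'],
]);
const createdUnclassedCis = []; // unclassed hardware CIs created when no match exists
let unclassedCounter = 0;

// Assumption: the page only says the flag is Yes "if the API data indicates an
// exploit exists"; here any non-empty exploittype other than "None" counts.
function exploitExists(exploitType) {
  if (typeof exploitType !== 'string') return false;
  const t = exploitType.trim().toLowerCase();
  return t !== '' && t !== 'none';
}

// Table 2: NVD entry. Row shape (row.properties.<field>) is assumed; the field
// names are the ones listed in the page's mapping table.
function mapNvdEntry(row) {
  const p = row.properties || {};
  const flag = exploitExists(p.exploittype) ? 'Yes' : null; // null = left unset (assumption)
  return {
    id: p.vulnerabilityid,
    source: NVD_SOURCE,
    summary: p.description,
    score: p.score,
    exploit_exists: flag,
    public_exploit: flag,
  };
}

// CI lookup: search sys_object_source for the matching deviceid.
function lookupCi(deviceid) {
  return sysObjectSource.has(deviceid) ? sysObjectSource.get(deviceid) : null;
}

// Behaviour when sn_msftd4iotazvr.require_ci_match is false: create an unclassed
// hardware CI and register it so later rows for the same device link to it.
function createUnclassedHardwareCi(deviceid) {
  unclassedCounter += 1;
  const sysId = 'cmdb-unclassed-' + unclassedCounter; // constructed placeholder id
  createdUnclassedCis.push({ sys_id: sysId, deviceid: deviceid });
  sysObjectSource.set(deviceid, sysId);
  return sysId;
}

// Table 1 plus CI linkage for one row. Returns the detection and NVD entry, the
// reason the row was skipped, or the documented data processing error.
function processRow(row, requireCiMatch) {
  const p = row.properties || {};
  if (!p.vulnerabilityid) {
    return { error: 'Cannot create a Detection without a vulnerability ID' };
  }
  let ci = lookupCi(row.deviceid);
  if (ci === null) {
    if (requireCiMatch) {
      return { skipped: 'no CI match for deviceid ' + row.deviceid }; // default behaviour
    }
    ci = createUnclassedHardwareCi(row.deviceid);
  }
  return {
    detection: { source: DETECTION_SOURCE, detection_key: row.name, status: DETECTION_STATUS_OPEN, ci: ci },
    nvd_entry: mapNvdEntry(row),
  };
}

// Constructed sample rows in the assumed shape (CVE ids are placeholders).
const SAMPLE_ROWS = [
  { deviceid: 'dev-plc-001', name: 'CVE-PLACEHOLDER-0001@dev-plc-001',
    properties: { vulnerabilityid: 'CVE-PLACEHOLDER-0001', description: 'Sample finding', score: 9.8, exploittype: 'Public' } },
  { deviceid: 'dev-unknown-42', name: 'CVE-PLACEHOLDER-0002@dev-unknown-42',
    properties: { vulnerabilityid: 'CVE-PLACEHOLDER-0002', description: 'Sample finding', score: 5.3, exploittype: 'None' } },
  { deviceid: 'dev-hmi-007', name: 'missing-id@dev-hmi-007',
    properties: { description: 'Row with no vulnerability ID', score: 4.0 } },
];

// Process every sample row under the given require_ci_match setting.
function runDemo(requireCiMatch) {
  return SAMPLE_ROWS.map(function (row) { return processRow(row, requireCiMatch); });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runDemo(true), null, 2));
}
```

With the default setting the second sample row is skipped because its deviceid has no sys_object_source entry; rerunning it with the property set to false creates an unclassed hardware CI and links the detection to it, which is the trade-off the note above describes.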

    Error handling

    The integration is designed to be mostly pre-configured, so you only need to enter your Azure Tenant ID, Client ID, and Client Secret. Log messages from the application are viewable in the System Logs from the sn_msftd4iotazvr source. Additional relevant log messages can also appear from the sn_vul source.

    If the integration run fails, the error is shown in the Notes field on the integration run. The state is set to Complete with a substate of Failed.

    The Import Queue (sn_vul_ds_import_q_entry) table contains all the pending transformation requests. You can filter this table to only show items that have a status of Processing to view what is currently under transformation.

    The following tables describe the error messages and possible causes during data retrieval and data processing.

    Table 3. Vulnerability Detection Integration (Data Retrieval)

    | Error message | Possible cause |
    |---|---|
    | Cannot run integration without a REST message and REST method specified | On the Detection Integration job record, the REST message or REST method fields are not populated. |
    | Cannot run integration without Microsoft Defender for IoT (Azure) oauth_client_id specified | On the Integration Instance, the OAuth Client ID is not populated. |
    | Cannot run integration without Microsoft Defender for IoT (Azure) oauth_client_secret specified | On the Integration Instance, the OAuth Client Secret is not populated. |
    | Cannot run integration without the detection API resource path specified | On the Integration Instance, the detection API resource path is not populated. The default is https://management.azure.com/providers/Microsoft.ResourceGraph/resources |
    | Cannot run integration with API version specified | On the Integration Instance, the API version is not populated. The default is 2021-03-01. |
    | Invalid response code {response code} received from Microsoft Defender for IoT (Azure) | The response from the Microsoft API is invalid. For example, the invalid response code 401 received from Microsoft Defender for IoT (Azure) means Unauthorized. The credentials or OAuth Token are likely invalid. |
    | Failed to parse the JSON response body | The JSON response received could not be parsed, which means that no data was received. Ensure that the credentials are correct and that no other errors occur. |
    | Error writing attachment | The system couldn't attach the response data to the data source. You likely need to contact your system administrator for further troubleshooting. A common cause for this error is that the MID Server or Run as user is missing the sn_vul.vr_import_admin role. |
    | Attachment content is null: attachment sys_id = {sys_id} | The Data Source attachment content is null. This could indicate an issue with the Microsoft API itself, or an issue in ServiceNow. Contact your system administrator for further troubleshooting. |
    | Could not find attachment with sys_id {sys_id} | The data source attachment was not found. This could indicate an issue with the Microsoft API itself, or an issue in ServiceNow. Contact your system administrator for further troubleshooting. |

    Table 4. Vulnerability Detection Integration (Data Processing)

    | Error message | Possible cause |
    |---|---|
    | Cannot create a Detection without a vulnerability ID | A vulnerability ID was not present for the record. This is most likely caused by an issue with the Microsoft API. |