Configuration Compliance imported data for Microsoft Defender for Cloud Integration
Summary of Configuration Compliance imported data for Microsoft Defender for Cloud Integration
Configuration Compliance imports and organizes policy definitions, tests, authoritative sources, assets, and test results from Microsoft Defender for Cloud into ServiceNow modules. This integration enables you to view, manage, and remediate configuration compliance issues based on third-party security assessments within the Configuration Compliance application.
Key Features
- Terminology Updates: Since version 14.9, terms like Test Result Group and Rules have been renamed to Remediation Task Group and Remediation Task Rules, aligning terminology with remediation workflows.
- Test Groups and Tests: Configuration tests are grouped into test groups linked to authoritative documents. These are imported via the scheduled job Policy Definitions Integration. Tests, which define governance rules for assets, are imported using Assessment Metadata Integration. If running integrations manually, Policy Definitions Integration must run before Assessment Metadata Integration.
- Authoritative Sources: Compliance standards and citations (e.g., ISO 27001, PCI DSS) are imported through the Compliance Standards & Controls Integration job, providing context for vulnerability alerts.
- Asset Information: Resource tags and cloud attributes (Cloud Account, Region, Resource Type, Service Provider) are imported from Defender for Cloud and used mainly for filtering in assignment and remediation rules. Host tags are case-insensitive and intended for use in condition builders only.
- Test Results: Imported using the Assessment Integration job, test results reflect the latest status from Defender for Cloud. They trigger remediation tasks and use the Start Time parameter to limit imports to recent changes. A weekly Comprehensive Assessment Integration runs to update test results for the past seven days.
- CI Lookup Rules: Imported resource data is matched against the CMDB using CI lookup rules (e.g., Resource ID, Name, S3 Bucket) to associate configuration items with test results and support remediation efforts.
- Container Vulnerability Items: Vulnerabilities in container images are imported via the Container Image Vulnerabilities Integration job, which supports incremental imports based on a Start Time parameter.
Practical Implications for ServiceNow Customers
- This integration centralizes Microsoft Defender for Cloud compliance data within ServiceNow, enabling streamlined visibility and remediation tracking.
- Scheduled jobs automate data imports for policies, tests, standards, assets, and vulnerabilities; understanding their order and dependencies ensures accurate and timely data synchronization.
- Using imported cloud attributes and host tags in filters and condition builders helps tailor compliance assignments and remediation tasks to your environment.
- CI lookup rules facilitate linking imported findings to existing CMDB items, enhancing remediation traceability and impact analysis.
- The ability to run integrations manually and control import scope via Start Time parameters provides flexibility for data refresh and troubleshooting.
Configuration Compliance imports policies, tests, authoritative sources, and test results from third-party integrations and stores them in modules for viewing.
| Terminology prior to v14.9 | Terminology v14.9 onwards |
|---|---|
| Test Result Group | Remediation Task |
| Group Rules | Remediation Task Rules |
| Policy | Test group |
Test groups
A group of configuration tests constitutes a test group. Test groups are related to authoritative documents and test records, and they can be modified to meet the needs of your organization. One configuration test can belong to multiple test groups.
Tests
Tests are libraries of data records that organize scans of computing assets. Configuration tests define how assets must be governed.
A Configuration Compliance test is the mechanism third-party integration applications use to group assets by test results type.
Starting with v15.0 of Configuration Compliance, the test group to which a test belongs is shown in the Test Groups column of the Tests list.
Authoritative sources
Configuration Compliance uses authoritative sources and citations when generating vulnerability alerts for tests. Authoritative sources usually map to sections of published industry standards, such as ISO 27001 and PCI DSS 3.2.1.
These source records contain references to information about known software and hardware configuration issues from experts in the field of computer security. They define requirements for security policies and procedures.
Assets
- Resource tags: All cloud resource tags are imported as host tags as part of the Assessment integration. The cloud tags for any cloud resource type are stored here, whether the resource is a host or not.
- Tag storage is not case-sensitive. If a Tokyo tag is created, then a TOKYO tag cannot be stored in the Host tag table. Tokyo and TOKYO are considered to be the same host tag. Whichever tag was imported first wins.
- Using host tags as a group key in a group rule can have unexpected results. Host tags are intended for use only in the condition builder.
- Cloud attributes for assets: Following are the cloud attributes that the integrations retrieve from Microsoft Defender for Cloud:
- Cloud Account
- Cloud Region
- Cloud Resource Type
- Cloud Service Provider
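The host tag rules above (case-insensitive storage, first imported spelling wins, and why grouping on a host tag can surprise you) are easy to see in a small model. The following is an added example, not ServiceNow's own code; the resource names, tags and the `import_host_tags` / `group_by_tag` helpers are constructed for illustration.

```python
def import_host_tags(resources, tag_table=None):
    """Model of host tag import.

    resources: list of (resource_name, [tag, ...]) as imported from the cloud provider.
    tag_table: dict mapping the case-folded tag name to the spelling that was stored
               first. Passing an existing table models a later import run.
    Returns (tag_table, assignments) where assignments maps each resource to the
    stored host tags it ended up with.
    """
    if tag_table is None:
        tag_table = {}
    assignments = {}
    for name, tags in resources:
        stored = []
        for tag in tags:
            key = tag.casefold()
            # Whichever spelling was imported first wins; later variants
            # ("TOKYO" after "Tokyo") resolve to the already stored tag.
            tag_table.setdefault(key, tag)
            stored.append(tag_table[key])
        assignments[name] = stored
    return tag_table, assignments


def group_by_tag(assignments):
    """Group resources by stored host tag, the way a group key on host tags would."""
    groups = {}
    for name, tags in assignments.items():
        for tag in tags:
            groups.setdefault(tag, []).append(name)
    return groups


# Constructed sample import: two resources tagged with different casings of "tokyo".
SAMPLE_RESOURCES = [
    ("vm-a", ["Tokyo", "Prod"]),
    ("vm-b", ["TOKYO"]),
    ("storage-c", ["prod"]),
]

if __name__ == "__main__":
    table, assigned = import_host_tags(SAMPLE_RESOURCES)
    print(table)                 # {'tokyo': 'Tokyo', 'prod': 'Prod'}
    print(group_by_tag(assigned))  # vm-a and vm-b land in the same 'Tokyo' group
```

Because "Tokyo" and "TOKYO" collapse to a single stored tag, a group rule keyed on the host tag merges resources that the cloud provider labelled differently, which is the "unexpected results" the text warns about; a condition builder filter on the tag is unaffected.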
Test results
Configuration Compliance does not calculate the test results, but imports them as part of a third-party integration. Once they are viewable in Configuration Compliance, they are remediated using Remediation Tasks.
If the Microsoft Defender for Cloud integration is installed, the scheduled job, Assessment Integration, retrieves the test results. You can view this scheduled job by navigating to .
The Assessment Integration import is the only integration that uses the Start Time parameter in the Integration Details tab. All other Configuration Compliance imports bring in all available data regardless of Start Time.
When the Assessment Integration import is complete, an event is started to trigger end-of-import calculations.
By default, the Assessment Integration pulls an assessment only if its status has changed since the last successful integration run, within the last one day. As a result, an assessment that has been failing continuously for several days is not fetched, because its status has not changed. To keep the test results in sync with the Defender assessments, a Comprehensive Assessment Integration has been added that pulls data from the past seven days. It runs weekly and retrieves all test results that are not passed.
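The interaction between the incremental Assessment Integration and the weekly Comprehensive Assessment Integration, including the case of an assessment that has been failing for days, is modelled below. This is an added example, not the integration's own code: the `Assessment` record, the "Healthy"/"Unhealthy" status labels, the `incremental_selection` / `comprehensive_selection` functions and the sample timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Assessment:
    resource_id: str
    status: str              # constructed labels: "Healthy" = passed, "Unhealthy" = failed
    status_changed: datetime  # when the status last changed in Defender for Cloud


def incremental_selection(assessments, now, start_time=None):
    """Model of the Assessment Integration.

    Only assessments whose status changed after Start Time are pulled. When no
    Start Time is set, the window defaults to the last one day.
    """
    if start_time is None:
        start_time = now - timedelta(days=1)
    return [a for a in assessments if a.status_changed > start_time]


def comprehensive_selection(assessments, now):
    """Model of the weekly Comprehensive Assessment Integration.

    Every not-passed result from the past seven days is pulled, whether or not
    its status changed recently, so continuously failing assessments are refreshed.
    """
    window_start = now - timedelta(days=7)
    return [a for a in assessments
            if a.status != "Healthy" and a.status_changed >= window_start]


def ids(selection):
    return [a.resource_id for a in selection]


# Constructed sample: "now" and four assessments with different histories.
NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Assessment("vm-1", "Unhealthy", NOW - timedelta(hours=6)),  # failed within the last day
    Assessment("vm-2", "Unhealthy", NOW - timedelta(days=5)),   # failing unchanged for 5 days
    Assessment("vm-3", "Healthy", NOW - timedelta(hours=2)),    # passed within the last day
    Assessment("vm-4", "Unhealthy", NOW - timedelta(days=10)),  # stale, outside both windows
]

if __name__ == "__main__":
    print("incremental:  ", ids(incremental_selection(SAMPLE, NOW)))
    print("comprehensive:", ids(comprehensive_selection(SAMPLE, NOW)))
```

Run as written, the incremental job picks up vm-1 and vm-3 (recent status changes, pass or fail) but skips vm-2, whose failure has not changed in five days; the comprehensive job picks up vm-1 and vm-2 (not passed, within seven days) and ignores the passed vm-3. Setting an explicit Start Time further back widens the incremental window, which is the manual-refresh lever the text describes.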
CI lookup rules for identifying CIs from Microsoft Defender for Cloud integrations
When data is imported from a third-party integration, Configuration Compliance automatically uses resource data to search for matches in the Configuration Management Database (CMDB), using CI Lookup Rules. These rules are used to identify the configuration items (CIs) and add them to the test result record to aid in remediation. Base system CI lookup rules are available for Resource ID, Name, and S3 Bucket. For more information on CI lookup rules, see CI lookup rules for Microsoft Defender for Cloud Integration for Security Operations.
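The following added example models how ordered CI lookup rules match imported resource data against the CMDB and attach a CI to a test result. It is not ServiceNow's implementation: the CMDB rows, field names, rule order and the `lookup_ci` / `attach_ci` helpers are constructed assumptions, and only the three base-system rule names (Resource ID, Name, S3 Bucket) come from the text.

```python
# Constructed CMDB rows. Field names are illustrative, not ServiceNow's schema.
CMDB = [
    {"sys_id": "ci-001", "resource_id": "/subscriptions/sub-x/vm-web-01", "name": "vm-web-01"},
    {"sys_id": "ci-002", "resource_id": None, "name": "vm-db-01"},
    {"sys_id": "ci-003", "s3_bucket": "logs-archive-bucket", "name": "logs-archive"},
]

# Lookup rules in evaluation order: (rule name, resource field, CMDB field).
# Assumed order: the most specific identifier (Resource ID) is tried first.
LOOKUP_RULES = [
    ("Resource ID", "resource_id", "resource_id"),
    ("Name", "name", "name"),
    ("S3 Bucket", "s3_bucket", "s3_bucket"),
]


def lookup_ci(resource, cmdb=CMDB, rules=LOOKUP_RULES):
    """Return (rule_name, ci_sys_id) for the first rule that matches, else (None, None).

    A rule only matches when the resource carries a non-empty value for its field
    and a CMDB row has exactly that value in the corresponding field.
    """
    for rule_name, resource_field, ci_field in rules:
        value = resource.get(resource_field)
        if not value:
            continue  # rule not applicable to this resource
        for ci in cmdb:
            if ci.get(ci_field) == value:
                return rule_name, ci["sys_id"]
    return None, None


def attach_ci(test_result, cmdb=CMDB):
    """Enrich an imported test result with the matched CI (or leave it empty)."""
    rule, sys_id = lookup_ci(test_result["resource"], cmdb)
    return {**test_result, "matched_by": rule, "configuration_item": sys_id}


# Constructed imported test results, one per lookup path plus one with no match.
SAMPLE_RESULTS = [
    {"test": "Disk encryption", "resource": {"resource_id": "/subscriptions/sub-x/vm-web-01", "name": "renamed-vm"}},
    {"test": "Disk encryption", "resource": {"resource_id": "/subscriptions/sub-x/vm-db-01", "name": "vm-db-01"}},
    {"test": "Public bucket", "resource": {"s3_bucket": "logs-archive-bucket"}},
    {"test": "Disk encryption", "resource": {"resource_id": "/subscriptions/sub-x/vm-new-99", "name": "vm-new-99"}},
]

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        enriched = attach_ci(r)
        print(r["test"], "->", enriched["matched_by"], enriched["configuration_item"])
```

The first result matches on Resource ID even though its name has drifted from the CMDB; the second falls through to the Name rule because the CMDB row has no Resource ID; the third matches on S3 Bucket; the last stays unmatched, which is the case to watch for in remediation, since a test result with an empty CI field cannot be routed by CI-based assignment rules.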
Container vulnerability item
When the Microsoft Defender for Cloud integration is configured, the Container Image Vulnerabilities scheduled job retrieves container vulnerable items.
You can view this scheduled job by navigating to: .
- If Start time is empty, the integration imports all available container vulnerability data.
- If Start time is set, the integration imports only data created or updated after the specified time.