CMDB classes targeted in Service Graph Connector for Microsoft Defender Endpoint
Summary of CMDB classes targeted in Service Graph Connector for Microsoft Defender Endpoint
The Service Graph Connector for Microsoft Defender Endpoint enables ServiceNow customers to integrate and periodically pull security data from Microsoft Defender for Endpoint. This data populates specific Configuration Management Database (CMDB) tables that extend from the core Configuration item [cmdb_ci] table.
This integration helps maintain an accurate, up-to-date asset and security posture view within ServiceNow by mapping Defender Endpoint data into relevant CMDB classes and their relationships.
Key CMDB Classes and Attributes Populated
- Computer [cmdb_ci_computer]: Populated attributes include discovery source, install status, name, operating system, and OS version. It owns IP Address and Network Adapter records and references related Defender machines and software installations.
- IP Address [cmdb_ci_ip_address]: Attributes populated include install status, IP address, IP version, name, and NIC. It references Network Adapter and Defender-related machine tables.
- SG-Defender Machines Related [sn_defender_integ_sg_defender_machines_related]: Contains Defender-specific attributes such as agent version, device ID, exposure level, onboarding status, health status, and last reported date.
- Network Adapter [cmdb_ci_network_adapter]: Attributes include discovery source, install status, MAC address, and name. It references Server and Computer classes.
- Software [cmdb_ci_spkg]: Populated when Software Asset Management (SAM) is not installed; includes key, name, and version.
- Software Installation [cmdb_sam_sw_install]: Populated when SAM is installed; includes discovery source, display name, and version.
- Software Instance [cmdb_software_instance]: Contains installed on and name attributes, used when SAM is not installed. References Server and Windows Server classes.
- Windows Server [cmdb_ci_win_server]: Attributes populated include class, discovery source, install status, name, operating system, and OS version. Owns Network Adapter and IP Address records and references Defender machines and software installations.
Relationships and Data Structure
The connector establishes key relationships between these CMDB classes to mirror the real-world dependencies and ownerships, such as:
- Computers owning IP Addresses and Network Adapters.
- Network Adapters referencing Servers and Computers.
- Windows Servers owning Network Adapters and IP Addresses.
- Software and Software Instances referencing Server-related classes.
- Reference links connecting Defender-specific machine data to Computers and Windows Servers for enriched context.
Practical Benefits for ServiceNow Customers
- Automated, accurate updating of CMDB records with Defender Endpoint security data enhances visibility and control over IT assets.
- Improved asset relationships help streamline incident, vulnerability, and configuration management workflows.
- Support for both SAM and non-SAM environments ensures flexibility in software asset tracking.
- Consistent data model integration facilitates better security posture assessment and compliance reporting within ServiceNow.
After you finish setting up the connection, you can configure the integration to periodically pull data from machines that use the Microsoft Defender for Endpoint security solution. The data is saved in tables that extend from the Configuration item [cmdb_ci] table.

Computer [cmdb_ci_computer]

| Attribute label | Attribute name |
|---|---|
| Class | sys_class_name |
| Discovery source | discovery_source |
| Install Status | install_status |
| Name | name |
| Operating System | os |
| OS Version | os_version |

| Parent class | Relationship type | Child class |
|---|---|---|
| Computer [cmdb_ci_computer] | Owns::Owned by | IP Address [cmdb_ci_ip_address] |
| Computer [cmdb_ci_computer] | Owns::Owned by | Network Adapter [cmdb_ci_network_adapter] |
| Computer [cmdb_ci_computer] | Reference | SG-Defender Machines Related [sn_defender_integ_sg_defender_machines_related] |
| Computer [cmdb_ci_computer] | Reference | Software Installation [cmdb_sam_sw_install] |

IP Address [cmdb_ci_ip_address]

| Attribute label | Attribute name |
|---|---|
| Install Status | install_status |
| IP Address | ip_address |
| IP version | ip_version |
| Name | name |
| Nic | nic |

| Parent class | Relationship type | Child class |
|---|---|---|
| IP Address [cmdb_ci_ip_address] | Reference | Network Adapter [cmdb_ci_network_adapter] |

SG-Defender Machines Related [sn_defender_integ_sg_defender_machines_related]

| Attribute label | Attribute name |
|---|---|
| Agent Version | agent_version |
| Device Id | device_id |
| Exposure Level | exposure_level |
| First Seen | first_seen_date |
| Health Status | health_status |
| IsAadJoined | isaadjoined |
| Last Reported | last_reported |
| Managed by | managed_by |
| Onboarding Status | onboarding_status |

Network Adapter [cmdb_ci_network_adapter]

| Attribute label | Attribute name |
|---|---|
| Discovery source | discovery_source |
| Install Status | install_status |
| MAC Address | mac_address |
| Name | name |

| Parent class | Relationship type | Child class |
|---|---|---|
| Network Adapter [cmdb_ci_network_adapter] | Reference | Server [cmdb_ci_server] |
| Network Adapter [cmdb_ci_network_adapter] | Reference | Computer [cmdb_ci_computer] |

Software [cmdb_ci_spkg]

| Attribute label | Attribute name |
|---|---|
| Key | key |
| Name | name |
| Version | version |

| Parent class | Relationship type | Child class |
|---|---|---|
| Software [cmdb_ci_spkg] | Reference | Software Instance [cmdb_software_instance] |

Software Installation [cmdb_sam_sw_install]

| Attribute label | Attribute name |
|---|---|
| Discovery source | discovery_source |
| Display name | display_name |
| Version | version |

Software Instance [cmdb_software_instance]

| Attribute label | Attribute name |
|---|---|
| Installed on | installed_on |
| Name | name |

| Parent class | Relationship type | Child class |
|---|---|---|
| Software Instance [cmdb_software_instance] | Reference | Server [cmdb_ci_server] |

Windows Server [cmdb_ci_win_server]

| Attribute label | Attribute name |
|---|---|
| Class | sys_class_name |
| Discovery source | discovery_source |
| Install Status | install_status |
| Name | name |
| Operating System | os |
| OS Version | os_version |

| Parent class | Relationship type | Child class |
|---|---|---|
| Windows Server [cmdb_ci_win_server] | Owns::Owned by | Network Adapter [cmdb_ci_network_adapter] |
| Windows Server [cmdb_ci_win_server] | Owns::Owned by | IP Address [cmdb_ci_ip_address] |
| Windows Server [cmdb_ci_win_server] | Reference | SG-Defender Machines Related [sn_defender_integ_sg_defender_machines_related] |
| Windows Server [cmdb_ci_win_server] | Reference | Software Installation [cmdb_sam_sw_install] |