Support for the Vulnerability Response Integration with Microsoft Defender for IoT (Azure)
Summary of Support for the Vulnerability Response Integration with Microsoft Defender for IoT (Azure)
This integration enables ServiceNow customers to import and manage vulnerability data from Microsoft Defender for IoT (Azure) directly within the ServiceNow Configuration Management Database (CMDB) and Vulnerability Response application. It facilitates automated data mapping, CI (Configuration Item) lookup, and error handling to streamline vulnerability detection and management processes.
Data Mapping
The integration maps key vulnerability detection and National Vulnerability Database (NVD) fields from Microsoft Defender for IoT (Azure) into ServiceNow fields. For vulnerability detections, fields such as source (always set to Microsoft Azure Defender for IoT), name, detection key, and status (defaulted to open) are mapped. For NVD entries, critical fields like vulnerability ID, description, score, and exploit information are synchronized, with exploit indicators set to "Yes" if exploits are detected in the source data.
CI Lookup and Configuration
The integration links vulnerability detections to CIs using the device ID from Microsoft Defender for IoT (Azure), leveraging the sys_object_source table populated by the Service Graph Connector. By default, the integration requires a CI match to minimize unclassified hardware CIs in the CMDB. Customers can override this by setting the sn_msftd4iotazvr.require_ci_match system property to false, which allows an unclassified hardware CI to be created when no match is found.
Error Handling and Troubleshooting
The integration is largely pre-configured, requiring customers only to input their Azure Tenant ID, Client ID, and Client Secret. Logs related to the integration are accessible via the System Logs under the sn_msftd4iotazvr and sn_vul sources. Integration run errors appear in the Notes field with a state of Complete and a substate of Failed.
Common errors during data retrieval include missing REST message or method, absent OAuth credentials, incorrect API resource paths or versions, unauthorized responses (e.g., 401 errors due to invalid credentials), invalid JSON responses, and attachment handling failures often linked to MID Server roles or system permissions.
Data processing errors typically involve missing vulnerability IDs, often indicating issues with the Microsoft API response.
Practical Implications for ServiceNow Customers
- Ensure proper configuration of OAuth credentials and API resource paths to enable smooth data retrieval from Microsoft Defender for IoT (Azure).
- Monitor system logs to quickly identify and resolve integration errors.
- Leverage the CI lookup feature to maintain accurate vulnerability associations within the CMDB, adjusting the CI match requirement based on organizational needs.
- Use the integration to automate vulnerability detection ingestion and improve security posture visibility.
You can refer to this section for questions regarding data mapping and error handling.
Data mapping
Vulnerability detection fields:

| Microsoft Defender for IoT (Azure) field | ServiceNow field |
|---|---|
| N/A | source. Note: This field is always set to Microsoft Azure Defender for IoT. |
| name | detection_key |
| N/A | status. Note: This field is set to 0, meaning open, by default. |

NVD entry fields:

| Microsoft Defender for IoT (Azure) field | ServiceNow field |
|---|---|
| properties/vulnerabilityid | id |
| N/A | source. Note: This field is set to NVD by default. |
| properties/description | summary |
| properties/score | score |
| properties/exploittype | Exploit exists. If the API data indicates an exploit exists, the integration sets this field to Yes. |
| properties/exploittype | public_exploit. If the API data indicates an exploit exists, the integration sets this field to Yes. |
Error handling
The integration is designed to be mostly pre-configured, so you only need to enter your Azure Tenant ID, Client ID, and Client Secret. Log messages from the application are viewable in the System Logs from the sn_msftd4iotazvr source. Additional relevant log messages can also appear from the sn_vul source.
If the integration run fails, the error is shown in the Notes field on the integration run. The state is set to Complete with a substate of Failed.
The Import Queue (sn_vul_ds_import_q_entry) table contains all the pending transformation requests. You can filter this table to only show items that have a status of Processing to view what is currently under transformation.
The following tables describe the error messages and possible causes during data retrieval and data processing.

Data retrieval errors:

| Error message | Possible cause |
|---|---|
| Cannot run integration without a REST message and REST method specified | On the Detection Integration job record, the REST message or REST method fields are not populated. |
| Cannot run integration without Microsoft Defender for IoT (Azure) oauth_client_id specified | On the Integration Instance, the OAuth Client ID is not populated. |
| Cannot run integration without Microsoft Defender for IoT (Azure) oauth_client_secret specified | On the Integration Instance, the OAuth Client Secret is not populated. |
| Cannot run integration without the detection API resource path specified | On the Integration Instance, the detection API resource path is not populated. The default is https://management.azure.com/providers/Microsoft.ResourceGraph/resources |
| Cannot run integration with API version specified | On the Integration Instance, the API version is not populated. The default is 2021-03-01. |
| Invalid response code {response code} received from Microsoft Defender for IoT (Azure) | The response from the Microsoft API is invalid. For example, the invalid response code 401 received from Microsoft Defender for IoT (Azure) means Unauthorized; the credentials or OAuth token are likely invalid. |
| Failed to parse the JSON response body | The JSON response could not be parsed, so no usable data was received. Ensure that the credentials are correct and that no other errors occurred. |
| Error writing attachment | The system couldn't attach the response data to the data source. You likely need to contact your system administrator for further troubleshooting. A common cause for this error is that the MID Server or Run as user is missing the sn_vul.vr_import_admin role. |
| Attachment content is null: attachment sys_id = {sys_id} | The Data Source attachment content is null. This could indicate an issue with the Microsoft API itself, or an issue in ServiceNow. Contact your system administrator for further troubleshooting. |
| Could not find attachment with sys_id {sys_id} | The data source attachment was not found. This could indicate an issue with the Microsoft API itself, or an issue in ServiceNow. Contact your system administrator for further troubleshooting. |

Data processing errors:

| Error message | Possible cause |
|---|---|
| Cannot create a Detection without a vulnerability ID | A vulnerability ID was not present for the record. This is most likely caused by an issue with the Microsoft API. |
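As an added illustration (not ServiceNow's own transform code), the following stand-alone JavaScript models the field mapping, the device-ID CI lookup against sys_object_source, and the "Cannot create a Detection without a vulnerability ID" check described above. The sample record, the object-source rows and the CVE placeholder are constructed; the interpretation of exploittype values and the exploit_exists field name are assumptions.

```javascript
// Added example: models the page's mapping rules; not the integration's own code.
const DETECTION_SOURCE = 'Microsoft Azure Defender for IoT';
const STATUS_OPEN = 0; // status 0 means "open"

// Assumption: any non-empty exploittype other than "None" indicates an exploit.
function exploitIndicated(exploittype) {
  const v = String(exploittype || '').trim().toLowerCase();
  return v !== '' && v !== 'none';
}

// Maps the NVD side (properties/*) of a record. Throws the same message the
// integration logs as a data-processing error when the vulnerability ID is missing.
function mapNvdEntry(props) {
  const id = props.vulnerabilityid == null ? '' : String(props.vulnerabilityid).trim();
  if (id === '') throw new Error('Cannot create a Detection without a vulnerability ID');
  const exploit = exploitIndicated(props.exploittype) ? 'Yes' : 'No'; // "No" is an assumption
  return { id, source: 'NVD', summary: props.description || '', score: Number(props.score),
           exploit_exists: exploit, public_exploit: exploit };
}

// Looks up the CI for an Azure device ID in sys_object_source-style rows ({ id, target }).
// With requireCiMatch=true (the default) an unmatched device yields null, so no
// unclassified hardware CI is created; with false a placeholder unclassified CI is returned.
function lookupCi(deviceId, objectSource, requireCiMatch) {
  const row = objectSource.find((r) => r.id === deviceId);
  if (row) return row.target;
  return requireCiMatch ? null : { unclassified: true, deviceId };
}

// Builds the detection record; returns null when the record must be skipped.
function mapDetection(record, objectSource, requireCiMatch) {
  const nvd = mapNvdEntry(record.properties);
  const ci = lookupCi(record.deviceId, objectSource, requireCiMatch);
  if (ci === null) return null; // no CI match and matches are required
  return { source: DETECTION_SOURCE, detection_key: record.name, status: STATUS_OPEN,
           vulnerability: nvd.id, cmdb_ci: ci };
}

// Constructed sample data (device ID, CI sys_id and CVE are placeholders).
const OBJECT_SOURCE = [{ id: 'dev-001', target: 'cmdb_ci:abc123' }];
const SAMPLE = {
  deviceId: 'dev-001', name: 'CVE-0000-00000 on dev-001',
  properties: { vulnerabilityid: 'CVE-0000-00000', description: 'Sample finding',
                score: 7.5, exploittype: 'Public' },
};
```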