Service Graph Connector for Microsoft Defender Endpoint
Use the Service Graph Connector for Microsoft Defender Endpoint to pull data from machines protected by the Microsoft Defender for Endpoint security solution into your ServiceNow instance.
Request apps on the Store
Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.
Supported versions
- Supported Microsoft Defender for Endpoint versions:
  - Microsoft Defender for Endpoint Plan 1
  - Microsoft Defender for Endpoint Plan 2
- Supported ServiceNow versions:
  - Washington DC
  - Xanadu
  - Yokohama
Use cases
The ServiceNow Security Operations applications have features that interact with the Service Graph Connector to gain insights into machines utilizing the Microsoft Defender for Endpoint security solution.
Important Information for upgrading Service Graph Connector for Microsoft Defender Endpoint
After you upgrade to Service Graph Connector for Microsoft Defender Endpoint 1.2.0, migrate data from the Server [cmdb_ci_server] CI class to the Computer [cmdb_ci_computer] CI class. For more information, see the Service Graph Connector for Microsoft Defender Endpoint - Data migration after upgrade to version 1.2.0 [KB2096769] article in the Now Support Knowledge Base.
Configuring a connection for the connector
CMDB integrations dashboard
The Integration Commons for CMDB store app provides a dashboard with a central view of the status, processing results, and processing errors of all installed integrations. You can see metrics for all integration runs. You can filter the view to a specific CMDB integration, a specific time duration, or a specific integration run. For more details about monitoring Microsoft Defender for Endpoint integrations in the CMDB Integrations Dashboard, see Using the CMDB Integrations Dashboard.
Data mapping
Data from the Microsoft Defender for Endpoint data source is mapped and transformed into the ServiceNow CMDB configuration item (CI) class definitions using the Robust Transform Engine (RTE). Data is inserted into the ServiceNow CMDB using the Identification and Reconciliation Engine (IRE).
After you set up the connection, you can configure the integration to pull data periodically from the machines that use the Microsoft Defender for Endpoint security solution.
- SG-Defender Machines
  - Imports all the machine-related data from the machines utilizing the Microsoft Defender for Endpoint security solution, loads the imported data in the SG-Defender Machines [sn_defender_integ_sg_defender_machines] staging table, and then populates the following target tables:
    - IP Address [cmdb_ci_ip_address]
    - Software Installation [cmdb_sam_sw_install] (if the Software Asset Management (SAM) application is installed)
    - Software Instance [cmdb_software_instance] (if the SAM application is not installed)
    - Software [cmdb_ci_spkg] (if the SAM application is not installed)
    - SG-Defender Machines Related [sn_defender_integ_sg_defender_machines_related]
    - Network Adapter [cmdb_ci_network_adapter]
    - Computer [cmdb_ci_computer]
    - Windows Server [cmdb_ci_win_server]
For more information on where data is saved when pulling data from the Microsoft Defender for Endpoint security solution, see CMDB classes targeted in Service Graph Connector for Microsoft Defender Endpoint.
You can use the IntegrationHub ETL app to view the data maps. See IntegrationHub ETL for more information.
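To make the transform and identification steps concrete, the following Python illustration is added here; it is not part of this page and is not the connector's own RTE or IRE code. It takes a constructed payload in the shape of the Defender machines API, routes each record to the CMDB classes listed above (Software Installation when SAM is installed, otherwise Software plus Software Instance), validates IP addresses so a malformed value is skipped rather than stored, and reconciles on an identifying attribute so a second pull updates existing CIs instead of duplicating them. The Defender field names, the constructed `software` list, the name-based identification rule and the OS-prefix class routing are all assumptions made for the illustration.

```python
"""Added illustration of transform + identify/reconcile for Defender machine data.
Not ServiceNow's RTE/IRE implementation; field names and rules are assumptions."""
from __future__ import annotations

import itertools
from ipaddress import ip_address
from typing import Any

# Constructed sample payload in the shape of the Defender machines API response
# (field names are an assumption; verify against your tenant). The "software"
# list is constructed for this illustration. No real hosts.
DEFENDER_MACHINES: list[dict[str, Any]] = [
    {
        "id": "m-001",
        "computerDnsName": "ws-0042.corp.example",
        "osPlatform": "Windows11",
        "osVersion": "22H2",
        "ipAddresses": [
            {"ipAddress": "10.20.30.40", "macAddress": "00-11-22-33-44-55", "type": "Ethernet"},
            {"ipAddress": "fe80::1", "macAddress": "00-11-22-33-44-55", "type": "Ethernet"},
        ],
        "software": [{"name": "7-Zip", "version": "23.01"}],
    },
    {
        "id": "m-002",
        "computerDnsName": "sql-01.corp.example",
        "osPlatform": "WindowsServer2022",
        "osVersion": "21H2",
        "ipAddresses": [
            {"ipAddress": "not-an-ip", "macAddress": "AA-BB-CC-DD-EE-FF", "type": "Ethernet"},
            {"ipAddress": "10.20.30.41", "macAddress": "AA-BB-CC-DD-EE-FF", "type": "Ethernet"},
        ],
        "software": [{"name": "SQL Server", "version": "16.0"}],
    },
]


class Cmdb:
    """Minimal in-memory stand-in for the CMDB tables named on the page."""

    def __init__(self) -> None:
        self.tables: dict[str, list[dict[str, Any]]] = {}
        self._ids = itertools.count(1)

    def upsert(self, table: str, identity: dict[str, Any], attrs: dict[str, Any]) -> str:
        """Identification step: match an existing row on `identity`; update it if
        found, otherwise insert. Returns a fake sys_id so reruns are traceable."""
        rows = self.tables.setdefault(table, [])
        for row in rows:
            if all(row.get(k) == v for k, v in identity.items()):
                row.update(attrs)
                return row["sys_id"]
        row = {"sys_id": f"sys{next(self._ids):04d}", **identity, **attrs}
        rows.append(row)
        return row["sys_id"]

    def count(self, table: str) -> int:
        return len(self.tables.get(table, []))


def ci_class_for(os_platform: str) -> str:
    """Assumed routing rule: server OS platforms go to Windows Server, the rest to Computer."""
    return "cmdb_ci_win_server" if os_platform.lower().startswith("windowsserver") else "cmdb_ci_computer"


def import_machine(cmdb: Cmdb, m: dict[str, Any], sam_installed: bool) -> str:
    """Transform one staging row into its target tables and return the machine CI's sys_id."""
    host = m["computerDnsName"].split(".")[0].lower()
    # Identify the machine on its short name (assumed, simplified identifier; real
    # IRE identification rules also weigh serial number, MAC and IP attributes).
    ci = cmdb.upsert(ci_class_for(m["osPlatform"]), {"name": host},
                     {"os": m["osPlatform"], "os_version": m["osVersion"], "correlation_id": m["id"]})

    for nic in m.get("ipAddresses", []):
        try:
            ip = ip_address(nic["ipAddress"])  # skip malformed addresses instead of storing them
        except ValueError:
            continue
        adapter = cmdb.upsert("cmdb_ci_network_adapter",
                              {"cmdb_ci": ci, "mac_address": nic["macAddress"].lower()},
                              {"name": nic.get("type", "")})
        cmdb.upsert("cmdb_ci_ip_address", {"nic": adapter, "ip_address": str(ip)},
                    {"ip_version": str(ip.version)})

    for sw in m.get("software", []):
        if sam_installed:
            cmdb.upsert("cmdb_sam_sw_install",
                        {"installed_on": ci, "display_name": sw["name"], "version": sw["version"]}, {})
        else:
            pkg = cmdb.upsert("cmdb_ci_spkg", {"name": sw["name"], "version": sw["version"]}, {})
            cmdb.upsert("cmdb_software_instance", {"installed_on": ci, "software": pkg}, {})
    return ci


def run_import(machines: list[dict[str, Any]], sam_installed: bool, cmdb: Cmdb | None = None) -> Cmdb:
    """Process one pull; pass the same Cmdb again to simulate a periodic rerun."""
    if cmdb is None:
        cmdb = Cmdb()
    for m in machines:
        import_machine(cmdb, m, sam_installed)
    return cmdb


if __name__ == "__main__":
    db = run_import(DEFENDER_MACHINES, sam_installed=True)
    run_import(DEFENDER_MACHINES, sam_installed=True, cmdb=db)  # second pull: no duplicates
    for table, rows in sorted(db.tables.items()):
        print(f"{table}: {len(rows)} row(s)")
```

Running the block twice against the same `Cmdb` leaves the row counts unchanged, which is the property a periodic pull needs; the invalid `not-an-ip` entry is dropped without affecting the adapter or machine records, and switching `sam_installed` moves the software rows between the SAM and non-SAM tables exactly as the target-table list above describes.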