Microsoft Defender for Cloud Integration for Security Operations

  • Release version: Zurich
  • Updated July 31, 2025

    The Microsoft Defender for Cloud Integration product is an infrastructure security management system that enhances the security posture of your cloud environments.

Microsoft Defender for Cloud Integration for Security Operations integrates with the Configuration Compliance application: it maps the tests imported from Defender for Cloud to configuration items (CIs) and records the outcome of each assessment as a test result. It continuously discovers new cloud resources deployed across your workloads and determines whether they are configured according to security standards such as the Center for Internet Security (CIS) benchmarks.

    Starting with version 2.2, Microsoft Azure Security Center is renamed to Microsoft Defender for Cloud Integration for Security Operations.

    Multiple deployments of the Microsoft Defender for Cloud Platform

If you have multiple deployments of the Microsoft Defender for Cloud Platform application, add one integration record for each deployment. Resources that are reported by more than one deployment are consolidated and reconciled with your Configuration Management Database (CMDB), so a single resource does not become several CIs. This consolidation takes place even when the scan processes of the different deployments overlap.

    ServiceNow Microsoft Defender for Cloud Integrations

The Microsoft Defender for Cloud Integration for Security Operations enriches the compliance data on your instance by retrieving data from Microsoft Defender for Cloud. A series of scheduled jobs invokes the integrations automatically; you can also run these scheduled jobs manually when you need an immediate refresh. Keeping the instance synchronized with Microsoft Defender for Cloud in this way simplifies the test-result remediation life cycle, because closed findings are reflected on the instance without manual re-import.

Each integration record has a configured run-as user. The default value is VR.System, and this value must remain unchanged.
Note:
If the run-as user is missing or is not a valid user, every run of the integration creates a new data-retrieval attachment on the data source record instead of reusing the existing one. The number of attachments therefore grows with each run, which lengthens processing time and produces inconsistent transform results. If you notice attachments accumulating on a data source record, check the run-as user on the corresponding integration record first.
Microsoft Defender for Cloud Platform integration tasks involve the following roles:
• sn_vul_msft_tvm.configure_integration: Read, write, and delete integration records.
• sn_vul_msft_tvm.read_integration: Read integration records only.

    Viewing the Microsoft Defender for Cloud Integrations

    View the integrations by navigating to All > Microsoft Defender for Cloud Integration > Integrations.

    The following integrations are included in the base system.

• Policy Definition Integration: Retrieves policies and creates policy entries in your instance.
• Assessment Metadata Integration: Retrieves assessment metadata and creates tests in your instance.
• Compliance Standards & Controls Integration: Retrieves standards and controls and creates the authorization source and citations. It then links them to the tests created.
• Assessment Integration: Retrieves assessments and processes them in your instance. The output of this integration is test results.
• Container Image Vulnerabilities Integration: Retrieves vulnerabilities of container images and creates container vulnerable items in your instance.

    Create CIs using the Identification and Reconciliation Engine

Use the Identification and Reconciliation Engine (IRE) to create CIs when a host imported from a third-party scanner cannot be matched to an existing CI.

If no matching CI is found in the CMDB, a new CI is created in the cmdb_ci_cmp_resource class. When a later discovery finds the same host, it either enriches that CI with the additional attributes it collects or, if its identification data does not match, creates another CI.
    Note:
    Automatic reconciliation does not happen for cloud resources.
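The following is an added example, not code from ServiceNow or from the Microsoft Defender for Cloud integration. It assembles the JSON payload that the IRE consumes through sn_cmdb.IdentificationEngine.createOrUpdateCI(source, payload) for hosts coming from a third-party scanner, targeting the cmdb_ci_cmp_resource class named above, and rejects records that carry no identifying data before they reach the engine. The scanner export fields, the discovery source label, the sample hosts and the choice of object_id as identifying attribute are assumptions for illustration; the submit step only calls the IRE when that API exists, so the block also runs offline under Node.

```javascript
'use strict';

// Example code (not ServiceNow's): build and validate an IRE payload for scanner hosts.
const TARGET_CLASS = 'cmdb_ci_cmp_resource';  // class the page says unmatched hosts land in
const DISCOVERY_SOURCE = 'Example Scanner';   // assumed discovery-source label

// Constructed sample input: the shape a scanner export might take (field names assumed).
const SAMPLE_HOSTS = [
  { hostname: 'web-01', ip: '10.20.0.11', objectId: 'scanner-asset-1001' },
  { hostname: 'db-01',  ip: '10.20.0.25', objectId: 'scanner-asset-1002' },
  { hostname: '',       ip: '10.20.0.30', objectId: '' },   // nothing to identify on
];

// Records with no identifying attributes either fail identification or create a CI
// that no later discovery can match, which is exactly the duplicate-CI problem
// reconciliation is meant to prevent. Return the list of problems, empty if clean.
function validateHost(host) {
  const problems = [];
  if (!host.hostname) problems.push('missing hostname');
  if (!host.objectId) problems.push('missing objectId');
  if (host.ip && !/^(\d{1,3}\.){3}\d{1,3}$/.test(host.ip)) problems.push('malformed ip');
  return problems;
}

// One IRE item per host. "values" keys are CMDB column names; object_id is assumed
// to be the identifying attribute of the identification rule for this class.
function hostToItem(host) {
  return {
    className: TARGET_CLASS,
    values: {
      name: host.hostname,
      ip_address: host.ip,
      object_id: host.objectId,
    },
  };
}

// Partition the export into an IRE payload and a list of rejected records.
function buildIrePayload(hosts) {
  const items = [];
  const rejected = [];
  for (const host of hosts) {
    const problems = validateHost(host);
    if (problems.length > 0) rejected.push({ host, problems });
    else items.push(hostToItem(host));
  }
  return { payload: { items, relations: [] }, rejected };
}

// Inside a ServiceNow server-side script sn_cmdb is defined and the engine returns a
// JSON string with one entry per item (operation such as INSERT or UPDATE, plus sysId).
// Outside the platform (e.g. Node) there is nothing to call, so return null.
function submitToIre(payload, source = DISCOVERY_SOURCE) {
  if (typeof sn_cmdb === 'undefined') return null;
  const raw = sn_cmdb.IdentificationEngine.createOrUpdateCI(source, JSON.stringify(payload));
  return JSON.parse(raw);
}

const result = buildIrePayload(SAMPLE_HOSTS);
console.log(JSON.stringify(result.payload, null, 2));
console.log('rejected records:', result.rejected.length);
submitToIre(result.payload);
```

Run it as a background script on the instance to actually create or update the CIs; run it under Node to inspect the payload and the rejected records first. Because the page states that automatic reconciliation does not happen for cloud resources, review what the engine reports for each item rather than assuming every submitted host was merged into an existing CI.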