The Microsoft Defender for Cloud Integration product is an infrastructure security management system that enhances the security posture of your cloud environments.

Microsoft Defender for Cloud Integration for Security Operations integrates with the Configuration Compliance application to map tests to configuration items (CIs) and create test results. It continuously discovers new cloud resources deployed across workloads and determines whether they are configured according to security standards such as those published by the Center for Internet Security (CIS).

Starting with version 2.2, the Microsoft Azure Security Center integration is renamed Microsoft Defender for Cloud Integration for Security Operations.

Available versions

Multiple deployments of the Microsoft Defender for Cloud Platform

If you have multiple deployments of the Microsoft Defender for Cloud Platform application, you can add an integration for each deployment. Resources that are identified by multiple third-party deployments are consolidated and reconciled with your Configuration Management Database (CMDB). This consolidation takes place even when scan processes overlap between the multiple deployments.

ServiceNow Microsoft Defender for Cloud Integrations

The Microsoft Defender for Cloud Integration for Security Operations enriches the compliance data on your instance by retrieving data from Microsoft Defender for Cloud. A series of scheduled jobs invokes the integrations automatically. You can also run these scheduled jobs manually. Scheduled jobs simplify the test results remediation life cycle by keeping the instance synchronized with Microsoft Defender for Cloud.

Each integration record has a configured run-as user, with the default value VR.System. This value must not be changed.
Note: If a valid run-as user is not set, duplicate or multiple data retrieval attachments are created for the data source records, and the number of attachments grows each time the integration runs. This increases processing time and results in inconsistent transform results.
Microsoft Defender for Cloud Platform integration tasks involve the following roles.
  • sn_vul_asc.configure_integration: Ability to read, write, and delete records.
  • sn_vul_asc.read_integration: Ability to read records.

Viewing the Microsoft Defender for Cloud Integrations

View the integrations by navigating to All > Microsoft Defender for Cloud Integration > Integrations.

The following integrations are included in the base system.

Create CIs using the Identification and Reconciliation Engine

Use the Identification and Reconciliation Engine (IRE) to create CIs when an existing CI cannot be matched with a host imported from a third-party scanner.

If no matching CI is found in the CMDB, a new CI is created in the cmdb_ci_cmp_resource class. Later, when a discovery finds the same resource, it either enriches that CI or creates another one.
Note: Automatic reconciliation does not happen for cloud resources.