Note:
This app version is intended for Unified Security Exposure Management (USEM), a significant architectural upgrade to the Vulnerability Response applications.
If you are currently using Vulnerability Response and upgrading to USEM for the first time, you must use the Migration assistant for Unified Security Exposure Management to ensure a safe and successful upgrade. For full details, refer to KB2556844 and the documentation before proceeding.
If you do not intend to upgrade to USEM, please select a version below 30.x when installing or upgrading.
The Microsoft Defender Integration for Security Exposure Management lets you configure and manage Microsoft security data imports in your ServiceNow instance from the following sources:
- Microsoft Threat and Vulnerability Management (MS TVM) for endpoint vulnerability and asset data.
- Microsoft Defender for Cloud for cloud misconfiguration findings, compliance assessment data, and container image vulnerabilities.
Together, these integrations give you a consolidated view of your Microsoft security posture and enable remediation workflows directly from ServiceNow. The application works with Vulnerability Response and Configuration Compliance.
This application replaces the standalone Microsoft Defender for Cloud Integration for Security Operations application. If you are upgrading from the standalone application, see Migrate from Microsoft Defender for Cloud Integration.
The Microsoft Defender Integration for Security Exposure Management application includes the following key integrations:
- Microsoft TVM Machines Integration: Import the collection of assets that communicate with MS TVM. Asset records serve as the foundation for linking vulnerability findings imported by subsequent integrations.
- Microsoft TVM Vulnerability Integration: Import endpoint vulnerability findings via the MS TVM Machines Vulnerabilities Integration. Supports both full and delta imports. Findings are mapped to Vulnerable Items (VITs) and Detections within the Vulnerability Response application to support triage, prioritization, and remediation workflows.
- Microsoft TVM Recommendations Integration: Import actionable security recommendations from MS TVM to help identify and prioritize remediation actions across your endpoint environment.
- Microsoft TVM Vulnerability (CVE) Integration: Import vulnerability and exploit information for CVEs from MS TVM, with support for Common Vulnerability Data (CVD) API enrichment and source-specific field prioritization.
- Microsoft Defender for Cloud Configuration Compliance Integration: Import cloud security posture and misconfiguration findings from Microsoft Defender for Cloud. Findings are mapped to Tests and Test Results in the Configuration Compliance application to help you enforce security policies and track compliance across your cloud environment.
- Microsoft Defender for Cloud Container Vulnerability Integration: Import container image vulnerability findings from Microsoft Defender for Cloud. Findings are mapped to Container Vulnerable Items (CVITs) to support container-specific triage, risk prioritization, and remediation workflows.
New:
Uptake of Common Vulnerability Data (CVD) APIs in the Microsoft Defender TVM integration for CVE creation and enrichment, with source-specific field priority support.
Changed:
Authentication endpoint for the Microsoft Defender Integration is now configurable, replacing the previously hardcoded non-regulated Azure endpoint. This enables regulated market customers, including GCC (Government Community Cloud), to authenticate using the correct endpoint for their environment.
Fixed:
Microsoft Defender integration authentication failing for GCC customers due to the REST message being hardcoded to the non-regulated Azure endpoint (login.microsoftonline.com), resulting in "Confidential client is not supported in cross cloud request" errors.
The following app for Vulnerability Response must be installed and activated:
- Vulnerability Response
Permissions and roles:
- Roles required: sn_vul_msft_tvm.configure_integration and administrator for the MS TVM Vulnerability Integration application.