Note:
This app version is intended for Unified Security Exposure Management (USEM), a significant architectural upgrade to the Vulnerability Response applications.
If you are currently using Vulnerability Response and upgrading to USEM for the first time, you must use the Migration assistant for Unified Security Exposure Management to ensure a safe and successful upgrade. For full details, refer to KB2556844 and the documentation before proceeding.
If you do not intend to upgrade to USEM, please select a version below 30.x when installing or upgrading.
The Microsoft Defender Integration for Security Exposure Management lets you configure and manage imports of Microsoft security data into your ServiceNow instance from the following sources:
- Microsoft Threat and Vulnerability Management (MS TVM) for endpoint vulnerability and asset data.
- Microsoft Defender for Cloud for cloud misconfiguration findings, compliance assessment data, and container image vulnerabilities.
Together, these integrations give you a consolidated view of your Microsoft security posture and enable remediation workflows directly from ServiceNow. The application works with Vulnerability Response and Configuration Compliance.
This application replaces the standalone Microsoft Defender for Cloud Integration for Security Operations application. If you are upgrading from the standalone application, see Migrate from Microsoft Defender for Cloud Integration.
The Microsoft Defender Integration for Security Exposure Management application includes the following key integrations:
- Microsoft TVM Machines Integration: Import the collection of assets that communicate with MS TVM. Asset records serve as the foundation for linking vulnerability findings imported by subsequent integrations.
- Microsoft TVM Vulnerability Integration: Import endpoint vulnerability findings via the MS TVM Machines Vulnerabilities Integration. Supports both full and delta imports. Findings are mapped to Vulnerable Items (VITs) and Detections within the Vulnerability Response application to support triage, prioritization, and remediation workflows.
- Microsoft TVM Recommendations Integration: Import actionable security recommendations from MS TVM to help identify and prioritize remediation actions across your endpoint environment.
- Microsoft TVM Vulnerability (CVE) Integration: Import vulnerability and exploit information for CVEs from MS TVM, with support for Common Vulnerability Data (CVD) API enrichment and source-specific field prioritization.
- Microsoft Defender for Cloud Configuration Compliance Integration: Import cloud security posture and misconfiguration findings from Microsoft Defender for Cloud. Findings are mapped to Tests and Test Results in the Configuration Compliance application to help you enforce security policies and track compliance across your cloud environment.
- Microsoft Defender for Cloud Container Vulnerability Integration: Import container image vulnerability findings from Microsoft Defender for Cloud. Findings are mapped to Container Vulnerable Items (CVITs) to support container-specific triage, risk prioritization, and remediation workflows.
Changed:
- Migrated query access control list (ACL) definitions to the standard product codebase in Vulnerability Intelligence, improving long-term maintainability and ensuring consistent access control enforcement.
- Enforced read-only field security restrictions across multiple tables to meet platform security directive requirements and comply with updated security standards.
New:
- Added support for certificate-based authentication in the Microsoft Threat and Vulnerability Management (TVM) integration.
The following app for Vulnerability Response must be installed and activated:
- Vulnerability Response
Permissions and roles:
- Roles required: sn_vul_msft_tvm.configure_integration and administrator for the MS TVM Vulnerability Integration application.