Create a ticket in Defender for Cloud

The integration between Defender for Cloud and ServiceNow allows Defender for Cloud customers to create tickets in Defender for Cloud that connects to a ServiceNow account. ServiceNow tickets are linked to recommendations directly from Defender for Cloud, allowing the two platforms to facilitate efficient incident management.

Prerequisites

• Have an application registry in ServiceNow.

• Enable Defender Cloud Security Posture Management (CSPM) on your Azure subscription.

• The following roles are required:

  • To create an assignment: Admin permissions to ServiceNow.

Create a new ticket based on a recommendation to ServiceNow

Security admins can create and assign tickets directly from the Defender for Cloud portal.

1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Recommendations.

3. Select any recommendation with unhealthy resources that you want to create a ServiceNow ticket for and assign an owner to.

4. Select the resource from the unhealthy resources and select Assign owner.

   

5. In the Type field, select ServiceNow

   

6. Select the integration instance.

7. Select the ticket type.

   Note

   In ServiceNow, there are several types of tickets that can be used to manage and track different types of incidents, requests, and tasks. Only incident, change request, and problem are supported with this integration.

   

8. Expand the assignment details section.

9. Complete the following fields:

   • Assigned to: Choose the owner whom you would like to assign the affected recommendation to.

   • Caller: Represents the user defining the assignment.

   • Description and Short Description: Enter a description, and short description.

   • Remediation timeframe: Select the remediation timeframe.

   • Apply Grace Period: (Optional) apply a grace period.

   • Set Email Notifications: (Optional) You can send a reminder to the owners or the owner’s direct manager.

     

10. Select Create.

After the assignment is created, the Ticket ID assigned to this affected resource will appear next to the resource in the recommendation. The Ticket ID represents the ticket created in the ServiceNow portal. You can select the Ticket ID to navigate to the newly created incident in the ServiceNow portal.

Note

When the integration is deleted, all of the assignments will be deleted. Deletion can take up to 24 hrs.

Next step

Assign an owner to a recommendation or severity level