Connect ServiceNow to Microsoft Defender for Cloud Apps

Note

Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender and can be accessed through its portal at: https://security.microsoft.com. Microsoft 365 Defender correlates signals from the Microsoft Defender suite across endpoints, identities, email, and SaaS apps to provide incident-level detection, investigation, and powerful response capabilities. It improves your operational efficiency with better prioritization and shorter response times which protect your organization more effectively. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.

This article provides instructions for connecting Microsoft Defender for Cloud Apps to your existing ServiceNow account using the app connector API. This connection gives you visibility into and control over ServiceNow use. For information about how Defender for Cloud Apps protects ServiceNow, see Protect ServiceNow.

Note

We recommend deploying ServiceNow using OAuth app tokens, available for Fuji and later releases (see the relevant ServiceNow documentation. For earlier releases, a legacy connection mode is available based on user/password. The username/password provided are only used for API token generation and are not saved after the initial connection process.

Note

Defender for Cloud Apps supports the following ServiceNow versions: Eureka, Fiji, Geneva, Helsinki, Istanbul, Jakarta, Kingston, London, Madrid, New York, Orlando, Paris, Quebec, Rome, San Diego, and Tokyo. In order to connect ServiceNow with Defender for Cloud Apps, you must have the role Admin and make sure the ServiceNow instance supports API access. For more information, see the ServiceNow product documentation.

How to connect ServiceNow to Defender for Cloud Apps using OAuth

1. Sign in with an Admin account to your ServiceNow account.

   Note

   The username/password provided are only used for API token generation and are not saved after the initial connection process.

2. In the Filter navigator search bar, type OAuth and select Application Registry.

3. In the Application Registries menu bar, select New to create a new OAuth profile.

   

4. Under What kind of OAuth application?, select Create an OAuth API endpoint for external clients.

   

5. Under Application Registries New record fill in the following fields:

   • Name field, name the new OAuth profile, for example, CloudAppSecurity.

   • The Client ID is generated automatically. Copy this ID, you need to paste it into Defender for Cloud Apps to complete connection.

   • In the Client Secret field, enter a string. If left empty, a random Secret is generated automatically. Copy and save it for later.

   • Increase the Access Token Lifespan to at least 3,600.

   • Select Submit.

   

6. In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors.

7. In the App connectors page, select +Connect an app, and then ServiceNow.

   

8. In the next window, give the connection a name and select Next.

9. In the Enter details page, select Connect using OAuth token (recommended). Select Next.

10. In the Basic Details page, add your ServiceNow user ID, password, and instance URL in the appropriate boxes. Select Next.

    

    • To find your ServiceNow User ID, in the ServiceNow portal, go to Users and then locate your name in the table.

      

11. In the OAuth Details page, enter your Client ID and Client Secret. Select Next.

12. In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors. Make sure the status of the connected App Connector is Connected.

After connecting ServiceNow, you'll receive events for seven days prior to connection.

Legacy ServiceNow connection

To connect ServiceNow with Defender for Cloud Apps, you must have admin-level permissions and make sure the ServiceNow instance supports API access.

1. Sign in with an Admin account to your ServiceNow account.

2. Create a new service account for Defender for Cloud Apps and attach the Admin role to the newly created account.

3. Make sure the REST API plug-in is turned on.

   

4. In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors.

5. In the App connectors page, select +Connect an app, and then ServiceNow.

   

6. In the next window, give the connection a name and select Next.

7. In the Enter details page, select Connect using username and password only. Select Next.

8. In the Basic Details page, add your ServiceNow user ID, password, and instance URL in the appropriate boxes. Select Next.

   

9. Select Connect.

10. In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors. Make sure the status of the connected App Connector is Connected. After connecting ServiceNow, you'll receive events for seven days prior to connection.

If you have any problems connecting the app, see Troubleshooting App Connectors.

Next steps

Control cloud apps with policies

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.