Microsoft Defender for Cloud Connector
The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.
The following steps allow you to configure this connector for use with Tenable Exposure Management from start to finish.
Connector Details
Tenable Exposure Management ingests Microsoft Defender for Cloud assets and security recommendations (findings) through the Azure Resource Graph API.
| Details | Description |
|---|---|
|
Supported products |
|
|
Category |
Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP) |
| Ingested data | Assets and Findings |
|
Ingested Asset Classes |
Device Application Container Image Container Repository Code Repository Resource |
|
Integration type |
UNI directional (data is transferred from the connector to Tenable Exposure Management in one direction) |
|
Supported version and type |
SaaS (latest) |
Prerequisites and User Permissions
Before you begin configuring the connector, make sure to:
-
Assign the Required Azure Roles to a service principal.
-
Generate the Integration Credentials in Azure.
Assign the Required Azure Roles
The connector authenticates as a Microsoft Entra ID (Azure AD) service principal and reads data only. Assign the following read-only roles to the service principal:
-
Reader — Required to enumerate subscriptions, resource groups, and the resource inventory through Azure Resource Graph.
-
Security Reader — Required to read Microsoft Defender for Cloud security state (assessments and governance assignments) through Azure Resource Graph.
Assign both roles at the Subscription scope for each subscription you want to ingest, or once at the Management Group scope to cover all child subscriptions.
Generate the Integration Credentials
The connector requires three values from a Microsoft Entra ID app registration: the Tenant ID, the Client ID, and the Client Secret.
To generate the integration credentials:
-
In the Azure portal, go to Microsoft Entra ID > App registrations > New registration.
-
Type a descriptive name for the app (for example, tenable-dfc-connector), then register the app.
-
On the app's Overview page, copy the Application (client) ID and the Directory (tenant) ID to a safe location. You need these values to configure the connector.
-
Go to Certificates & secrets > Client secrets > New client secret, set an expiry, then copy the generated secret value to a safe location.
Note: Azure displays the client secret value only once. Copy it immediately. -
Assign the Reader and Security Reader roles to the service principal at the Subscription or Management Group scope, as described in Assign the Required Azure Roles.
Add a Connector
To add a new connector:
-
In the left navigation menu, click Connectors.
The Connectors page appears.
-
In the upper-right corner, click
Add new connector.
The Connector Library page appears.
-
In the search box, type the name of the connector.
-
On the tile for the connector, click Connect.
The connector configuration options appear.
Configure the Connector
To configure the connector:
-
(Optional) In the Connector's Name text box, type a descriptive name for the connector.
-
(Optional) To use a preconfigured on-prem connector to connect to this connector, from the Gateway drop-down, select the on-prem connector you want to use for the connector. Otherwise, select Don't use gateway.
Note: For information about configuring a gateway, see Tenable On-Prem Connector. -
(Required) In the Tenant ID text box, type the Directory (tenant) ID from your Azure app registration.
-
(Required) In the Client ID text box, type the Application (client) ID from your Azure app registration.
-
(Required) In the Client Secret text box, type the client secret value you generated in Azure.
-
Data pulling configuration: This configuration has dynamic settings tailored to the specific connector and integration type. Below are the configurations relevant to this connector.
-
For the Pull all Subscriptions checkbox (selected by default), keep it selected to ingest every subscription visible to the service principal. To limit the sync, clear the checkbox, then from the Subscriptions drop-down, select one or more subscriptions.
-
For the Pull all Resource Groups checkbox (selected by default), keep it selected to ingest every resource group. To limit the sync, clear the checkbox, then from the Resource Groups drop-down, select one or more resource groups.
-
For the Pull all Cloud Providers checkbox (selected by default), keep it selected to ingest every cloud-provider source present in the tenant (for example, Azure, AWS, and GCP). To limit the sync, clear the checkbox, then from the Cloud Providers drop-down, select one or more cloud providers.
-
(Required) For Risk Level Filter ("Severity levels to fetch for findings"), from the drop-down, select one or more severity levels (Critical, High, Medium, Low, or Not Evaluated) to control which findings the connector fetches. By default, all levels are selected.
-
In the Asset Retention text box, type the number of days after which you want assets to be removed from Tenable Exposure Management. If an asset has not been detected or updated within the specified number of days, it is automatically removed from the application, ensuring your asset inventory is current and relevant.
Tip: For more information, see Asset Retention.
-
-
In the Test connectivity section, click the Test Connectivity button to verify that Tenable Exposure Management can connect to your connector instance.
-
A successful connectivity test confirms that the platform can connect to the connector instance. It does not, however, guarantee that the synchronization process will succeed, as additional syncing or processing issues may arise.
-
If the connectivity test fails, an error message with details about the issue appears. Click Show tests for more information about the exact error.
-
-
In the Connector scheduling section, configure the time and day(s) on which you want connector syncs to occur.
Tip: For more information, see Connector Scheduling. -
Click Create. Tenable Exposure Management begins syncing the connector. The sync can take some time to complete.
-
To confirm the sync is complete, do the following:
-
Navigate to the Connectors page and monitor the connector's status. Sync is complete once the connector status is Connected.
-
View the sync logs for the connector to monitor the logs for a successful connection.
-
Microsoft Defender for Cloud in Tenable Exposure Management
Locate Connector Assets in Tenable Exposure Management
As the connector discovers assets, Tenable Exposure Management ingests those devices for reporting.
To view assets by connector:
-
In Tenable Exposure Management, navigate to the Assets page.
-
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view assets.
The asset list updates to show only assets from the selected connector.
-
Click on any asset to view Asset Details.
Locate Connector Findings in Tenable Exposure Management
As the connector discovers individual findings, Tenable Exposure Management ingests those findings for reporting.
To view findings by connector:
-
In Tenable Exposure Management, navigate to the Findings page.
-
In the Filters section, under 3rd Party Connectors, click the connector name for which you want to view findings.
The findings list updates to show only assets from the selected connector.
-
Click on any asset to view Finding Details.
Understanding Microsoft Defender for Cloud Data
Microsoft Defender for Cloud organizes assets and security data in its own structure. The following sections explain how Tenable Exposure Management interprets that data so you can understand the assets and findings the connector ingests.
Asset Classification
Tenable Exposure Management ingests a defined set of supported Microsoft Defender for Cloud resource types and routes each one to a Tenable asset class based on its resource type. Tenable Exposure Management does not ingest resource types that are outside this supported set. Supported resource types that do not match a more specific class are classified as Resource. The following table lists representative examples for each asset class.
|
Tenable Asset Class |
Example Microsoft Defender for Cloud Resource Types |
|---|---|
|
Device |
Virtual machines, virtual machine scale sets, Azure Arc machines, SQL virtual machines, AWS EC2 instances, and GCP compute instances |
|
Application |
Web, function, and logic apps, container apps, AWS Lambda functions, GCP App Engine, and API Management |
|
Container Image |
Container images, Kubernetes containers, and ECS containers |
|
Container Repository |
Container registries, AWS ECR repositories, and GCP Artifact Registry repositories |
|
Code Repository |
DevOps repositories, such as GitHub, Azure DevOps, and GitLab |
|
Resource (default) |
All other supported resource types, such as storage accounts, databases, networking objects, and key vaults |
Findings
Microsoft Defender for Cloud uses the following terms to describe its security data:
|
Term |
Description |
|---|---|
|
Policy |
A security standard that defines a required configuration, for example, "All SQL servers must use encryption." |
|
Assessment |
A check that evaluates whether a specific resource meets a policy. The assessment is the parent record that identifies a resource that fails a policy. |
|
Recommendation |
The user-facing form of an assessment. It describes what is wrong and how to fix it. |
|
Sub-assessment |
A granular detail within an assessment, for example, the individual CVEs found during a single virtual machine scan. |
|
Alert |
A real-time notification of an active threat, such as detected malware, rather than a misconfiguration. |
A policy triggers an assessment, which Microsoft Defender for Cloud displays as a recommendation. When an assessment is complex, such as a vulnerability scan, it can break down into multiple sub-assessments.
Tenable Exposure Management ingests data at the assessment (parent) level. Each assessment evaluated on a specific resource becomes one finding, and the assessment definition becomes a Tenable detection. Sub-assessments and alerts are not ingested as separate findings.
Tenable Exposure Management ingests two types of Microsoft Defender for Cloud assessments as findings:
|
Microsoft Defender for Cloud Assessment Type |
Tenable Exposure Management Finding Type |
Example |
|---|---|---|
|
Configuration recommendations (CSPM) |
Misconfiguration |
"Enable MFA for privileged accounts" |
|
Vulnerability assessments (CWPP) |
Vulnerability |
"CVE-2024-1234 on a virtual machine" |
Data Mapping
Exposure Management integrates with the connector via API to retrieve relevant weakness and asset data, which is then mapped into the Exposure Management system. The following tables outline how fields and their values are mapped from the connector to Exposure Management.
Asset Mapping
The connector maps a common set of fields for every asset class, plus fields that are specific to each class. The common fields are listed first, followed by the class-specific fields.
Common Fields (All Asset Classes)
| Tenable Exposure Management UI Field |
Microsoft Defender for Cloud Field |
|---|---|
| Cloud Resource ID |
cloud_native_id cloud_native_resource_id resourceId |
| Asset Name | resourceName |
| Cloud Provider | cloud_source_raw or environments |
| Cloud Account ID | subscriptionName |
| Cloud Resource Type | resourceType |
| Cloud Resource - Service | cloud_resource_provider |
| Cloud Region | cloud_region or cloud_location_outer |
| First Observation Date | discovery_first_observed_at |
| Last Observed At | discovery_last_observed_at |
| External Tags |
cloud_tags_azure cloud_tags_aws |
| Asset Custom Attributes |
dfc.source dfc.resource_provider dfc.native_cloud_id dfc.resource_url dfc.hierarchy_id dfc.connector_id azure.subscription_id azure.resource_group azure.tenant_id |
Device
| Tenable Exposure Management UI Field |
Microsoft Defender for Cloud Field |
|---|---|
| Operating System - Type |
azure_os_type_outer asset_os_name arc_os_sku |
| Operating System - Product Name |
asset_os_distribution arc_os_sku |
| Device Status |
azure_arc_status azure_provisioning_state |
| Hardware - Model |
azure_vm_size arc_cpu_model |
| Hardware - RAM (MB) | arc_total_memory_bytes |
| Asset Custom Attributes (additional) |
azure.vm_size azure.computer_name azure.arc_status azure.arc_agent_version |
Resource
| Tenable Exposure Management UI Field |
Microsoft Defender for Cloud Field |
|---|---|
| Resource - Category | resourceType |
| Resource - Taxonomy | resourceType |
| Asset Custom Attributes (additional) |
azure.public_network_access azure.cidr |
Application
| Tenable Exposure Management UI Field |
Microsoft Defender for Cloud Field |
|---|---|
| Application - Endpoint URL |
cloud_resource_url cloud_native_id resourceId |
| Networking - FQDNs | app_default_hostname |
Container Image
| Tenable Exposure Management UI Field |
Microsoft Defender for Cloud Field |
|---|---|
| Container Image |
resourceName cloud_native_id resourceId resourceType |
| Container Image - Repository URL | cloud_native_id |
Container Repository
| Tenable Exposure Management UI Field |
Microsoft Defender for Cloud Field |
|---|---|
| Container Repository - Type | IMAGES |
| Container Repository - URL |
acr_login_server cloud_resource_url cloud_native_id |
Code Repository
| Tenable Exposure Management UI Field |
Microsoft Defender for Cloud Field |
|---|---|
| Code Repository - URL |
cloud_resource_url cloud_native_id resourceId |
| Code Repository - Status | ACTIVE |
| Code Repository - Visibility | repo_visibility |
Finding Mapping
| Tenable Exposure Management UI Field |
Microsoft Defender for Cloud Field |
|---|---|
| Finding ID | assessmentId (detection key: assessmentKey) |
| Finding Name | displayName |
| Description | description |
| Solution | remediationDesc |
| Severity | severity |
| CVEs | cvesDetails |
| First Seen | firstEvalDate |
| Last Updated | statusChangeDate |
| Origin Finding URL | findingUrl |
| Finding Custom Attributes |
dfc.assessment_key dfc.severity dfc.risk_level dfc.risk_level_numeric dfc.attack_paths_count dfc.is_contextual_risk dfc.recommendation_category dfc.completion_status dfc.assessment_type dfc.maturity_level dfc.tactics dfc.techniques dfc.security_categories dfc.cloud_providers |
Finding Status Mapping
|
Tenable Exposure Management Status |
Microsoft Defender for Cloud Status |
|---|---|
|
Active |
OnTime Overdue Unassigned |
|
Fixed |
Completed Exempted |
Note: These values are the governance completion status in Microsoft Defender for Cloud. The connector ingests only assessments with a completion status of OnTime, Overdue, or Unassigned. When an assessment becomes Completed or Exempted, it is excluded from the sync and its finding ages out to Fixed in Tenable Exposure Management.
Finding Severity Mapping
|
Tenable Exposure Management Severity |
Microsoft Defender for Cloud Severity |
|---|---|
|
Critical |
Critical |
|
High |
High |
|
Medium |
Medium |
|
Low |
Low |
Note: For Microsoft Defender for Cloud, Tenable uses the severity field to determine finding severity. This is independent of the connector's Risk Level Filter, which uses a separate risk level value to decide which findings to fetch.
Status Update Mechanisms
Every day, Tenable Exposure Management syncs with the vendor's platform to receive updates on existing findings and assets and to retrieve new ones (if any were added).
The table below describes how the status update mechanism works in the connector for findings and assets ingested into Tenable Exposure Management.
|
Update Type in Exposure Management |
Mechanism (When?) |
|---|---|
|
Archiving Assets |
|
|
Change a Finding status from "Active" to "Fixed" |
|
Uniqueness Criteria
Tenable Exposure Management uses defined uniqueness criteria to determine whether an ingested asset or finding should be recognized as a distinct record. These criteria help define how assets and findings are identified and counted from each connector.
Tip: To learn more about data deduplication and uniqueness criteria, See Third-Party Data Deduplication in Tenable Exposure Management .
The uniqueness criteria for this connector are as follows:
|
Data |
Uniqueness Criteria |
|---|---|
|
Asset |
resourceId (the lowercased resource ID) |
|
Detection |
assessmentKey (the assessment definition GUID) |
|
Finding |
An assessment paired with an asset (assessmentId linked to the asset resourceId) |
Support and Expected Behavior
Support Limitations and Expected Behavior
This section outlines any irregularities, expected behaviors, or limitations related to integration of the connector and Exposure Management. It also highlights details about ingested and non-ingested data to clarify data handling and functionality within this integration.
No parent/child hierarchy
Microsoft Defender for Cloud assessments are ingested at the assessment (parent) level. The connector does not expand sub-assessments into separate findings. Microsoft is migrating cloud workload protection (CWPP) data toward a unified per-CVE assessment model, so individual CVEs increasingly appear as their own assessments.
Full sync only
The connector does not support incremental (delta) syncs. Each sync re-reads the entire in-scope inventory and the full set of in-scope assessments from Azure Resource Graph.
Findings governance filter
The connector ingests only assessments whose completion status is OnTime, Overdue, or Unassigned. Assessments with a status of Completed or Exempted are not ingested.
Data not ingested
The following data is out of scope for this connector and is not ingested into Tenable Exposure Management:
-
Regulatory compliance controls
-
Network recommendations
-
Identity and access recommendations
-
Microsoft Sentinel, Web Application Firewall (WAF), and DDoS security resources
-
Raw DevOps pipelines
-
Standalone networking and identity and access management (IAM) governance objects
API Endpoints in Use
API version: 2024-04-01
|
API |
Use in Tenable Exposure Management |
Permissions required |
|---|---|---|
|
|
Authenticates the connector as a service principal and obtains an OAuth bearer token used by all later requests. |
Valid Client ID and Client Secret |
|
|
Retrieves subscriptions, resource groups, cloud-provider sources, the asset inventory, and security recommendations (findings) through Azure Resource Graph. |
Reader Security Reader |
Data Validation
This section shows how to validate and compare data between Tenable Exposure Management and the Microsoft Defender for Cloud platform.
Asset Data Validation
Objective: Ensure the number of assets in Microsoft Defender for Cloud aligns with the number of assets displayed in Tenable Exposure Management.
In Microsoft Defender for Cloud:
-
Go to Microsoft Defender for Cloud > Overview.
-
In the left menu, click Inventory.
-
Apply filters that match your connector's data-pulling configuration. For example, if you ingest a specific subscription, select it in the Subscription filter. Repeat for each option you configured.
-
Click Open query.
-
Run the query, then click Download as CSV to export the report.
-
In the exported CSV, keep only the rows whose resource type is one of the connector's supported resource types, then note the number of remaining rows. These rows represent the assets ingested into Tenable Exposure Management.
Tip: The connector ingests only supported resource types. To learn which resource types map to each asset class, see Asset Classification.
In Tenable Exposure Management:
-
Compare the total number of assets between Microsoft Defender for Cloud and Tenable Exposure Management.
Expected outcome: The asset counts in Microsoft Defender for Cloud and Tenable Exposure Management should approximately match.
If an asset is not visible in Tenable Exposure Management, check the following conditions:
-
The asset's resource type is not one of the connector's supported resource types.
-
The asset belongs to a subscription, resource group, or cloud provider that you excluded in the data-pulling configuration.
-
The asset was archived because it did not return in the connector's last sync.
Tip: To learn more on how assets are archived and findings change status, see Status Update Mechanisms.
Finding Data Validation
You cannot export findings (recommendations) in bulk for a direct total count. Instead, use a per-asset spot check: select an asset you confirmed during asset validation, then compare its recommendation count in Microsoft Defender for Cloud with its finding count in Tenable Exposure Management.
Objective: Ensure the recommendations on an asset in Microsoft Defender for Cloud align with the findings on that asset in Tenable Exposure Management.
In Microsoft Defender for Cloud:
-
Go to Microsoft Defender for Cloud > Recommendations.
-
Switch the view from By Recommendation to By Resource.
-
Select an asset that you confirmed as ingested during asset validation.
-
Note the total number of recommendations listed for that resource.
In Tenable Exposure Management:
-
Locate your connector findings, then filter to the same asset.
-
Compare the recommendation count in Microsoft Defender for Cloud with the finding count in Tenable Exposure Management.
Expected outcome: The counts should approximately match. A difference of 10–20% is generally acceptable. If the difference is larger, repeat the check with a second asset to confirm whether the gap is systematic or isolated.
A count difference can occur for the following reasons:
-
Timing differences: Microsoft Defender for Cloud evaluates recommendations continuously. New or resolved recommendations might not yet appear in Tenable Exposure Management if the connector last synced hours ago.
-
Recommendation coverage: Not all recommendation types map to Tenable Exposure Management findings. Some informational or preview recommendations are excluded.
-
Severity filtering: The Risk Level Filter you set during configuration can omit lower-severity recommendations.
-
Deduplication: Tenable Exposure Management can deduplicate findings that Microsoft Defender for Cloud reports as separate recommendations.



