Microsoft Defender for Cloud (CNAPP)

The Microsoft Defender for Cloud API Connector bridges your cloud security platform with Qualys ETM to automatically synchronize asset inventory and security findings through scheduled API calls.

By centralizing misconfiguration data from Microsoft's cloud security service, the connector deduplicates redundant entries, normalizes data formats, enriches findings with additional context, and calculates risk scores using TruRisk, eliminating manual data aggregation and enabling faster remediation decisions.

Security teams gain unified visibility into cloud infrastructure vulnerabilities alongside other organizational findings, transforming disconnected security alerts into actionable intelligence for risk-driven prioritization across hybrid environments.

Connector Details

Here is a comprehensive overview of what the Microsoft Defender Connector supports.

Vendor

Microsoft

Product Name

Defender for Cloud

Category

Cloud Security

Findings Supported

Yes

Assets Supported

Cloud Resources
(check the Asset Data Scope below for full details)

Version

1.0.0

Supported Version & Type

SaaS (Latest)

Integration Type

API Integration (REST)

Direction

Unidirectional

Delta Support

Not Supported

Import of Installed Software

Not Supported

Import of Source Tags

Not Supported

Filters/Filter Query

Not Supported

Asset Data Scope

Complete list of cloud resources fetched with the Defender for Cloud connector.

Azure Vulnerabilities

  • Compute and its vulnerability findings
  • Serverless Function (asset only)
  • Container Image and its vulnerability findings
  • Container Instance (asset only)

Azure Misconfigurations (misconfigurations from MS Defender for the following assets)

  • Azure Container Instance
  • Azure Compute VM
  • Azure Serverless (Functions)
Cloud Platform for Findings Support

Compute
  Resource Type: EC2 Instance (AWS), Azure Virtual Machine (Azure), Compute Engine VM (GCP), OCI Compute Instance (OCI)
  Supported finding types: Inventory, Vulnerabilities, Misconfigurations

Serverless
  Resource Type: AWS Lambda Function (AWS), Azure Function App (Azure), GCP Cloud Functions (GCP), OCI Functions (OCI)
  Supported finding types: Inventory, Misconfigurations
  Vulnerabilities: NA

Container Image
  Resource Type: Amazon ECR Container Image (AWS), Azure Container Registry ACR Image (Azure), Google Artifact Registry Container Image (GCP), OCI Container Registry OCIR Image (OCI)
  Supported finding types: Inventory, Vulnerabilities
  Misconfigurations: NA

Container Instance
  Resource Type: Amazon ECS Task / AWS Fargate Container (AWS), Azure Container Instance ACI (Azure), GKE Pod / Cloud Run Container (GCP), OCI Container Instances (OCI)
  Supported finding types: Inventory, Misconfigurations
  Vulnerabilities: NA

Prerequisites

These are the configurations you need in place to successfully create an MDC connection for Qualys ETM.

User Roles and Permissions

You need the following MDC API Access information to configure the connection:

  • Subscription
  • Tenant ID
  • Client ID 
  • Client Secret

For quick reference on how to obtain the required values, follow the steps below.

Authentication URL

Use the value https://login.microsoftonline.com/ for the authentication URL.

Client ID and Tenant ID

  1. Log on to your Microsoft Azure console and click Azure Active Directory in the left navigation pane.
  2. Navigate to App registrations > New Registration from your Azure portal to register an application.
  3. Provide a name for the application and select the required supported account types.
  4. You can also provide a Redirect URI. This step is optional; you can leave it blank and proceed if it does not apply.
  5. Click Register once you have provided these inputs. The newly created application is displayed with its properties.
  6. Go to Overview > Essentials to view your Client (Application) ID and Tenant (Directory) ID. Store these values securely for later use.
  7. Click Add a certificate or secret to create the Client Secret.

Client Secrets

  1. Click New client secret to create a new client secret for this connection.
  2. Provide a value of your choice in the Description field. You can set the Expires field to its recommended setting. Click Add.
  3. Once the secret is created, copy the Value of your Client Secret and store it securely for later use.

Required Permissions

Steps to add the required permissions.

  1. API Permissions: After application registration, navigate to the API Permissions section of your app.
  2. Add a permission:
    • Click on Add a permission.
    • Select Microsoft Graph.
  3. Select permissions:
    • Delegated permissions: Choose permissions if the app needs to access the API as the signed-in user.
    • Application permissions: Choose permissions if the app needs to access the API as a background service or daemon without a signed-in user.
  4. Grant admin consent: If necessary, click on Grant admin consent for [Your Organization] to grant the permissions to all users in the organization.

The minimum permission required is the Reader role (or higher).

Assign Reader and Security Reader Roles

Navigate to Subscriptions

  1. Log in to the Azure portal at portal.azure.com.
  2. In the Azure Portal search bar at the top, type Subscriptions and click on it.
  3. Select your target subscription from the list.

Open Access Control (IAM)

  1. In the left sidebar, click Access control (IAM).
  2. Click + Add and select Add role assignment from the dropdown.

Select the Reader Role

  1. Under the Role tab, search for Reader in the search box.
  2. Select Reader from the results.
  3. Click Next.

Assign to your App Registration

  1. Under Assign access to, select User, group, or service principal.
  2. Click + Select members.
  3. Search for the name of the App Registration you created earlier (this is the same application name used in the connector configuration).
  4. Select it from the results and click Select.
  5. Click Next, review the assignment, and click Review + assign to confirm.
  6. Repeat the steps from Open Access Control (IAM) onward to assign the Security Reader role to the same App Registration, choosing Security Reader instead of Reader when selecting the role.

Connector Configuration

Let's create our first MDC connection. Follow the steps below to get started.

Create a New API Connector

Basic Details

  1. Provide the Connector's Name and Description.
  2. Select the type of findings you want to import or export - currently, we support Misconfiguration.
  3. Select the Asset Type - currently we support Host Asset.
    The following screenshot displays the Basic Details fields.
  4. Next, provide the API authentication details of the MDC environment. You need to provide the following:

    1. Subscription
    2. Tenant ID
    3. Client ID
    4. Client Secret

These values can be obtained by following the steps laid out in the User Roles and Permissions section.

Data Model

The MDC API Connector offers an out-of-box data model mapping for you to map to the Qualys ETM schema. You can view the schema to understand the attributes in the data model.

Transform Maps

Map the fields from Defender to the corresponding fields in your target system. Transform Maps ensure the data is transformed correctly during the import or export process.

The MDC Connector offers an out-of-box transform map for you to proceed without further configuration. View the map to understand the data transformation or clone the map to edit its configurations.

Click Create New for a new Transform Map.

Perform the following steps to configure a Transform Model:

  1. Transform Map Name: Enter a unique name for the Transform Map. This name helps identify the specific transformation configuration within this connector.
  2. Source Data Model: Select the data model that serves as the input for the transformation. This is the model from which data will be extracted.
  3. Target Data Model: Choose the data model that receives the transformed data. This model defines how the data will be structured after the transformation. 

To learn more about the data mapping from MDC to Qualys ETM, refer to Data Model Mapping.

Fields Mapping

The Fields Mapping section maps fields from the Source Data Model to the Target Data Model.

  1. Source Field: Specify the field in the Source Data Model that contains the data to be transformed.
  2. Data Type: Indicate the data type of the Source Field (e.g., string, integer, date).
  3. Target Field: Designate the corresponding field where the transformed data will be placed in the Target Data Model.

Click Add to create and display the mapping for the Source Field, Data Type, and Target Field below the section. This visual helps ensure that all necessary fields are mapped correctly and allows easy verification and adjustments.

Profile

Create a profile for your connector. A profile determines the connector status, the execution schedule, and the transform map to use. The connector follows the configuration of this profile for all future executions.

Click the "+" to create a new profile.

In the Add Profile screen, provide the necessary inputs for your new profile.

Provide a Name and Description.

Select the required Transform Map for the data mapping.

The Detection Data Types determine which findings are selected for the profile. The Asset Types determine the resource types whose findings should be ingested by Qualys ETM.

The Status field determines whether the connector should be in Active or Inactive state after creation. 

Lastly, the Schedule section lets you create either a Single Occurrence schedule or a Recurring schedule. Provide the exact date and time for the Single Occurrence execution, or the Start and End date/time for the Recurring schedule.

Scoring

The Scoring screen lets you map non-CVE vulnerability scores from your vendors to the Qualys Detection Score (QDS) system.

Score mapping screen.

You have two columns with 5 input fields in each of them. These fields correspond to a specific severity starting from the least severe (1), to the most severe (5).

Fill out all 5 rows to create a comprehensive score mapping. This allows for translation between various vendor scoring systems and Qualys' Detection Score.

The specifics of the mapping are explained below.

Expected Source Values - Enter the vendor's original score or rating for non-CVE vulnerabilities. These can be alphanumeric values (e.g., "High", "Critical", "A", "3").

Severity - This column is pre-populated with severity levels from 1-5. These represent the severity levels in Qualys. The Source Value must be mapped such that it utilizes these 5 severity levels.

QDS - Enter the corresponding Qualys Detection Score. Use values from 0-100, where higher numbers indicate higher severity.

Default Severity

Below the scoring map, find the 'Default Severity' dropdown menu.

Select a default severity level from 1-5. This level is applied when a vendor's score for a non-CVE vulnerability does not match any 'Expected Source Value' in your mapping table.
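
The following is an added example (not Qualys code) of the score mapping this screen describes: five Expected Source Values map to severities 1 to 5 with a QDS each, and any value that matches no row falls back to the Default Severity. Two details are assumptions, not stated on the page: source values are compared case-insensitively after trimming whitespace, and an unmatched value takes the QDS of the default severity's row. The example rows are illustrative values, not a Qualys default.

```python
"""Score mapping for non-CVE findings: Expected Source Value -> (severity, QDS),
with a Default Severity fallback.  Added example, not the connector's own code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ScoreRow:
    source_value: str   # Expected Source Value, e.g. "High"
    severity: int       # 1 (least severe) .. 5 (most severe)
    qds: int            # Qualys Detection Score, 0..100


class ScoreMap:
    def __init__(self, rows: Iterable[ScoreRow], default_severity: int):
        rows = list(rows)
        # The screen has exactly five rows, one per severity level.
        if sorted(r.severity for r in rows) != [1, 2, 3, 4, 5]:
            raise ValueError("exactly one row per severity 1..5 is required")
        for r in rows:
            if not 0 <= r.qds <= 100:
                raise ValueError(f"QDS out of range for severity {r.severity}: {r.qds}")
        if not 1 <= default_severity <= 5:
            raise ValueError("Default Severity must be 1..5")
        self._by_value: Dict[str, ScoreRow] = {}
        for r in rows:
            key = self._norm(r.source_value)
            if key in self._by_value:
                raise ValueError(f"duplicate Expected Source Value {r.source_value!r}")
            self._by_value[key] = r
        self._by_severity = {r.severity: r for r in rows}
        self.default_severity = default_severity

    @staticmethod
    def _norm(value) -> str:
        # Assumption: vendor ratings are matched case-insensitively, ignoring padding.
        return str(value).strip().casefold()

    def score(self, source_value) -> Tuple[int, int, bool]:
        """Return (severity, qds, matched); matched=False means the default applied."""
        row = self._by_value.get(self._norm(source_value))
        if row is None:
            fallback = self._by_severity[self.default_severity]
            return fallback.severity, fallback.qds, False
        return row.severity, row.qds, True


# Constructed example rows (illustrative values only).
EXAMPLE_MAP = ScoreMap(
    rows=[
        ScoreRow("Informational", 1, 10),
        ScoreRow("Low", 2, 30),
        ScoreRow("Medium", 3, 55),
        ScoreRow("High", 4, 80),
        ScoreRow("Critical", 5, 95),
    ],
    default_severity=3,
)


def score_findings(findings: List[dict]) -> int:
    """Attach severity and QDS to each finding dict in place and return how many
    fell back to the default; a non-zero count is the signal that the mapping
    table is missing a row for a rating the vendor actually emits."""
    unmatched = 0
    for f in findings:
        sev, qds, matched = EXAMPLE_MAP.score(f.get("vendorSeverity", ""))
        f["severity"], f["qds"] = sev, qds
        if not matched:
            unmatched += 1
    return unmatched


if __name__ == "__main__":
    batch = [{"vendorSeverity": "High"}, {"vendorSeverity": "Unrated"}, {}]
    print(score_findings(batch), "finding(s) used the default severity")
    print(batch)
```

Track the unmatched count after each run: a rating that silently collapses to the default severity is mis-prioritized, not missing, so it will not show up as an ingestion error.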

Select Identification Rules

The Identification Rules are a set of out-of-the-box precedence rules set by Qualys CSAM. The connector discovers findings based on the order set by the selected Identification Rules.

You can proceed to the next step without making any changes to this screen.

If you don't want to use a specific rule, turn off the toggle next to it, but ensure that at least one rule remains selected.

To learn more about the different rules and options present in this screen, refer to the CSAM Online Help.

Once you are done with all the configuration, review the configurations provided in the previous steps. Ensure all details are correct and complete. Confirm the setup to finalize the configuration of the API connector.

Save and run the connector to process the data accordingly, transforming and importing it as per the configurations set.

How Does a Connection Work?

The MDC connector operates through configured profiles that determine which data is synchronized and when.

A Connection usually involves creating a profile that defines which misconfigurations to import based on detection data types and asset types. The connector then automatically executes according to the schedule (or on-demand), pulling vulnerability data from Microsoft Defender for Endpoint into Qualys ETM where it can be viewed alongside other security findings.

With the MDC API Connector successfully configured, you are almost ready to view all the assets and findings from MDC.

In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.

Connector States

A successfully configured connector goes through 4 states.

  1. Registered - The connector is successfully created and registered to fetch data from the vendor.
  2. Scheduled - The connector is scheduled to execute a connection with the vendor.
  3. Processing - A connection is executed and the connector is fetching the asset and findings data.
  4. Processed - The connector has successfully fetched the assets; it may still be in the process of fetching the findings. Allow some more time for the connector to fetch the findings completely.

The Processed state indicates that the Connector is successfully configured but it is under the process of importing all your assets and findings. This process (specifically for findings) may take some time.

This entire process may take up to 2 hours for completion. Once it is done, you can find the imported data in Enterprise TruRisk Management (ETM).

View Assets and Findings in ETM

Navigate to Enterprise TruRisk Management to get started with analyzing your Connector's vulnerability findings.

You can view the assets imported from the MDC connection by navigating to the Inventory tab of ETM.

Go to Assets > Host to find all of your imported assets.

Use the token, inventory: (source: `Defender for Cloud`) to view all the imported MDC assets.

Here, you can learn about the criticality of your assets and their Risk Scores. Click any asset to find more details about it.

Next, you can navigate to the Risk Management tab to view your vulnerability findings.

Go to Findings > Misconfigurations to view all the discovered vulnerabilities.

Use the token, finding.vendorProductName: `Defender for Cloud` to view all the discovered Defender vulnerabilities.

To know more about how the MDC API Connector leverages the findings, refer to the Qualys ETM Documentation.

Additional Resources

Additional information related to the MDC Connector.

API Reference

Here are the APIs executed for the MDC connection.

Auth API

  URL: https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token

  Required values:
  • Subscription Uuid
  • Tenant ID
  • Client Id
  • Client Secret

  grant_type = client_credentials
  Scope = https://management.azure.com/.default

Fetch Asset

  URL: https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01

  Sample asset fetch queries:

  Compute API Query: (resource_type:${computeFilter})+(updated_at:>'${updated_at}')

  Container API Query: Resources | where type =~ 'Microsoft.ContainerInstance/containerGroups'

Fetch Container Images

  URLs:
  https://${registryUri}/oauth2/token
  https://${registryUri}/v2/${repository}/manifests/${digest}
  https://${registryUri}/v2/${repository}/blobs/${configDigest}

  Registry pull auth parameters: client_id, client_secret

  Filter query used: repository:${repository}:pull

Fetch Vulnerabilities

  URL: https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01

  Filter query for compute findings:
  securityresources | where type =~ 'microsoft.security/assessments/subassessments' and ( properties.additionalData.assessedResourceType == 'ServerVulnerabilityTvm')

  Filter query for container image findings:
  securityresources | where type =~ 'microsoft.security/assessments/subassessments' and properties.additionalData.assessedResourceType == 'AzureContainerRegistryVulnerability'| extend assessmentKey = extract(@'providers/Microsoft.Security/assessments/([^/]*)', 1, id) | where assessmentKey == '<assesmentKey>'
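
The two calls listed above, the client-credentials token request and the Resource Graph query, as an added example that is not Qualys or Microsoft code. The token request is only built, never sent, so the secret stays out of the URL and any log line; the Resource Graph fetch takes the HTTP POST as an injected function so the paging logic can be exercised offline against constructed pages. The request and reply shape used for paging (`subscriptions`, `query`, `options.$skipToken`, and a `$skipToken` in the reply) is the author's understanding of the 2021-03-01 API rather than something the page states, and the sample rows are constructed.

```python
"""Auth API token request and paged Resource Graph fetch.  Added example, not
the connector's own code.  HTTP is injected so this runs offline."""
from typing import Callable, Dict, Iterator, List, Tuple
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com/"
RESOURCE_GRAPH_URL = ("https://management.azure.com/providers/"
                      "Microsoft.ResourceGraph/resources?api-version=2021-03-01")
SCOPE = "https://management.azure.com/.default"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """Return (url, form_body) for the grant_type=client_credentials call.
    The body is form-encoded; the secret is never placed in the URL."""
    url = f"{AUTHORITY}{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    })
    return url, body


# (url, json_body) -> parsed JSON reply.  A real implementation would add the
# bearer token header and raise on non-2xx status.
Post = Callable[[str, Dict], Dict]


def resource_graph_rows(query: str, subscriptions: List[str], post: Post) -> Iterator[Dict]:
    """Yield every row for `query`, following $skipToken until none is returned.
    Assumed paging shape: options.$skipToken in the request, $skipToken in the reply."""
    body: Dict = {"subscriptions": subscriptions, "query": query}
    seen_tokens = set()
    while True:
        reply = post(RESOURCE_GRAPH_URL, body)
        if "data" not in reply:
            raise RuntimeError(f"unexpected Resource Graph reply keys: {sorted(reply)}")
        yield from reply["data"]
        token = reply.get("$skipToken")
        if not token:
            return
        if token in seen_tokens:  # never loop forever on a repeated continuation token
            raise RuntimeError("Resource Graph returned a repeated $skipToken")
        seen_tokens.add(token)
        body = {**body, "options": {"$skipToken": token}}


# Compute findings query from the API reference above.
COMPUTE_QUERY = ("securityresources | where type =~ 'microsoft.security/assessments/subassessments' "
                 "and ( properties.additionalData.assessedResourceType == 'ServerVulnerabilityTvm')")

# Constructed stand-in for the service: two pages, then no continuation token.
_FAKE_PAGES = {
    None:    {"count": 2, "data": [{"id": "/sub/a/1"}, {"id": "/sub/a/2"}], "$skipToken": "page2"},
    "page2": {"count": 1, "data": [{"id": "/sub/a/3"}]},
}


def fake_post(url: str, body: Dict) -> Dict:
    assert url == RESOURCE_GRAPH_URL
    token = body.get("options", {}).get("$skipToken")
    return _FAKE_PAGES[token]


def fetch_compute_findings_offline() -> List[Dict]:
    """Run the paged fetch against the constructed pages; returns all three rows."""
    placeholder_subscription = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real id
    return list(resource_graph_rows(COMPUTE_QUERY, [placeholder_subscription], fake_post))


if __name__ == "__main__":
    url, _body = token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("token endpoint:", url)  # the form body holding the secret is deliberately not printed
    print(len(fetch_compute_findings_offline()), "rows fetched across pages")
```

Swap `fake_post` for a function that performs the real POST with the bearer token from the token endpoint; the paging loop and its repeated-token guard stay the same.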

Data Model Map

This section explains the attribute mappings between Microsoft Defender for Cloud and Qualys ETM. Each row lists the Defender for Cloud source attribute followed by the Qualys ETM target attribute.

Asset Transformation Map

AZURE.VIRTUAL_MACHINE

id asset.assetHeader.externalAssetId
name asset.assetDetail.name
name asset.assetDetail.hostIdentity.hostname
name asset.assetDetail.hostname
tenantId asset.assetDetail.cloudInfo.tenantId
location asset.assetDetail.cloudInfo.region
resourceGroup asset.assetDetail.computeAssetClass.cloudInstance.resourceGroupName
subscriptionId asset.assetDetail.cloudInfo.accountId
properties.timeCreated asset.assetDetail.sourceCreatedAt
osDiskId asset.assetDetail.computeAssetClass.cloudInstance.imageId
properties.vmId asset.assetDetail.computeAssetClass.cloudInstance.id
properties.osProfile.computerName asset.assetDetail.computeAssetClass.cloudInstance.hostname
primaryNetworkInterface.publicIpProperties.ipAddress asset.assetDetail.computeAssetClass.cloudInstance.publicIpv4Address
primaryNetworkInterface.nicProperties.macAddress asset.assetDetail.computeAssetClass.cloudInstance.macAddress
primaryNetworkInterface.nicId asset.assetDetail.computeAssetClass.cloudInstance.networkInterfaceId
externalTags asset.assetDetail.externalTags
id asset.assetHeader.vendorAssetId
properties.storageProfile.osDisk.osType asset.assetDetail.operatingSystem.name
properties.storageProfile.imageReference.publisher asset.assetDetail.operatingSystem.publisher
properties.storageProfile.imageReference.sku asset.assetDetail.operatingSystem.version
CONSTANT: "azure-virtual-machine" asset.assetHeader.assetTypeName
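
The following added example (not the connector's own transform engine) applies a subset of the AZURE.VIRTUAL_MACHINE rows above to one Resource Graph VM record, to show what the map produces. The conventions are read off the table: a dotted path on the left is read from the source record, a dotted path on the right is written into the target document, and `CONSTANT: "..."` on the left is a literal. The sample VM record is constructed, not real Azure data; it deliberately has no `primaryNetworkInterface` so the missing-field behaviour is visible.

```python
"""Apply an asset transformation map (source path -> target path) to a record.
Added example, not Qualys code.  Rows below are a subset of the VM map above."""
import re
from typing import Any, Dict, List, Tuple

VM_TRANSFORM_MAP: List[Tuple[str, str]] = [
    ("id", "asset.assetHeader.externalAssetId"),
    ("id", "asset.assetHeader.vendorAssetId"),
    ("name", "asset.assetDetail.name"),
    ("name", "asset.assetDetail.hostIdentity.hostname"),
    ("name", "asset.assetDetail.hostname"),
    ("tenantId", "asset.assetDetail.cloudInfo.tenantId"),
    ("location", "asset.assetDetail.cloudInfo.region"),
    ("resourceGroup", "asset.assetDetail.computeAssetClass.cloudInstance.resourceGroupName"),
    ("subscriptionId", "asset.assetDetail.cloudInfo.accountId"),
    ("properties.timeCreated", "asset.assetDetail.sourceCreatedAt"),
    ("properties.vmId", "asset.assetDetail.computeAssetClass.cloudInstance.id"),
    ("properties.osProfile.computerName", "asset.assetDetail.computeAssetClass.cloudInstance.hostname"),
    ("primaryNetworkInterface.publicIpProperties.ipAddress",
     "asset.assetDetail.computeAssetClass.cloudInstance.publicIpv4Address"),
    ("properties.storageProfile.osDisk.osType", "asset.assetDetail.operatingSystem.name"),
    ("properties.storageProfile.imageReference.publisher", "asset.assetDetail.operatingSystem.publisher"),
    ("properties.storageProfile.imageReference.sku", "asset.assetDetail.operatingSystem.version"),
    ('CONSTANT: "azure-virtual-machine"', "asset.assetHeader.assetTypeName"),
]

_CONST = re.compile(r'^CONSTANT:\s*"(.*)"$')


def _get(record: Dict[str, Any], dotted: str) -> Any:
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    cur: Any = record
    for seg in dotted.split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def _set(target: Dict[str, Any], dotted: str, value: Any) -> None:
    """Create intermediate dicts as needed and store value at the leaf."""
    parts = dotted.split(".")
    cur = target
    for seg in parts[:-1]:
        cur = cur.setdefault(seg, {})
    cur[parts[-1]] = value


def apply_transform_map(record: Dict[str, Any], mapping: List[Tuple[str, str]]) -> Dict[str, Any]:
    """Build the ETM-side document.  Source fields absent from the record are
    skipped rather than written as None, so a VM with no public IP simply has
    no publicIpv4Address key; constants are always written."""
    out: Dict[str, Any] = {}
    for source, target in mapping:
        m = _CONST.match(source)
        value = m.group(1) if m else _get(record, source)
        if value is not None:
            _set(out, target, value)
    return out


# Constructed sample record shaped like a Resource Graph VM row (not real data).
SAMPLE_VM: Dict[str, Any] = {
    "id": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.Compute/virtualMachines/web-01"),
    "name": "web-01",
    "tenantId": "11111111-1111-1111-1111-111111111111",
    "subscriptionId": "00000000-0000-0000-0000-000000000000",
    "resourceGroup": "rg-demo",
    "location": "eastus",
    "properties": {
        "vmId": "22222222-2222-2222-2222-222222222222",
        "timeCreated": "2024-01-15T08:00:00Z",
        "osProfile": {"computerName": "web-01"},
        "storageProfile": {
            "osDisk": {"osType": "Linux"},
            "imageReference": {"publisher": "Canonical", "sku": "22_04-lts"},
        },
    },
    # no primaryNetworkInterface: exercises the missing-source-field path
}


def transform_sample_vm() -> Dict[str, Any]:
    return apply_transform_map(SAMPLE_VM, VM_TRANSFORM_MAP)


if __name__ == "__main__":
    import json
    print(json.dumps(transform_sample_vm(), indent=2))
```

Because `id` feeds both `externalAssetId` and `vendorAssetId`, a record that lacks `id` produces an asset with no identifier at all; checking for that before import is the cheapest way to catch a query that returned the wrong resource shape.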

AZURE.CONTAINER_IMAGE

zones asset.assetDetail.cloudInfo.availabilityZone
tenantId asset.assetDetail.cloudInfo.tenantId
subscriptionId asset.assetDetail.cloudInfo.accountId
properties.resourceDetails.source asset.assetDetail.cloudInfo.provider
properties.additionalData.artifactDetails.repositoryName asset.assetDetail.name
properties.additionalData.artifactDetails.repositoryName asset.assetDetail.containerImageAssetClass.name
properties.additionalData.artifactDetails.repositoryName asset.assetDetail.containerImageAssetClass.repository
properties.additionalData.artifactDetails.registryHost asset.assetDetail.containerImageAssetClass.registry
properties.additionalData.artifactDetails.digest asset.assetDetail.containerImageAssetClass.digest
properties.additionalData.artifactDetails.digest asset.assetHeader.externalAssetId
properties.additionalData.artifactDetails.digest asset.assetHeader.vendorAssetId
location asset.assetDetail.cloudInfo.region
imageTagReferences asset.assetDetail.containerImageAssetClass.imageTagReferences
imageConfigV2.os asset.assetDetail.operatingSystem.name
imageConfigV2.history[].size asset.assetDetail.containerImageAssetClass.layers[].sizeInBytes
imageConfigV2.history[].digest asset.assetDetail.containerImageAssetClass.layers[].digest
imageConfigV2.history[].created_by asset.assetDetail.containerImageAssetClass.layers[].createdBy
imageConfigV2.created asset.assetDetail.containerImageAssetClass.creationDate
imageConfigV2.architecture asset.assetDetail.containerImageAssetClass.architecture
externalTags asset.assetDetail.externalTags
CONSTANT: "container-image" asset.assetHeader.assetTypeName
asset_root (imageTag) asset.assetDetail.containerImageAssetClass.tag

AZURE.CONTAINER_INSTANCE

location asset.assetDetail.cloudInfo.region
subscriptionId asset.assetDetail.cloudInfo.accountId
zones asset.assetDetail.cloudInfo.availabilityZone
managedBy asset.assetDetail.businessInfo.managedBy
properties.container.name asset.assetDetail.name
id asset.assetHeader.externalAssetId
id asset.assetHeader.vendorAssetId
properties.container.properties.instanceView.currentState.state asset.assetDetail.containerInstanceAssetClass.status
properties.container.properties.ports[].port asset.assetDetail.containerInstanceAssetClass.ports[].containerPort
properties.container.properties.ports[].protocol asset.assetDetail.containerInstanceAssetClass.ports[].protocol
asset_root (imageName) asset.assetDetail.containerInstanceAssetClass.image.name
asset_root (imageTagOrDigest) asset.assetDetail.containerInstanceAssetClass.image.tag
asset_root (imageRegistry) asset.assetDetail.containerInstanceAssetClass.image.registry
properties.container.properties.environmentVariables asset.assetDetail.containerInstanceAssetClass.environmentVariables
externalTags asset.assetDetail.externalTags
CONSTANT: "container-instance" asset.assetHeader.assetTypeName

AZURE.SERVERLESS

CONSTANT: "azure-function" asset.assetHeader.assetTypeName
externalTags asset.assetDetail.externalTags
id asset.assetHeader.externalAssetId
id asset.assetHeader.vendorAssetId
location asset.assetDetail.cloudInfo.region
name asset.assetDetail.name
properties.name asset.assetDetail.serverlessAssetClass.functionName
subscriptionId asset.assetDetail.cloudInfo.accountId
tenantId asset.assetDetail.cloudInfo.tenantId
zones asset.assetDetail.cloudInfo.availabilityZone

Vulnerability Transformation Map

AZURE.CONTAINER_IMAGE

assessmentKey findingGroup.findings[].externalFindingId
id findingGroup.findings[].id
properties.additionalData.artifactDetails.digest findingGroup.findings[].asset.externalAssetId
properties.additionalData.vulnerabilityDetails.cpe.part findingGroup.findings[].product.cpePart
properties.additionalData.vulnerabilityDetails.cpe.product findingGroup.findings[].product.name
properties.additionalData.vulnerabilityDetails.cpe.vendor findingGroup.findings[].product.vendor
properties.additionalData.vulnerabilityDetails.cpe.version findingGroup.findings[].product.version
properties.additionalData.vulnerabilityDetails.cveId findingGroup.findings[].findingType.vulnerability.cveId
properties.additionalData.vulnerabilityDetails.lastModifiedDate findingGroup.findings[].lastFoundOn
properties.additionalData.vulnerabilityDetails.references[].link findingGroup.findings[0].references[]
properties.additionalData.vulnerabilityDetails.weaknesses.cwe[].id findingGroup.findings[0].findingType.vulnerability.cweIds[]
properties.description findingGroup.findings[].description
properties.displayName findingGroup.findings[].name
properties.impact findingGroup.findings[].impact
properties.remediation findingGroup.findings[].remediations[].description
properties.resourceDetails.ResourceName findingGroup.findings[].asset.assetName
properties.status.severity findingGroup.findings[].severity
properties.timeGenerated findingGroup.findings[].ingestedOn

COMPUTE

asset_root (assetType) asset.assetHeader.assetTypeName
id findingGroup.findings[].externalFindingId
properties.displayName findingGroup.findings[].name
properties.metadata.assessmentType findingGroup.findings[].findingType.misconfiguration.policy.type
properties.metadata.description findingGroup.findings[].description
properties.metadata.remediationDescription findingGroup.findings[].remediation.remediationStrategy
properties.metadata.severity findingGroup.findings[].severity
properties.resourceDetails.NativeResourceId findingGroup.findings[].asset.externalAssetId
properties.resourceDetails.NativeResourceId asset.assetHeader.externalAssetId
properties.resourceDetails.NativeResourceId asset.assetHeader.vendorAssetId
properties.resourceDetails.ResourceName findingGroup.findings[].asset.assetName
properties.resourceDetails.ResourceName asset.assetDetail.name
properties.status.code findingGroup.findings[].findingStatus
properties.status.firstEvaluationDate findingGroup.findings[].firstFoundOn
properties.status.statusChangeDate findingGroup.findings[].lastFoundOn
properties.statusPerInitiative[].policyInitiativeId findingGroup.findings[].findingType.misconfiguration.policy.policyId
properties.statusPerInitiative[].policyInitiativeName findingGroup.findings[].findingType.misconfiguration.policy.title

ALL MISCONFIGURATION FINDINGS

asset_root (assetType) asset.assetHeader.assetTypeName
id findingGroup.findings[].externalFindingId
properties.displayName findingGroup.findings[].name
properties.metadata.assessmentType findingGroup.findings[].findingType.misconfiguration.policy.type
properties.metadata.description findingGroup.findings[].description
properties.metadata.remediationDescription findingGroup.findings[].remediation.remediationStrategy
properties.metadata.severity findingGroup.findings[].severity
properties.resourceDetails.NativeResourceId findingGroup.findings[].asset.externalAssetId
properties.resourceDetails.NativeResourceId asset.assetHeader.externalAssetId
properties.resourceDetails.NativeResourceId asset.assetHeader.vendorAssetId
properties.resourceDetails.ResourceName findingGroup.findings[].asset.assetName
properties.resourceDetails.ResourceName asset.assetDetail.name
properties.status.code findingGroup.findings[].findingStatus
properties.status.firstEvaluationDate findingGroup.findings[].firstFoundOn
properties.status.statusChangeDate findingGroup.findings[].lastFoundOn
properties.statusPerInitiative[].policyInitiativeId findingGroup.findings[].findingType.misconfiguration.policy.policyId
properties.statusPerInitiative[].policyInitiativeName findingGroup.findings[].findingType.misconfiguration.policy.title