Defend Integration
CMDB and Defend share a bidirectional data relationship. CMDB provides asset context — criticality, PHI tags, and ownership — that Defend uses to prioritize threats. Defend provides security posture data that CMDB displays on CI records.
How Data Flows
| Direction | What Flows | Purpose |
|---|---|---|
| CMDB → Defend | Criticality level, PHI/PII tags, environment | Defend escalates alert severity based on asset importance |
| Defend → CMDB | Last known threat status, security posture | CMDB shows whether an asset is clean, at risk, or compromised |
Criticality-Based Alert Escalation
When Defend detects a threat on a device, it queries CMDB for the CI's criticality:
| CI Criticality | Defend Behavior |
|---|---|
| Critical | P1 alert, immediate notification to all on-call responders |
| High | P2 alert, standard escalation timeline |
| Medium | Standard alert priority |
| Low | Informational alert |
PHI Amplification
CIs tagged with PHI receive an additional priority boost. A medium-criticality server tagged with PHI is treated as high-priority by Defend, because a data breach on that asset has regulatory implications beyond the operational impact.
Security Posture View
Each CI's detail page in CMDB includes a security posture section showing:
- Last scan date from Defend
- Threat status — clean, suspicious activity detected, or active threat
- Recent alerts — last 5 Defend alerts for this asset
- Agent status — whether the Defend agent is installed and reporting
This gives technicians a quick security health check when working on an asset without switching to the Defend console.
Setting Up the Integration
The Defend integration works automatically when both products are active in your Hub organization. No additional configuration is required — Defend reads CMDB data via internal service-to-service APIs authenticated with integration keys.
Defend reads CMDB data in real time. When you update a CI's criticality or add a PHI tag, the change takes effect immediately for future Defend alerts.
Bus Events
CMDB emits events that Defend and other products can consume:
| Event | When Emitted |
|---|---|
| cmdb.config.created | New CI created |
| cmdb.config.updated | CI modified (including criticality/tag changes) |
| cmdb.password.anomaly | Unusual password access pattern detected |
| cmdb.asset.discovered | New device found via auto-discovery |
Defend listens for cmdb.config.updated to refresh its criticality cache when CI metadata changes.
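The sketch below models the criticality escalation and PHI boost described earlier together with the cache refresh on cmdb.config.updated. It is an added example, not Defend's own code. The `ci_id` payload key, the `lookup` callable, and the one-step boost for levels other than Medium are assumptions.

```python
from dataclasses import dataclass, replace

LEVELS = ["Low", "Medium", "High", "Critical"]  # ascending criticality
BEHAVIOR = {  # copied from the escalation table on this page
    "Critical": "P1 alert, immediate notification to all on-call responders",
    "High": "P2 alert, standard escalation timeline",
    "Medium": "Standard alert priority",
    "Low": "Informational alert",
}

@dataclass
class CIContext:
    criticality: str
    phi: bool = False

def effective_level(ci: CIContext) -> str:
    """PHI raises the level one step, capped at Critical (assumed generalization)."""
    idx = LEVELS.index(ci.criticality)
    return LEVELS[min(idx + 1, len(LEVELS) - 1)] if ci.phi else LEVELS[idx]

class CriticalityCache:
    """Caches CI context; `lookup` is a hypothetical stand-in for the CMDB query."""
    def __init__(self, lookup):
        self._lookup, self._cache = lookup, {}

    def get(self, ci_id: str) -> CIContext:
        if ci_id not in self._cache:
            self._cache[ci_id] = self._lookup(ci_id)
        return self._cache[ci_id]

    def on_event(self, event: dict) -> None:
        # Only cmdb.config.updated invalidates; the "ci_id" payload key is assumed.
        if event.get("type") == "cmdb.config.updated":
            self._cache.pop(event.get("ci_id"), None)

def alert_behavior(cache: CriticalityCache, ci_id: str) -> str:
    return BEHAVIOR[effective_level(cache.get(ci_id))]

def demo() -> list:
    cmdb = {"srv-01": CIContext("Medium")}  # constructed sample CI
    cache = CriticalityCache(lambda ci_id: replace(cmdb[ci_id]))  # copy on read
    seen = [alert_behavior(cache, "srv-01")]      # Medium, no PHI
    cmdb["srv-01"].phi = True                     # PHI tag added in CMDB
    seen.append(alert_behavior(cache, "srv-01"))  # cached copy not yet refreshed
    cache.on_event({"type": "cmdb.config.updated", "ci_id": "srv-01"})
    seen.append(alert_behavior(cache, "srv-01"))  # refreshed: Medium + PHI -> High
    return seen
```

In this model a tag change only affects alert priority once the cmdb.config.updated event has been processed, which is why a consumer that drops or delays that event would keep triaging on old criticality.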
Next Steps
- Asset Criticality — Configure criticality levels
- PHI and PII Tagging — Tag assets storing sensitive data
- Integrations — All CMDB integrations