Forum Discussion

GirthDefenceForce
Copper Contributor
May 07, 2026

Defender Threat & Vulnerability Management Reporting

Hello, we're looking at implementing DTVM for our endpoints, but are curious about reporting.

Is there a way we can get these reports in a PDF format, and scoped to specific devices only? I'd like to use the evidence paths gathered from KQL to help build the reports. Are there any guides or steps out there that show how we can do this with tools like Power BI?

Thanks in advance.

2 Replies

  • Yes, this is possible, although Defender TVM reporting is much more flexible when combined with Advanced Hunting, Log Analytics, Power BI, or Microsoft Fabric rather than relying only on the native portal reports.

    A common approach is:

    • Use Advanced Hunting / KQL to gather:
      • device scope,
      • vulnerabilities,
      • software inventory,
      • evidence paths,
      • exposed devices,
      • remediation status.
    • Export the results to:
      • Power BI,
      • Log Analytics,
      • Sentinel,
      • Fabric,
      • or scheduled CSV/API exports.

    Regarding your questions:

    1. PDF reports
      Yes, Power BI can export reports directly to PDF.
      This is usually the preferred approach for executive or audit-style reporting.
    2. Scope to specific devices
      Yes, absolutely.
      You can filter:
      • device groups,
      • tags,
      • device names,
      • OS type,
      • business units,
      • risk level,
      • exposure level,
      • or custom KQL filters.

    Many organizations create:

    • executive summary reports,
    • technical remediation reports,
    • or device-specific vulnerability assessments.
    3. Evidence paths from KQL
      Yes, you can include evidence paths and detailed findings from tables such as:
      • DeviceTvmSoftwareVulnerabilities
      • DeviceTvmSoftwareInventory
      • DeviceTvmInfoGathering
      • DeviceEvents
      • DeviceFileEvents

    This works very well for:

    • remediation tracking,
    • audit evidence,
    • and vulnerability investigation reporting.
    4. Power BI integration
      This is actually one of the most common enterprise approaches.

    Typical architecture:
    Defender XDR → Advanced Hunting API / Log Analytics → Power BI → PDF export

    You can:

    • schedule refreshes,
    • automate distribution,
    • create dashboards,
    • and build device-scoped reports dynamically.

    One thing to keep in mind:
    Native Defender TVM reporting is intentionally more operational than presentation-oriented, so many organizations build their own reporting layer on top of Defender data.

    Microsoft documentation/examples worth looking at:

    • Defender XDR Advanced Hunting
    • Defender TVM APIs
    • Streaming Defender data to Log Analytics/Sentinel
    • Power BI REST/API scheduled exports
    • KQL-driven security reporting

    This combination becomes very powerful once you start correlating:

    • exposure score,
    • vulnerability age,
    • exploitability,
    • business criticality,
    • and remediation progress.
  • Hi,

    quick honest answer: native PDF export is not part of MDVM today. The built-in reporting (Vulnerable Devices Report, Recommendations, Inventory) is interactive inside the Defender portal, not a scheduled report engine. There are a few realistic paths depending on what you actually need.

    For ad-hoc exports, the portal pages support CSV download directly. Crude but works for one-off snapshots.

    For recurring, formatted reports the practical patterns are:

    Power BI on top of the Export API. MDVM exposes a full Export API for software vulnerabilities, secure configurations, and per-device inventory, see https://learn.microsoft.com/en-us/defender-endpoint/api/get-assessment-software-vulnerabilities. The required application permission is Vulnerability.Read.All. Available in Defender for Endpoint P1, P2, and MDVM Standalone. Microsoft has a walkthrough for the Export API specifically: https://techcommunity.microsoft.com/blog/vulnerability-management/using-export-api-with-defender-vulnerability-management/4191046. Power BI Service can then schedule a refresh and email reports as PDF via the Subscribe feature, but be aware that scheduled email subscriptions require Power BI Pro or Premium per User.

    Advanced Hunting + Logic App. If your reporting need is narrower, for example "all critical CVEs older than 30 days per business unit", a KQL query against DeviceTvmSoftwareVulnerabilities joined with DeviceTvmSoftwareInventory and DeviceInfo, scheduled via Logic App, can produce a formatted email report with much less infrastructure than Power BI. PDF rendering needs a converter step (third-party connector or HTML-to-PDF service), which is a small but real piece of work. Note Advanced Hunting has a 30-day data window, so for longer trends you still need to ingest the data somewhere.

    Microsoft Security Exposure Management. Worth checking if your tenant is licensed for it. MDVM is now integrated into MSEM, and the unified recommendations and exposure views give better executive-level visibility than the standalone MDVM reports. Still no native PDF, but the dashboards are richer for stakeholder communication.

    One thing worth knowing before committing to an approach: the Export API delivers full snapshots and delta exports up to 14 days back. If your stakeholders want trends beyond that window, you have to ingest and store the snapshots yourself (Sentinel workspace, Log Analytics, or your own database). That ingestion piece is often the underestimated part of MDVM reporting projects.

    Happy to share more detail on any of the three paths if useful.
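
The "critical CVEs older than 30 days per business unit" report mentioned in the reply above, scoped to named devices and carrying evidence paths, as an added Python example that is not code from the thread or from Microsoft. The sample records are constructed; field names are taken to match the per-device software-vulnerability export response, and using `rbacGroupName` as the business unit and `firstSeenTimestamp` as the age are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REPORT_DATE = datetime(2026, 5, 7)  # constructed "today" for the sample run

# Constructed records using the Export API per-device field names;
# device names, CVE ids and paths are placeholders, not real findings.
def _rec(device, group, cve, sev, first_seen, disk=(), reg=()):
    return {"deviceName": device, "rbacGroupName": group, "cveId": cve,
            "vulnerabilitySeverityLevel": sev, "softwareName": "example_app",
            "softwareVersion": "1.0.0", "firstSeenTimestamp": first_seen,
            "diskPaths": list(disk), "registryPaths": list(reg)}

SAMPLE_RECORDS = [
    _rec("fin-ws-01", "Finance", "CVE-PLACEHOLDER-1", "Critical",
         "2026-03-01 00:00:00.0000000", disk=[r"C:\Program Files\Example\app.exe"]),
    _rec("fin-ws-01", "Finance", "CVE-PLACEHOLDER-2", "Critical",
         "2026-04-25 00:00:00.0000000"),                      # too recent
    _rec("hr-lt-07", "HR", "CVE-PLACEHOLDER-3", "High",
         "2026-01-10 00:00:00.0000000"),                      # not Critical
    _rec("hr-lt-07", "HR", "CVE-PLACEHOLDER-4", "Critical",
         "2026-04-01 00:00:00.0000000", reg=[r"HKLM\SOFTWARE\Example"]),
    _rec("dev-srv-03", "Engineering", "CVE-PLACEHOLDER-5", "Critical",
         "2026-02-01 00:00:00.0000000"),                      # out of scope
]

def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS' with optional fraction or 'T' separator."""
    return datetime.strptime(value[:19].replace("T", " "), "%Y-%m-%d %H:%M:%S")

def build_report(records, device_scope, now, min_age_days=30, severity="Critical"):
    """Group in-scope findings of `severity` first seen >= min_age_days ago."""
    scope = {name.lower() for name in device_scope}
    cutoff = now - timedelta(days=min_age_days)
    report = defaultdict(list)
    for rec in records:
        first_seen = parse_ts(rec["firstSeenTimestamp"])
        if (rec["deviceName"].lower() not in scope
                or rec["vulnerabilitySeverityLevel"] != severity
                or first_seen > cutoff):
            continue
        report[rec.get("rbacGroupName") or "Unassigned"].append({
            "device": rec["deviceName"], "cve": rec["cveId"],
            "software": f'{rec["softwareName"]} {rec["softwareVersion"]}',
            "age_days": (now - first_seen).days,
            # Evidence paths carried into the report row for audit use.
            "evidence": (rec.get("diskPaths") or []) + (rec.get("registryPaths") or []),
        })
    return dict(report)
```

The returned dictionary maps each group to its report rows, which can be written to CSV for Power BI or rendered to HTML ahead of a PDF conversion step.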