Forum Discussion
GirthDefenceForce
May 07, 2026 Copper Contributor
Defender Threat & Vulnerability Management Reporting
Hello, we're looking at implementing DTVM for our endpoints, but are curious about reporting. Is there a way we can get these reports in a PDF format, and scoped to specific devices only? I'd lik...
Lucaraheller
May 10, 2026 MCT
Yes, this is possible, although Defender TVM reporting is much more flexible when combined with Advanced Hunting, Log Analytics, Power BI, or Microsoft Fabric rather than relying only on the native portal reports.
A common approach is:
- Use Advanced Hunting / KQL to gather:
  - device scope,
  - vulnerabilities,
  - software inventory,
  - evidence paths,
  - exposed devices,
  - remediation status.
- Export the results to:
  - Power BI,
  - Log Analytics,
  - Sentinel,
  - Fabric,
  - or scheduled CSV/API exports.
Regarding your questions:
- PDF reports
  Yes, Power BI can export reports directly to PDF.
  This is usually the preferred approach for executive or audit-style reporting.
- Scope to specific devices
  Yes, absolutely.
  You can filter:
  - device groups,
  - tags,
  - device names,
  - OS type,
  - business units,
  - risk level,
  - exposure level,
  - or custom KQL filters.
  Many organizations create:
  - executive summary reports,
  - technical remediation reports,
  - or device-specific vulnerability assessments.
- Evidence paths from KQL
  Yes, you can include evidence paths and detailed findings from tables such as:
  - DeviceTvmSoftwareVulnerabilities
  - DeviceTvmSoftwareInventory
  - DeviceTvmInfoGathering
  - DeviceEvents
  - DeviceFileEvents
  This works very well for:
  - remediation tracking,
  - audit evidence,
  - and vulnerability investigation reporting.
- Power BI integration
  This is actually one of the most common enterprise approaches.
  Typical architecture:
  Defender XDR → Advanced Hunting API / Log Analytics → Power BI → PDF export
  You can:
  - schedule refreshes,
  - automate distribution,
  - create dashboards,
  - and build device-scoped reports dynamically.
One thing to keep in mind:
Native Defender TVM reporting is intentionally more operational than presentation-oriented, so many organizations build their own reporting layer on top of Defender data.
Microsoft documentation/examples worth looking at:
- Defender XDR Advanced Hunting
- Defender TVM APIs
- Streaming Defender data to Log Analytics/Sentinel
- Power BI REST/API scheduled exports
- KQL-driven security reporting
This combination becomes very powerful once you start correlating:
- exposure score,
- vulnerability age,
- exploitability,
- business criticality,
- and remediation progress.
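A device-scoped Advanced Hunting query of the kind described in the reply above, as an added example that is not part of the original post or Microsoft's documentation. The device group name `Finance-Workstations` is a placeholder assumption, and the age column measures days since CVE publication, not days since detection on the device.

```kusto
// Added example: device-scoped vulnerability report for export to Power BI or CSV.
// "Finance-Workstations" is a placeholder device group name (assumption).
let ScopedGroups = dynamic(["Finance-Workstations"]);
// Latest DeviceInfo record per device, restricted to the scoped groups.
let ScopedDevices =
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, MachineGroup, ExposureLevel) by DeviceId
    | where MachineGroup in (ScopedGroups)
    | project DeviceId, MachineGroup, ExposureLevel;
DeviceTvmSoftwareVulnerabilities
// Keep only vulnerabilities found on the scoped devices.
| join kind=inner (ScopedDevices) on DeviceId
// Enrich each CVE with score, exploit availability and publication date.
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
// Age in days since the CVE was published.
| extend VulnerabilityAgeDays = datetime_diff("day", now(), PublishedDate)
| project DeviceName, MachineGroup, ExposureLevel, OSPlatform,
          SoftwareVendor, SoftwareName, SoftwareVersion,
          CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable,
          VulnerabilityAgeDays, RecommendedSecurityUpdate
// Exploitable, high-score, long-standing findings first.
| sort by IsExploitAvailable desc, CvssScore desc, VulnerabilityAgeDays desc
```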