Forum Discussion
Microsoft Defender for Endpoint for Vulnerability Management and Reporting
- Mar 03, 2026
Hi Dilan,
Yes, you can absolutely replace Rapid7 with Microsoft Defender for Endpoint (MDE) for vulnerability management and reporting — but the key difference is that MDE is exposure-based and API-driven, not a traditional scan-and-export model like Rapid7.
Below is the practical way to approach this in an enterprise-ready way.
First, understand the data sources
Microsoft Defender Vulnerability Management exposes its data through:
– Advanced Hunting tables
– Defender for Endpoint APIs
– Microsoft Graph API (Secure Score + Intune)
The most important Advanced Hunting tables for vulnerability tracking are:
– DeviceTvmSoftwareVulnerabilities
– DeviceTvmSoftwareVulnerabilitiesKB
– DeviceTvmSecureConfigurationAssessment
– DeviceTvmSecureConfigurationAssessmentKB
These provide CVE mapping per device, severity, exploitability, remediation details, and exposure scoring.
Ongoing vulnerability tracking and remediation
Use DeviceTvmSoftwareVulnerabilities to track every CVE per device. You can calculate aging buckets directly in KQL.
Example logic:
DeviceTvmSoftwareVulnerabilities
// PublishedDate is a column of the KB table, so join it in on CveId
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB | project CveId, PublishedDate) on CveId
| extend AgeDays = datetime_diff("day", now(), PublishedDate)
| extend AgingBucket =
    case(
        AgeDays <= 30, "0–30 days",
        AgeDays <= 60, "31–60 days",
        AgeDays <= 90, "61–90 days",
        "90+ days"
    )
| summarize DevicesAffected = dcount(DeviceId)
    by VulnerabilitySeverityLevel, AgingBucket
Important: Advanced Hunting only shows current state. If you want trending over time (true 30/60/90-day reporting), you must snapshot the data daily.
Best practice architecture
MDE API + Graph API
→ Azure Function (scheduled daily pull)
→ Azure SQL / Log Analytics
→ Power BI
The daily snapshot is critical. Without it, you cannot properly track aging or trends.
Clear reporting and severity breakdown
For severity breakdown (Critical, High, Medium, Low):
DeviceTvmSoftwareVulnerabilities
| summarize DevicesAffected = dcount(DeviceId)
    by VulnerabilitySeverityLevel
For remediation tracking, combine with:
DeviceTvmSoftwareVulnerabilitiesKB
This gives remediation guidance, KB references, and fix availability.
Secure Score over time
Use Microsoft Graph:
GET https://graph.microsoft.com/v1.0/security/secureScores
This returns daily Secure Score snapshots. Store at least 90 days to build trend visuals in Power BI.
You can build:
– 30-day trend
– 60-day trend
– 90-day trend
– % improvement over baseline
Non-compliant devices (Intune)
Use Graph:
GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
Filter:
$filter=complianceState eq 'noncompliant'
You can also filter for devices that checked in within 14 days:
lastSyncDateTime ge {Today-14}
Important fields:
– complianceState
– lastSyncDateTime
– gracePeriodExpirationDateTime
– operatingSystem
– deviceName
This allows you to report:
– Non-compliant devices
– Devices in grace period
– Devices stale >14 days
– Devices healthy
Exposure-based mindset (important shift from Rapid7)
Rapid7 is vulnerability-count driven.
MDE is exposure-based.
You should incorporate:
– Exploit availability
– Exposure score impact
– Device criticality
This gives more realistic risk reporting rather than raw CVE counts.
Recommended Power BI dashboard structure
Page 1 – Executive Summary
– Total devices
– Critical CVEs
– 90-day Secure Score trend
– Exposure score
Page 2 – Vulnerability Aging
– Severity by 0–30 / 31–60 / 61–90 / 90+
– Top 10 recurring CVEs
Page 3 – Remediation
– % remediated last 30 days
– MTTR by severity
Page 4 – Compliance
– Non-compliant devices
– Grace period devices
– Devices not synced >14 days
Required API permissions
Register one Entra ID app with:
– Vulnerability.Read.All
– Machine.Read.All
– SecurityEvents.Read.All
– DeviceManagementManagedDevices.Read.All
Final recommendation
Yes, MDE + Power BI can replace Rapid7 for vulnerability management and reporting, but only if you:
- Implement daily data snapshotting
- Build structured reporting
- Shift from scan-based thinking to exposure-based risk
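The answer above stresses that Advanced Hunting returns current state only, so aging trends, MTTR and "% remediated" can only come from daily snapshots. As an added example that is not part of either forum answer, the Python below applies the answer's aging-bucket thresholds to two constructed daily snapshots of DeviceTvmSoftwareVulnerabilities rows and then diffs the snapshots to derive the remediation figures the dashboard's Remediation page needs. The snapshot data, the device ids and the CVE placeholder ids are constructed, and the rows assume PublishedDate was already joined in from DeviceTvmSoftwareVulnerabilitiesKB on CveId before the snapshot was stored; none of this is the answer's own code.

```python
# Added example: aging and remediation metrics from daily snapshots of
# DeviceTvmSoftwareVulnerabilities. Sample data is constructed; CVE ids are
# placeholders; PublishedDate is assumed to have been joined in from
# DeviceTvmSoftwareVulnerabilitiesKB on CveId before the snapshot was stored.
from collections import defaultdict
from datetime import date

# Constructed snapshots keyed by the day the scheduled pull stored them.
# Row shape: (DeviceId, CveId, VulnerabilitySeverityLevel, PublishedDate)
SNAPSHOTS = {
    date(2026, 3, 1): [
        ("dev-01", "CVE-PLACEHOLDER-0001", "Critical", date(2026, 1, 15)),
        ("dev-02", "CVE-PLACEHOLDER-0001", "Critical", date(2026, 1, 15)),
        ("dev-01", "CVE-PLACEHOLDER-0002", "High", date(2025, 11, 2)),
        ("dev-03", "CVE-PLACEHOLDER-0003", "Medium", date(2026, 2, 20)),
    ],
    date(2026, 3, 2): [
        ("dev-02", "CVE-PLACEHOLDER-0001", "Critical", date(2026, 1, 15)),
        ("dev-03", "CVE-PLACEHOLDER-0003", "Medium", date(2026, 2, 20)),
        ("dev-03", "CVE-PLACEHOLDER-0004", "High", date(2026, 2, 28)),
    ],
}
SNAPSHOT_DATES = sorted(SNAPSHOTS)


def aging_bucket(age_days):
    """Same thresholds as the case() expression in the answer's KQL."""
    if age_days <= 30:
        return "0-30 days"
    if age_days <= 60:
        return "31-60 days"
    if age_days <= 90:
        return "61-90 days"
    return "90+ days"


def aging_report(rows, as_of):
    """Distinct devices per (severity, bucket) for one snapshot: the
    equivalent of 'summarize DevicesAffected = dcount(DeviceId)'."""
    devices = defaultdict(set)
    for device_id, _cve, severity, published in rows:
        devices[(severity, aging_bucket((as_of - published).days))].add(device_id)
    return {key: len(ids) for key, ids in sorted(devices.items())}


def remediation_events(snapshots):
    """Diff consecutive snapshots: a (device, CVE) pair present in one
    snapshot and absent from the next counts as remediated on the later
    date. Days open is measured from the first snapshot the pair appeared in."""
    first_seen = {}   # (device, cve) -> (first snapshot date, severity)
    events = []       # (device, cve, severity, days_open, closed_on)
    previous = set()
    for snap_date in sorted(snapshots):
        current = {(d, c): s for d, c, s, _ in snapshots[snap_date]}
        for key, severity in current.items():
            first_seen.setdefault(key, (snap_date, severity))
        for key in sorted(previous - current.keys()):
            opened, severity = first_seen.pop(key)
            events.append((key[0], key[1], severity, (snap_date - opened).days, snap_date))
        previous = set(current)
    return events


def mttr_by_severity(events):
    """Mean days open for remediated findings, per severity."""
    days = defaultdict(list)
    for _d, _c, severity, days_open, _closed in events:
        days[severity].append(days_open)
    return {sev: sum(v) / len(v) for sev, v in days.items()}


def percent_remediated(snapshots, as_of, window_days=30):
    """Findings closed inside the window as a share of those closed plus
    those still open in the latest snapshot: '% remediated last 30 days'."""
    closed = [e for e in remediation_events(snapshots) if (as_of - e[4]).days < window_days]
    still_open = {(d, c) for d, c, _, _ in snapshots[max(snapshots)]}
    total = len(closed) + len(still_open)
    return 100.0 * len(closed) / total if total else 0.0


if __name__ == "__main__":
    for snap_date in SNAPSHOT_DATES:
        print(snap_date, aging_report(SNAPSHOTS[snap_date], snap_date))
    events = remediation_events(SNAPSHOTS)
    print("remediated:", events)
    print("MTTR by severity:", mttr_by_severity(events))
    print("% remediated (30d):", percent_remediated(SNAPSHOTS, SNAPSHOT_DATES[-1]))
```

In the scheduled pull, each day's query result would be written to the SQL or Log Analytics store with the pull date as a column; `remediation_events` then runs over the stored history rather than over an in-memory dict. Note that a finding can only be declared remediated by comparing two snapshots, which is exactly why a single Advanced Hunting query cannot produce MTTR.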
MDE exposes all of its vulnerability management data through APIs and advanced hunting tables, so you can absolutely replace Rapid7 with MDE + Power BI. Here's the practical setup.
The Pipeline
The architecture is straightforward: MDE APIs + Graph API → Azure Function (daily schedule) → Azure SQL → Power BI. The Azure Function layer is important because the APIs return current state only. You need to snapshot daily if you want trending and aging analysis.
Three API sources cover all your requirements:
- MDE Advanced Hunting API for vulnerability data. The DeviceTvmSoftwareVulnerabilities table gives you every CVE mapped to every device with severity. Run KQL to calculate aging buckets:
DeviceTvmSoftwareVulnerabilities
// PublishedDate is a column of the KB table, so join it in on CveId
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB | project CveId, PublishedDate) on CveId
| extend AgeDays = datetime_diff('day', now(), PublishedDate)
| extend Bucket = case(AgeDays <= 30, "0-30d", AgeDays <= 60, "31-60d", AgeDays <= 90, "61-90d", "90d+")
| summarize dcount(CveId) by VulnerabilitySeverityLevel, Bucket
- Graph API /v1.0/security/secureScores for Secure Score history. Returns daily score snapshots. Pull 90 days and build your trend line.
- Graph API /v1.0/deviceManagement/managedDevices with $filter=complianceState eq 'noncompliant' for Intune compliance. Filter on lastSyncDateTime for your 14-day check-in window. The response includes grace period expiration dates.
Register one Entra app with Vulnerability.Read.All, Machine.Read.All, SecurityEvents.Read.All, and DeviceManagementManagedDevices.Read.All permissions to cover all three.
References:
- https://learn.microsoft.com/defender-endpoint/api/api-power-bi
- https://learn.microsoft.com/defender-endpoint/api/get-assessment-methods-properties
- https://learn.microsoft.com/defender-vulnerability-management/defender-vulnerability-management
Please mark as solution if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided. 🖖
Also feel free to message me for further clarification! Thanks again.
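Both answers describe the Intune side of the report only as an endpoint, a `$filter` and a list of fields. As an added example that is not part of either answer, the Python below pages through a managedDevices response, parses the fields the answers list (complianceState, lastSyncDateTime, gracePeriodExpirationDateTime, operatingSystem, deviceName) and sorts devices into the four categories on the Compliance dashboard page: non-compliant, grace period, stale more than 14 days, and healthy. The two response pages, the device names, the skiptoken and the year-0001 "unset" date sentinel are constructed assumptions; the 14-day stale check is evaluated locally so the report does not depend on server-side `$filter` support for lastSyncDateTime.

```python
# Added example: classifying Intune managedDevices records into the four
# compliance categories the answers report on. The response pages below are
# constructed; the page URLs, the skiptoken value and the 0001-01-01 'unset'
# sentinel are assumptions, not values from the forum answers.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

BASE_URL = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices"
STALE_AFTER_DAYS = 14
# Assumption: an unset Intune date comes back as year 0001; treated as None.
UNSET_DATE = "0001-01-01T00:00:00Z"
AS_OF = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)  # report time (constructed)


def make_record(name, os_name, state, last_sync, grace_end=UNSET_DATE):
    """Build one constructed record using the field names from the answers."""
    return {"deviceName": name, "operatingSystem": os_name, "complianceState": state,
            "lastSyncDateTime": last_sync, "gracePeriodExpirationDateTime": grace_end}


# Two constructed pages linked by @odata.nextLink, the way Graph pages results.
PAGE2_URL = BASE_URL + "?$skiptoken=constructed-page-2"
PAGES = {
    BASE_URL: {"value": [
        make_record("LAPTOP-A", "Windows", "compliant", "2026-03-02T08:15:00Z"),
        make_record("LAPTOP-B", "Windows", "noncompliant", "2026-03-01T17:40:00Z"),
        make_record("LAPTOP-C", "Windows", "inGracePeriod", "2026-02-28T09:00:00Z",
                    "2026-03-10T00:00:00Z"),
    ], "@odata.nextLink": PAGE2_URL},
    PAGE2_URL: {"value": [
        make_record("LAPTOP-D", "macOS", "compliant", "2026-02-01T08:00:00Z"),
        make_record("PHONE-E", "iOS", "noncompliant", "2026-01-20T06:30:00Z"),
    ]},
}


def sample_fetch(url):
    """Stand-in for an authenticated GET; returns the constructed page."""
    return PAGES[url]


def fetch_all(fetch_json, url):
    """Follow @odata.nextLink until the last page; a single GET is never the full fleet."""
    items = []
    while url:
        page = fetch_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def noncompliant_url():
    """The answers' server-side filter, URL-encoded for the request line."""
    return BASE_URL + "?" + urlencode({"$filter": "complianceState eq 'noncompliant'"})


def parse_graph_datetime(value):
    """Graph uses ISO 8601 with a trailing Z; unset dates come back as year 0001."""
    if not value or value.startswith("0001-01-01"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(record, as_of):
    """Return (category, is_stale). Stale is evaluated locally against the
    14-day window instead of relying on a server-side lastSyncDateTime filter."""
    last_sync = parse_graph_datetime(record.get("lastSyncDateTime"))
    stale = last_sync is None or (as_of - last_sync) > timedelta(days=STALE_AFTER_DAYS)
    state = record.get("complianceState", "unknown")
    grace_end = parse_graph_datetime(record.get("gracePeriodExpirationDateTime"))
    if state == "noncompliant":
        category = "Non-compliant"
    elif state == "inGracePeriod" or (grace_end is not None and grace_end > as_of):
        category = "Grace period"
    elif state == "compliant" and not stale:
        category = "Healthy"
    elif stale:
        category = "Stale >14 days"
    else:
        category = "Other (" + state + ")"   # conflict, error, unknown ...
    return category, stale


def compliance_report(records, as_of):
    """Counts for the dashboard's Compliance page. A non-compliant or grace
    period device that has also stopped syncing is counted under stale too."""
    counts = {"Non-compliant": 0, "Grace period": 0, "Stale >14 days": 0, "Healthy": 0}
    for record in records:
        category, stale = classify(record, as_of)
        counts[category] = counts.get(category, 0) + 1
        if stale and category != "Stale >14 days":
            counts["Stale >14 days"] += 1
    return counts


if __name__ == "__main__":
    devices = fetch_all(sample_fetch, BASE_URL)
    for record in devices:
        print(record["deviceName"], classify(record, AS_OF))
    print(compliance_report(devices, AS_OF))
    print("non-compliant-only query:", noncompliant_url())
```

Pulling the whole fleet and classifying locally, rather than only the `$filter=complianceState eq 'noncompliant'` subset, is what lets the same daily snapshot feed the stale-device and healthy-device counts as well; a device that is non-compliant and has not synced in weeks is deliberately counted in both columns, since the two conditions usually have different owners.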