Forum Discussion
Microsoft Defender for Endpoint for Vulnerability Management and Reporting
- Mar 03, 2026
Hi Dilan,
Yes, you can absolutely replace Rapid7 with Microsoft Defender for Endpoint (MDE) for vulnerability management and reporting — but the key difference is that MDE is exposure-based and API-driven, not a traditional scan-and-export model like Rapid7.
Below is the practical way to approach this in an enterprise-ready way.
First, understand the data sources
Microsoft Defender Vulnerability Management exposes its data through:
– Advanced Hunting tables
– Defender for Endpoint APIs
– Microsoft Graph API (Secure Score + Intune)
The most important Advanced Hunting tables for vulnerability tracking are:
– DeviceTvmSoftwareVulnerabilities
– DeviceTvmSoftwareVulnerabilitiesKB
– DeviceTvmSecureConfigurationAssessment
– DeviceTvmSecureConfigurationAssessmentKB
These provide CVE mapping per device, severity, exploitability, remediation details, and exposure scoring.
Ongoing vulnerability tracking and remediation
Use DeviceTvmSoftwareVulnerabilities to track every CVE per device. You can calculate aging buckets directly in KQL.
Example logic:
DeviceTvmSoftwareVulnerabilities
// PublishedDate is a column of the KB table, not of the per-device table, so join on CveId first
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, PublishedDate
) on CveId
| extend AgeDays = datetime_diff("day", now(), PublishedDate)
| extend AgingBucket =
case(
AgeDays <= 30, "0–30 days",
AgeDays <= 60, "31–60 days",
AgeDays <= 90, "61–90 days",
"90+ days"
)
| summarize DevicesAffected = dcount(DeviceId)
by VulnerabilitySeverityLevel, AgingBucket
Important: Advanced Hunting only shows current state. If you want trending over time (true 30/60/90-day reporting), you must snapshot the data daily.
Best practice architecture
MDE API + Graph API
→ Azure Function (scheduled daily pull)
→ Azure SQL / Log Analytics
→ Power BI
The daily snapshot is critical. Without it, you cannot properly track aging or trends.
Clear reporting and severity breakdown
For severity breakdown (Critical, High, Medium, Low):
DeviceTvmSoftwareVulnerabilities
| summarize DevicesAffected = dcount(DeviceId)
by VulnerabilitySeverityLevel
For remediation tracking, combine with:
DeviceTvmSoftwareVulnerabilitiesKB
This gives remediation guidance, KB references, and fix availability.
Secure Score over time
Use Microsoft Graph:
GET https://graph.microsoft.com/v1.0/security/secureScores
This returns daily Secure Score snapshots. Store at least 90 days to build trend visuals in Power BI.
You can build:
– 30-day trend
– 60-day trend
– 90-day trend
– % improvement over baseline
Non-compliant devices (Intune)
Use Graph:
GET https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
Filter:
$filter=complianceState eq 'noncompliant'
You can also filter for devices that checked in within 14 days:
lastSyncDateTime ge {Today-14}
Important fields:
– complianceState
– lastSyncDateTime
– gracePeriodExpirationDateTime
– operatingSystem
– deviceName
This allows you to report:
– Non-compliant devices
– Devices in grace period
– Devices stale >14 days
– Devices healthy
Exposure-based mindset (important shift from Rapid7)
Rapid7 is vulnerability-count driven.
MDE is exposure-based.
You should incorporate:
– Exploit availability
– Exposure score impact
– Device criticality
This gives more realistic risk reporting rather than raw CVE counts.
Recommended Power BI dashboard structure
Page 1 – Executive Summary
– Total devices
– Critical CVEs
– 90-day Secure Score trend
– Exposure score
Page 2 – Vulnerability Aging
– Severity by 0–30 / 31–60 / 61–90 / 90+
– Top 10 recurring CVEs
Page 3 – Remediation
– % remediated last 30 days
– MTTR by severity
Page 4 – Compliance
– Non-compliant devices
– Grace period devices
– Devices not synced >14 days
Required API permissions
Register one Entra ID app with:
– Vulnerability.Read.All
– Machine.Read.All
– SecurityEvents.Read.All
– DeviceManagementManagedDevices.Read.All
Final recommendation
Yes, MDE + Power BI can replace Rapid7 for vulnerability management and reporting, but only if you:
- Implement daily data snapshotting
- Build structured reporting
- Shift from scan-based thinking to exposure-based risk
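The snapshot-based aging and remediation metrics described in the answer (aging buckets, % remediated in the last 30 days, MTTR by severity), as an added example that is not code from the post. It assumes a scheduled Azure Function runs the Advanced Hunting query daily and appends each run's rows, tagged with the run date, to a snapshot table; the rows, device ids and CVE ids below are constructed placeholders so the logic runs offline. The join of the per-device table to the KB table for PublishedDate is a schema assumption based on the published table docs.

```python
"""Daily snapshots of Defender Vulnerability Management findings, and the aging and
remediation metrics computed from them.

Added example, not code from the forum post. Assumes a daily Azure Function pull that
appends Advanced Hunting rows (tagged with the run date) to a snapshot store. The
snapshot rows, device ids and CVE ids below are constructed placeholders.
"""
from collections import defaultdict
from datetime import date, timedelta

# Query the daily job would run. PublishedDate lives in the KB table, so the
# per-device table is joined to it on CveId (schema assumption based on the docs).
AGING_QUERY = """
DeviceTvmSoftwareVulnerabilities
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB | project CveId, PublishedDate) on CveId
| project DeviceId, CveId, VulnerabilitySeverityLevel, PublishedDate
"""

TODAY = date(2026, 3, 3)
DAYS = [date(2026, 2, 28) + timedelta(days=i) for i in range(4)]  # four daily runs

def _rows(device, cve, severity, published, days):
    """Snapshot rows for one (device, CVE) pair on each of the given run dates."""
    return [{"SnapshotDate": d, "DeviceId": device, "CveId": cve,
             "VulnerabilitySeverityLevel": severity, "PublishedDate": published}
            for d in days]

# Constructed snapshot store: what the daily pulls would have accumulated.
SNAPSHOTS = (
    _rows("dev-A", "CVE-EXAMPLE-0001", "Critical", date(2026, 2, 20), DAYS)
    + _rows("dev-A", "CVE-EXAMPLE-0002", "High", date(2025, 12, 1), DAYS[:2])    # gone from 03-02
    + _rows("dev-A", "CVE-EXAMPLE-0004", "Low", date(2025, 11, 20), DAYS)
    + _rows("dev-B", "CVE-EXAMPLE-0001", "Critical", date(2026, 2, 20), DAYS[:3])  # gone from 03-03
    + _rows("dev-B", "CVE-EXAMPLE-0003", "Medium", date(2026, 1, 10), DAYS)
    + _rows("dev-B", "CVE-EXAMPLE-0004", "Low", date(2025, 11, 20), DAYS)
    + _rows("dev-C", "CVE-EXAMPLE-0002", "High", date(2025, 12, 1), DAYS[:2])    # dev-C stopped reporting
)

def aging_bucket(age_days):
    """Same buckets as the case() in the post's KQL."""
    if age_days <= 30:
        return "0–30 days"
    if age_days <= 60:
        return "31–60 days"
    if age_days <= 90:
        return "61–90 days"
    return "90+ days"

def aging_report(snapshots, as_of):
    """Distinct devices per (severity, aging bucket) in the snapshot taken on as_of."""
    devices = defaultdict(set)
    for r in snapshots:
        if r["SnapshotDate"] != as_of:
            continue
        age = (as_of - r["PublishedDate"]).days
        devices[(r["VulnerabilitySeverityLevel"], aging_bucket(age))].add(r["DeviceId"])
    return {k: len(v) for k, v in devices.items()}

def vulnerability_lifecycle(snapshots):
    """first_seen / last_seen / remediated_on per (device, CVE) pair.

    A pair is remediated on the first snapshot after last_seen in which the device
    still reported but the CVE was absent. If the device simply stopped reporting,
    the pair stays open: missing data is not evidence of a fix.
    """
    days_by_device = defaultdict(set)
    seen = {}
    for r in snapshots:
        d = r["SnapshotDate"]
        days_by_device[r["DeviceId"]].add(d)
        key = (r["DeviceId"], r["CveId"])
        first, last = seen.get(key, (d, d, None))[:2]
        seen[key] = (min(first, d), max(last, d), r["VulnerabilitySeverityLevel"])
    out = {}
    for (dev, cve), (first, last, sev) in seen.items():
        later = sorted(x for x in days_by_device[dev] if x > last)
        out[(dev, cve)] = {"severity": sev, "first_seen": first, "last_seen": last,
                           "remediated_on": later[0] if later else None}
    return out

def remediation_metrics(snapshots, as_of, window_days=30):
    """% of pairs open during the window that were closed in it, plus MTTR by severity.

    MTTR is measured from first_seen in the store, so it is only accurate once the
    store holds more history than the longest-lived finding.
    """
    start = as_of - timedelta(days=window_days)
    life = vulnerability_lifecycle(snapshots)
    in_window = [v for v in life.values() if v["last_seen"] >= start]
    fixed = [v for v in in_window if v["remediated_on"] and start < v["remediated_on"] <= as_of]
    pct = round(100.0 * len(fixed) / len(in_window), 1) if in_window else 0.0
    ttr = defaultdict(list)
    for v in fixed:
        ttr[v["severity"]].append((v["remediated_on"] - v["first_seen"]).days)
    return {"pct_remediated": pct,
            "mttr_days": {sev: sum(x) / len(x) for sev, x in ttr.items()}}
```

The point of `vulnerability_lifecycle` is the caveat the answer hints at: Advanced Hunting only shows current state, so "the CVE disappeared" is only a remediation if the device itself was still in the next snapshot. Here dev-C's finding stays open because the device went quiet, while dev-A's and dev-B's findings are closed with a measured time to remediate.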
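The Intune compliance breakdown from the answer (non-compliant, grace period, stale >14 days, healthy), as an added example that is not code from the post. The records are constructed to mirror the managedDevices fields the answer names; the `inGracePeriod` value of `complianceState` is an assumption about the Intune API. Classification is done client-side on the full device list, with staleness taking precedence, because a device that has not checked in cannot be trusted as either compliant or non-compliant.

```python
"""Classify Intune managedDevices records into the four buckets the thread reports on.

Added example, not code from the forum post. Records are constructed to mirror the
Graph managedDevices fields named in the thread; "inGracePeriod" as a complianceState
value is an assumption about the Intune API.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=14)
NOW = datetime(2026, 3, 3, 12, 0, tzinfo=timezone.utc)  # constructed "now"

DEVICES = [  # constructed sample records
    {"deviceName": "WS-001", "operatingSystem": "Windows", "complianceState": "compliant",
     "lastSyncDateTime": "2026-03-02T08:15:00Z", "gracePeriodExpirationDateTime": None},
    {"deviceName": "WS-002", "operatingSystem": "Windows", "complianceState": "noncompliant",
     "lastSyncDateTime": "2026-03-01T17:40:00Z", "gracePeriodExpirationDateTime": None},
    {"deviceName": "WS-003", "operatingSystem": "Windows", "complianceState": "inGracePeriod",
     "lastSyncDateTime": "2026-03-03T07:00:00Z", "gracePeriodExpirationDateTime": "2026-03-10T00:00:00Z"},
    {"deviceName": "WS-004", "operatingSystem": "macOS", "complianceState": "compliant",
     "lastSyncDateTime": "2026-02-10T09:00:00Z", "gracePeriodExpirationDateTime": None},
    {"deviceName": "WS-005", "operatingSystem": "Windows", "complianceState": "error",
     "lastSyncDateTime": "2026-03-02T11:05:00Z", "gracePeriodExpirationDateTime": None},
    {"deviceName": "WS-006", "operatingSystem": "iOS", "complianceState": "noncompliant",
     "lastSyncDateTime": None, "gracePeriodExpirationDateTime": None},  # never synced
]

def graph_filter(now, stale_after=STALE_AFTER):
    """Server-side $filter from the thread: non-compliant devices that synced recently."""
    cutoff = (now - stale_after).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"complianceState eq 'noncompliant' and lastSyncDateTime ge {cutoff}"

def _parse(ts):
    """Graph timestamps end in 'Z'; make them timezone-aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def classify(device, now=NOW, stale_after=STALE_AFTER):
    """One of: stale, grace, healthy, noncompliant (in that order of precedence)."""
    last_sync = _parse(device.get("lastSyncDateTime"))
    # No recent check-in means complianceState is unverified: report staleness first.
    if last_sync is None or now - last_sync > stale_after:
        return "stale"
    grace_end = _parse(device.get("gracePeriodExpirationDateTime"))
    if device["complianceState"] == "inGracePeriod" or (grace_end and grace_end > now):
        return "grace"
    if device["complianceState"] == "compliant":
        return "healthy"
    return "noncompliant"  # noncompliant, error, conflict, unknown all need attention

def compliance_summary(devices, now=NOW):
    """Counts per bucket, ready for the Compliance page of the dashboard."""
    return dict(Counter(classify(d, now) for d in devices))
```

Note that WS-004 reports `compliant` but is classified as stale: relying on the server-side filter alone would silently drop it from the non-compliant list even though nothing has verified its state for three weeks.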
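The Secure Score trending the answer describes (30/60/90-day trend and % improvement over baseline) computed from stored daily `secureScores` snapshots, as an added example that is not code from the post. The items mirror the `createdDateTime`, `currentScore` and `maxScore` fields of a Graph secureScores entry; the 91 days of scores are constructed, with two days deliberately missing so the gap handling (take the latest snapshot at or before the target date) is exercised.

```python
"""Secure Score trend from stored daily Graph secureScores snapshots.

Added example, not code from the forum post. The score history is constructed
(a linear rise with two missing days) so the trend maths can be checked offline.
"""
from datetime import date, timedelta

TODAY = date(2026, 3, 3)

def _constructed_history(days=90, missing=(45, 60)):
    """One item per day for the last `days` days, skipping the `missing` offsets."""
    items = []
    for i in range(days + 1):
        if i in missing:
            continue
        d = TODAY - timedelta(days=days - i)
        items.append({"createdDateTime": d.isoformat() + "T02:00:00Z",
                      "currentScore": 500.0 + i, "maxScore": 900.0})
    return items

HISTORY = _constructed_history()

def _by_date(items):
    return {date.fromisoformat(it["createdDateTime"][:10]): it["currentScore"] for it in items}

def score_on_or_before(items, target):
    """Score from the latest snapshot dated <= target, or None when there is none.

    Daily pulls do fail occasionally; falling back to the previous snapshot keeps a
    trend card from going blank for a single missed day.
    """
    scores = _by_date(items)
    candidates = [d for d in scores if d <= target]
    return scores[max(candidates)] if candidates else None

def trends(items, as_of=TODAY, windows=(30, 60, 90)):
    """Point change over each window and % improvement over the 90-day baseline."""
    today_score = score_on_or_before(items, as_of)
    out = {}
    for w in windows:
        past = score_on_or_before(items, as_of - timedelta(days=w))
        out[f"{w}d_change"] = None if past is None else round(today_score - past, 1)
    baseline = score_on_or_before(items, as_of - timedelta(days=90))
    out["pct_over_baseline"] = (None if not baseline
                                else round(100.0 * (today_score - baseline) / baseline, 1))
    return out
```

With the constructed history the 30-day change comes out as 31 rather than 30 because the snapshot exactly 30 days back is missing and the day before it is used instead; a dashboard should surface that substitution rather than hide it.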
Really appreciate it... this is something to start with