We are happy to announce that threat and vulnerability management tables in advanced hunting are being updated with an improved structure and additional data – now available in public preview.
The existing ‘DeviceTvmSoftwareInventoryVulnerabilities’ table in advanced hunting, which currently combines both software inventory and vulnerabilities, is being deprecated and split into two new dedicated tables.
This change is aimed at creating better clarity and reducing noise/complexity when using advanced hunting for common threat and vulnerability management scenarios.
Newly introduced tables:
- DeviceTvmSoftwareInventory (see schema below) – This table will serve as a complete list of all software on your devices, whether or not they have any vulnerabilities.
- No duplicate entries – unlike the old table, you’ll have a single row for each software installed on every device.
- New fields – ‘EndOfSupportStatus’ and ‘EndOfSupportDate’ will have the end-of-support state (if applicable) for specific software versions installed on devices.
- DeviceTvmSoftwareVulnerabilities (see schema below) – This table will be dedicated to discovering vulnerabilities (CVEs) in existing software across all your devices.
- New fields – ‘RecommendedSecurityUpdate’ and ‘RecommendedSecurityUpdateId’ will have missing security updates / KBs for installed software.
- New fields – ‘RecommendedSecurityUpdate’ and ‘RecommendedSecurityUpdateId’ will have missing security updates / KBs for installed software.
To avoid breaking existing flows in the short term, the old advanced hunting table will continue to be temporarily available in the back-end for querying. However, to avoid future issues it’s strongly encouraged you switch to using the new tables at your earliest convenience.
New table schemas:
For more information on advanced hunting tables in Microsoft Defender for Endpoint, read our https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-schema-tables?view=o365-worldwide#learn-the-schema-tables.
To get access to Microsoft Defender for Endpoint public preview capabilities, we encourage you to turn on https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/preview in the Microsoft Defender Security Center. We’re looking forward to hearing any feedback you may have.
Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you’re not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender?rtc=1?rtc=1 today.
Microsoft Defender for Endpoint team
