Column header meanings in vulnerabilities export files


When I export a CSV from a machine's "Discovered Vulnerabilities" tab, what do the "has exploit", "has known threats", and "has associated alerts" column headers mean respectively? Also, do I need both AV and EDR turned on for both of these to be true?

2 Replies
For more information about threat and vulnerability management please refer to this link: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tvm-weaknesses?view=o365-worldwide. Additionally, if I understand your second question correctly, the EDR service is doing the vulnerability assessment. Please let me know if this answers your question.
After working with Defender longer and doing some more research, the "has known threats" and "has associated alerts" make sense. As far as I understand:

"has known threats" = there is a threat under the "Threat Analytics" blade that directly correlates somehow with that vulnerability.

"has associated alerts" = there is an alert in your environment that is somehow tied to that vulnerability. Maybe it is saying someone in your org tried to take action to exploit that vulnerability.

"has exploit" = XXX What goes here? This seems very vague if it is saying there is a known exploit. There are a lot of known exploits. How is this decided?
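As an added example (not part of the thread, and not Microsoft's code), here is one way to put the three flag columns to use once an export is in hand: parse the CSV, normalise the flags to booleans, and order the rows by the interpretation given in the reply above (an alert tied to the vulnerability in your own environment outranks a Threat Analytics correlation, which outranks mere public exploit availability, with CVSS and exposed-device count as tie-breakers). The sample CSV is constructed for the example; the exact column set and the use of True/False or Yes/No as cell values are assumptions, and the code checks that the three flag columns named in the question are present before doing anything else.

```python
import csv
import io

# Constructed sample export for the example. The three flag column names come
# from the thread; the remaining columns and the True/False and Yes/No values
# are an assumption about what the portal writes, not a captured export.
SAMPLE_CSV = """Name,Severity,CVSS,Related software,Exposed devices,Has exploit,Has known threats,Has associated alerts
CVE-2021-0001,Critical,9.8,Widget 1.0,12,True,True,True
CVE-2021-0002,High,8.1,Widget 1.0,3,True,False,False
CVE-2021-0003,Medium,5.5,Gadget 2.2,40,False,False,False
CVE-2021-0004,High,7.8,Gadget 2.2,7,False,True,False
CVE-2021-0005,Low,3.1,Thing 3.0,1,Yes,No,Yes
"""

# Accept several spellings of "true" so the parser survives an export that
# uses Yes/No instead of True/False (assumption: values are one of these).
TRUTHY = {"true", "yes", "1", "y"}

# Listed in triage order: evidence from your own environment first.
FLAG_COLUMNS = ("Has associated alerts", "Has known threats", "Has exploit")


def to_bool(value):
    """Normalise a flag cell to a Python bool; anything unrecognised is False."""
    return (value or "").strip().lower() in TRUTHY


def parse_export(text):
    """Parse the CSV text into a list of dicts with typed flag/score fields."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in FLAG_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        # Fail loudly rather than silently treating every row as "no signal".
        raise ValueError(f"export is missing expected columns: {missing}")
    rows = []
    for row in reader:
        for col in FLAG_COLUMNS:
            row[col] = to_bool(row[col])
        row["CVSS"] = float(row.get("CVSS") or 0)
        row["Exposed devices"] = int(row.get("Exposed devices") or 0)
        rows.append(row)
    return rows


def triage_key(row):
    """Sort key: alerts in-environment, then known threats, then public exploit,
    then CVSS, then how many devices are exposed."""
    return (
        row["Has associated alerts"],
        row["Has known threats"],
        row["Has exploit"],
        row["CVSS"],
        row["Exposed devices"],
    )


def prioritize(rows):
    """Return rows ordered from most to least urgent."""
    return sorted(rows, key=triage_key, reverse=True)


def triage_bucket(row):
    """Label a row with the strongest signal it carries."""
    if row["Has associated alerts"]:
        return "P1 - alert in your environment tied to this vulnerability"
    if row["Has known threats"]:
        return "P2 - correlated with a Threat Analytics report"
    if row["Has exploit"]:
        return "P3 - exploit known to exist"
    return "P4 - no exploit or threat signal"


if __name__ == "__main__":
    for r in prioritize(parse_export(SAMPLE_CSV)):
        print(f'{r["Name"]:15} CVSS {r["CVSS"]:4}  exposed {r["Exposed devices"]:3}  {triage_bucket(r)}')
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; if the portal ever renames one of the three flag columns the ValueError tells you immediately instead of quietly demoting every row to P4.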