CVEs not Detections in Defender for Endpoint


Good day community,

I've noticed a large discrepancy in CVEs reported in Defender compared to a Qualys scan, specifically related to the CVEs published after the Solarwinds breach.

What I've noticed is that when I query for specific CVEs I only have a result returned for 2 instances across 3 exposed devices. Great, right? Except when I run a Qualys scan, I get 40+ servers with recommendations.

All the devices in the Qualys scan are reporting in to Defender for Endpoint without any issue, but they don't return as being at risk the same way they do in Qualys.

I attach a sample of the output I get from Qualys, as well as the query I'm running to identify the relevant CVEs.

DeviceTvmSoftwareInventoryVulnerabilities
| where CveId in ("CVE-2020-1472", "CVE-2019-0604", "CVE-2019-0708", "CVE-2014-1812",
                  "CVE-2020-0688", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-8581",
                  "CVE-2019-11510", "CVE-2018-15961", "CVE-2019-11580", "CVE-2020-10189",
                  "CVE-2019-3398", "CVE-2019-8394", "CVE-2018-13379", "CVE-2019-19781")

Am I misinterpreting the results, perhaps?
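An added reconciliation query for advanced hunting (not part of the original post): it takes the same CVE list, checks which of those CVEs the Defender vulnerability knowledge base actually tracks as supported, and then lists, per onboarded device, which watchlist CVEs the software inventory matched, so hosts flagged by Qualys but silent in Defender can be compared side by side. The `QualysHosts` list is a constructed placeholder standing in for the device names from the Qualys export.

```kql
// Watchlist from the original post.
let Watchlist = dynamic([
    "CVE-2020-1472", "CVE-2019-0604", "CVE-2019-0708", "CVE-2014-1812",
    "CVE-2020-0688", "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-8581",
    "CVE-2019-11510", "CVE-2018-15961", "CVE-2019-11580", "CVE-2020-10189",
    "CVE-2019-3398", "CVE-2019-8394", "CVE-2018-13379", "CVE-2019-19781"]);
// Constructed placeholder: replace with the hostnames Qualys reported.
let QualysHosts = dynamic(["srv-placeholder-01", "srv-placeholder-02"]);
// Step 1: which watchlist CVEs does the Defender vulnerability KB know and support?
// A CVE that is unsupported (or absent) here can never appear in the inventory
// table, regardless of the device's real state.
let KbCoverage = DeviceTvmSoftwareVulnerabilitiesKB
    | where CveId in (Watchlist)
    | project CveId, IsSupported, VulnerabilitySeverityLevel, AffectedSoftware;
// Step 2: per device, latest onboarding status joined to matched watchlist CVEs.
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, OnboardingStatus, OSPlatform) by DeviceId, DeviceName
| join kind=leftouter (
    DeviceTvmSoftwareInventoryVulnerabilities
    | where CveId in (Watchlist)
    | join kind=inner KbCoverage on CveId
    | summarize MatchedCves = make_set(CveId),
                MatchedSoftware = make_set(SoftwareName) by DeviceId
  ) on DeviceId
| extend FlaggedByQualys = DeviceName in (QualysHosts)
| project DeviceName, OnboardingStatus, OSPlatform, FlaggedByQualys,
          MatchedCves, MatchedSoftware
| order by FlaggedByQualys desc, DeviceName asc
```

Devices that show `FlaggedByQualys == true` with an empty `MatchedCves` are the ones to inspect next: check `OnboardingStatus`, then whether the product Qualys flagged appears at all in `DeviceTvmSoftwareInventory` for that device.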
