How is the software inventory created in MDATP?


Can anyone tell me exactly how the software inventory is created in MDATP? We have about 600 packaged applications, but only 200 are shown in the software inventory. When I look at the software inventory directly on a client, everything is correct. But I noticed that the global software inventory only shows applications that have a "Product Code (CPE)". How is this product code generated or where does it come from? And why do only about one third of my applications have this code? Even many Microsoft products do not have this code.

 


12 Replies

@philippwree I am not 100% sure about the functionality, so I also hope for a deep-dive answer.
But as far as I understood from the documentation and the last webinars, the software inventory depends on the EDR system.
Defender ATP is a discovery system and not a scanning system, which means that software can only be detected if it produces an event in your logs.

The Docs also say this to some extent, but not clearly enough: https://docs.microsoft.com/de-de/windows/security/threat-protection/microsoft-defender-atp/tvm-softw...

 

So if you are missing some software, maybe it was not used yet. But if you use the software on a daily basis, then Microsoft should clarify this.

@NiklasM Thanks, I'll check it out.

Unfortunately this was not the solution. I have used some of the missing applications extensively, but they were still not listed in the software inventory.

 

Additionally, I noticed that the product code (CPE) in the individual software inventory of a device is set to "not available", but when I export the software inventory, the product code is available.

 

Dashboard: [screenshot]

Export: [screenshot]

@Gilad_Mittelman @Tomer Teller @Efrat Kliger Maybe you can assist here? Or do you have a Microsoft colleague with the appropriate information?

@philippwree - Thank you for the feedback. Your analysis is accurate.

We currently do not reflect Non-CPE products in the main software inventory page; this is planned to be fixed in the upcoming months.

 

 

@Tomer Teller sorry for chasing you, but can you please explain in a few more sentences the end-to-end process of how https://securitycenter.microsoft.com/software-inventory and https://securitycenter.microsoft.com/vulnerabilities get collected? Frequency, timeouts, does it use Windows Update or the registry, etc.

Is there a blog or webinar from Microsoft explaining this subject so you do not have to repeat the information? We have customer questions while the official Microsoft documentation does not have any details at all. Best regards, Serg.

Is there any update to OP's question? Maybe in the official documentation or forum?
I have the same questions for our environment. I have applications I've updated, removed, etc., and am wondering how quickly and how these changes correlate with discovered vulnerabilities.

If software is updated or removed, then I expect the discovered vulnerabilities to update within a time frame.

If software is added, updated, or removed, then I expect the software inventory and security recommendations list to reflect the changes within a time frame.

@byertjames 

 

Please find below the answers to the questions asked:

1. How often does the software inventory list in MS 365 Defender get updated?

TVM Software Inventory data freshness is currently 3-4h (upper limit, can also be less).

Please refer to the screenshots below for the information:

byertjames_0-1626195832926.jpeg

byertjames_1-1626195832930.jpeg

2. Can we use a command line or PowerShell to trigger a software inventory scan?

There is no command line or PowerShell or anything else to trigger an inventory scan/update.

 

In addition to that, if you have any further queries regarding the issue, please let me know.

 

Appreciate your time and patience.

 

Awaiting your reply.

 

With Best Regards,

Truptesh Fulpagare | Microsoft Security


Now 14 months have passed. Is there any new status for reflecting Non-CPE products in the main software inventory page?

@philippwree - While this capability was indeed deferred in previous releases, the good news is that it will land this Q4.

@byertjames Where is the link to this screenshot?

@gd2020 

That screenshot was from the old version of the website, now rolled into Microsoft 365 Defender.

Software inventory in Defender Vulnerability Management | Microsoft Learn

I believe this direct link can take you there:

https://security.microsoft.com/vulnerability-management-inventories/applications

You now have to select the relevant row and, in the side pane, click on "Report inaccuracy" as needed.
