Advanced hunting: updates to threat and vulnerability management tables

Published Mar 07 2021 01:00 AM
Microsoft

We are happy to announce that threat and vulnerability management tables in advanced hunting are being updated with an improved structure and additional data – now available in public preview. 

 

The existing ‘DeviceTvmSoftwareInventoryVulnerabilities’ table in advanced hunting, which currently combines both software inventory and vulnerabilities, is being deprecated and split into two new dedicated tables. 

 

This change is aimed at creating better clarity and reducing noise/complexity when using advanced hunting for common threat and vulnerability management scenarios. 

 

Newly introduced tables:

  1. DeviceTvmSoftwareInventory (see schema below) – This table serves as a complete list of all software on your devices, whether or not that software has any vulnerabilities.
    • No duplicate entries – unlike the old table, you get a single row for each software product installed on each device.
    • New fields – ‘EndOfSupportStatus’ and ‘EndOfSupportDate’ carry the end-of-support state (if applicable) for the specific software versions installed on devices.
  2. DeviceTvmSoftwareVulnerabilities (see schema below) – This table is dedicated to discovering vulnerabilities (CVEs) in the software present across all your devices.
    • New fields – ‘RecommendedSecurityUpdate’ and ‘RecommendedSecurityUpdateId’ list the missing security updates (KBs) for installed software.
       

To avoid breaking existing flows in the short term, the old advanced hunting table will continue to be temporarily available in the back-end for querying. However, to avoid future issues it’s strongly encouraged you switch to using the new tables at your earliest convenience.
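The following KQL query is an added example, not code from the post or from the Defender for Endpoint team, showing how the two new tables are meant to be used together: the inventory table supplies the end-of-support state and the vulnerabilities table supplies the open CVEs and the update that would close them. Only the four new field names come from the post; the other column names (DeviceId, DeviceName, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel) and the assumption that a software row with no end-of-support state reads "None" or is empty are taken from the documented schema and should be confirmed against the schema reference in your tenant.

```kusto
// Added example: end-of-support software that still has High/Critical CVEs open,
// with the recommended security update that would remediate them.
// Column names other than EndOfSupportStatus, EndOfSupportDate,
// RecommendedSecurityUpdate and RecommendedSecurityUpdateId are assumed from
// the documented schema; confirm them in the advanced hunting schema reference.
let EosSoftware =
    DeviceTvmSoftwareInventory
    // Assumption: rows with no end-of-support state are empty or "None".
    | where isnotempty(EndOfSupportStatus) and EndOfSupportStatus != "None"
    // Project only the join keys plus the new fields so the join does not
    // produce duplicate DeviceName/OS columns on the right side.
    | project DeviceId, SoftwareName, SoftwareVersion,
              EndOfSupportStatus, EndOfSupportDate;
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
// One row per (device, software, version) on the inventory side, so the
// join does not multiply vulnerability rows.
| join kind=inner EosSoftware on DeviceId, SoftwareName, SoftwareVersion
| summarize
    OpenCves   = dcount(CveId),
    SampleCves = make_set(CveId, 5),
    Updates    = make_set(RecommendedSecurityUpdateId)
    by DeviceId, DeviceName, SoftwareName, SoftwareVersion,
       EndOfSupportStatus, EndOfSupportDate
| order by OpenCves desc
```

Because the inventory table has a single row per installed software product per device, the inner join adds end-of-support context without duplicating vulnerability rows, which is the noise the old combined table produced; the `Updates` set gives the KB identifiers to track in your patching workflow.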

  

New table schemas: 

 

[Schema images: DeviceTvmSoftwareInventory.png, DeviceTvmSoftwareVulnerabilities.png]

 

For more information on advanced hunting tables in Microsoft Defender for Endpoint, read our advanced hunting documentation.

 

To get access to Microsoft Defender for Endpoint public preview capabilities, we encourage you to turn on preview features in the Microsoft Defender Security Center. We’re looking forward to hearing any feedback you may have.

 

Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you’re not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.

 

 

Microsoft Defender for Endpoint team

Last update: Jun 09 2021 12:12 PM