Microsoft Defender Vulnerability Management helps organizations identify and remediate security vulnerabilities in their environment.
It provides a centralized view of vulnerabilities across all device types in an organization and prioritizes them based on severity and exploitability.
Defender Vulnerability Management provides an export API that allows programmatic access to vulnerability data. The API can be used to automate vulnerability management tasks, integrate vulnerability data with other security tools, and generate custom reports and dashboards.
In this blog, we will share guidance and best practices for using Defender Vulnerability Management Export API including:
Export API is used for publishing raw data of all known software vulnerabilities and their details for devices in the organization.
Method |
Explanation |
JSON response
|
|
Files
|
|
More details can be seen here: Export software vulnerabilities assessment per device | Microsoft Learn
API Method |
Details |
|
SoftwareVulnerabilitiesExport |
Software vulnerabilities data by machine |
Export software vulnerabilities assessment per device | Microsoft Learn |
SoftwareInventoryExport |
software data by machine |
Export software inventory assessment per device | Microsoft Learn |
InfoGatheringExport |
|
|
SoftwareInventoryNonCpeExport |
non cpe products by machine |
Export non product code software inventory assessment per device | Microsoft Learn |
SecureConfigurationsAssessmentExport |
SCA data by machine(configurations) |
Export secure configuration assessment per device | Microsoft Learn |
HardwareFirmwareInventoryExport |
firmware data by machine |
Hardware and firmware assessment methods and properties per device | Microsoft Learn |
BrowserExtensionsInventoryExport |
browser extensions by machine |
|
BaselineComplianceAssessmentExport |
Baseline data by machine |
Security baseline assessment methods and properties per device | Microsoft Learn |
CertificateAssessmentExport |
certificates data by machine |
Certificate assessment methods and properties per device | Microsoft Learn |
With the API Explorer, you can:
To start, Open Defender portal and navigate to ‘Endpoints-Partners and API-API Explorer ‘
Based on the required data to explore, add the suffix to the API call.
In the example, we will use software vulnerabilities:
https://api.security.microsoft.com/api/machines/SoftwareVulnerabilitiesExport
In case of large amounts of data, Organizations can use the below steps to avoid pulling all defender vulnerability management data every day and still ensure data in export is up to date:
1.Pull ‘Export software vulnerabilities assessment’ once a week
2.Pull ‘Delta export software vulnerabilities assessment’ once a day
3.Join the full snapshot with the delta file based on Device ID, Software name and version and CVE ID
4.Latest ‘Event time stamp’ indicate on the latest status of a specific CVE
Using Defender Vulnerability Management Export API customers can build custom reports and dashboards per the organization needs. We have seen organizations build anything executive or management reports to detailed vulnerability management dashboards.
There are variety of methods to use the API such as Power-Automate, Power BI, , Advanced hunting using Python, Advanced hunting using PowerShell, Using OData queries.
One example to get started is to use Defender Vulnerability Management Power BI templates which enable out of the box reports such as Organization existing vulnerabilities, Software inventory, Missing Windows security updates and more.
You can download the templates here.
Defender Vulnerability Management data can be integrated in other security tools. Below examples of both Microsoft and non-Microsoft tools:
Microsoft Intune
Integration with Microsoft Intune allows customers to ‘Request Remediation’ to vulnerability security recommendations. This will create an Intune package deployment request and remediation activity item within the security portal, which can be used for monitoring the remediation progress for this recommendation.
Use Sentinel to store Defender Vulnerability Management history data. This can be used to integrate vulnerability data with other XDR workflows data, build a custom dashboard and as part of it reflect vulnerability management trends and more. To store Defender Vulnerability Management data, please follow the below:
Please make sure any analytic rules/hunting queries/workbooks or any content that is related to Defender Vulnerability Management data is directed to the tables you have created.
Exposure Management integrates with Defender Vulnerability Management helping security managers to continuously assess and analyze vulnerabilities and misconfigurations across the organization's digital landscape. In the Vulnerability Assessment initiative users can actively identify, prioritize, track and delegate vulnerabilities within the IT infrastructure and the cloud. Users gain real-time visibility into the security posture of their organization, enabling data-driven decision-making for resource investment and placement.
To learn more about, see documentation about security initiatives or blog series introducing Exposure Management.
for additional Defender Vulnerability Management, please visit Documentation page and Ninja page
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.