Using Export API with Defender Vulnerability Management

Microsoft Defender Vulnerability Management helps organizations identify and remediate security vulnerabilities in their environment.

It provides a centralized view of vulnerabilities across all device types in an organization and prioritizes them based on severity and exploitability.  

Defender Vulnerability Management provides an export API that allows programmatic access to vulnerability data. The API can be used to automate vulnerability management tasks, integrate vulnerability data with other security tools, and generate custom reports and dashboards. 

In this blog, we will share guidance and best practices for using Defender Vulnerability Management Export API including:

• Overview of the Export API
• Available API methods using Export API
• Using API Explorer  
• Managing large data sets and ensuring exports are up to date
• Use Export API to build custom dashboards/reports
•  Defender Vulnerability Management data integrated in other tools

Overview of the Export API data types

Export API is used for publishing raw data of all known software vulnerabilities and their details for devices in the organization.

• There are two export API methods: JSON response and files.  

• Export software vulnerabilities assessment filter options: RbacName, $skiptoken, $top, pageSize
• Delta export software vulnerabilities assessment filter options: RbacName ,  $skiptoken, $top, pageSize, sinceTime

More details can be seen here: Export software vulnerabilities assessment per device | Microsoft Learn

Available API methods using Export API

via files:

JSON response: 

Using API Explorer from security portal

With the API Explorer, you can:

• Run requests for any method and see responses in real-time
• Quickly browse through the API samples and learn what parameters they support
• Make API calls with ease

To start, Open Defender portal and navigate to ‘Endpoints-Partners and API-API Explorer ‘ 

Based on the required data to explore, add the suffix to the API call.

In the example, we will use software vulnerabilities:

https://api.security.microsoft.com/api/machines/SoftwareVulnerabilitiesExport

• Run the query 
• To check its working and export to excel: 
• Copy one of the files URL from the results: 

• Open it in website and save the JSON file 
• Extract the JSON file 
• Open excel , click on ‘Data’ tab->get data->from file->from JSON and choose the file you saved above 

Managing large data sets and ensuring exports are up to date 

In case of large amounts of data, Organizations can use the below steps to avoid pulling all defender vulnerability management data every day and still ensure data in export is up to date:  

1.Pull ‘Export software vulnerabilities assessment’ once a week 

2.Pull ‘Delta export software vulnerabilities assessment’ once a day  

3.Join the full snapshot with the delta file based on Device ID, Software name and version and CVE ID

4.Latest ‘Event time stamp’ indicate on the latest status of a specific CVE 

Use Export API to build custom dashboards/reports

Using Defender Vulnerability Management Export API customers can build custom reports and dashboards per the organization needs. We have seen organizations build anything executive or management reports to detailed vulnerability management dashboards.

There are variety of methods to use the API such as  Power-Automate, Power BI, , Advanced hunting using Python, Advanced hunting using PowerShell, Using OData queries.

One example to get started is to use Defender Vulnerability Management Power BI templates which enable out of the box reports such as Organization existing vulnerabilities, Software inventory, Missing Windows security updates and more.

You can download the templates here.

Defender Vulnerability Management data integrated in other tools

Defender Vulnerability Management data can be integrated in other security tools. Below examples of both Microsoft and non-Microsoft tools:

Microsoft Intune

Integration with Microsoft Intune allows customers to ‘Request Remediation’ to vulnerability security recommendations. This will create an Intune package deployment request and remediation activity item within the security portal, which can be used for monitoring the remediation progress for this recommendation.

ServiceNow Vulnerability Response

Microsoft Sentinel

Use Sentinel to store Defender Vulnerability Management history data. This can be used to integrate vulnerability data with other XDR workflows data, build a custom dashboard and as part of it reflect vulnerability management trends and more. To store Defender Vulnerability Management data, please follow the below:

Azure-Sentinel/DataConnectors/M365Defender-VulnerabilityManagement at master · Azure/Azure-Sentinel (github.com)

Please make sure any analytic rules/hunting queries/workbooks or any content that is related to Defender Vulnerability Management data is directed to the tables you have created.

Microsoft Security Exposure Management

Exposure Management integrates with Defender Vulnerability Management helping security managers to continuously assess and analyze vulnerabilities and misconfigurations across the organization's digital landscape. In the Vulnerability Assessment initiative users can actively identify, prioritize, track and delegate vulnerabilities within the IT infrastructure and the cloud. Users gain real-time visibility into the security posture of their organization, enabling data-driven decision-making for resource investment and placement.

To learn more about, see documentation about security initiatives or blog series introducing Exposure Management.

for additional Defender Vulnerability Management, please visit Documentation page and Ninja page