Microsoft Defender Vulnerability Management Blog

Threat & Vulnerability Management APIs are now generally available

Efrat Kliger
Microsoft
Apr 14, 2020

We are excited to announce that Microsoft Defender Advanced Threat Protection (ATP) Threat & Vulnerability Management APIs are now generally available!


Threat & Vulnerability Management APIs can help drive more clarity in your organization with customized views into your security posture, and can also help alleviate your security teams’ workload. They do this by automating vulnerability management workflows, from data collection to risk score analysis, and by integrating its capabilities with your other organizational processes and solutions.


The new Threat & Vulnerability Management APIs are exposed through the standard Azure Active Directory-based authentication and authorization model, which gives developers and Software-as-a-Service (SaaS) applications easy access to their functionality. See our documentation for the available APIs and try them out using the Microsoft Defender ATP API Explorer tool.


Now, let’s look at how you can use Threat & Vulnerability Management APIs in your daily security administration work.


Create custom interface and reports

With Threat & Vulnerability Management APIs, you can create meaningful reports that draw on the solution's components (exposure score, installed software, vulnerabilities, and security recommendations) in an automated fashion, while keeping the flexibility to combine them as you need.


The custom interface that you’ll create can show just the right amount of information that you need at the right time, giving you a simpler task view or list for your day-to-day work. This can help streamline your user experience according to your organization’s needs.


In a previous blog, we walked you through creating custom reports using Microsoft Defender ATP APIs and Power BI. To build on the resources we shared for custom reports on GitHub, you can now also use this Threat & Vulnerability Management dashboard.


Save time and resources through automation

The APIs are designed for automation-focused security teams: you can identify and expose common, repeatable activities, stop worrying about routine tasks, and start investing in your broader vulnerability management strategy.

Looking for a good place to start? Check out the linked Power Automate flow to automate email notification on any new vulnerabilities that meet the criteria of your organization.


To set this up:

  1. Follow the steps described here to create an app that can access Microsoft Defender ATP APIs. Grant the app the Vulnerability.Read.All permission.
  2. Import the TVM_FlowSample.Zip file linked to this blog into your Power Automate environment.
  3. Configure the Get vulnerabilities HTTP action with your app details.
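As an added example (not the blog's code or the linked TVM_FlowSample flow), the same notification logic in Python: a client-credentials token for an app granted Vulnerability.Read.All, a call to the List vulnerabilities endpoint, and a filter that decides which new CVEs deserve an email. The publishedOn OData filter and the notification criteria (exposed machines, plus a CVSS threshold or a public exploit) are assumptions, and the sample records and their CVE IDs are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
API_ROOT = "https://api.securitycenter.microsoft.com"  # Defender ATP API host


def get_token(tenant_id, app_id, app_secret):
    """Client-credentials token for an app granted Vulnerability.Read.All."""
    body = urllib.parse.urlencode({
        "resource": API_ROOT,
        "client_id": app_id,
        "client_secret": app_secret,
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant_id), body) as r:
        return json.load(r)["access_token"]


def vulnerabilities_url(published_after):
    """List vulnerabilities URL; the publishedOn OData filter is an assumption."""
    odata = "$filter=" + urllib.parse.quote(f"publishedOn gt {published_after}")
    return f"{API_ROOT}/api/vulnerabilities?{odata}"


def list_vulnerabilities(token, published_after):
    """GET the filtered vulnerability list with the bearer token."""
    req = urllib.request.Request(vulnerabilities_url(published_after),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)["value"]


def needs_notification(vuln, min_cvss=7.0):
    """Assumed criteria: exposed machines, and high CVSS or a public exploit."""
    return vuln["exposedMachines"] > 0 and (
        vuln["cvssV3"] >= min_cvss or vuln["publicExploit"])


def select_for_email(vulns):
    """IDs to put in the notification, highest CVSS first."""
    chosen = [v for v in vulns if needs_notification(v)]
    chosen.sort(key=lambda v: (-v["cvssV3"], v["id"]))
    return [v["id"] for v in chosen]


# Constructed sample records in the shape the API returns (placeholder IDs).
SAMPLE = [
    {"id": "CVE-0000-0001", "cvssV3": 9.8, "exposedMachines": 12, "publicExploit": False},
    {"id": "CVE-0000-0002", "cvssV3": 5.3, "exposedMachines": 40, "publicExploit": True},
    {"id": "CVE-0000-0003", "cvssV3": 8.1, "exposedMachines": 0, "publicExploit": True},
    {"id": "CVE-0000-0004", "cvssV3": 6.5, "exposedMachines": 3, "publicExploit": False},
]
```

Running `select_for_email(list_vulnerabilities(get_token(...), last_run_time))` on a schedule gives the flow's "new vulnerabilities meeting our criteria" list; the secret should come from a vault or environment variable, never from the script.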


Get data visibility across solutions

You can invoke the API to drive data exchange between Microsoft Defender ATP Threat & Vulnerability Management and other solutions in your environment. In addition to ad-hoc integrations, we are constantly working on extending our network of partners.


Skybox® Security, a global leader in cybersecurity management, announced its partnership with Microsoft Defender ATP and the Microsoft Intelligent Security Association (MISA). This partnership will strengthen Skybox’s vulnerability detection capabilities with the inclusion of critical data from Threat & Vulnerability Management. It thereby expands Skybox’s vulnerability management for enterprises that continue to deploy workloads across hybrid and cloud network environments. Learn more about the integration here and watch this video for details.


If you would like to see additional integrations with Microsoft Defender ATP, go to the Partner Application page in the Microsoft Defender Security Center, and click Recommend other partners.


Solutions that can empower your organization

A typical enterprise depends on multiple security systems to operate and to combat advanced cyber adversaries. At Microsoft, we believe that when these solutions work together, you gain greater efficiency, speed, and stronger defenses. Threat & Vulnerability Management APIs can help empower you to deliver greater value to your vulnerability management program.


As always, we welcome and appreciate your feedback.
Efrat Kliger 


Updated Jul 16, 2020
Version 11.0
  • Hi SteveEllis , the dashboard should work fine for large organizations as well. Feel free to contact us here if you encounter any issue.

  • bthomas , we are working on exposing a new Incident API for MTP that would cover Incidents from the different workloads. I would be happy to include you in the private preview once available. Stay tuned!

  • SteveEllis
    Copper Contributor

    Will people with very large deployments need to modify the TVM dashboard queries due to the 10,000 row return in line with API limits?

  • bthomas
    Iron Contributor

    Will the API be able to get information from the Microsoft 365 security portal (https://security.microsoft.com/)?

    We are looking into using this portal within our organization and building automation around it, but currently I don't seem to be able to get the information about the incident IDs that are created on that portal and are not related to MDATP.

  • bthomas
    Iron Contributor

    Efrat Kliger That's good to hear. What do you need from my end to get included in the private preview (once available)?

  • Arjen_Gerritsen
    Copper Contributor

    Hi,

    APIs are a great starting point. I have two questions:

    1) Authentication using local tokens

    In contrast to using App Registration Service Principals, for the Azure REST API we normally log on using locally cached credentials. I wonder if users having the role Security Administrator or Security Reader can obtain access to the Threat & Vulnerability Management APIs. The same question applies to Service Principals that are used in Azure DevOps PowerShell tasks, where we usually grab the local tokens for the logged-on Service Connection. Using App Registration Service Principals only involves exposing secrets to users, which is not very desirable. I tried using the locally cached tokens, but got 401 Unauthorized errors returned.

    2) Machines data model

    When listing machines, the data is missing the unique Azure Resource ID. The only way of finding the machine is by its name and IP address, which in a multi-subscription, multi-resource-group environment may not be uniquely identifiable. Neither does it work the other way around, where a known VM may not be found only by its name and IP address. Is it possible to include the Azure unique Resource ID in the dataset, as it can be found in the Azure Metadata Instance API (see https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service)?

    Thanks a lot in advance.

    Arjen

  • lorisscandurra
    Copper Contributor

    Thank you for the post, Efrat.

    Is it possible to also write back information with the API?

    We want to integrate the information from the Vulnerability Management into our ticket tool and want to write back information if we decide that this vulnerability is an exception. In the documentation I found only ways to get information from the API but not to write back.

    Thank you in advance for your answer.