Microsoft Defender 365 threat and vulnerability management capabilities - Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk.
Login to Microsoft 365 Defender portal.
Role required to generate the API key: Microsoft Azure portal administrator
API permission: Application permissions
Generating API Key
Log in to the Microsoft Azure portal by using your Azure portal administrator credentials.
In the left navigation panel on the Home pane, click Azure Active Directory.
In the Overview pane, click App Registrations.
In the App registrations (Preview) pane, click New Registration.The Register an application form is displayed.
On the form, fill in the fields. Register an application
Name - Enter a name for the integration, for example: Vulcan Cyber MS TVM integration
Supported account types - Accounts in this organizational directory only
The Application (client) ID and Directory (tenant) ID are created. Enter these values on the configuration page in the Client ID and Tenant ID fields during the configuration step in the Vulcan connector configuration described below.
Once the Application (client) ID is displayed in the Vulcan Cyber MS TVM integration pane, click Add/Request API Permissions.
Select the Application Permissions option.
Navigate to APIs my organization uses, and then click Windows Defender ATP.
In the Vulcan Cyber MS TVM integration - API permissions pane, click Add a Permission.
Provide read access to machines, vulnerabilities, and security recommendations.
Click Grant Admin Consent for <your organization name>.
Navigate to Vulcan Cyber MS TVM integration > Certificates & Secrets, and then click New Client secret.
On the form, fill in the fields for Client secrets:
Description - application description
Expires - date of expiration
The Value field is populated with the new client secret, which is your new password.
Note: You will need this password when you are configuring the integration in the Vulcan connector configuration.
Save this password in a secure location. After you leave this page, this password is not available.
You have successfully created an application ID for authentication in the Microsoft Azure portal. Continue in the Vulcan platform.
Configuring Microsoft TVM Connector
Log in to your Vulcan Cyber platform and click on Connectors.
Click on the Add a Connector button.
Click on the Microsoft TVM icon.
Enter the following information into the connector setup page.
Tenant Id - previously created in Azure portal.
App Id - previously created in Azure portal.
API Token - secret key password previously generated.
Inactive Assets - In this example, the default value of 30 days is used. To remove inactive assets quicker or keep them longer, as seen by Microsoft TVM, change this value to suit your needs.
Once all information has been entered, click the Test Connectivity button to verify that Vulcan Cyber can connect to your Microsoft TVM instance, as shown below, and finally click the Create button.
Navigate to the Connectors page and once the Microsoft TVM icon shows as Connected, the connection is complete.
Locating Microsoft Defender threat and vulnerability management vulnerabilities in Vulcan Cyber
As Microsoft Defender threat and vulnerability management discovers vulnerabilities also named weaknesses, the Vulcan Cyber connector will import those vulnerabilities for reporting and action. With a large number of assets and potential vulnerabilities discovering specific vulnerabilities via source is made easy with filters.
Open the Vulcan Cyber dashboard and navigate to the Vulnerabilities section. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate Microsoft TVM on the vulnerability source list and click to filter results by Microsoft TVM.
Click on any vulnerability to view further information and potentially take action by clicking the Take Action drop-down and choosing an option, as shown below.
Locating Microsoft TVM assets in Vulcan Cyber
To view assets scanned managed by Microsoft TVM in Vulcan platform go to Assets tab, filter by Connector. choose Microsoft TVM. this should match the device inventory list in Microsoft TVM
Microsoft TVM API Permissions
Use in Vulcan
Why does it seem that Vulcan is showing more vulnerabilities than Microsoft TVM?
Data display logic for reported vulnerabilities is different between Vulcan and Microsoft TVM.
Both tools are showing the same data, with different modifications.
a common question about the difference is "Why there are more vulnerabilities in Vulcan for the same host?"
When Vulcan is ingesting an asset, that is affected by CVE-2022-44228, but affects the assets in different packages, the use will see the same CVE several times when the indication for the different package will be in the "i" icon.
Vulcan will consider every different package to be listed as a vulnerability instance, and as such, in some cases, it will show more vulnerability instances than the Microsoft TCM is showing.