Microsoft Defender Vulnerability Management Connector

Learn all about integrating Microsoft TVM into the Vulcan Platform

Updated over 8 months ago

Overview

About Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Leveraging Microsoft threat intelligence, breach likelihood predictions, business contexts, and device assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.

Why integrate Microsoft Defender Vulnerability Management into the Vulcan platform?

The Microsoft Defender Vulnerability Management Connector by Vulcan integrates with the Microsoft Defender Vulnerability Management platform to pull and ingest host assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data, which then informs risk and remediation priority.

Microsoft Defender Vulnerability Management Connector Details

Supported products

| Category | Endpoint Security |
| Ingested asset type(s) | Hosts |
| Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
| Supported version and type | SaaS (latest) |


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the Tenant (Directory) ID, Application (client) ID, and Client secret (API Token).

Generating Microsoft Defender Vulnerability Management Application IDs and Client Secret

Log in to the Microsoft Azure portal by using your Azure portal administrator credentials.

  1. In the left navigation panel on the Home pane, click Azure Active Directory.

  2. In the Overview pane, click App Registrations.

  3. In the App Registrations (Preview) pane, click New Registration. The Register an application form is displayed.

  4. On the Register an application form, fill in the fields:

    • Name - Enter a name for the integration, for example: Vulcan Cyber MS TVM integration

    • Supported account types - Accounts in this organizational directory only

  5. Click Register.
    The Application (client) ID and Directory (tenant) ID are created. Save (copy+paste) these IDs somewhere safe.

  6. When you see the Application (client) ID displayed in the Vulcan Cyber MS TVM integration pane, click Add API Permissions.

  7. Navigate to APIs my organization uses, and then click Windows Defender ATP.

  8. In the Vulcan Cyber MS TVM integration - API permissions pane, click Add a Permission.

  9. Provide read access to machines, vulnerabilities, and security recommendations.

  10. Click Grant Admin Consent for <your organization name>.

  11. Navigate to Vulcan Cyber MS TVM integration > Certificates & Secrets, and then click New Client Secret.

  12. On the form, fill in the fields for Client secrets:

    • Description - Application description

    • Expires - date of expiration

  13. Click Add.

    The Value field is populated with the new client secret, which is your new password.

    Note: You will need this password when you are configuring the integration in the Vulcan connector configuration.

  14. Save this password in a secure location. After you leave this page, this password is not available.

    You have successfully created an application ID for authentication in the Microsoft Azure portal. Continue in the Vulcan platform.
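A least-privilege check for the app registration created above, as an added example that is not part of the original page or of Vulcan's code: it decodes the `roles` claim that an Azure AD app-only access token carries and compares it with the read permissions named in step 9. The sample token is constructed and unsigned so the check runs offline; the function names are hypothetical.

```python
import base64
import json

# Application permissions that satisfy each data set, per "API Endpoints in Use".
# Assumption: an app-only (client secret) token carries only the ".All" variants.
ACCEPTED = {
    "machines": {"Machine.Read.All", "Machine.ReadWrite.All"},
    "vulnerabilities": {"Vulnerability.Read.All"},
    "security recommendations": {"SecurityRecommendation.Read.All"},
}
READ_ONLY = {"Machine.Read.All", "Vulnerability.Read.All", "SecurityRecommendation.Read.All"}


def decode_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(claims: dict) -> dict:
    """Report data sets with no granted role and roles broader than read-only."""
    granted = set(claims.get("roles", []))
    return {
        "uncovered": sorted(name for name, ok in ACCEPTED.items() if not granted & ok),
        "beyond_read_only": sorted(granted - READ_ONLY),
    }


def make_sample_token(roles: list) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64({"roles": roles}) + "."


if __name__ == "__main__":
    # Constructed case: one write-capable role granted, one data set not covered.
    token = make_sample_token(["Machine.ReadWrite.All", "Vulnerability.Read.All"])
    print(audit_roles(decode_claims(token)))
```

An empty `beyond_read_only` list together with an empty `uncovered` list means the registration grants exactly the read access the connector needs.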

Configuring the Microsoft Defender Vulnerability Management Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Microsoft TVM icon.

  4. Set up the Connector as follows:

    • Enter the Tenant (Directory) ID, Application (client) ID, and Client secret (API Token) you created earlier.

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Microsoft Defender Vulnerability Management instance, then click Create (or Save Changes).

  6. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

    The “Immediately remove this connector's assets when their status is <x>” selection allows you to avoid ingesting assets whose status is selected into Vulcan.
    The TVM statuses that can be filtered are the Sensor health states for devices onboarded to Microsoft Defender for Endpoint:

    • Active: Devices that are actively reporting sensor data to the service.

    • Inactive: Devices that have stopped sending signals for more than 7 days.

    • Misconfigured: Devices that have impaired communications with service or cannot send sensor data. Misconfigured devices can further be classified into:
      - No sensor data
      - Impaired communications

  7. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  8. To confirm the sync is complete, navigate to the Connectors page. Once the Microsoft TVM icon shows Connected, the sync is complete.


Microsoft Defender Vulnerability Management in the Vulcan Platform

Viewing Defender Vulnerability Management vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select Defender Vulnerability Management from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing Defender Vulnerability Management assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab.

  3. Use the Search or filter input box to select Connector from the drop-down selection.

  4. Select Defender Vulnerability Management from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by Defender Vulnerability Management

To take remediation action on vulnerabilities and assets detected by Defender Vulnerability Management:

  1. Go to Vulnerabilities / Assets Page.

  2. Click on the Search and Filter input box and select Connector from the drop-down selection.

  3. Locate the Defender Vulnerability Management option to view all synced vulnerabilities/assets.

  4. Select the relevant Vulnerability/Asset.

Automating remediation actions on vulnerabilities detected by Defender Vulnerability Management

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Defender Vulnerability Management Connector.


From Microsoft Defender Vulnerability Management to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Microsoft Defender Vulnerability Management through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.

Hosts field mapping

| Microsoft Defender Vulnerability Management field | Vulcan field |
|---|---|
| id | Asset uniqueness criteria |
| computerDnsName | Asset Name |
| healthStatus, exposureLevel | Asset Details |
| Host | Asset Type |
| lastIpAddress, lastExternalIpAddress (if the "Map external IP to asset" checkbox is checked) | Asset IP |
| osPlatform | Asset OS |
| osPlatform + osArchitecture + (osVersion OR version) | Asset OS Version |
| firstSeen | Asset Created date |
| lastSeen | Asset Last seen date |
| healthStatus | Asset Status |
| computerDnsName, rbacGroupName (Device group), machineTags, lastIpAddress, lastExternalIpAddress (if the "Map external IP to asset" checkbox is checked), healthStatus, exposureLevel, osPlatform | Asset Tags - Vendor's tags |
| cveId | Vulnerability uniqueness criteria |
| cveId | Vulnerability Title |
| description | Vulnerability Description |
| severity, published_on, exploit_types, exploit_uris | Vulnerability Details |
| If cvssScore, then cvssScore. Else, use severity (using the logic described in the Vulnerability Score Mapping section) | Vulnerability CVSS |
| cveId | Vulnerability CVE/S |
| softwareName | Affected Packages |
| asset id + softwareVendor + softwareName + softwareVersion + vulnerability id | Asset-Vulnerability connection uniqueness criteria |
| firstSeenTimestamp | Asset-Vulnerability connection First seen |
| lastSeenTimestamp | Asset-Vulnerability connection Last seen |
| softwareName, softwareVersion | Packages |
| softwareVendor, softwareName, softwareVersion, recommendedSecurityUpdate, recommendedSecurityUpdateUrl | Asset-Vulnerability connection Info tool tip (from Assets screen) |
| recommendationReference | Solution uniqueness criteria |
| Fix for cveId | Solution Title |
| recommendationName | Solution Description |

Vulnerability status mapping

| Microsoft Defender Vulnerability Management score Status | Vulcan Status |
|---|---|
| New, Updated | Vulnerable |
| Fixed | Fixed |

Vulnerability score mapping

| Microsoft Defender Vulnerability Management Score | Vulcan score |
|---|---|
| Critical | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| - | 0 |

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The table below lists how the status update mechanism works in the Microsoft Defender Vulnerability Management connector for the vulnerabilities and assets in the Vulcan Platform.

| Update type | Mechanism |
|---|---|
| Archiving Assets | (1) An asset not found on the connector's last sync is archived and no longer presented on the Vulcan platform. (2) By X days according to "Last seen": if the asset hasn't been seen for X days, it will be archived from the Vulcan Platform. (3) By the asset's status "Inactive" on the vendor's side. |
| Change of vulnerability instances status from "Vulnerable" to "Fixed" | If the vulnerability no longer appears in the scan findings, the Vulcan Platform marks it as "Fixed". |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
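The score fallback, status mapping, instance uniqueness key and "Fixed" transition from the tables above, worked through two daily syncs as an added example; this is not Vulcan's own code. The `status` key name, the function names and the sample records (placeholder CVE ids) are assumptions made for illustration.

```python
# Severity -> score and status tables copied from the mapping tables on this page.
SEVERITY_SCORE = {"Critical": 10, "High": 7, "Medium": 5, "Low": 3}
STATUS = {"New": "Vulnerable", "Updated": "Vulnerable", "Fixed": "Fixed"}


def vulcan_cvss(rec: dict) -> float:
    """Use cvssScore when present; otherwise fall back to the severity mapping."""
    if rec.get("cvssScore") is not None:
        return float(rec["cvssScore"])
    return float(SEVERITY_SCORE.get(rec.get("severity"), 0))  # "-" or unknown -> 0


def instance_key(asset_id: str, rec: dict) -> tuple:
    """Asset-vulnerability connection uniqueness criteria from the mapping table."""
    return (asset_id, rec["softwareVendor"], rec["softwareName"],
            rec["softwareVersion"], rec["cveId"])


def sync(previous: dict, asset_id: str, findings: list) -> dict:
    """Return {instance_key: {"cvss", "status"}} for one asset after one sync.

    Instances known from `previous` (this asset's last sync) that are absent
    from `findings` become "Fixed", as the status update table describes.
    """
    current = {}
    for rec in findings:
        current[instance_key(asset_id, rec)] = {
            "cvss": vulcan_cvss(rec),
            "status": STATUS[rec["status"]],  # "status" key name is an assumption
        }
    for key, inst in previous.items():
        if key not in current:
            current[key] = {**inst, "status": "Fixed"}
    return current


# Constructed sample records (placeholder CVE ids, not real findings).
DAY1 = [
    {"cveId": "CVE-0000-0001", "softwareVendor": "examplevendor",
     "softwareName": "exampleapp", "softwareVersion": "1.0",
     "severity": "High", "cvssScore": 8.8, "status": "New"},
    {"cveId": "CVE-0000-0002", "softwareVendor": "examplevendor",
     "softwareName": "exampleapp", "softwareVersion": "1.0",
     "severity": "Medium", "cvssScore": None, "status": "New"},
]
DAY2 = [dict(DAY1[0], status="Updated")]  # second finding no longer reported

if __name__ == "__main__":
    print(sync(sync({}, "asset-1", DAY1), "asset-1", DAY2))
```

Because the key includes softwareVersion, an upgraded package produces a new instance while the old one drops out of the findings and is marked "Fixed".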

Support and Expected Behaviour

Support and expected behavior remarks:

  • Solution Handling: It's important to note that the recommendedSecurityUpdate fields are not mapped as solutions. This is because they are unique to the vuln-asset connection (AKA, instance) rather than the vulnerability itself.

  • External IPs for Assets: The connector will provide external IP addresses for assets only when the "Map external IP to asset" checkbox is selected, which is enabled by default.

  • Vulnerability Status: Only records labeled as "Vulnerable" are retrieved from the SoftwareVulnerabilitiesByMachine endpoint. To identify fixed records, they must be indicated as such in the SoftwareVulnerabilityChangesByMachine endpoint.

  • Vulnerability Enrichment: Records are enriched only if the exposedMachines value is greater than 0.

  • Solution Enrichment: Enrichment is performed solely on records where the totalMachineCount value exceeds 0.

API Endpoints in Use

API version: 1.0

| API | Use in Vulcan | Permissions required |
|---|---|---|
| | Authentication for other endpoints | None |
| | Assets | Machine.Read.All, Machine.ReadWrite.All, Machine.Read, Machine.ReadWrite |
| | Vulnerabilities, solutions, asset-vulnerability connections | Vulnerability.Read.All, Vulnerability.Read |
| | Vulnerabilities, solutions, asset-vulnerability connections | Vulnerability.Read.All, Vulnerability.Read |
| | Vulnerability enrichment | Vulnerability.Read.All, Vulnerability.Read |
| | Solution enrichment | SecurityRecommendation.Read.All, SecurityRecommendation.Read |

