Overview
About Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Leveraging Microsoft threat intelligence, breach likelihood predictions, business context, and device assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.
Why integrate Microsoft Defender Vulnerability Management into the Vulcan platform?
The Microsoft Defender Vulnerability Management Connector by Vulcan integrates with the Microsoft Defender Vulnerability Management platform to pull and ingest host assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
Microsoft Defender Vulnerability Management Connector Details
Supported products | |
Category | Endpoint Security |
Ingested asset type(s) | Hosts |
Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the Tenant (Directory) ID, Application (client) ID, and Client secret (API Token).
Generating Microsoft Defender Vulnerability Management Application IDs and Client Secret
Log in to the Microsoft Azure portal by using your Azure portal administrator credentials.
In the left navigation panel on the Home pane, click Azure Active Directory.
In the Overview pane, click App Registrations.
In the App Registrations (Preview) pane, click New Registration. The Register an application form is displayed.
On the Register an application form, fill in the fields:
Name - Enter a name for the integration, for example: Vulcan Cyber MS TVM integration
Supported account types - Accounts in this organizational directory only
Click Register.
The Application (client) ID and Directory (tenant) ID are created. Save (copy+paste) these IDs somewhere safe.
When you see the Application (client) ID displayed in the Vulcan Cyber MS TVM integration pane, click Add API Permissions.
Navigate to APIs my organization uses, and then click Windows Defender ATP.
In the Vulcan Cyber MS TVM integration - API permissions pane, click Add a Permission.
Provide read access to machines, vulnerabilities, and security recommendations.
Click Grant Admin Consent for <your organization name>.
Navigate to Vulcan Cyber MS TVM integration > Certificates & Secrets, and then click New Client Secret.
On the form, fill in the fields for Client secrets:
Description - Application description
Expires - date of expiration
Click Add.
The Value field is populated with the new client secret, which is your new password.
Note: You will need this password when you are configuring the integration in the Vulcan connector configuration.
Save this password in a secure location. After you leave this page, this password is not available.
You have successfully created an application ID for authentication in the Microsoft Azure portal. Continue in the Vulcan platform.
Configuring the Microsoft Defender Vulnerability Management Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Microsoft TVM icon.
Set up the Connector as follows:
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Microsoft Defender Vulnerability Management instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
The “Immediately remove this connector's assets when their status is <x>” selection allows you to avoid ingesting assets whose status is selected into Vulcan.
The TVM statuses that can be filtered are the sensor health states for devices onboarded to Microsoft Defender for Endpoint:
Active: Devices that are actively reporting sensor data to the service.
Inactive: Devices that have stopped sending signals for more than 7 days.
Misconfigured: Devices that have impaired communications with the service or cannot send sensor data. Misconfigured devices can further be classified into:
- No sensor data
- Impaired communications
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Microsoft TVM icon shows Connected, the sync is complete.
Microsoft Defender Vulnerability Management in the Vulcan Platform
Viewing Defender Vulnerability Management vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select Defender Vulnerability Management from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing Defender Vulnerability Management assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or filter input box to select Connector from the drop-down selection.
Select Defender Vulnerability Management from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type
Taking Action on vulnerabilities and assets detected by Defender Vulnerability Management
To take remediation action on vulnerabilities and assets detected by Defender Vulnerability Management:
Go to Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the Defender Vulnerability Management option to view all synced vulnerabilities/assets.
Select the relevant Vulnerability/Asset.
Click Take Action.
Automating remediation actions on vulnerabilities detected by Defender Vulnerability Management
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Defender Vulnerability Management Connector.
From Microsoft Defender Vulnerability Management to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Microsoft Defender Vulnerability Management through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Hosts field mapping
Microsoft Defender Vulnerability Management field | Vulcan field |
id | Asset uniqueness criteria |
computerDnsName | Asset Name |
healthStatus, exposureLevel | Asset Details |
Host | Asset Type |
lastIpAddress, lastExternalIpAddress (if the "Map external IP to asset" checkbox is checked) | Asset IP |
osPlatform | Asset OS |
osPlatform + osArchitecture + (osVersion OR version) | Asset OS Version |
firstSeen | Asset Created date |
lastSeen | Asset Last seen date |
healthStatus | Asset Status |
computerDnsName, rbacGroupName (Device group), machineTags, lastIpAddress, lastExternalIpAddress (if the Map external IP to asset checkbox is checked), healthStatus, exposureLevel, osPlatform | Asset Tags - Vendor’s tags |
cveId | Vulnerability uniqueness criteria |
cveId | Vulnerability Title |
description | Vulnerability Description |
severity, published_on, exploit_types, exploit_uris | Vulnerability Details |
If cvssScore is present, use cvssScore; otherwise, use severity (using the logic described in the Vulnerability Score Mapping section) | Vulnerability CVSS |
cveId | Vulnerability CVE/S |
softwareName | Affected Packages |
asset id + softwareVendor + softwareName + softwareVersion + vulnerability id | Asset-Vulnerability connection uniqueness criteria |
firstSeenTimestamp | Asset-Vulnerability connection First seen |
lastSeenTimestamp | Asset-Vulnerability connection Last seen |
softwareName, softwareVersion | Packages |
softwareVendor, softwareName, softwareVersion, recommendedSecurityUpdate, recommendedSecurityUpdateUrl | Asset-Vulnerability connection Info tool tip (from Assets screen) |
recommendationReference | Solution uniqueness criteria |
Fix for cveId | Solution Title |
recommendationName | Solution Description |
Vulnerability status mapping
Microsoft Defender Vulnerability Management status | Vulcan status |
New, Updated | Vulnerable |
Fixed | Fixed |
Vulnerability score mapping
Microsoft Defender Vulnerability Management Score | Vulcan score |
Critical | 10 |
High | 7 |
Medium | 5 |
Low | 3 |
- | 0 |
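As an added example (not Vulcan Cyber's or Microsoft's own code), the following applies the host field mapping, vulnerability status mapping and score mapping tables above to constructed Defender VM records; field names are the ones in the tables, the sample values and ids are placeholders.

```python
# Added example (not Vulcan Cyber's or Microsoft's code): mapping rules from the
# tables above applied to constructed Defender VM records. Values are made up.

# Score mapping table: Defender severity -> Vulcan score ("-" -> 0).
SEVERITY_TO_SCORE = {"Critical": 10, "High": 7, "Medium": 5, "Low": 3}
# Status mapping table: Defender vulnerability status -> Vulcan status.
STATUS_TO_VULCAN = {"New": "Vulnerable", "Updated": "Vulnerable", "Fixed": "Fixed"}

def map_host(machine: dict, map_external_ip: bool = True) -> dict:
    """Map one Defender VM machine record onto the Vulcan asset fields."""
    # Asset OS Version = osPlatform + osArchitecture + (osVersion OR version)
    os_ver = machine.get("osVersion") or machine.get("version")
    parts = (machine.get("osPlatform"), machine.get("osArchitecture"), os_ver)
    # Asset IP = lastIpAddress, plus lastExternalIpAddress only when the
    # "Map external IP to asset" checkbox is on (it is enabled by default).
    ips = [machine.get("lastIpAddress")]
    if map_external_ip:
        ips.append(machine.get("lastExternalIpAddress"))
    return {
        "uniqueness": machine["id"],                    # Asset uniqueness criteria
        "name": machine["computerDnsName"],             # Asset Name
        "type": "Host",                                 # Asset Type
        "ip": [ip for ip in ips if ip],                 # Asset IP
        "os": machine.get("osPlatform"),                # Asset OS
        "os_version": " ".join(p for p in parts if p),  # Asset OS Version
        "status": machine.get("healthStatus"),          # Asset Status
    }

def vulcan_cvss(vuln: dict) -> float:
    """Vulnerability CVSS: cvssScore if present, else severity via the table."""
    if vuln.get("cvssScore") is not None:
        return float(vuln["cvssScore"])
    return float(SEVERITY_TO_SCORE.get(vuln.get("severity"), 0))

def vulcan_status(defender_status: str) -> str:
    """Vulnerability status: New/Updated -> Vulnerable, Fixed -> Fixed."""
    if defender_status not in STATUS_TO_VULCAN:
        raise ValueError(f"unmapped Defender status: {defender_status!r}")
    return STATUS_TO_VULCAN[defender_status]

# Constructed sample records (placeholder ids, not real devices or CVEs).
SAMPLE_MACHINE = {
    "id": "machine-placeholder-0001", "computerDnsName": "ws01.corp.example",
    "osPlatform": "Windows11", "osArchitecture": "x64", "osVersion": None,
    "version": "22H2", "lastIpAddress": "10.0.0.12",
    "lastExternalIpAddress": "203.0.113.7", "healthStatus": "Active",
}
SAMPLE_VULN = {"cveId": "CVE-PLACEHOLDER", "severity": "High", "cvssScore": None}
```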
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below lists how the status update mechanism works in the Microsoft Defender Vulnerability Management connector for the vulnerabilities and assets in the Vulcan Platform.
Update type | Mechanism |
Archiving Assets | An asset is archived and no longer presented on the Vulcan Platform when any of the following applies: it is not found on the connector's last sync; it has not been seen for X days according to "Last seen"; or its status on the vendor's side is "Inactive". |
Change of vulnerability instances status from "Vulnerable" to "Fixed" | If the vulnerability no longer appears in the scan findings, the Vulcan Platform marks it as "Fixed". |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
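The following added example (not Vulcan Cyber's code) simulates the archiving and "Vulnerable" to "Fixed" rules from the table above on a constructed sync snapshot; the "X days" window is a parameter and the asset and CVE ids are placeholders.

```python
# Added example (not Vulcan Cyber's code): daily-sync status rules from the
# table above, run on constructed records. Ids are placeholders.
from datetime import datetime, timedelta

def archive_assets(known_ids, synced, now, max_unseen_days):
    """Return {asset_id: reason} for assets Vulcan would archive after a sync.

    known_ids: asset ids currently presented on the Vulcan Platform.
    synced:    {asset_id: {"lastSeen": datetime, "healthStatus": str}} as
               returned by the connector on this sync.
    """
    cutoff = now - timedelta(days=max_unseen_days)
    archived = {}
    for asset_id in known_ids:
        rec = synced.get(asset_id)
        if rec is None:                          # not found on the last sync
            archived[asset_id] = "not found on last sync"
        elif rec["lastSeen"] < cutoff:           # "Last seen" older than X days
            archived[asset_id] = f"not seen for {max_unseen_days} days"
        elif rec["healthStatus"] == "Inactive":  # Inactive on the vendor side
            archived[asset_id] = "inactive on vendor side"
    return archived

def update_instance_status(vulnerable_instances, current_findings):
    """Asset-vulnerability instances: present in the latest findings stay
    "Vulnerable"; previously vulnerable but now absent become "Fixed"."""
    statuses = {}
    for inst in vulnerable_instances | current_findings:
        statuses[inst] = "Vulnerable" if inst in current_findings else "Fixed"
    return statuses

# Constructed sync snapshot (placeholder ids, not real devices or CVEs).
NOW = datetime(2024, 1, 31)
KNOWN = {"m1", "m2", "m3", "m4"}
SYNCED = {
    "m1": {"lastSeen": NOW - timedelta(days=1), "healthStatus": "Active"},
    "m2": {"lastSeen": NOW - timedelta(days=45), "healthStatus": "Active"},
    "m3": {"lastSeen": NOW - timedelta(days=10), "healthStatus": "Inactive"},
    # m4 is absent: the connector did not return it on this sync.
}
PREV_INSTANCES = {("m1", "CVE-PLACEHOLDER-A"), ("m1", "CVE-PLACEHOLDER-B")}
FINDINGS = {("m1", "CVE-PLACEHOLDER-B"), ("m1", "CVE-PLACEHOLDER-C")}
```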
Support and Expected Behaviour
Support and expected behavior remarks:
Solution Handling: It's important to note that the recommendedSecurityUpdate fields are not mapped as solutions. This is because they are unique to the vuln-asset connection (AKA, instance) rather than the vulnerability itself.
External IPs for Assets: The connector will provide external IP addresses for assets only when the "Map external IP to asset" checkbox is selected, which is enabled by default.
Vulnerability Status: Only records labeled as "Vulnerable" are retrieved from the SoftwareVulnerabilitiesByMachine endpoint. To identify fixed records, they must be indicated as such in the SoftwareVulnerabilityChangesByMachine endpoint.
Vulnerability Enrichment: Records are enriched only if the exposedMachines value is greater than 0.
Solution Enrichment: Enrichment is performed solely on records where the totalMachineCount value exceeds 0.
API Endpoints in Use
API version: 1.0
API | Use in Vulcan | Permissions required |
| Authentication for other endpoints | None |
| Assets | Machine.Read.All |
| Vulnerabilities, solutions, asset-vulnerability connections | Vulnerability.Read.All |
| Vulnerability enrichment | Vulnerability.Read.All |
| Solution enrichment | SecurityRecommendation.Read.All |