About Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices. Leveraging Microsoft threat intelligence, breach likelihood predictions, business contexts, and devices assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.
Why integrate Microsoft Defender Vulnerability Management into the Vulcan platform?
The Microsoft Defender Vulnerability Management Connector by Vulcan integrates with the Microsoft Defender Vulnerability Management platform to pull and ingest host assets and vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the ingested findings to correlate, consolidate, and contextualize the data, which informs risk and remediation priority.
Microsoft Defender Vulnerability Management Connector Details
Ingested asset type(s)
Uni-directional (data is transferred from the Connector to the Vulcan Platform in one direction)
Supported version and type
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the Tenant (Directory) ID, Application (client) ID, and Client secret (API Token).
Generating Microsoft Defender Vulnerability Management Application IDs and Client Secret
Log in to the Microsoft Azure portal by using your Azure portal administrator credentials.
In the left navigation panel on the Home pane, click Azure Active Directory.
In the Overview pane, click App Registrations.
In the App Registrations (Preview) pane, click New Registration. The Register an application form is displayed.
On the form, fill in the fields:
Name - Enter a name for the integration, for example: Vulcan Cyber MS TVM integration
Supported account types - Accounts in this organizational directory only
The Application (client) ID and Directory (tenant) ID are created. Save (copy+paste) these IDs somewhere safe.
When you see the Application (client) ID displayed in the Vulcan Cyber MS TVM integration pane, click Add API Permissions.
Navigate to APIs my organization uses, and then click Windows Defender ATP.
In the Vulcan Cyber MS TVM integration - API permissions pane, click Add a Permission.
Provide read access to machines, vulnerabilities, and security recommendations.
Click Grant Admin Consent for <your organization name>.
Navigate to Vulcan Cyber MS TVM integration > Certificates & Secrets, and then click New Client Secret.
On the form, fill in the fields for Client secrets:
Description - Application description
Expires - date of expiration
The Value field is populated with the new client secret, which is your new password.
Note: You will need this password when you are configuring the integration in the Vulcan connector configuration.
Save this password in a secure location. After you leave this page, this password is not available.
You have successfully created an application ID for authentication in the Microsoft Azure portal. Continue in the Vulcan platform.
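The three values saved in the steps above (tenant ID, client ID, client secret) are used to obtain an access token from Azure AD with the OAuth2 client-credentials grant; every Defender API call the connector makes is authenticated with that token. The following Python script is an added example, not Vulcan's connector code: it builds the token request and then inspects the roles claim of a returned token to confirm that the app registration was granted only the read permissions from the steps above. Assumed here (not from this page): the Azure AD v2.0 token endpoint URL, the Defender API scope, and the app-role names Machine.Read.All, Vulnerability.Read.All and SecurityRecommendation.Read.All as the application permissions that correspond to read access to machines, vulnerabilities and security recommendations. The sample token at the bottom is constructed and unsigned.

```python
"""Token acquisition and least-privilege check for the Defender API app registration.

Added example; the endpoint URL, scope and role names below are assumptions
that should be checked against the Azure portal, not values from this page.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"

# Read-only application permissions matching the portal step
# "Provide read access to machines, vulnerabilities, and security recommendations".
EXPECTED_ROLES = {
    "Machine.Read.All",
    "Vulnerability.Read.All",
    "SecurityRecommendation.Read.All",
}


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form_body) for the OAuth2 client-credentials grant."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": DEFENDER_SCOPE,
    }).encode()
    return url, body


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Perform the POST and return the access token (network call, not run in the demo)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload for inspection only; this does NOT verify the signature."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_least_privilege(access_token: str):
    """Compare the app roles in the token with the roles the connector needs.

    Returns (missing, excess): required roles that were not granted, and roles
    granted beyond the read-only set (for example a write permission added by mistake).
    """
    granted = set(token_claims(access_token).get("roles", []))
    return sorted(EXPECTED_ROLES - granted), sorted(granted - EXPECTED_ROLES)


def _fake_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string from constructed claims, for offline use."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: one required role missing, one write role granted.
    sample = _fake_token({
        "aud": "https://api.securitycenter.microsoft.com",
        "roles": ["Machine.Read.All", "Vulnerability.Read.All", "Machine.ReadWrite.All"],
    })
    missing, excess = check_least_privilege(sample)
    print("missing:", missing)
    print("excess:", excess)
```

To run the check against a real tenant, call `request_token` with the three saved values and pass the result to `check_least_privilege`; any entry in the excess list is a permission the connector does not need and that the app registration should not hold.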
Configuring the Microsoft Defender Vulnerability Management Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Microsoft TVM icon.
Set up the Connector as follows:
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Microsoft Defender Vulnerability Management instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
The “Immediately remove this connector's assets when their status is <x>” selection allows you to avoid ingesting assets whose status is selected into Vulcan.
The TVM statuses that can be filtered are the Sensor health states for devices onboarded to Microsoft Defender for Endpoint:
Active: Devices that are actively reporting sensor data to the service.
Inactive: Devices that have stopped sending signals for more than 7 days.
Misconfigured: Devices that have impaired communications with the service or cannot send sensor data. Misconfigured devices can further be classified into:
- No sensor data
- Impaired communications
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Microsoft TVM icon shows Connected, the sync is complete.
Microsoft Defender Vulnerability Management in the Vulcan Platform
Viewing Defender Vulnerability Management vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select Defender Vulnerability Management from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing Defender Vulnerability Management assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or filter input box to select Connector from the drop-down selection.
Select Defender Vulnerability Management from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type
Taking Action on vulnerabilities and assets detected by Defender Vulnerability Management
To take remediation action on vulnerabilities and assets detected by Defender Vulnerability Management:
Go to Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the Defender Vulnerability Management option to view all synced vulnerabilities/assets.
Select the relevant Vulnerability/Asset.
Click Take Action.
Automating remediation actions on vulnerabilities detected by Defender Vulnerability Management
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Defender Vulnerability Management Connector.
From Microsoft Defender Vulnerability Management to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Microsoft Defender Vulnerability Management through its API to pull relevant vulnerability and asset data and map it into the Vulcan Platform pages and fields.
Hosts field mapping
Microsoft Defender Vulnerability Management field
Asset uniqueness criteria
lastIpAddress, lastExternalIpAddress (if the "Map external IP to asset" checkbox is checked)
osPlatform + osArchitecture + (osVersion OR version)
Asset OS Version
Asset Created date
Asset Last seen date
computerDnsName, rbacGroupName (Device group), machineTags, lastIpAddress, lastExternalIpAddress (if the Map external IP to asset checkbox is checked), healthStatus, exposureLevel, osPlatform
Asset Tags - Vendor’s tags
Vulnerability uniqueness criteria
If cvssScore is present, use cvssScore; otherwise, use severity (with the logic described in the Vulnerability Score Mapping section)
asset id + softwareVendor + softwareName + softwareVersion + vulnerability id
Asset-Vulnerability connection uniqueness criteria
Asset-Vulnerability connection First seen
Asset-Vulnerability connection Last seen
Asset-Vulnerability connection Info tool tip (from Assets screen)
Solution uniqueness criteria
Fix for cveId
Vulnerability score mapping
Microsoft Defender Vulnerability Management score
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below lists how the status update mechanism works in the Microsoft Defender Vulnerability Management connector for the vulnerabilities and assets in the Vulcan Platform.
- An asset not found on the connector's last sync is archived and no longer presented on the Vulcan Platform.
- By X days according to "Last seen": if the asset hasn't been seen for X days, it is archived from the Vulcan Platform.
- By the asset's status being "Inactive" on the vendor's side.
Change of vulnerability instances status from "Vulnerable" to "Fixed"
- If the vulnerability no longer appears in the scan findings, the Vulcan Platform marks it as "Fixed".
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
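The rules above (archive an asset that is absent from the last sync, archive it after X days by Last seen, drop it on vendor status Inactive, and mark a vulnerability instance Fixed when its finding disappears), together with the status filter from the connector setup and the score and uniqueness rules from the Hosts field mapping, can be modelled as one daily sync step. The following Python is an added example and not the Vulcan Platform's implementation; the severity-to-score table, the record shapes and the device field names (id, healthStatus, lastSeen) are assumptions, and the device ids and CVE ids are constructed placeholders.

```python
"""Daily sync model for the Defender Vulnerability Management connector rules.

Added example, not Vulcan's code. Record shapes, field names and the
severity-to-score table are assumptions; sample ids and CVEs are placeholders.
"""
from datetime import date

# Assumed severity-to-score table; the page's "Vulnerability score mapping"
# section is the authority, substitute its values here.
SEVERITY_SCORE = {"Critical": 10.0, "High": 8.0, "Medium": 5.0, "Low": 2.0}


def vulnerability_score(finding: dict) -> float:
    """Score rule from the mapping table: cvssScore when present, else severity."""
    cvss = finding.get("cvssScore")
    if cvss is not None:
        return float(cvss)
    return SEVERITY_SCORE[finding["severity"]]


def asset_vuln_key(finding: dict) -> tuple:
    """Asset-vulnerability uniqueness: asset id + softwareVendor + softwareName
    + softwareVersion + vulnerability id."""
    return (finding["machineId"], finding["softwareVendor"], finding["softwareName"],
            finding["softwareVersion"], finding["cveId"])


def run_sync(state: dict, machines: list, findings: list, today: date,
             excluded_statuses=frozenset({"Inactive"}), max_days_unseen: int = 30) -> dict:
    """Apply one daily sync to `state` (assets and vulnerability instances) and return it."""
    assets = state.setdefault("assets", {})
    instances = state.setdefault("instances", {})

    # Asset ingest: the status filter drops devices before they ever reach the platform.
    present = set()
    for m in machines:
        if m["healthStatus"] in excluded_statuses:
            continue
        present.add(m["id"])
        rec = assets.setdefault(m["id"], {"first_seen": today})
        rec["last_seen"] = m["lastSeen"]
        rec["archived"] = False

    # Asset archival: not found in this sync, or not seen for more than X days.
    for asset_id, rec in assets.items():
        if asset_id not in present or (today - rec["last_seen"]).days > max_days_unseen:
            rec["archived"] = True

    # Vulnerability instances: reported findings are Vulnerable; absent ones become Fixed.
    found = set()
    for f in findings:
        if f["machineId"] not in present:
            continue  # finding belongs to a filtered or unknown device
        key = asset_vuln_key(f)
        found.add(key)
        inst = instances.setdefault(key, {"first_seen": today})
        inst.update(last_seen=today, status="Vulnerable", score=vulnerability_score(f))
    for key, inst in instances.items():
        if key not in found and inst["status"] == "Vulnerable":
            inst["status"] = "Fixed"
    return state


# Constructed sample records (placeholder device ids and CVE ids, not real ones).
DAY1 = date(2024, 1, 10)
DAY2 = date(2024, 1, 11)
KEY_A1 = ("machine-A", "ExampleVendor", "ExampleAgent", "1.0", "CVE-0000-0001")
KEY_A2 = ("machine-A", "ExampleVendor", "ExampleAgent", "1.0", "CVE-0000-0002")
DAY1_MACHINES = [
    {"id": "machine-A", "healthStatus": "Active", "lastSeen": DAY1},
    {"id": "machine-B", "healthStatus": "Inactive", "lastSeen": date(2023, 12, 20)},
]
DAY1_FINDINGS = [
    {"machineId": "machine-A", "softwareVendor": "ExampleVendor", "softwareName": "ExampleAgent",
     "softwareVersion": "1.0", "cveId": "CVE-0000-0001", "cvssScore": 7.5, "severity": "High"},
    {"machineId": "machine-A", "softwareVendor": "ExampleVendor", "softwareName": "ExampleAgent",
     "softwareVersion": "1.0", "cveId": "CVE-0000-0002", "cvssScore": None, "severity": "High"},
]
DAY2_MACHINES = [
    {"id": "machine-A", "healthStatus": "Active", "lastSeen": DAY2},
    {"id": "machine-C", "healthStatus": "Active", "lastSeen": date(2023, 11, 1)},  # stale device
]
DAY2_FINDINGS = [DAY1_FINDINGS[0]]  # CVE-0000-0002 is no longer reported on machine-A


def demo() -> dict:
    """Two consecutive daily syncs over the constructed records."""
    state = run_sync({}, DAY1_MACHINES, DAY1_FINDINGS, DAY1)
    return run_sync(state, DAY2_MACHINES, DAY2_FINDINGS, DAY2)


if __name__ == "__main__":
    s = demo()
    for aid, rec in s["assets"].items():
        print(aid, "archived" if rec["archived"] else "active", rec["last_seen"])
    for key, inst in s["instances"].items():
        print(key[0], key[4], inst["status"], inst["score"])
```

After the second sync, machine-B never appears (filtered by the Inactive status), machine-C is archived because its Last seen date is older than the X-day threshold, and the CVE-0000-0002 instance on machine-A is marked Fixed because its finding was absent, while its first-seen date from the first sync is preserved.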
API Endpoints in Use
API version: 1.0
Use in Vulcan
Authentication for other endpoints
Vulnerabilities, solutions, asset-vulnerability connections