Microsoft Defender Vulnerability Management helps organizations identify and remediate security vulnerabilities in their environment.
It provides a centralized view of vulnerabilities across all device types in an organization and prioritizes them based on severity and exploitability.
Defender Vulnerability Management provides an export API that allows programmatic access to vulnerability data. The API can be used to automate vulnerability management tasks, integrate vulnerability data with other security tools, and generate custom reports and dashboards.
In this blog, we will share guidance and best practices for using Defender Vulnerability Management Export API including:
- Overview of the Export API
- Available API methods using Export API
- Using API Explorer
- Managing large data sets and ensuring exports are up to date
- Use Export API to build custom dashboards/reports
- Defender Vulnerability Management data integrated in other tools
Overview of the Export API data types
Export API is used for publishing raw data of all known software vulnerabilities and their details for devices in the organization.
- There are two export API methods: JSON response and files.
Method | Explanation |
JSON response |
|
Files |
|
- Export software vulnerabilities assessment filter options: RbacName, $skiptoken, $top, pageSize
- Delta export software vulnerabilities assessment filter options: RbacName, $skiptoken, $top, pageSize, sinceTime
More details can be seen here: Export software vulnerabilities assessment per device | Microsoft Learn
Available API methods using Export API
via files:
API Method | Details | |
SoftwareVulnerabilitiesExport | Software vulnerabilities data by machine | Export software vulnerabilities assessment per device | Microsoft Learn |
SoftwareInventoryExport | software data by machine | Export software inventory assessment per device | Microsoft Learn |
InfoGatheringExport | Export information gathering assessment | Microsoft Learn | |
SoftwareInventoryNonCpeExport | non cpe products by machine | Export non product code software inventory assessment per device | Microsoft Learn |
SecureConfigurationsAssessmentExport | SCA data by machine(configurations) | Export secure configuration assessment per device | Microsoft Learn |
HardwareFirmwareInventoryExport | firmware data by machine | Hardware and firmware assessment methods and properties per device | Microsoft Learn |
BrowserExtensionsInventoryExport | browser extensions by machine | Export browser extensions assessment | Microsoft Learn |
BaselineComplianceAssessmentExport | Baseline data by machine | Security baseline assessment methods and properties per device | Microsoft Learn |
CertificateAssessmentExport | certificates data by machine | Certificate assessment methods and properties per device | Microsoft Learn |
JSON response:
SoftwareVulnerabilitiesByMachine | vulnerabilities data by machine | Export software vulnerabilities assessment per device | Microsoft Learn |
SecureConfigurationsAssessmentByMachine | SCA data by machine(configurations) | Export secure configuration assessment per device | Microsoft Learn |
SoftwareVulnerabilityChangesByMachine | delta | Export software vulnerabilities assessment per device | Microsoft Learn |
SoftwareInventoryByMachine | software data by machine | Export software inventory assessment per device | Microsoft Learn |
SoftwareInventoryNoProductCodeByMachine | non cpe products by machine | Export non product code software inventory assessment per device | Microsoft Learn |
BrowserExtensionsInventoryByMachine | browser extensions by machine | Export browser extensions assessment | Microsoft Learn |
HardwareFirmwareInventoryByMachine | firmware data by machine | Hardware and firmware assessment methods and properties per device | Microsoft Learn |
BaselineComplianceAssessmentByMachine | baseline data by machine | Security baseline assessment methods and properties per device | Microsoft Learn |
CertificateAssessmentByMachine | certificates data by machine | Certificate assessment methods and properties per device | Microsoft Learn |
Using API Explorer from security portal
With the API Explorer, you can:
- Run requests for any method and see responses in real-time
- Quickly browse through the API samples and learn what parameters they support
- Make API calls with ease
To start, Open Defender portal and navigate to ‘Endpoints-Partners and API-API Explorer ‘
Based on the required data to explore, add the suffix to the API call.
In the example, we will use software vulnerabilities:
https://api.security.microsoft.com/api/machines/SoftwareVulnerabilitiesExport
- Run the query
- To check its working and export to excel:
- Copy one of the files URL from the results:
- Open it in website and save the JSON file
- Extract the JSON file
- Open excel , click on ‘Data’ tab->get data->from file->from JSON and choose the file you saved above
Managing large data sets and ensuring exports are up to date
In case of large amounts of data, Organizations can use the below steps to avoid pulling all defender vulnerability management data every day and still ensure data in export is up to date:
1.Pull ‘Export software vulnerabilities assessment’ once a week
2.Pull ‘Delta export software vulnerabilities assessment’ once a day
3.Join the full snapshot with the delta file based on Device ID, Software name and versionand CVE ID
4.Latest ‘Event time stamp’ indicate on the latest status of a specific CVE
Use Export API to build custom dashboards/reports
Using Defender Vulnerability Management Export API customers can build custom reports and dashboards per the organization needs. We have seen organizations build anything executive or management reports to detailed vulnerability management dashboards.
There are variety of methods to use the API such as Power-Automate, Power BI, , Advanced hunting using Python, Advanced hunting using PowerShell, Using OData queries.
One example to get started is to use Defender Vulnerability Management Power BI templates which enable out of the box reports such as Organization existing vulnerabilities, Software inventory, Missing Windows security updates and more.
You can download the templateshere.
Defender Vulnerability Management data integrated in other tools
Defender Vulnerability Management data can be integrated in other security tools. Below examples of both Microsoft and non-Microsoft tools:
Microsoft Intune
Integration with Microsoft Intune allows customers to ‘Request Remediation’ to vulnerability security recommendations. This will create an Intune package deployment request and remediation activity item within the security portal, which can be used for monitoring the remediation progress for this recommendation.
ServiceNow Vulnerability Response
For organization using ServiceNow to manage assets, ServiceNow VR can import data from different resources such as assets information, vulnerabilities information and more.
ServiceNow integration synchronizes vulnerability findings from Defender Vulnerability Management and orchestrates the remediation workflow in ServiceNow.
To learn more, see blog describing the integration,Microsoft vulnerability management integrates with ServiceNow VR
Microsoft Sentinel
Use Sentinel to store Defender Vulnerability Management history data. This can be used to integrate vulnerability data with other XDR workflows data, build a custom dashboard and as part of it reflect vulnerability management trends and more. To store Defender Vulnerability Management data, please follow the below:
Please make sure any analytic rules/hunting queries/workbooks or any content that is related to Defender Vulnerability Management data is directed to the tables you have created.
Microsoft Security Exposure Management
Exposure Management integrates with Defender Vulnerability Management helping security managers to continuously assess and analyze vulnerabilities and misconfigurations across the organization's digital landscape. In the Vulnerability Assessment initiative users can actively identify, prioritize, track and delegate vulnerabilities within the IT infrastructure and the cloud. Users gain real-time visibility into the security posture of their organization, enabling data-driven decision-making for resource investment and placement.
To learn more about, see documentation about security initiatives or blog series introducing Exposure Management.
for additional Defender Vulnerability Management, please visitDocumentation pageandNinja page
