Using Export API with Defender Vulnerability Management

Microsoft Defender Vulnerability Management helps organizations identify and remediate security vulnerabilities in their environment.

It provides a centralized view of vulnerabilities across all device types in an organization and prioritizes them based on severity and exploitability.

Defender Vulnerability Management provides an export API that allows programmatic access to vulnerability data. The API can be used to automate vulnerability management tasks, integrate vulnerability data with other security tools, and generate custom reports and dashboards.

In this blog, we will share guidance and best practices for using Defender Vulnerability Management Export API including:

• Overview of the Export API
  
• Available API methods using Export API
  
• Using API Explorer
  
• Managing large data sets and ensuring exports are up to date
  
• Use Export API to build custom dashboards/reports
  
• Defender Vulnerability Management data integrated in other tools
  

[HEADING=1]Overview of the Export API data types[/HEADING]

Export API is used for publishing raw data of all known software vulnerabilities and their details for devices in the organization.

• There are two export API methods: JSON response and files.
  

• Can be used to get Defender Vulnerability Management snapshot of all data in the organization or can be used to query delta changes in the last X days (where X is up to 15 days)
• Delta export indicates per CVE record the CVE status (New, Updated or Resolved)
• Can be saved as excel file, opened in Notepad or VScode, and can be extracted using different scripts
  

• Can be used to get Defender Vulnerability Management snapshot of all data in the organization
• Recommended for large organizations with more than 100K devices
• Each file contains 100K records
• To get the next results batch, use skip token (@odata.nextLink field)
• Result in files format is valid for 3 hours to download (sass URL)
• The files also contain information about devices that are not yet onboarded to Defender
  

• Export software vulnerabilities assessment filter options: RbacName, $skiptoken, $top, pageSize
  
• Delta export software vulnerabilities assessment filter options: RbacName , $skiptoken, $top, pageSize, sinceTime
  

More details can be seen here: Export software vulnerabilities assessment per device | Microsoft Learn

[HEADING=1]Available API methods using Export API[/HEADING]

[HEADING=2]via files:[/HEADING]

[HEADING=2]JSON response: [/HEADING]

[HEADING=1]Using API Explorer from security portal[/HEADING]

With the API Explorer, you can:

• Run requests for any method and see responses in real-time
  
• Quickly browse through the API samples and learn what parameters they support
  
• Make API calls with ease
  

To start, Open Defender portal and navigate to ‘Endpoints-Partners and API-API Explorer ‘

Based on the required data to explore, add the suffix to the API call.

In the example, we will use software vulnerabilities:

https://api.security.microsoft.com/api/machines/SoftwareVulnerabilitiesExport

[ATTACH=full]61147[/ATTACH]

• Run the query
  
• To check its working and export to excel:
  
• Copy one of the files URL from the results:
  

[ATTACH=full]61148[/ATTACH]

• Open it in website and save the JSON file
  
• Extract the JSON file
  
• Open excel , click on ‘Data’ tab->get data->from file->from JSON and choose the file you saved above
  

[HEADING=1]Managing large data sets and ensuring exports are up to date [/HEADING]

In case of large amounts of data, Organizations can use the below steps to avoid pulling all defender vulnerability management data every day and still ensure data in export is up to date:

1.Pull ‘Export software vulnerabilities assessment’ once a week

2.Pull ‘Delta export software vulnerabilities assessment’ once a day

3.Join the full snapshot with the delta file based on Device ID, Software name and version and CVE ID

4.Latest ‘Event time stamp’ indicate on the latest status of a specific CVE

[HEADING=1]Use Export API to build custom dashboards/reports[/HEADING]

Using Defender Vulnerability Management Export API customers can build custom reports and dashboards per the organization needs. We have seen organizations build anything executive or management reports to detailed vulnerability management dashboards.

There are variety of methods to use the API such as Power-Automate, Power BI, , Advanced hunting using Python, Advanced hunting using PowerShell, Using OData queries.

One example to get started is to use Defender Vulnerability Management Power BI templates which enable out of the box reports such as Organization existing vulnerabilities, Software inventory, Missing Windows security updates and more.

You can download the templates here.

[HEADING=1]Defender Vulnerability Management data integrated in other tools[/HEADING]

Defender Vulnerability Management data can be integrated in other security tools. Below examples of both Microsoft and non-Microsoft tools:

Microsoft Intune

Integration with Microsoft Intune allows customers to ‘Request Remediation’ to vulnerability security recommendations. This will create an Intune package deployment request and remediation activity item within the security portal, which can be used for monitoring the remediation progress for this recommendation.

[ATTACH=full]61149[/ATTACH]

[ATTACH=full]61150[/ATTACH]

[ATTACH=full]61151[/ATTACH]

[HEADING=2]ServiceNow Vulnerability Response[/HEADING]

For organization using ServiceNow to manage assets, ServiceNow VR can import data from different resources such as assets information, vulnerabilities information and more.

ServiceNow integration synchronizes vulnerability findings from Defender Vulnerability Management and orchestrates the remediation workflow in ServiceNow.

To learn more, see blog describing the integration, Microsoft vulnerability management integrates with ServiceNow VR

Understanding the Microsoft Threat and Vulnerability Management Vulnerability integration (servicenow.com)

[HEADING=2]Microsoft Sentinel[/HEADING]

Use Sentinel to store Defender Vulnerability Management history data. This can be used to integrate vulnerability data with other XDR workflows data, build a custom dashboard and as part of it reflect vulnerability management trends and more. To store Defender Vulnerability Management data, please follow the below:

Azure-Sentinel/DataConnectors/M365Defender-VulnerabilityManagement at master · Azure/Azure-Sentinel (github.com)

Please make sure any analytic rules/hunting queries/workbooks or any content that is related to Defender Vulnerability Management data is directed to the tables you have created.

[HEADING=2]Microsoft Security Exposure Management [/HEADING]

Exposure Management integrates with Defender Vulnerability Management helping security managers to continuously assess and analyze vulnerabilities and misconfigurations across the organization's digital landscape. In the Vulnerability Assessment initiative users can actively identify, prioritize, track and delegate vulnerabilities within the IT infrastructure and the cloud. Users gain real-time visibility into the security posture of their organization, enabling data-driven decision-making for resource investment and placement.

[ATTACH=full]61152[/ATTACH]

To learn more about, see documentation about security initiatives or blog series introducing Exposure Management.

for additional Defender Vulnerability Management, please visit Documentation page and Ninja page

Continue reading...