Cisco Vulnerability Management's integration with Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint enables you to gain deeper insight into your organization's security posture, identify vulnerabilities, and then take proactive measures to enhance your overall defense against security threats.
Latest updates
This connector has the following updates:
- The export mechanism is switched from paginated API to vulnerability file export, as recommended by Microsoft.
- Fix data is now being ingested from MS Defender for Endpoint.
To set up the connector, ensure you complete the following tasks:
- Set up Microsoft Azure
- Set API Permissions
For more information about fields, see Microsoft Defender Connector Data Mapping.
Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint Connector
Setting up Microsoft Azure
Microsoft Azure is a cloud-based security solution that provides advanced threat protection using your on-premises Active Directory signals to identify, detect and investigate threats directed at your organization.
Configuring the Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint Connector
Set Up Microsoft Azure Before MS Defender
Important: To use the Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint Connector, ensure you set up Microsoft Azure first. For more information, see Setting up Microsoft Azure (as part of Configuring Microsoft Defender).
Set API Permissions
Important: Ensure you update your accounts with the required API permissions by Oct 31, 2023. If you do not update the API permissions, the connector cannot pull and map fix information, and the missing permissions will cause the connector run to fail.
Note: For incremental runs, Cisco Vulnerability Management uses the start date time of the last successful connector run.
Configure the Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint Connector
Important: Only Cisco Vulnerability Management Administrators have the permissions to add a connector.
1. On the Cisco Vulnerability Management homepage, click Connectors > Add Connector.
2. On the Vulnerability Management page, click MS Defender for Endpoint.
3. On the MS Defender TVM connector dialog, type the following information:
a. In the Name field, type a Username. Use any name that allows you to easily identify the connector.
b. In the Client ID field, type the Microsoft Client ID (customer specific ID).
c. In the Client Secret field, type your secret key (customer specific secret).
d. In the Host field, type the correct host (
e. In the Tenant ID field, type your Microsoft tenant ID (customer specific ID).
f. Click Save and Verify. The connector is now visible in the list of configured Connectors.
Microsoft Azure Application and Directory Field Locations and Certificates and Secrets
To find the locations of the MSDTVM connector configuration fields in Azure, go to the following Microsoft Azure page.
To get the required Secret value, on the Microsoft Azure page, click Certificates and Secrets.
Note: For more comments and attachments, see Product Support.
Vulnerability Date Information
When importing your Microsoft Defender data, the following criteria populate these date fields.
- Found: The time when Microsoft first detected the vulnerability. It maps to the firstSeenTimestamp field in Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint.
- Last Seen: The last date Microsoft detected the vulnerability. It maps to the lastSeenTimestamp field in Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint.
- Created: The date the vulnerability was passed to Cisco Vulnerability Management by the Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint integration. This date is not the result of a mapping from a field from Microsoft.
Asset Information
Like the Vulnerability Information data, note the asset data in the Asset tab. The following items are clarifications to asset data that may differ from Microsoft Defender Vulnerability Management with Microsoft Defender for Endpoint.
- For each asset in the Connector runs, its activity is set to Active. Cisco Vulnerability Management assumes that assets from the Connector runs are active. Assets from Microsoft Defender Vulnerability Management with Microsoft Defender for Endpoint may be systematically inactivated if they are not found for the duration specified in the Asset Inactivity Period.
Microsoft Defender Connector Data Mapping
Note: For more information about system data fields, such as machine:ipAddresses.macAddress, see the Data Field Logic Information section.
| Connector File Field Source | Field Source Example | Cisco Vulnerability Management Internal Field | Cisco Vulnerability Management Internal Field Example | Cisco Vulnerability Management Field |
| --- | --- | --- | --- | --- |
| ASSET | | | | |
| | | locators.container | null | |
| | | locators.image | null | |
| | | locators.application | null | |
| | | locators.database | null | |
| machine:id | "1e5bc9d7e413ddd7902c2932e418702b84d0cc07" | locators.external_id | "1e5bc9d7e413ddd7902c2932e418702b84d0cc07" | External ID |
| | | locators.file | null | |
| machine:lastExternalIpAddress | "" | locators.external_ip_address | "" | |
| machine:computerDnsName | | locators.fqdn | | FQDN |
| machine:computerDnsName | | locators.hostname | | Hostname |
| machine:lastIpAddress | | locators.ip_address | | IP Address |
| machine:ipAddresses.macAddress | 0012382DC4FE | locators.mac_address | 0012382DC4FE | MAC Address |
| machine:computerDnsName | | locators.netbios | MYMACHINE1 | NetBIOS |
| | | locators.ec2 | null | EC2 Locator |
| machine:osPlatform | WindowsServer2016 | os_family | WindowsServer2016 | Operating System |
| machine:version + machine:osBuild | 1607 +"."+ 14393 | os_version | 1607.14393 | |
| | | os_vendor | null | |
| | | os_cpe_name | null | |
| machine:machineTags | [ "test tag 1", "test tag 2" ] | Tags | [ "test tag 1", "test tag 2" ] | |
| machine:healthStatus | Active | Inactive | false | Status? |
| | | last_seen_time (Note: Cisco Vulnerability Management uses the time of the last connector run to determine the time that it last saw the asset.) | 2021-09-16T05:18:06Z | Last Seen |
| | | last_booted_at | null | |
| | | asset_type | null | |
| PORTS | | | | |
| | | ports.port | null | |
| | | ports.protocol | null | |
| | | ports.status | null | |
| | | | null | |
| | | ports.product | null | |
| | | ports.version | null | |
| | | ports.extra_info | null | |
| | | ports.ostype | null | |
| machine:ipAddresses.ipAddress | | network_interfaces.ip_address | | |
| machine:ipAddresses.macAddress | 6045BDD8CDA3 | network_interfaces.mac_address | 6045BDD8CDA3 | |
| machine:computerDnsName | | network_interfaces.hostname | | |
| machine:computerDnsName | | network_interfaces.netbios | MYMACHINE1 | |
| vuln:cveId | CVE-2019-1543 | vulnerabilities.definition_identifier | | |
| vuln:_last_fixed_on | | vulnerabilities.last_fixed_on | | |
| "set-column :is_open true" | | vulnerabilities.is_open | true | |
| vuln:firstSeenTimestamp | | vulnerabilities.found_on | | |
| vulns:vulnerabilitySeverityLevel | 8 | vulnerabilities.scanner_score | High | |
| "set-column :port null", | | vulnerabilities.port | null | |
| vuln:lastSeenTimestamp | | vulnerabilities.last_found_on | | |
| vuln:softwareVendor, vuln:softwareName, vuln:softwareVersion, vuln:vulnerabilitySeverityLevel, vuln:recommendedSecurityUpdate, vuln:recommendedSecurityUpdateId, vuln:recommendedSecurityUpdateUrl, vuln:diskPaths, vuln:registryPaths, vuln:endOfSupportStatus, vuln:endOfSupportDate, vuln:exploitabilityLevel, vuln:recommendationReference | "softwareVendor": "google", "softwareName": "chrome", "softwareVersion": "81.0.4044.138", "vulnerabilitySeverityLevel": "High", "recommendedSecurityUpdate": "ADV 200002", "recommendedSecurityUpdateId": null, "recommendedSecurityUpdateUrl": null, "diskPaths": [ "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" ], "registryPaths": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C4EBFDFD-0C55-3E5F-A919-E3C54949024A}" ], "exploitabilityLevel": "NoExploit", "recommendationReference": "va-_-mozilla-_-firefox", | | | |
| vuln:cveId | CVE-2019-1543 | | CVE-2019-1543 | CVE |
| set-column:description | | vulnerabilities.description | "" (currently empty) | |
| vuln:cveId | CVE-2019-1543 | vulnerabilities.cve_raw_data | CVE-2019-1543 | |
| | | vulnerabilities.pci_related | null | |
| | | vulnerabilities.override_score | | |
| recommend:recommendationName | "Update Vmware Tools" | vulnerabilities.solution | "Update Vmware Tools" | |
| | | vulnerabilities.fix_hash | | |
| | | vulnerabilities.fix_hash.source | MS Defender? | |
| | | vulnerabilities.fix_hash.published_by_source_datetime | null | |
| | | vulnerabilities.fix_hash.reference_links | | |
| | | vulnerabilities.fix_hash.urls | | |
| RecommendedSecurityUpdateUrl | "" | vulnerabilities.fix_hash.url | "" | |
| recommend:id | "va-_-vmware-_-tools" | vulnerabilities.fix_hash.external_id | "va-_-vmware-_-tools" | |
| "Microsoft Defender for Endpoint TVM recommendation for: " + vuln:cveId | "CVE-2019-1543" | vulnerabilities.fix_hash.title | Microsoft Defender for Endpoint TVM recommendation for: CVE-2019-1543 | |
| vuln:recommendedSecurityUpdateId | | vulnerabilities.fix_hash.diagnosis | Microsoft has provided the following security updates {SecurityUpdateUrl collected by cve id} | |
| | | vulnerabilities.fix_hash.consequence | | |
| recommend:recommendationName | "Update Vmware Tools" | vulnerabilities.fix_hash.solution | "Update Vmware Tools" | |
| recommend:vendor | "vmware" | vulnerabilities.fix_hash.vendor | "vmware" | |
| vuln:SoftwareName | "tools" | vulnerabilities.fix_hash.product | {vuln:SoftwareName collected by cve id} | This field has a 255-character limit. If the product names exceed the limit, the system will truncate the product names beyond the character limit. |
| | | vulnerabilities.fix_hash.exact_match | | |
| recommend:recommendationCategory | "Application" | vulnerabilities.fix_hash.category | "Application" | |
| recommend:remediationType | "Update" | vulnerabilities.fix_hash.kind | "Update" | |
| | | findings.type | | |
| | | findings.is_open | | |
| | | findings.identifier | | |
| | | findings.due_date | | |
| | | findings.closed_at | | |
| | | findings.found_on | | |
| | | findings.last_fixed_on | | |
| | | findings.last_found_on | | |
| | | findings.override_score | | |
| | | findings.scanner_score | | |
| | | findings.status | | |
| | | findings.definition_identifier | | |
| | | findings.additional_fields | | |
| | | findings.additional_fields.field_name | | |
| | | findings.additional_fields.value | | |
Data Field Logic Information
MacAddress Logic
1. "set-column :_macAddress exp:{v = null; for(item : data_ipAddresses){ if(item.get(\"ipAddress\").getAsString().equals(data_lastIpAddress) && item.get(\"operationalStatus\").getAsString().equalsIgnoreCase(\"Up\")) v = item.get(\"macAddress\")}; v }",
osVersion Logic
1. "set-column :_version exp:{ empty(data_version) ? \"\" : data_version }",
2. "set-column :_osBuild exp:{ empty(data_osBuild) ? \"\" : data_osBuild }",
3. "set-column :_concatenated_version exp:{ concat(_version, \".\", _osBuild) }",
4. "set-column :_os_version exp:{ (empty(_osBuild) || _osBuild.equalsIgnoreCase(\"null\")) ? _version : _concatenated_version}",
FQDN Logic
1. "set-column :_fqdn exp:{ data_computerDnsName.contains(\".\") ? data_computerDnsName.toLowerCase() : null }",
Netbios Logic
"set-column :_netbios exp:{ data_computerDnsName.contains(\".\") ? data_computerDnsName.split(\"\\.\")[0].toUpperCase() : data_computerDnsName.toUpperCase() }",
Scanner_score Logic
"set-column :severity exp: { {\"Critical\":10, \"High\":8, \"Medium\":6,\"Low\":3}.getOrDefault(data_vulnerabilitySeverityLevel, 0) }",
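The directives above can be checked against your own Defender export with a Python mirror of the same logic. This is an added example, not Cisco's connector code; the function names and the sample machine record are constructed for illustration, and computerDnsName is assumed to be present, as the directives also assume.

```python
# Added example: Python mirror of the connector's data-field directives.
SEVERITY_SCORES = {"Critical": 10, "High": 8, "Medium": 6, "Low": 3}

def mac_address(ip_addresses, last_ip):
    # MAC of the interface that holds lastIpAddress and is operationally Up.
    mac = None
    for item in ip_addresses:
        if item["ipAddress"] == last_ip and item["operationalStatus"].lower() == "up":
            mac = item["macAddress"]  # as in the directive, the last match wins
    return mac

def os_version(version, os_build):
    # version.osBuild, or version alone when osBuild is empty or the text "null".
    version = "" if version is None else str(version)
    os_build = "" if os_build is None else str(os_build)
    if not os_build or os_build.lower() == "null":
        return version
    return f"{version}.{os_build}"

def fqdn(dns_name):
    # Only dotted names count as an FQDN; bare hostnames yield None.
    return dns_name.lower() if "." in dns_name else None

def netbios(dns_name):
    # First DNS label, upper-cased (the whole name when it has no dot).
    return dns_name.split(".")[0].upper()

def scanner_score(severity_level):
    # Unknown or missing severity levels score 0.
    return SEVERITY_SCORES.get(severity_level, 0)

def map_asset(machine):
    name = machine["computerDnsName"]
    return {
        "mac_address": mac_address(machine["ipAddresses"], machine["lastIpAddress"]),
        "os_version": os_version(machine.get("version"), machine.get("osBuild")),
        "fqdn": fqdn(name),
        "netbios": netbios(name),
    }

# Constructed sample record (not real Defender output): two interfaces share
# the last-seen IP, but only one of them is Up.
SAMPLE_MACHINE = {
    "computerDnsName": "MyMachine1.corp.example", "lastIpAddress": "10.0.0.5",
    "version": "1607", "osBuild": 14393,
    "ipAddresses": [
        {"ipAddress": "10.0.0.5", "macAddress": "0012382DC4FE", "operationalStatus": "Down"},
        {"ipAddress": "10.0.0.5", "macAddress": "6045BDD8CDA3", "operationalStatus": "Up"},
    ],
}
```

Calling map_asset(SAMPLE_MACHINE) returns the locator values the connector would derive for that record, which helps explain why an asset with a bare hostname has no FQDN locator or why a MAC address is missing when no matching interface is Up.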
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 1992-2024 Cisco Systems, Inc. All rights reserved.