Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint Connector

Cisco Vulnerability Management's integration with Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint enables you to gain deeper insight into your organization's security posture, identify vulnerabilities, and then take proactive measures to enhance your overall defense against security threats.

Latest updates

This connector has the following updates:

  • The export mechanism is switched from paginated API to vulnerability file export, as recommended by Microsoft.
  • Fix data is now being ingested from MS Defender for Endpoint. 


To setup the connector, ensure you complete the following tasks:

  • Setup Microsoft Azure
  • Set API Permissions

For more information about fields, see Microsoft Defender Connector Data Mapping.

Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint Connector Setting up Microsoft Azure

Microsoft Azure is a cloud-based security solution that provides advanced threat protection using your on-premises Active Directory signals to identify, detect and investigate threats directed at your organization.

Configuring the Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint Connector

Setup the Microsoft Azure Before MS Defender

Important: To use the Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint Connector connector, ensure you setup the Microsoft Azure first. For more information, see Setting up Microsoft Azure (as part of Configurating Microsoft Defender).

Set API Permissions

Important: Ensure you update your accounts with required API permissions by Oct 31, 2023. If you do not update the API permissions, the connector run will not pull and map fixes information, so the missing permissions information will cause the connector run to fail.

Note: For incremental runs, Cisco Vulnerability Management uses the start date time of the last successful connector run.

Configure the Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint Connector

Important: Only Cisco Vulnerability Management Administrators have the permissions to add a connector.

1. On the Cisco Vulnerability Management homepage, click Connectors > Add Connector.

1-Click Add Connector.png

2. On the Vulnerability Management page, click MS Defender for Endpoint.

3. On the MS Defender TVM connector dialog, type the following information:

a. In the Name field, type a Username. Use any name that allows you to easily identify the connector.
b. In the Client ID field, type the Microsoft Client ID (customer specific ID).
c. In the Client Secret field, type your secret key (customer specific secret).
d. In the Host field, type the correct host (
e. In the Tenant ID field, type your Microsoft tenant ID (customer specific ID).
f. Click Save and Verify. The connector is now visible in the list of configured Connectors.

Microsoft Azure Application and Director Fields and locations and Certificates and Secrets 

To find MSDTVM connector configuration fields locations in Azure, go to following Microsoft Azure page.

To get required Secret value, on Microsoft Azure page, click Certificates and Secrets.

Microsoft Azure Defender.jpg

Note: For more comments and attachments, see Product Support.

Vulnerability Date Information

When importing your Microsoft Defender data, the following criteria populate these date fields.

  • Found: The time when Microsoft first detected the vulnerability and maps to the firstSeenTimestamp field in Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint.
  • Last Seen: The last date Microsoft detected the vulnerability and maps to the lastSeenTimestamp field in Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint.
  • Created: The date the vulnerability was passed to Cisco Vulnerability Management by the Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint integration. This date is not the result of a mapping from a field from Microsoft.

Asset Information

Like the Vulnerability Information data, note the asset data in the Asset tab. The following items are clarifications to asset data that may differ from Microsoft Defender Vulnerability Management with Microsoft Defender for Endpoint.

  • For each asset in the Connector runs, its activity is set to Active. Cisco Vulnerability Management assumes that assets from the Connector runs are active. Assets from Microsoft Defender Vulnerability Management with Microsoft Defender for Endpoint may be systematically inactivated if it is not found for the duration specified in the Asset Inactivity Period.

Microsoft Defender Connector Data Mapping

Note: For more information about system data fields, such as machine:ipAddresses.macAddress, see the related topic the Data Field Logic Information section.

Connector File Field Source

Field Source Example

Cisco VM Internal Field

Cisco VM Internal Field Example

Cisco VM Field




    locators.image null  
    locators.application null  
    locators.database null  
machine:id  "1e5bc9d7e413ddd7902c2932e418702b84d0cc07" locators.external_id "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"  External ID



machine:lastExternalIpAddress  "" locators.external_ip_address 



machine:computerDnsName locators.fqdn FQDN
machine:computerDnsName locators.hostname Hostname
machine:lastIpAddress locators.ip_address IP Address
machine:ipAddresses.macAddress  0012382DC4FE locators.mac_address 0012382DC4FE MAC Address
machine:computerDnsName locators.netbios MYMACHINE1 NetBIOS
    locators.ec2 null EC2 Locator
machine:osPlatform WindowsServer2016 os_family WindowsServer2016 Operating System
machine:version + machine:osBuild  1607 +"."+ 14393 os_version 1607.14393  
    os_vendor null  
    os_cpe_name null  
machine:machineTags [ "test tag 1", "test tag 2" ] Tags [ "test tag 1", "test tag 2" ]  
machine:healthStatus Active Inactive false Status?
Note: CVM uses the time of the last connector run to determine the time that it last saw the asset.
2021-09-16T05:18:06Z Last Seen
    last_booted_at null  
    asset_type null  
    ports.port null  
    ports.protocol null  
    ports.status null null  
    ports.product null  
    ports.version null  
    ports.extra_info null  
    ports.ostype null  
machine:ipAddresses.ipAddress network_interfaces.ip_address  
machine:ipAddresses.macAddress 6045BDD8CDA3 network_interfaces.mac_address 6045BDD8CDA3  
machine:computerDnsName network_interfaces.hostname  
machine:computerDnsName network_interfaces.netbios MYMACHINE1  


    vuln:cveId CVE-2019-1543 vulnerabilities.definition_identifier
vuln:_last_fixed_on   vulnerabilities.last_fixed_on    
"set-column :is_open true"   vulnerabilities.is_open true  
vuln:firstSeenTimestamp   vulnerabilities.found_on    
vulns:vulnerabilitySeverityLevel  8 vulnerabilities.scanner_score High  
"set-column :port null",   vulnerabilities.port null  
vuln:lastSeenTimestamp   vulnerabilities.last_found_on    
vuln:softwareVendor vuln:softwareName vuln:softwareVersion vuln:vulnerabilitySeverityLevel vuln:recommendedSecurityUpdate vuln:recommendedSecurityUpdateId vuln:recommendedSecurityUpdateUrl vuln:diskPaths vuln:registryPaths vuln:endOfSupportStatus vuln:endOfSupportDate vuln:exploitabilityLevel vuln:recommendationReference

"softwareVendor": "google", "softwareName": "chrome", "softwareVersion": "81.0.4044.138", "vulnerabilitySeverityLevel": "High", "recommendedSecurityUpdate": "ADV 200002", "recommendedSecurityUpdateId": null, "recommendedSecurityUpdateUrl": null, "diskPaths": [ "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" ],


"registryPaths": [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C4EBFDFD-0C55-3E5F-A919-E3C54949024A}" ],


"exploitabilityLevel": "NoExploit", "recommendationReference": "va-_-mozilla-_-firefox",           






vuln:cveId CVE-2019-1543 CVE-2019-1543 CVE
set-column:description   vulnerabilities.description ““ currently empty  
vuln:cveId CVE-2019-1543 vulnerabilities.cve_raw_data CVE-2019-1543  
    vulnerabilities.pci_related null  
recommend:recommendationName "Update Vmware Tools" vulnerabilities.solution "Update Vmware Tools"  
    vulnerabilities.fix_hash.source MS Defender?  
    vulnerabilities.fix_hash.published_by_source_datetime null  
RecommendedSecurityUpdateUrl "" vulnerabilities.fix_hash.url ""  
recommend:id "va-_-vmware-_-tools" vulnerabilities.fix_hash.external_id "va-_-vmware-_-tools  

“Microsoft Defender for Endpoint TVM recommendation for: “ + vuln:cveId 

"CVE-2019-1543" vulnerabilities.fix_hash.title Microsoft Defender for Endpoint TVM recommendation for: CVE-2019-1543  
vuln:recommendedSecurityUpdateId   vulnerabilities.fix_hash.diagnosis

Microsoft has provided the following security updates

{SecurityUpdateUrl collected by cve id}

recommend:recommendationName "Update Vmware Tools" vulnerabilities.fix_hash.solution "Update Vmware Tools"  
recommend:vendor "vmware" vulnerabilities.fix_hash.vendor "vmware"  
vuln:SoftwareName "tools" vulnerabilities.fix_hash.product {vuln:SoftwareName collected by cve id} " This field has a 255-character limit. If the product names exceed the limit, the system will truncate the product names beyond the character limit.
recommend:recommendationCategory "Application" vulnerabilities.fix_hash.category "Application"  
recommend:remediationType "Update" vulnerabilities.fix_hash.kind "Update"  


Data Field Logic Information

MacAddress Logic

1. "set-column :_macAddress exp:{v = null; for(item : data_ipAddresses){ if(item.get(\"ipAddress\").getAsString().equals(data_lastIpAddress) && item.get(\"operationalStatus\").getAsString().equalsIgnoreCase(\"Up\")) v = item.get(\"macAddress\")}; v }",

osVersion Logic

1. "set-column :_version exp:{ empty(data_version) ? \"\" : data_version }",
2. "set-column :_osBuild exp:{ empty(data_osBuild) ? \"\" : data_osBuild }",
3. "set-column :_concatenated_version exp:{ concat(_version, \".\", _osBuild) }",
4. "set-column :_os_version exp:{ (empty(_osBuild) || _osBuild.equalsIgnoreCase(\"null\")) ? _version : _concatenated_version}",

FQDN Logic

1. "set-column :_fqdn exp:{ data_computerDnsName.contains(\".\") ? data_computerDnsName.toLowerCase() : null }",

Netbios Logic

"set-column :_netbios exp:{ data_computerDnsName.contains(\".\") ? data_computerDnsName.split(\"\\.\")[0].toUpperCase() : data_computerDnsName.toUpperCase() }",

Scanner_score Logic

"set-column :severity exp: { {\"Critical\":10, \"High\":8, \"Medium\":6,\"Low\":3}.getOrDefault(data_vulnerabilitySeverityLevel, 0) }",



Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 1992-2024 Cisco Systems, Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.