Summary
Customers leverage the Microsoft Defender Advanced Threat Protection (ATP) built-in Threat & Vulnerability Management (TVM) capability to discover, prioritize, and remediate endpoint vulnerabilities. Managed in the cloud and powered by integrated Windows endpoint discovery via the OS, Microsoft Defender for Endpoint TVM (MSDTVM) provides comprehensive insight into your environment, on-prem or in the cloud, within seconds. By bringing in data from Microsoft Defender for Endpoint TVM, you combine the ubiquity of reach from Microsoft Defender and the holistic view across numerous vulnerability management solutions from Cisco Vulnerability Management.
Connector Scope
In scope and included for this release
- API endpoints for vulnerabilities and assets
  - List vulnerabilities by machine (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities)
  - List machines (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machines)
- Collect asset-specific details and data
Out of scope for this release
- List changed vulnerabilities by machine (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities)
- Incremental runs are out of scope for this release.
  - For incremental runs, Cisco Vulnerability Management looks back to the start date time of the last successful connector run.
- Fix/Fixes (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-all-recommendations) data from Microsoft Defender is not in this release.
  - Cisco Vulnerability Management supplemental fix data is available for each vulnerability sourced from Microsoft Defender for Endpoint TVM.
User Prerequisites/Microsoft Defender TVM setup
Please refer to this help article on the Microsoft Defender ATP Required Setup.
Configuring Your Microsoft Defender TVM Connector in Cisco Vulnerability Management
Important: Only Cisco Vulnerability Management Administrators have the permissions to add a connector.
1) Click the “Connectors” link at the top of the Cisco Vulnerability Management homepage.
2) Click the green “Add Connector” button in the top right corner of the page.
3) Scroll down to the “Vulnerability Management” section and look for the MS Defender Connector. Click it.
4) Submit the following when setting up the Microsoft Defender TVM connector.
| Field Name | Value | Notes |
| --- | --- | --- |
| Name | MS Defender TVM | Could be any name that you would use to easily identify the connector. |
| Client ID (1) | <customer specific ID> | Enter your Microsoft Client ID |
| Client Secret (2) | <customer specific secret> | Please enter your secret key |
| Host | api.securitycenter.microsoft.com | |
| Tenant ID (3) | <customer specific ID> | Enter your Microsoft tenant ID |
5) Click the green “Save and Verify” button. The connector is now visible in the list of configured Connectors.
Locations in Azure to find MSDTVM connector configuration fields
Vulnerability Date Information
Within Cisco Vulnerability Management, you will notice several dates in the Vulnerabilities tab. When importing your Microsoft Defender data, the following criteria are used to populate these date fields.
- "Found" within Cisco Vulnerability Management is when Microsoft first detected the vulnerability and maps to the ‘firstSeenTimestamp’ field in Microsoft Defender TVM.
- "Last Seen" within Cisco Vulnerability Management is the last date Microsoft detected the vulnerability and maps to the ‘lastSeenTimestamp’ field in Microsoft Defender TVM.
- "Created" within Cisco Vulnerability Management is the date the vulnerability was passed to Cisco Vulnerability Management via the Microsoft Defender TVM integration. This date is not the result of a mapping from a field from Microsoft.
Asset Information
Similar to Vulnerability Date data, notice the asset data in the Asset tab. The following are clarifications to asset data that may differ from Microsoft Defender TVM.
- For each asset seen in a Connector run, its activity is set to “active”. Cisco Vulnerability Management assumes that assets arriving via Connector runs are active. Assets from MS Defender TVM may be systematically inactivated if they are not seen for the duration specified in the “Asset Inactivity Period”.
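The date and lifecycle rules above (Found, Last Seen and Created on import; auto-close when a finding is absent from the latest run; asset inactivation after the Asset Inactivity Period) as an added example in Python. This is not Cisco's or Microsoft's code: the state dictionary layout, the reopen-on-reappearance behaviour and the sample SoftwareVulnerabilitiesByMachine records are constructed assumptions for illustration.

```python
"""
Added example (not Cisco's or Microsoft's code): Found / Last Seen / Created
assignment, auto-close of findings missing from the latest run, and asset
inactivation after the Asset Inactivity Period, applied to constructed
SoftwareVulnerabilitiesByMachine records. State shapes are assumptions.
"""
from datetime import datetime, timedelta


def parse_ts(value):
    """Parse a Defender-style ISO 8601 timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def apply_connector_run(existing, findings, run_time):
    """Merge one connector run into the vulnerability state.

    existing: {(deviceId, cveId): {"found", "last_seen", "created", "closed"}}
    findings: SoftwareVulnerabilitiesByMachine records returned by this run
    run_time: ISO timestamp of this run (becomes "Created" for new findings)
    Returns a new state dict; the input dict is not modified.
    """
    updated = {}
    seen = set()
    for f in findings:
        key = (f["deviceId"], f["cveId"])
        seen.add(key)
        prior = existing.get(key)
        if prior is None:
            # New to Cisco VM: Found <- firstSeenTimestamp,
            # Last Seen <- lastSeenTimestamp, Created <- import time
            # (Created is not a Microsoft field).
            updated[key] = {
                "found": f["firstSeenTimestamp"],
                "last_seen": f["lastSeenTimestamp"],
                "created": run_time,
                "closed": None,
            }
        else:
            # Already known: refresh Last Seen, keep Found and Created.
            # Assumption: a finding seen again after auto-close is reopened.
            updated[key] = dict(prior, last_seen=f["lastSeenTimestamp"], closed=None)
    for key, prior in existing.items():
        if key in seen:
            continue
        if prior["closed"] is None:
            # Auto-close: the finding was not present in the latest run.
            updated[key] = dict(prior, closed=run_time)
        else:
            updated[key] = prior
    return updated


def asset_is_active(last_seen_in_run, now, inactivity_period_days):
    """An asset seen in a run is active; it is inactivated once it has not
    been seen for longer than the configured Asset Inactivity Period."""
    return now - last_seen_in_run <= timedelta(days=inactivity_period_days)


# Constructed sample data (not real devices or CVE identifiers).
RUN1_FINDINGS = [
    {"deviceId": "dev-A", "cveId": "CVE-0000-0001",
     "firstSeenTimestamp": "2023-12-20T08:00:00Z",
     "lastSeenTimestamp": "2024-01-01T06:00:00Z"},
    {"deviceId": "dev-A", "cveId": "CVE-0000-0002",
     "firstSeenTimestamp": "2023-12-28T08:00:00Z",
     "lastSeenTimestamp": "2024-01-01T06:00:00Z"},
]
RUN2_FINDINGS = [
    {"deviceId": "dev-A", "cveId": "CVE-0000-0001",
     "firstSeenTimestamp": "2023-12-20T08:00:00Z",
     "lastSeenTimestamp": "2024-01-02T06:00:00Z"},
]
RUN1_TIME = "2024-01-01T12:00:00Z"
RUN2_TIME = "2024-01-02T12:00:00Z"


def demo():
    """Two consecutive runs: the second run no longer reports CVE-0000-0002."""
    state = apply_connector_run({}, RUN1_FINDINGS, RUN1_TIME)
    return apply_connector_run(state, RUN2_FINDINGS, RUN2_TIME)


if __name__ == "__main__":
    for key, rec in demo().items():
        print(key, rec)
    print(asset_is_active(parse_ts("2024-01-01T00:00:00Z"),
                          parse_ts("2024-03-01T00:00:00Z"), 30))
```

In the demo, CVE-0000-0002 gets a Closed date equal to the second run's time while CVE-0000-0001 keeps its original Created date and only its Last Seen moves forward; the asset check shows an asset last seen on 1 January is still active on 20 January but inactivated by 1 March under a 30-day period.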
Microsoft Defender TVM Connector Data Mapping
| MS Defender TVM Field (Endpoint/Property) | Cisco Vulnerability Management Field | Notes |
| --- | --- | --- |
| **Vulnerability Fields** | | |
| SoftwareVulnerabilitiesByMachine vulnerabilitySeverityLevel | Scanner Score | Other - 0; Severity Low - 3; Severity Medium - 6; Severity High - 8; Severity Critical - 10 |
| <none> | Description | Vulnerability description is not available via the utilized Microsoft Defender endpoints. Vulnerability description is provided via Cisco Vulnerability Management vulnerability intel data. |
| SoftwareVulnerabilitiesByMachine cveId | CVE | |
| <none> | Ports | |
| SoftwareVulnerabilitiesByMachine lastSeenTimestamp | Last Seen | |
| SoftwareVulnerabilitiesByMachine firstSeenTimestamp | Found | |
| <none> | Created | Date the vulnerability was first imported to Cisco Vulnerability Management. Not mapped to a scanner field. |
| <none> | Closed | Uses Cisco Vulnerability Management's auto-close logic. If a vulnerability for a particular asset is not seen in the latest connector run, it is considered to be closed. Not mapped to a scanner field. |
| **Asset Fields** | | |
| SoftwareVulnerabilitiesByMachine deviceId | External ID | |
| machines osPlatform osBuild version | Operating System | If osBuild is empty then the value from version is used for the OS Version. If osBuild is not empty, then osBuild and version are combined for the OS Version. |
| machines lastSeen | Last Seen | When the asset was last seen by Defender. |
| machines healthStatus | Status | The MS Defender query specifies “healthStatus=’Active’”, so the exported asset status value will always be “Active”. |
| machines computerDnsName | FQDN | Populated only when the value in computerDnsName includes multiple components. |
| machines computerDnsName | Hostname | Truncated to the string before the first “.” character. If there are no “.” characters in the value, the entire value is used. |
| machines lastIpAddress | IP Address | |
| machines ipAddress.macAddress | MAC Address | The value from lastIpAddress is used to identify the appropriate macAddress from the list of possible ipAddresses. OperationalStatus must also be “Up” for the entry. |
| machines computerDnsName | NetBIOS | Truncated to the string before the first “.” character. If there are no “.” characters in the value, the entire value is used. |
| <none> | EC2 Locator | |
| machines machineTags rbacGroupName | Tags | The value from rbacGroupName is prefixed with ‘rbacGroup: ‘ and appended to the machineTags list. |
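The asset and vulnerability field-mapping rules in the table above (OS version combination, FQDN/Hostname/NetBIOS truncation, MAC selection by lastIpAddress with operationalStatus “Up”, rbacGroup tag prefixing, severity to scanner score) as an added Python example. This is not Cisco's or Microsoft's code: the record shapes, the exact severity string values, the use of the machine `id` as External ID, and the space joining osBuild to version are assumptions, and all sample values are constructed.

```python
"""
Added example (not Cisco's or Microsoft's code): applies the connector's
field-mapping rules to constructed Defender TVM machine and vulnerability
records. Property names follow the mapping table; severity spellings
("Low"/"Medium"/"High"/"Critical"), the machine "id" as External ID, and the
space used to join osBuild and version are assumptions.
"""

# Scanner Score: Other - 0, Low - 3, Medium - 6, High - 8, Critical - 10.
SEVERITY_TO_SCANNER_SCORE = {"Low": 3, "Medium": 6, "High": 8, "Critical": 10}


def short_name(dns_name):
    """String before the first '.'; the whole value if there is no '.'."""
    return dns_name.split(".", 1)[0]


def os_version(machine):
    """osBuild and version combined when osBuild is non-empty, else version alone."""
    build = machine.get("osBuild")
    version = machine.get("version", "")
    if not build:
        return version
    return f"{build} {version}"  # assumption: joined with a single space


def mac_for_last_ip(machine):
    """MAC of the ipAddresses entry that matches lastIpAddress and is 'Up'."""
    for entry in machine.get("ipAddresses", []):
        if (entry.get("ipAddress") == machine.get("lastIpAddress")
                and entry.get("operationalStatus") == "Up"):
            return entry.get("macAddress")
    return None  # no usable entry: MAC Address stays empty


def map_machine(machine):
    """Asset fields derived from one 'machines' record."""
    dns_name = machine["computerDnsName"]
    tags = list(machine.get("machineTags", []))
    if machine.get("rbacGroupName"):
        tags.append(f"rbacGroup: {machine['rbacGroupName']}")
    return {
        "external_id": machine["id"],
        "operating_system": machine.get("osPlatform"),
        "os_version": os_version(machine),
        "last_seen": machine.get("lastSeen"),
        "status": machine.get("healthStatus"),  # query filters healthStatus='Active'
        "fqdn": dns_name if "." in dns_name else None,  # only multi-component names
        "hostname": short_name(dns_name),
        "netbios": short_name(dns_name),
        "ip_address": machine.get("lastIpAddress"),
        "mac_address": mac_for_last_ip(machine),
        "tags": tags,
    }


def map_vulnerability(vuln):
    """Vulnerability fields from one SoftwareVulnerabilitiesByMachine record."""
    return {
        "external_id": vuln["deviceId"],
        "cve": vuln["cveId"],
        "scanner_score": SEVERITY_TO_SCANNER_SCORE.get(
            vuln.get("vulnerabilitySeverityLevel"), 0),  # anything else -> Other (0)
        "found": vuln["firstSeenTimestamp"],
        "last_seen": vuln["lastSeenTimestamp"],
    }


# Constructed sample records (not real devices, addresses or CVE identifiers).
MACHINE_A = {
    "id": "dev-A", "computerDnsName": "ws01.corp.example.com",
    "osPlatform": "Windows10", "osBuild": "19045", "version": "22H2",
    "lastSeen": "2024-01-15T10:00:00Z", "healthStatus": "Active",
    "lastIpAddress": "10.0.0.5",
    "ipAddresses": [
        {"ipAddress": "10.0.0.5", "macAddress": "00:11:22:33:44:55",
         "type": "Ipv4", "operationalStatus": "Up"},
        {"ipAddress": "192.168.1.9", "macAddress": "AA:BB:CC:DD:EE:FF",
         "type": "Ipv4", "operationalStatus": "Down"},
    ],
    "rbacGroupName": "Workstations", "machineTags": ["finance"],
}
MACHINE_B = {
    "id": "dev-B", "computerDnsName": "ws02",
    "osPlatform": "Windows10", "osBuild": "", "version": "10.0",
    "lastSeen": "2024-01-15T11:00:00Z", "healthStatus": "Active",
    "lastIpAddress": "10.0.0.6",
    "ipAddresses": [{"ipAddress": "10.0.0.6", "macAddress": "66:77:88:99:AA:BB",
                     "type": "Ipv4", "operationalStatus": "Down"}],
    "rbacGroupName": None, "machineTags": [],
}
VULN_A = {
    "deviceId": "dev-A", "cveId": "CVE-0000-0001",
    "vulnerabilitySeverityLevel": "High",
    "firstSeenTimestamp": "2023-12-20T08:00:00Z",
    "lastSeenTimestamp": "2024-01-15T10:00:00Z",
}

if __name__ == "__main__":
    print(map_machine(MACHINE_A))
    print(map_machine(MACHINE_B))
    print(map_vulnerability(VULN_A))
```

MACHINE_B shows the two edge cases the table calls out: a single-component computerDnsName yields no FQDN (Hostname and NetBIOS still get the whole value), and an ipAddresses entry that matches lastIpAddress but is not “Up” yields no MAC Address.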