Summary
Customers use the Threat & Vulnerability Management (TVM) capability built into Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, ATP) to discover, prioritize, and remediate endpoint vulnerabilities. Managed in the cloud and fed by the Windows endpoint's own software inventory, Microsoft Defender for Endpoint TVM (MSDTVM) gives near-real-time visibility into assets whether they sit on-premises or in the cloud. Importing MSDTVM data into Kenna combines Defender's reach across endpoints with Kenna's consolidated view across all of your vulnerability management sources.
Connector Scope
In scope and included for this release
- API endpoints for vulnerabilities and assets:
  - List vulnerabilities by machine (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities)
  - List machines (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machines)
- Asset-specific details and data collected from the machines endpoint
Out of scope for this release
- List changed vulnerabilities by machine (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities)
  - Incremental runs are out of scope for this release; every run is a full pull.
  - Where Kenna does support incremental runs, it looks back to the start date and time of the last successful connector run. This connector does not do so yet.
- Fix/Fixes data (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-all-recommendations) from Microsoft Defender is not in this release.
  - Kenna supplemental fix data is still available for each vulnerability sourced from Microsoft Defender for Endpoint TVM.
User Prerequisites/Microsoft Defender TVM setup
Refer to the help article "Microsoft Defender ATP Required Setup" for the Azure app registration the connector authenticates with. The connector only reads machines and their vulnerabilities, so grant the app registration only the application permissions those two endpoints need (Machine.Read.All and Vulnerability.Read.All); it has no reason to hold write or response-action permissions.
Configuring Your Microsoft Defender TVM Connector in Kenna
Important: Only Kenna Administrators have the permissions to add a connector.
1) Click the “Connectors” link at the top of the Kenna.VM homepage.
2) Click the green “Add Connector” button in the top right corner of the page.
3) Scroll down to the “Vulnerability Management” section and look for the MS Defender Connector. Click it.
4) Submit the following when setting up the Microsoft Defender TVM connector.
Field Name | Value | Notes
Name | MS Defender TVM | Any name that lets you easily identify the connector.
Client ID (1) | <customer specific ID> | Enter the client (application) ID of your Microsoft app registration.
Client Secret (2) | <customer specific secret> | Enter the client secret created for that app registration.
Host | api.securitycenter.microsoft.com | The Microsoft Defender for Endpoint API host.
Tenant ID (3) | <customer specific ID> | Enter your Microsoft tenant ID.
5) Click the green “Save and Verify” button. The connector is now visible in the list of configured Connectors.
[Image: Locations in Azure to find the MSDTVM connector configuration fields (1), (2) and (3)]
Vulnerability Date Information
Within Kenna, you will notice several dates in the Vulnerabilities tab. When importing your Microsoft Defender data, the following criteria are used to populate these date fields.
- "Found" within Kenna is when Microsoft first detected the vulnerability and maps to the ‘firstSeenTimestamp’ field in Microsoft Defender TVM.
- "Last Seen" within Kenna is the last date Microsoft detected the vulnerability and maps to the ‘lastSeenTimestamp’ field in Microsoft Defender TVM.
- "Created" within Kenna is the date the vulnerability was passed to Kenna via the Microsoft Defender TVM integration. This date is not the result of a mapping from a field from Microsoft.
Asset Information
As with the vulnerability dates, the asset data in the Assets tab differs in a few places from what Microsoft Defender TVM shows. The following clarifies those differences.
- Every asset seen in a connector run has its activity set to "active": Kenna assumes that an asset arriving via a connector run is active. An asset from MS Defender TVM that is not seen again for the duration specified in the "Asset Inactivity Period" is inactivated automatically.
Microsoft Defender TVM Connector Data Mapping
MS Defender TVM Field (Endpoint/Property) | Kenna Field | Notes
Vulnerability Fields
SoftwareVulnerabilitiesByMachine vulnerabilitySeverityLevel | Scanner Score | Other: 0, Low: 3, Medium: 6, High: 8, Critical: 10
<none> | Description | Vulnerability descriptions are not available via the Microsoft Defender endpoints used. The description is supplied from Kenna vulnerability intel data.
SoftwareVulnerabilitiesByMachine cveId | CVE |
<none> | Ports | No source field.
SoftwareVulnerabilitiesByMachine lastSeenTimestamp | Last Seen |
SoftwareVulnerabilitiesByMachine firstSeenTimestamp | Found |
<none> | Created | Date the vulnerability was first imported into Kenna. Not mapped to a scanner field.
<none> | Closed | Uses Kenna's auto-close logic: if a vulnerability for a particular asset is not seen in the latest connector run, it is considered closed. Not mapped to a scanner field.
Asset Fields
SoftwareVulnerabilitiesByMachine deviceId | External ID |
machines osPlatform, osBuild, version | Operating System | osPlatform supplies the OS. If osBuild is empty, the OS Version is taken from version; otherwise osBuild and version are combined for the OS Version.
machines lastSeen | Last Seen | When the asset was last seen by Defender.
machines healthStatus | Status | The MS Defender query specifies healthStatus='Active', so the exported asset status is always "Active".
machines computerDnsName | FQDN | Populated only when computerDnsName has more than one dot-separated component.
machines computerDnsName | Hostname | Truncated to the string before the first "." character. If there is no "." in the value, the entire value is used.
machines lastIpAddress | IP Address |
machines ipAddresses[].macAddress | MAC Address | The ipAddresses entry whose ipAddress equals lastIpAddress supplies the macAddress. That entry's operationalStatus must also be "Up".
machines computerDnsName | NetBIOS | Truncated to the string before the first "." character. If there is no "." in the value, the entire value is used.
<none> | EC2 Locator | No source field.
machines machineTags, rbacGroupName | Tags | The value of rbacGroupName is prefixed with 'rbacGroup: ' and appended to the machineTags list.
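The mapping rules in the table above, applied to sample records, as an added example written for this article (it is not Kenna's connector code). SAMPLE_MACHINE and SAMPLE_VULN are constructed by hand to mirror the shape of one /api/machines item and one SoftwareVulnerabilitiesByMachine item. Two details the table leaves open are assumptions here: osBuild and version are joined with a space (osBuild first), and a single-component computerDnsName yields no FQDN rather than the bare name.

```python
"""Added example: MSDTVM -> Kenna field mapping on constructed sample records."""
from __future__ import annotations

from typing import Any

# vulnerabilitySeverityLevel -> Kenna scanner score, per the mapping table.
SEVERITY_TO_SCORE = {"low": 3, "medium": 6, "high": 8, "critical": 10}


def scanner_score(severity: str | None) -> int:
    """Anything other than Low/Medium/High/Critical counts as 'Other' and scores 0."""
    return SEVERITY_TO_SCORE.get((severity or "").strip().lower(), 0)


def short_hostname(dns_name: str) -> str:
    """Hostname and NetBIOS: text before the first '.', or the whole value if none."""
    return dns_name.split(".", 1)[0]


def fqdn(dns_name: str) -> str | None:
    """FQDN only when computerDnsName has more than one component (assumption: else None)."""
    return dns_name if "." in dns_name else None


def os_version(os_build: Any, version: str | None) -> str:
    """Empty osBuild -> version alone; otherwise osBuild and version combined."""
    version = (version or "").strip()
    if os_build is None or str(os_build).strip() == "":
        return version
    return f"{os_build} {version}".strip()  # assumption: space-joined, osBuild first


def mac_for_last_ip(machine: dict[str, Any]) -> str | None:
    """macAddress of the ipAddresses entry matching lastIpAddress with operationalStatus 'Up'."""
    last_ip = machine.get("lastIpAddress")
    for entry in machine.get("ipAddresses") or []:
        if entry.get("ipAddress") == last_ip and entry.get("operationalStatus") == "Up":
            return entry.get("macAddress")
    return None  # no usable entry: Kenna gets no MAC for this asset


def asset_tags(machine: dict[str, Any]) -> list[str]:
    """machineTags with 'rbacGroup: <rbacGroupName>' appended."""
    tags = list(machine.get("machineTags") or [])
    group = machine.get("rbacGroupName")
    if group:
        tags.append(f"rbacGroup: {group}")
    return tags


def map_asset(machine: dict[str, Any]) -> dict[str, Any]:
    dns_name = machine.get("computerDnsName") or ""
    return {
        "external_id": machine.get("id"),        # matches deviceId on vulnerability records
        "operating_system": machine.get("osPlatform"),
        "os_version": os_version(machine.get("osBuild"), machine.get("version")),
        "last_seen": machine.get("lastSeen"),
        "status": machine.get("healthStatus"),   # always 'Active' because of the query filter
        "fqdn": fqdn(dns_name),
        "hostname": short_hostname(dns_name),
        "netbios": short_hostname(dns_name),
        "ip_address": machine.get("lastIpAddress"),
        "mac_address": mac_for_last_ip(machine),
        "tags": asset_tags(machine),
    }


def map_vulnerability(record: dict[str, Any]) -> dict[str, Any]:
    # 'Created' and 'Closed' are set by Kenna itself, not taken from Defender.
    return {
        "asset_external_id": record.get("deviceId"),
        "cve": record.get("cveId"),
        "scanner_score": scanner_score(record.get("vulnerabilitySeverityLevel")),
        "found": record.get("firstSeenTimestamp"),
        "last_seen": record.get("lastSeenTimestamp"),
    }


def auto_close(previous_run: set[tuple[str, str]], latest_run: set[tuple[str, str]]) -> set[tuple[str, str]]:
    """Kenna auto-close: (deviceId, cveId) pairs seen last time but absent now are closed."""
    return previous_run - latest_run


# Constructed sample records (not real devices or real API output).
SAMPLE_MACHINE: dict[str, Any] = {
    "id": "0000000000000000000000000000000000000001",
    "computerDnsName": "ws01.corp.example.com",
    "osPlatform": "Windows10",
    "version": "21H2",
    "osBuild": 19044,
    "lastIpAddress": "10.0.4.21",
    "lastSeen": "2023-05-01T08:15:00Z",
    "healthStatus": "Active",
    "rbacGroupName": "Workstations",
    "machineTags": ["finance"],
    "ipAddresses": [
        {"ipAddress": "192.168.56.1", "macAddress": "0A0027000005", "type": "Ethernet", "operationalStatus": "Down"},
        {"ipAddress": "10.0.4.21", "macAddress": "00155D0A1B2C", "type": "Ethernet", "operationalStatus": "Up"},
    ],
}
SAMPLE_VULN: dict[str, Any] = {
    "deviceId": SAMPLE_MACHINE["id"],
    "cveId": "CVE-2021-34527",
    "vulnerabilitySeverityLevel": "High",
    "firstSeenTimestamp": "2023-04-10T02:00:00Z",
    "lastSeenTimestamp": "2023-05-01T08:15:00Z",
}

if __name__ == "__main__":
    print(map_asset(SAMPLE_MACHINE))
    print(map_vulnerability(SAMPLE_VULN))
```

The MAC lookup is the rule most worth checking against your own data: a machine whose lastIpAddress entry is reported with operationalStatus "Down" (or is missing from ipAddresses altogether) arrives in Kenna with no MAC, which matters if MAC is part of your asset locator precedence.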