Microsoft Defender for Endpoint TVM Connector

Summary

Customers use the Threat & Vulnerability Management (TVM) capability built into Microsoft Defender Advanced Threat Protection (ATP) to discover, prioritize, and remediate endpoint vulnerabilities. Managed in the cloud and powered by endpoint discovery integrated into the Windows OS, Microsoft Defender for Endpoint TVM (MSDTVM) provides insight into your environment, on-prem or in the cloud, within seconds. By bringing in data from Microsoft Defender for Endpoint TVM, you combine the reach of Microsoft Defender with the holistic view across numerous vulnerability management solutions that Cisco Vulnerability Management provides.

Connector Scope

In scope and included for this release

Out of scope for this release

User Prerequisites/Microsoft Defender TVM setup

Please refer to this help article on the Microsoft Defender ATP Required Setup.

Configuring Your Microsoft Defender TVM Connector in Cisco Vulnerability Management

Important: Only Cisco Vulnerability Management Administrators have the permissions to add a connector.

1) Click the “Connectors” link at the top of the Cisco Vulnerability Management homepage.

2) Click the green “Add Connector” button in the top right corner of the page.

3) Scroll down to the “Vulnerability Management” section and look for the MS Defender Connector. Click it.

(Screenshot: 1ConfiguringYourMSDTVM.png)

4) Submit the following when setting up the Microsoft Defender TVM connector.

(Screenshot: 2MSDTVMDialog.png)

Field Name | Value | Notes
Name | MS Defender TVM | Could be any name that you would use to easily identify the connector.
Client ID (1) | <customer specific ID> | Enter your Microsoft Client ID.
Client Secret (2) | <customer specific secret> | Enter your Microsoft client secret.
Host | api.securitycenter.microsoft.com | 
Tenant ID (3) | <customer specific ID> | Enter your Microsoft tenant ID.

The numbers (1), (2) and (3) refer to the locations in the Azure screenshots below.

5) Click the green “Save and Verify” button. The connector is now visible in the list of configured connectors.

Locations in Azure to find MSDTVM connector configuration fields

(Screenshots: 3LocationsInAzure.png, 4LocationsInAzure.png)

Vulnerability Date Information

Within Cisco Vulnerability Management, you will notice several dates in the Vulnerabilities tab. When importing your Microsoft Defender data, the following criteria are used to populate these date fields.

  • "Found" within Cisco Vulnerability Management is when Microsoft first detected the vulnerability and maps to the ‘firstSeenTimestamp’ field in Microsoft Defender TVM.
  • "Last Seen" within Cisco Vulnerability Management is the last date Microsoft detected the vulnerability and maps to the ‘lastSeenTimestamp’ field in Microsoft Defender TVM.
  • "Created" within Cisco Vulnerability Management is the date the vulnerability was passed to Cisco Vulnerability Management via the Microsoft Defender TVM integration. This date is not the result of a mapping from a Microsoft field.

Asset Information

As with the vulnerability dates, the asset data shown in the Asset tab may differ from what Microsoft Defender TVM shows. The following clarifies how asset data is handled.

  • For each asset seen in a Connector run, its activity is set to “active”. Cisco Vulnerability Management assumes that assets arriving via Connector runs are active. Assets from MS Defender TVM may be systematically inactivated if they are not seen for the duration specified in the “Asset Inactivity Period”.

Microsoft Defender TVM Connector Data Mapping

MS Defender TVM Field (Endpoint / Property) | Cisco Vulnerability Management Field | Notes

Vulnerability Fields

SoftwareVulnerabilitiesByMachine / vulnerabilitySeverityLevel | Scanner Score | Other - 0; SeverityLow - 3; SeverityMedium - 6; SeverityHigh - 8; SeverityCritical - 10
<none> | Description | Vulnerability description is not available via the utilized Microsoft Defender endpoints. It is provided via Cisco Vulnerability Management vulnerability intel data.
SoftwareVulnerabilitiesByMachine / cveId | CVE | 
<none> | Ports | 
SoftwareVulnerabilitiesByMachine / lastSeenTimestamp | Last Seen | 
SoftwareVulnerabilitiesByMachine / firstSeenTimestamp | Found | 
<none> | Created | Date the vulnerability was first imported to Cisco Vulnerability Management. Not mapped to a scanner field.
<none> | Closed | Uses Cisco Vulnerability Management's auto-close logic: if a vulnerability for a particular asset is not seen in the latest connector run, it is considered closed. Not mapped to a scanner field.

Asset Fields

SoftwareVulnerabilitiesByMachine / deviceId | External ID | 
machines / osPlatform, osBuild, version | Operating System | If osBuild is empty, the value from version is used for the OS Version. If osBuild is not empty, osBuild and version are combined for the OS Version.
machines / lastSeen | Last Seen | When the asset was last seen by Defender.
machines / healthStatus | Status | The MS Defender query specifies “healthStatus='Active'”, so the exported asset status value will always be “Active”.
machines / computerDnsName | FQDN | Populated only if the value in computerDnsName includes multiple components.
machines / computerDnsName | Hostname | Truncated to the string before the first “.” character. If there are no “.” characters in the value, the entire value is used.
machines / lastIpAddress | IP Address | 
machines / ipAddress.macAddress, ipAddress.operationalStatus | MAC Address | The value from lastIpAddress is used to identify the appropriate macAddress from the list of possible ipAddresses. operationalStatus must also be “Up” for the entry.
machines / computerDnsName | NetBIOS | Truncated to the string before the first “.” character. If there are no “.” characters in the value, the entire value is used.
<none> | EC2 Locator | 
machines / machineTags, rbacGroupName | Tags | The value from rbacGroupName is prefixed with ‘rbacGroup: ’ and appended to the machineTags list.
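The mapping rules above, together with the date mappings from the Vulnerability Date Information section, applied to constructed records. This is an added example, not Cisco's or Microsoft's code; it assumes the machines record carries an `ipAddresses` list whose entries have `ipAddress`, `macAddress` and `operationalStatus` keys, that severity labels appear as written in the table, and that a space separates osBuild and version when they are combined.

```python
from typing import Optional

# Scanner Score per vulnerabilitySeverityLevel, keyed by the labels as written in the
# table; any other value falls into the 'Other' bucket (assumption).
SEVERITY_SCORE = {"Other": 0, "SeverityLow": 3, "SeverityMedium": 6,
                  "SeverityHigh": 8, "SeverityCritical": 10}

def short_name(dns_name: str) -> str:
    """Hostname and NetBIOS: text before the first '.', or the whole value if none."""
    return dns_name.split(".", 1)[0]

def os_version(os_build: Optional[str], version: Optional[str]) -> str:
    """version alone when osBuild is empty, else osBuild and version combined
    (the page gives no separator; a single space is assumed here)."""
    return (version or "") if not os_build else f"{os_build} {version or ''}".strip()

def mac_address(machine: dict) -> Optional[str]:
    """MAC of the ipAddresses entry matching lastIpAddress whose status is 'Up'."""
    for entry in machine.get("ipAddresses", []):  # list/key layout is assumed
        if (entry.get("ipAddress") == machine.get("lastIpAddress")
                and entry.get("operationalStatus") == "Up"):
            return entry.get("macAddress")
    return None

def map_vulnerability(vuln: dict) -> dict:
    """One SoftwareVulnerabilitiesByMachine row -> Cisco VM vulnerability fields."""
    return {"External ID": vuln.get("deviceId"), "CVE": vuln.get("cveId"),
            "Scanner Score": SEVERITY_SCORE.get(vuln.get("vulnerabilitySeverityLevel"), 0),
            "Found": vuln.get("firstSeenTimestamp"), "Last Seen": vuln.get("lastSeenTimestamp")}

def map_asset(machine: dict) -> dict:
    """One machines record -> Cisco VM asset fields."""
    dns = machine.get("computerDnsName", "")
    tags = list(machine.get("machineTags", []))
    if machine.get("rbacGroupName"):
        tags.append("rbacGroup: " + machine["rbacGroupName"])
    return {"Operating System": os_version(machine.get("osBuild"), machine.get("version")),
            "Last Seen": machine.get("lastSeen"), "Status": "Active",  # query filters on Active
            "FQDN": dns if "." in dns else None, "Hostname": short_name(dns),
            "NetBIOS": short_name(dns), "IP Address": machine.get("lastIpAddress"),
            "MAC Address": mac_address(machine), "Tags": tags}

# Constructed sample (not real data): a 'Down' entry on the same IP must be skipped.
SAMPLE_MACHINE = {
    "computerDnsName": "ws01.corp.example.com", "osBuild": "19045", "version": "22H2",
    "lastSeen": "2024-01-15T10:00:00Z", "lastIpAddress": "10.0.0.5",
    "ipAddresses": [
        {"ipAddress": "10.0.0.5", "macAddress": "00-11-22-33-44-55", "operationalStatus": "Down"},
        {"ipAddress": "10.0.0.5", "macAddress": "AA-BB-CC-DD-EE-FF", "operationalStatus": "Up"}],
    "machineTags": ["finance"], "rbacGroupName": "EMEA-Workstations"}
```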
