Using Export API with Defender Vulnerability Management
Microsoft Defender Vulnerability Management helps organizations identify and remediate security vulnerabilities in their environment.
It provides a centralized view of vulnerabilities across all device types in an organization and prioritizes them based on severity and exploitability.
Defender Vulnerability Management provides an export API that allows programmatic access to vulnerability data. The API can be used to automate vulnerability management tasks, integrate vulnerability data with other security tools, and generate custom reports and dashboards.
In this blog, we will share guidance and best practices for using the Defender Vulnerability Management Export API, including:
Overview of the Export API
Available API methods using Export API
Using API Explorer
Managing large data sets and ensuring exports are up to date
Use Export API to build custom dashboards/reports
Defender Vulnerability Management data integrated in other tools
Overview of the Export API data types
The Export API publishes the raw data of all known software vulnerabilities, with their details, for the devices in the organization.
There are two export API methods: JSON response and files.
Method: JSON response
- Can be used to get a Defender Vulnerability Management snapshot of all data in the organization, or to query delta changes in the last X days (where X is up to 15 days)
- The delta export indicates, per CVE record, the CVE status (New, Updated or Resolved)
- Can be saved as an Excel file, opened in Notepad or VS Code, and parsed with different scripts

Method: Files
- Can be used to get a Defender Vulnerability Management snapshot of all data in the organization
- Recommended for large organizations with more than 100K devices
- Each file contains 100K records
- To get the next results batch, use the skip token (the @odata.nextLink field)
- Results in files format are valid for download for 3 hours (SAS URL)
- The files also contain information about devices that are not yet onboarded to Defender
Export software vulnerabilities assessment filter options: $skiptoken, $top, pageSize
Delta export software vulnerabilities assessment filter options: RbacName, $skiptoken, $top, pageSize, sinceTime
More details can be seen here: Export software vulnerabilities assessment per device | Microsoft Learn
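The two mechanics described above, following the @odata.nextLink skip token until the last batch and respecting the 3-hour validity of the SAS download URLs, as an added example that is not part of the original post. The response field names (exportFiles, generatedTime, @odata.nextLink) are assumptions modelled on the documented files export response, the HTTP call is replaced by an injected fetch function, and the sample batches are constructed.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Assumed response fields, modelled on the documented files export response:
# "exportFiles", "generatedTime" and "@odata.nextLink" (the skip token link).
SAS_VALIDITY = timedelta(hours=3)  # the post: file download URLs are valid for 3 hours

FIRST_URL = "https://api.security.microsoft.com/api/machines/SoftwareVulnerabilitiesExport"
NEXT_URL = FIRST_URL + "?$skiptoken=PAGE2"  # constructed; real skip tokens are opaque

def collect_export_files(first_url: str, fetch: Callable[[str], Dict]) -> List[str]:
    """Follow @odata.nextLink until the last batch and return every file URL.
    `fetch` (url -> parsed JSON body) is injected so the paging logic runs offline;
    in production it would be an authenticated HTTPS GET."""
    urls: List[str] = []
    seen = set()
    next_url = first_url
    while next_url:
        if next_url in seen:  # defensive: never loop forever on a repeated token
            raise RuntimeError(f"pagination loop at {next_url}")
        seen.add(next_url)
        page = fetch(next_url)
        urls.extend(page.get("exportFiles", []))
        next_url = page.get("@odata.nextLink")  # absent on the last batch
    return urls

def files_still_valid(generated_time: str, now_iso: str) -> bool:
    """True while the SAS URLs issued at generated_time are still downloadable.
    Both timestamps are ISO 8601 UTC strings, as the API returns them."""
    issued = datetime.fromisoformat(generated_time.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return now - issued < SAS_VALIDITY

# Constructed sample batches standing in for the live API (not real export data).
SAMPLE_PAGES = {
    FIRST_URL: {
        "exportFiles": ["https://example.invalid/part-00000.json.gz?sig=PLACEHOLDER"],
        "generatedTime": "2024-01-01T10:00:00Z",
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "exportFiles": ["https://example.invalid/part-00001.json.gz?sig=PLACEHOLDER"],
        "generatedTime": "2024-01-01T10:00:00Z",
    },
}

def fake_fetch(url: str) -> Dict:
    return SAMPLE_PAGES[url]

if __name__ == "__main__":
    print(collect_export_files(FIRST_URL, fake_fetch))
```

If files_still_valid returns False for a stored batch, request a fresh export instead of retrying the expired URLs.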
Available API methods using Export API
Via files (API method: details, documentation):
SoftwareVulnerabilitiesExport: software vulnerabilities data by machine (Export software vulnerabilities assessment per device | Microsoft Learn)
SoftwareInventoryExport: software data by machine (Export software inventory assessment per device | Microsoft Learn)
InfoGatheringExport: Export information gathering assessment | Microsoft Learn
SoftwareInventoryNonCpeExport: non-CPE products by machine (Export non product code software inventory assessment per device | Microsoft Learn)
SecureConfigurationsAssessmentExport: SCA data (configurations) by machine (Export secure configuration assessment per device | Microsoft Learn)
HardwareFirmwareInventoryExport: firmware data by machine (Hardware and firmware assessment methods and properties per device | Microsoft Learn)
BrowserExtensionsInventoryExport: browser extensions by machine (Export browser extensions assessment | Microsoft Learn)
BaselineComplianceAssessmentExport: baseline data by machine (Security baseline assessment methods and properties per device | Microsoft Learn)
CertificateAssessmentExport: certificates data by machine (Certificate assessment methods and properties per device | Microsoft Learn)
Via JSON response (API method: details, documentation):
SoftwareVulnerabilitiesByMachine: vulnerabilities data by machine (Export software vulnerabilities assessment per device | Microsoft Learn)
SecureConfigurationsAssessmentByMachine: SCA data (configurations) by machine (Export secure configuration assessment per device | Microsoft Learn)
SoftwareVulnerabilityChangesByMachine: delta (Export software vulnerabilities assessment per device | Microsoft Learn)
SoftwareInventoryByMachine: software data by machine (Export software inventory assessment per device | Microsoft Learn)
SoftwareInventoryNoProductCodeByMachine: non-CPE products by machine (Export non product code software inventory assessment per device | Microsoft Learn)
BrowserExtensionsInventoryByMachine: browser extensions by machine (Export browser extensions assessment | Microsoft Learn)
HardwareFirmwareInventoryByMachine: firmware data by machine (Hardware and firmware assessment methods and properties per device | Microsoft Learn)
BaselineComplianceAssessmentByMachine: baseline data by machine (Security baseline assessment methods and properties per device | Microsoft Learn)
CertificateAssessmentByMachine: certificates data by machine (Certificate assessment methods and properties per device | Microsoft Learn)
Using API Explorer from the security portal
With the API Explorer, you can:
Run requests for any method and see responses in real-time
Quickly browse through the API samples and learn what parameters they support
Make API calls with ease
To start, open the Defender portal and navigate to ‘Endpoints > Partners and API > API Explorer’.
Based on the data you need to explore, add the corresponding suffix to the API call.
In the example, we will use software vulnerabilities:
https://api.security.microsoft.com/api/machines/SoftwareVulnerabilitiesExport
Run the query
To check that it is working and export the data to Excel:
Copy one of the file URLs from the results
Open it in a browser and save the JSON file
Extract the JSON file
Open Excel, click on the ‘Data’ tab > Get Data > From File > From JSON, and choose the file you saved above
Managing large data sets and ensuring exports are up to date
In the case of large amounts of data, organizations can use the steps below to avoid pulling all Defender Vulnerability Management data every day while still ensuring the exported data is up to date:
1. Pull ‘Export software vulnerabilities assessment’ once a week
2. Pull ‘Delta export software vulnerabilities assessment’ once a day
3. Join the full snapshot with the delta file based on Device ID, software name and version, and CVE ID
4. The latest ‘Event time stamp’ indicates the latest status of a specific CVE
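The weekly-snapshot-plus-daily-delta procedure above, as an added example that is not part of the original post. The JSON property names (deviceId, softwareName, softwareVersion, cveId, status, eventTimestamp) are assumptions modelled on the export schema, and the snapshot and delta records are constructed placeholders.

```python
from typing import Dict, Iterable, List, Tuple

# Assumed JSON field names, modelled on the export schema; the post names the
# join keys and the event time stamp but not the exact property names.
Key = Tuple[str, str, str, str]

def record_key(rec: Dict) -> Key:
    """Join key from the post: Device ID, software name and version, CVE ID."""
    return (rec["deviceId"], rec["softwareName"], rec["softwareVersion"], rec["cveId"])

def merge_snapshot_with_delta(snapshot: Iterable[Dict], delta: Iterable[Dict]) -> Dict[Key, Dict]:
    """Apply daily delta records on top of the weekly full snapshot.
    Delta records are applied in eventTimestamp order (ISO 8601 UTC strings, so
    lexical order is chronological); the latest event decides a CVE's status, and
    a 'Resolved' event removes the finding from the open set."""
    state: Dict[Key, Dict] = {record_key(r): dict(r) for r in snapshot}
    for rec in sorted(delta, key=lambda r: r["eventTimestamp"]):
        key = record_key(rec)
        if rec["status"] == "Resolved":
            state.pop(key, None)
        else:  # New or Updated: the delta row is the freshest view of this finding
            state[key] = dict(rec)
    return state

def open_cves_for_device(state: Dict[Key, Dict], device_id: str) -> List[str]:
    return sorted(r["cveId"] for k, r in state.items() if k[0] == device_id)

# Constructed sample data (placeholder device, software and CVE identifiers).
SNAPSHOT = [
    {"deviceId": "device-1", "softwareName": "exampleapp", "softwareVersion": "1.0",
     "cveId": "CVE-0000-0001", "vulnerabilitySeverityLevel": "High"},
    {"deviceId": "device-1", "softwareName": "exampleapp", "softwareVersion": "1.0",
     "cveId": "CVE-0000-0002", "vulnerabilitySeverityLevel": "Medium"},
]
DELTA = [  # deliberately out of order: without the timestamp sort, CVE-0000-0001 would wrongly reappear
    {"deviceId": "device-1", "softwareName": "exampleapp", "softwareVersion": "1.0",
     "cveId": "CVE-0000-0001", "status": "Resolved", "eventTimestamp": "2024-01-03T08:00:00Z"},
    {"deviceId": "device-1", "softwareName": "exampleapp", "softwareVersion": "1.0",
     "cveId": "CVE-0000-0001", "status": "Updated", "eventTimestamp": "2024-01-02T08:00:00Z",
     "vulnerabilitySeverityLevel": "Critical"},
    {"deviceId": "device-1", "softwareName": "exampleapp", "softwareVersion": "1.0",
     "cveId": "CVE-0000-0002", "status": "Updated", "eventTimestamp": "2024-01-04T08:00:00Z",
     "vulnerabilitySeverityLevel": "Critical"},
    {"deviceId": "device-1", "softwareName": "exampleapp", "softwareVersion": "1.0",
     "cveId": "CVE-0000-0003", "status": "New", "eventTimestamp": "2024-01-02T09:00:00Z"},
]

if __name__ == "__main__":
    print(open_cves_for_device(merge_snapshot_with_delta(SNAPSHOT, DELTA), "device-1"))
```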
Use Export API to build custom dashboards/reports
Using the Defender Vulnerability Management Export API, customers can build custom reports and dashboards to fit the organization's needs. We have seen organizations build anything from executive or management reports to detailed vulnerability management dashboards.
There are a variety of ways to use the API, such as Power Automate, Power BI, advanced hunting using Python, advanced hunting using PowerShell, and OData queries.
One example to get started is to use Defender Vulnerability Management Power BI templates which enable out of the box reports such as Organization existing vulnerabilities, Software inventory, Missing Windows security updates and more.
You can download the templates here.
Defender Vulnerability Management data integrated in other tools
Defender Vulnerability Management data can be integrated into other security tools. Below are examples of both Microsoft and non-Microsoft tools:
Microsoft Intune
Integration with Microsoft Intune allows customers to ‘Request Remediation’ for vulnerability security recommendations. This creates an Intune package deployment request and a remediation activity item within the security portal, which can be used to monitor the remediation progress for that recommendation.
ServiceNow Vulnerability Response
Microsoft Sentinel
Use Sentinel to store Defender Vulnerability Management historical data. This can be used to integrate vulnerability data with other XDR workflow data, to build a custom dashboard that reflects vulnerability management trends, and more. To store Defender Vulnerability Management data, please follow the below:
Please make sure that any analytic rules, hunting queries, workbooks or other content related to Defender Vulnerability Management data is directed to the tables you have created.
Microsoft Security Exposure Management
Exposure Management integrates with Defender Vulnerability Management, helping security managers continuously assess and analyze vulnerabilities and misconfigurations across the organization’s digital landscape. In the Vulnerability Assessment initiative, users can actively identify, prioritize, track and delegate vulnerabilities within the IT infrastructure and the cloud. Users gain real-time visibility into the security posture of their organization, enabling data-driven decision-making for resource investment and placement.
To learn more, see the documentation about security initiatives or the blog series introducing Exposure Management.
For more on Defender Vulnerability Management, please visit the Documentation page and the Ninja page.