Επεξεργασία

Κοινή χρήση μέσω

Software inventory

  • Άρθρο

Applies to:

The software inventory in Defender Vulnerability Management is a list of known software in your organization. The default filter on the software inventory page displays all software with official Common Platform Enumerations (CPE). The view includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.

You can remove the CPE Available filter to gain further visibility and increase your search scope across all installed software in your organization. When you clear this filter, all software, including software without a CPE, displays in the software inventory list.

Note

CPEs are used by vulnerability management to identify software and any vulnerabilities. Software products without a CPE are shown in the software inventory page, but they're not supported by vulnerability management. Information like exploits, number of exposed devices, and weaknesses aren't available for software products without a CPE.

How it works

In the field of discovery, we're using the same set of signals that is responsible for detection and vulnerability assessment in Microsoft Defender for Endpoint detection and response capabilities.

Since it's real time, in a matter of minutes, you see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.

Navigate to the Software inventory page

Access the software inventory page by selecting Software inventory from the Vulnerability management navigation menu in the Microsoft Defender portal.

Note

If you search for software using the Microsoft Defender for Endpoint global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write windows_10 or windows_11 instead of Windows 10 or Windows 11.

Software inventory overview

The Software inventory page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags.

The data is updated every three to four hours. There's currently no way to force a sync.

By default, the view is filtered by Product Code (CPE): Available. You can also filter the list view based on weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support.

Example of the landing page for software inventory.

Select the software that you want to investigate. A flyout panel opens with a more compact view of the information on the page. You can either dive deeper into the investigation and select Open software page, or flag any technical inconsistencies by selecting Report inaccuracy.

Software that isn't supported

Software that isn't currently supported by vulnerability management might be present in the software inventory page. Because it isn't supported, only limited data are available. Filter by unsupported software with the "Not available" option in the "Weakness" section.

Unsupported software filter.

Here's how to tell whether software isn't supported:

  • The Weaknesses field shows Not available
  • The Exposed devices field shows a dash
  • Informational text is added in the side panel and in the software page
  • The software page doesn't have security recommendations, discovered vulnerabilities, or event timeline sections

Software inventory on devices

  1. In the Microsoft Defender portal, in the navigation pane, select Device inventory.

  2. Select the name of a device to open its device page.

  3. Select the Software inventory tab to see a list of all the known software present on the device.

  4. Select a specific software entry to open the flyout with more information.

Software might be visible at the device level, even if it's currently not supported by vulnerability management. However, only limited data is available. You know if software is unsupported because it has Not available listed in the Weakness column. Software with no CPE can also show up under this device-specific software inventory.

Software evidence

See evidence of where we detected a specific software on a device from the registry, disk, or both. You can find it on any device in the device software inventory.

Select a software name to open the flyout, and look for the section called "Software Evidence."

Software evidence example of Windows 10 from the devices list, showing software evidence registry path.

Software pages

You can view software pages a few different ways:

  • Software inventory page > Select a software name > Select Open software page in the flyout
  • Security recommendations page > Select a recommendation > Select Open software page in the flyout
  • Event timeline page > Select an event > Select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout

A full page appears with all the details of a specific software and the following information:

  • Side panel with vendor information, prevalence of the software in the organization (including number of devices it's installed on, and exposed devices that aren't patched), whether and exploit is available, and impact to exposure score.
  • Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs with the number of exposed devices.
  • Tabs showing information such as:

    • Corresponding security recommendations for the weaknesses and vulnerabilities identified.

    • Named CVEs of discovered vulnerabilities.

    • Devices that have the software installed (along with device name, domain, OS, and more).

    • Software version list (including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices).

      Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.

Report inaccuracy

Report an inaccuracy when you see vulnerability information and assessment results that are incorrect.

  1. Open the software flyout on the Software inventory page.

  2. Select Report inaccuracy.

  3. From the flyout pane, choose an issue to report from:

    • a software detail is wrong
    • the software isn't installed on any device in my org
    • the number of installed or exposed devices is wrong

  4. Fill in the requested details about the inaccuracy.

    Report inaccuracy

  5. Select Submit. Your feedback is immediately sent to the vulnerability management experts.

Software inventory APIs

You can use APIs to view information on the software installed in your organization. The information returned by the APIs includes the devices it's installed on, software name, software publisher, installed versions, and number of weaknesses. For more information, see: