Edit

Vulnerabilities in my organization

  • Article
  • 5 minutes to read

Applies to:

Want to experience Microsoft Defender Vulnerability Management? Find out how to sign up for a free trial.

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Important

Defender Vulnerability Management can help identify Log4j vulnerabilities in applications and components. Learn more.

Microsoft Defender Vulnerability Management uses the same signals in Defender for Endpoint's endpoint protection to scan and detect vulnerabilities.

The Weaknesses page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.

Note

If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by Microsoft Defender Vulnerability Management, formerly known as threat and vulnerability management.

Tip

To get emails about new vulnerability events, see Configure vulnerability email notifications in Microsoft Defender for Endpoint

Navigate to the Weaknesses page

Access the Weaknesses page a few different ways:

  1. Go to the global search drop-down menu.
  2. Select Vulnerability and key in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, for example "CVE-2018-5568", then select the search icon. The Weaknesses page opens with the CVE information that you're looking for.
  3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices.

To see the rest of the vulnerabilities in the Weaknesses page, type CVE, then select search.

Weaknesses overview

Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the Exposed Devices column shows 0, that means you aren't at risk.

Screenshot of the weaknesses landing page

Breach and threat insights

View any related breach and threat insights in the Threats column when the icons are colored red.

Note

Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon Simple drawing of a red bug. and breach insight icon Simple drawing of an arrow hitting a target..

The breach insights icon is highlighted if there's a vulnerability found in your organization. Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.

The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there's a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories.

Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.

Gain vulnerability insights

If you select a CVE, a flyout panel will open with more information such as the vulnerability description, details and threat insights. For each CVE, you can see a list of the exposed devices and the software affected.

When a security recommendation is available you can select Go to the related security recommendation for details on how to remediate the vulnerability.

Weakness flyout example.

Recommendations for a CVE are often to remediate the vulnerability through a security update for the related software. However, Some CVEs won't have a security update available. This might apply to all the related software for a CVE or just a subset, for example, a software vendor might decide not to fix the issue on a particular vulnerable version.

When a security update is only available for some of the related software, the CVE will have the tag 'Some updates available'. Once there is at least one update available, you'll have the option to go to the related security recommendation.

Some updates available and no updates available tag examples.

If there is no security update available, the CVE will have the tag 'No security update'. There will be no option to go to the related security recommendation as software that doesn't have a security update available is excluded from the Security recommendations page.

Note

Security recommendations only include devices and software packages that have security updates available.

The information on security update availability is also visible in the Update availability column on the Exposed devices and Related software tabs.

Related software tab example.

Software that isn't supported

A CVE for software that isn't currently supported by vulnerability management still appears in the Weaknesses page. Because the software is not supported, only limited data will be available.

Exposed device information will not be available for CVEs with unsupported software. Filter by unsupported software by selecting the "Not available" option in the "Exposed devices" section.

Exposed devices filter.

View Common Vulnerabilities and Exposures (CVE) entries in other places

Top vulnerable software in the dashboard

  1. Go to the Defender Vulnerability Management dashboard and scroll down to the Top vulnerable software widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time.

Top vulnerable software card.

  1. Select the software you want to investigate.
  2. Select the Discovered vulnerabilities tab.
  3. Select the vulnerability you want to investigate for more information on the vulnerability details.

Discover vulnerabilities in the device page

View related weaknesses information in the device page.

  1. Select Device inventory from the Assets navigation menu in the Microsoft 365 Defender portal.

  2. In the Device inventory page, select the device name that you want to investigate.

  3. Select Discovered vulnerabilities from the device page.

    Device page with details and response options.

  4. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as, vulnerability description, threat insights, and detection logic.

CVE Detection logic

Similar to the software evidence, we show the detection logic we applied on a device in order to state that it's vulnerable.

To see the detection logic:

  1. Select a device from the Device inventory page.
  2. Select Discovered vulnerabilities from the device page.
  3. Select the vulnerability you want to investigate.

A flyout will open and the Detection logic section shows the detection logic and source.

Detection Logic example which lists the software detected on the device and the KBs.

The "OS Feature" category is also shown in relevant scenarios. This is when a CVE would affect devices that run a vulnerable OS if a specific OS component is enabled. For example, if Windows Server 2019 or Windows Server 2022 has vulnerability in its DNS component we'll only attach this CVE to the Windows Server 2019 and Windows Server 2022 devices with the DNS capability enabled in their OS.

Report inaccuracy

Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.

  1. Open the CVE on the Weaknesses page.
  2. Select Report inaccuracy and a flyout pane will open.
  3. From the flyout pane, choose an issue to report.
  4. Fill in the requested details about the inaccuracy. This will vary depending on the issue you're reporting.
  5. Select Submit. Your feedback is immediately sent to the Microsoft Defender Vulnerability Management experts.

Report inaccuracy options.