Intermediate โฑ 90 min ๐Ÿ“‹ 10 Steps

Assess & Remediate Vulnerabilities with Defender Vulnerability Management

Configure Defender Vulnerability Management, discover exposed assets, assess vulnerabilities by exploitability and business impact, create remediation tasks, track remediation progress, evaluate security baselines, and build a vulnerability management dashboard.

๐Ÿ“‹ Overview

About This Lab

Defender Vulnerability Management (DVM) provides continuous asset visibility and risk-based vulnerability assessments. Unlike traditional scanning tools that flood you with thousands of CVEs ranked by generic CVSS scores, DVM uses real-time threat intelligence, exploit predictions, and business context to prioritize the vulnerabilities that actually matter. It integrates natively with Microsoft Defender for Endpoint, leveraging the existing sensor to provide agentless vulnerability discovery without additional network scanning infrastructure.

๐Ÿข Enterprise Use Case

An enterprise organization with 5,000 endpoints discovers 12,000 CVEs across their estate. Traditional CVSS scoring ranks 3,000 of them as “Critical” (CVSS ≥ 9.0), leaving the vulnerability management team overwhelmed. By enabling Defender Vulnerability Management’s risk-based scoring. which factors in exploit availability, active threat campaigns, exposed attack surfaces, and business-critical asset context. the true priority list shrinks to 200 exploitable vulnerabilities with exposed attack paths. The team remediates those 200 in two weeks and reduces their organization’s exposure score by 40%.

๐ŸŽฏ What You Will Learn

  1. Navigate the Defender Vulnerability Management dashboard and interpret the exposure score
  2. Browse and filter the software inventory by vendor, end-of-life status, and known vulnerabilities
  3. Assess vulnerabilities using exploit availability, internet exposure, and DVM exposure scoring
  4. Evaluate device security baselines against CIS and Microsoft benchmarks
  5. Inventory and assess browser extensions for risky permissions and unverified publishers
  6. Create remediation activities and assign them to IT teams with deadlines
  7. Track remediation progress, verify patches, and monitor exposure score trends
  8. Configure and prioritize security recommendations with exceptions and automated remediation
  9. Build a KQL-powered vulnerability management workbook with trend visualizations
  10. Establish an ongoing vulnerability management cadence with metrics and reporting

๐Ÿ”‘ Why This Matters

Traditional vulnerability management is broken. teams drown in thousands of CVEs without knowing which ones attackers will actually exploit. According to research, fewer than 5% of published CVEs are ever exploited in the wild, yet CVSS alone cannot distinguish between a theoretical risk and an actively weaponized vulnerability. Defender Vulnerability Management solves this by combining Microsoft’s threat intelligence, exploit prediction models, and real-time attack surface data to surface the vulnerabilities that represent genuine risk. The result is fewer patches, faster remediation, and measurably reduced exposure.

โš™๏ธ Prerequisites

  • Microsoft Defender for Endpoint P2. or Defender Vulnerability Management add-on license
  • Devices onboarded to MDE. at least one Windows device reporting to the Defender portal
  • Security Administrator role. in the Microsoft Defender portal for vulnerability management access
  • Microsoft Intune (optional). for integrated remediation ticket creation
  • PowerShell 7+ with Microsoft Graph SDK. for API-based queries and automation
  • Log Analytics workspace (optional). for building KQL workbooks with advanced hunting data
๐Ÿ’ก Pro Tip: If you don’t have a Defender for Endpoint P2 license, the Defender Vulnerability Management add-on can be added to Defender for Endpoint P1 or even Microsoft 365 E3. Check your licensing options before starting.

Step 1 ยท Navigate to the Vulnerability Management Dashboard

The Vulnerability Management dashboard provides a single-pane view of your organization’s exposure score, vulnerable devices, top security recommendations, and remediation activity. Start here to understand your current vulnerability posture.

Portal Instructions

  1. Navigate to Microsoft Defender portal > Vulnerability management > Dashboard
  2. Review the Exposure score. a 0–100 score reflecting overall vulnerability posture (lower is better)
  3. Review Microsoft Secure Score for Devices. measures security configuration hygiene
  4. Check Exposed devices. devices with exploitable vulnerabilities
  5. Review Top security recommendations. prioritized actions to reduce exposure
  6. Check Remediation activities. active tickets and their completion status
  7. Note the Exposure score trend. track improvement over time

Query Exposure Score via API

# WHAT: Query the Defender Vulnerability Management exposure and secure scores via the MDE API
# WHY: Programmatically track your organization's vulnerability posture over time
#      for dashboards, automated reporting, and trend analysis
# PREREQUISITES: Requires an Entra ID app registration with Machine.Read.All permission
#   in the WindowsDefenderATP resource (Microsoft Defender for Endpoint API)

$tenantId     = "YOUR_TENANT_ID"
$clientId     = "YOUR_CLIENT_ID"
$clientSecret = "YOUR_CLIENT_SECRET"

# Authenticate using OAuth 2.0 client credentials flow
# The scope targets the MDE API (securitycenter.microsoft.com)
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://api.securitycenter.microsoft.com/.default"
}
$token = (Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Method POST -Body $body).access_token

$headers = @{ Authorization = "Bearer $token" }

# Get exposure score (0-100, LOWER is better)
# The exposure score reflects overall vulnerability posture factoring in:
# exploitability, internet exposure, active threats, and device criticality
# Refreshes every ~4 hours; don't expect instant changes after patching
$exposure = Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/exposureScore" `
    -Headers $headers
Write-Host "Exposure Score: $($exposure.score)" -ForegroundColor Yellow

# Get secure score for devices (0-100, HIGHER is better)
# Measures security configuration hygiene: OS updates, security features enabled,
# firewall status, BitLocker, credential guard, etc.
$secureScore = Invoke-RestMethod -Uri "https://api.securitycenter.microsoft.com/api/configurationScore" `
    -Headers $headers
Write-Host "Secure Score for Devices: $($secureScore.score)" -ForegroundColor Cyan
๐Ÿ’ก Pro Tip: The exposure score refreshes every 4 hours. Don’t expect instant changes after patching. Use the trend chart to track improvement over days and weeks rather than checking hourly.

Step 2 ยท Review the Software Inventory

The software inventory provides a complete view of all software installed across your managed devices, including version numbers, vendor details, known vulnerabilities, and end-of-life status.

Portal Instructions

  1. Navigate to Vulnerability management > Software inventory
  2. Filter by Vendor. focus on high-risk vendors (Adobe, Apache, Oracle)
  3. Filter by End of Life. identify software that no longer receives security updates
  4. Sort by Vulnerabilities column. find software with the most known CVEs
  5. Click on a software entry to see affected devices, CVE details, and installed versions

KQL: Software Inventory Queries

// WHAT: Comprehensive software inventory with vulnerability counts per application
// WHY: Identifies which installed software carries the most known CVEs,
//      helping prioritize patch cycles and EOL software replacement
// TABLE: DeviceTvmSoftwareInventory - all software detected on MDE-onboarded devices
// KEY FIELDS:
//   SoftwareName / SoftwareVendor - the application and its publisher
//   SoftwareVersion - installed version (may differ across devices)
//   EndOfSupportStatus - "EOS" if past end-of-life (no more security patches)
//   EndOfSupportDate - the actual EOL date
// JOIN: DeviceTvmSoftwareVulnerabilities - maps software to known CVEs
// OUTPUT: Software name, vendor, device count, vulnerability count, and installed versions
DeviceTvmSoftwareInventory
| summarize DeviceCount=dcount(DeviceId), Versions=make_set(SoftwareVersion)
    by SoftwareName, SoftwareVendor
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilities
    | summarize VulnCount=dcount(CveId) by SoftwareName
) on SoftwareName
| project SoftwareName, SoftwareVendor, DeviceCount, VulnCount, Versions
| order by VulnCount desc

// WHAT: Find end-of-life software still installed on managed devices
// WHY: EOL software receives NO security patches - any new CVE is permanently unpatched.
//      This is a top audit finding for PCI-DSS, ISO 27001, and SOC2 compliance.
// EndOfSupportStatus values: "EOS" (end of support) or empty (still supported)
DeviceTvmSoftwareInventory
| where EndOfSupportStatus == "EOS"  
| summarize DeviceCount=dcount(DeviceId) by SoftwareName, SoftwareVersion, SoftwareVendor
| order by DeviceCount desc

// WHAT: Find software past its end-of-support date with no vendor patches available
// WHY: These represent permanent vulnerabilities requiring compensating controls
//      (network segmentation, application whitelisting) or replacement
DeviceTvmSoftwareInventory
| where isnotempty(EndOfSupportDate) and EndOfSupportDate < now()
| summarize AffectedDevices=dcount(DeviceId) by SoftwareName, SoftwareVersion
| order by AffectedDevices desc
โš ๏ธ Important: End-of-life software with known vulnerabilities is a top audit finding. If you cannot remove EOL software, document a risk exception and implement compensating controls (network segmentation, application whitelisting).

Step 3 ยท Assess Vulnerabilities by Risk

Not all CVEs are equal. DVM scores vulnerabilities by factoring in exploit availability, active threat campaigns, internet exposure, and device criticality. giving you a risk-based priority that goes far beyond generic CVSS.

Portal Instructions

  1. Navigate to Vulnerability management > Weaknesses
  2. Filter by Exploit available. show only CVEs with known exploits
  3. Filter by Exposed to internet. focus on internet-facing vulnerabilities
  4. Compare CVSS score vs DVM exposure score for each vulnerability
  5. Click on a CVE to view: affected devices, exploit details, threat analytics link, and recommended actions
  6. Identify CVEs with Active threat tags. these are being exploited in current campaigns

KQL: Risk-Based Vulnerability Assessment

// WHAT: Find exploitable vulnerabilities on internet-facing devices
// WHY: Internet-facing + exploit available = highest real-world risk.
//      These are the CVEs attackers will target first in any campaign.
// TABLE: DeviceTvmSoftwareVulnerabilities - maps devices to CVEs
// KEY FIELDS:
//   IsExploitAvailable - true/false: whether a public exploit exists (Metasploit, PoC, etc.)
//   CveId - the CVE identifier (e.g., CVE-2024-12345)
//   VulnerabilitySeverityLevel - Critical | High | Medium | Low (based on CVSS + DVM scoring)
//   CvssScore - CVSS v3 base score (0.0-10.0):
//     9.0-10.0 = Critical, 7.0-8.9 = High, 4.0-6.9 = Medium, 0.1-3.9 = Low
// JOIN: DeviceInfo (IsInternetFacing = true) to focus on publicly exposed devices
// OUTPUT: CVEs with exploit available on internet-facing devices, sorted by severity
DeviceTvmSoftwareVulnerabilities
| where IsExploitAvailable == true
| join kind=inner (
    DeviceInfo
    | where IsInternetFacing == true
    | distinct DeviceId, DeviceName
) on DeviceId
| summarize ExposedDevices=dcount(DeviceId) by CveId, SoftwareName, 
    VulnerabilitySeverityLevel, CvssScore
| order by CvssScore desc, ExposedDevices desc

// WHAT: Compare CVSS severity scores vs actual exploitability to build risk categories
// WHY: Only ~5% of CVEs are ever exploited in the wild. A CVSS 9.0 vulnerability
//      with no known exploit is lower real-world risk than a CVSS 7.0 with a
//      Metasploit module. This query creates actionable priority buckets.
// RiskCategory logic:
//   Exploit available + CVSS >= 9.0 = "Critical. Patch Now" (immediate action)
//   Exploit available + CVSS >= 7.0 = "High. Patch This Week" (urgent)
//   No exploit + CVSS >= 9.0        = "High CVSS but No Exploit" (monitor, lower priority)
//   Everything else                 = "Monitor" (track but deprioritize)
DeviceTvmSoftwareVulnerabilities
| summarize 
    TotalDevices=dcount(DeviceId),
    ExploitAvailable=max(toint(IsExploitAvailable))
    by CveId, VulnerabilitySeverityLevel, CvssScore
| extend RiskCategory = case(
    ExploitAvailable == 1 and CvssScore >= 9.0, "Critical. Patch Now",
    ExploitAvailable == 1 and CvssScore >= 7.0, "High. Patch This Week",
    ExploitAvailable == 0 and CvssScore >= 9.0, "High CVSS but No Exploit",
    "Monitor")
| summarize CVEs=count(), Devices=sum(TotalDevices) by RiskCategory
| order by CVEs desc

// WHAT: Find exploitable vulnerabilities affecting 5+ devices in the environment
// WHY: Wide-impact exploitable CVEs represent the highest organizational risk;
//      patching these delivers the largest exposure score reduction per patch cycle
DeviceTvmSoftwareVulnerabilities
| where IsExploitAvailable == true
| summarize AffectedDevices=dcount(DeviceId), Software=make_set(SoftwareName) 
    by CveId, CvssScore, VulnerabilitySeverityLevel
| where AffectedDevices > 5
| order by CvssScore desc
๐Ÿ’ก Pro Tip: A CVE with a CVSS score of 10.0 but no public exploit and no internet exposure is less urgent than a CVSS 7.5 vulnerability with a Metasploit module targeting your internet-facing web servers. Always prioritize by actual risk, not CVSS alone.

Step 4 ยท Evaluate Security Baselines

Security baselines ensure your devices meet configuration standards from CIS Benchmarks and Microsoft security recommendations. DVM continuously assesses device configurations against these benchmarks and highlights non-compliant settings.

Portal Instructions

  1. Navigate to Vulnerability management > Baselines assessment
  2. Review available baselines: CIS Benchmarks and Microsoft Benchmarks
  3. Select a baseline profile. e.g., CIS Microsoft Windows 11 Enterprise
  4. Review the compliance summary: compliant vs non-compliant settings per device
  5. Click on non-compliant configurations to see remediation guidance
  6. Export the compliance report for audit evidence

KQL: Security Configuration Assessment

// Devices with misconfigured security settings
DeviceTvmSecureConfigurationAssessment
| where IsCompliant == false
| summarize NonCompliantSettings=count() by DeviceName, DeviceId
| order by NonCompliantSettings desc
| take 20

// Top misconfigured settings across all devices
DeviceTvmSecureConfigurationAssessment
| where IsCompliant == false
| summarize AffectedDevices=dcount(DeviceId) by ConfigurationId, 
    ConfigurationName, ConfigurationCategory
| order by AffectedDevices desc
| take 15

// Compliance rate by configuration category
DeviceTvmSecureConfigurationAssessment
| summarize 
    Total=count(),
    Compliant=countif(IsCompliant == true),
    NonCompliant=countif(IsCompliant == false)
    by ConfigurationCategory
| extend ComplianceRate = round(todouble(Compliant) / Total * 100, 1)
| order by ComplianceRate asc
๐Ÿ’ก Pro Tip: Don’t try to remediate every baseline finding at once. Focus on the settings with the highest security impact first: credential guard, attack surface reduction rules, and OS-level protections. Track compliance rate weekly to show progress.

Step 5 ยท Assess Browser Extensions

Browser extensions are a growing attack vector. Malicious or overprivileged extensions can steal credentials, exfiltrate data, and inject content into web pages. DVM inventories all browser extensions across your managed devices and flags risky ones.

Portal Instructions

  1. Navigate to Vulnerability management > Browser extensions
  2. Review extensions by permission level: high, medium, low
  3. Filter by High permissions. extensions requesting access to all URLs, cookies, or browsing history
  4. Check for extensions from unknown or unverified publishers
  5. Identify extensions installed on many devices but with low store ratings
  6. Cross-reference with your organization’s approved extension list

KQL: Browser Extension Queries

// List all browser extensions with device counts
DeviceTvmBrowserExtensions
| summarize InstalledDevices=dcount(DeviceId) by ExtensionName, 
    BrowserName, ExtensionVersion, ExtensionVendor
| order by InstalledDevices desc

// Find extensions with high-risk permissions
DeviceTvmBrowserExtensions
| where PermissionRisk == "High"
| summarize InstalledDevices=dcount(DeviceId), 
    Permissions=make_set(ExtensionPermissions)
    by ExtensionName, BrowserName, ExtensionVendor
| order by InstalledDevices desc

// Extensions requesting access to all URLs
DeviceTvmBrowserExtensions
| where ExtensionPermissions has "allUrls" or ExtensionPermissions has "<all_urls>"
| summarize InstalledDevices=dcount(DeviceId) by ExtensionName, 
    ExtensionVendor, BrowserName
| order by InstalledDevices desc
โš ๏ธ Important: An extension with “Read and change all your data on all websites” permission can intercept banking credentials, session tokens, and sensitive corporate data. Treat high-permission extensions from unverified publishers as potential supply-chain risks.

Step 6 ยท Create Remediation Activities

Remediation activities bridge the gap between the security team (who identifies vulnerabilities) and the IT operations team (who patches them). DVM lets you create remediation requests with deadlines, assign them to teams, and track completion.

Portal Instructions

  1. Navigate to Vulnerability management > Recommendations
  2. Select a recommendation. e.g., Update Google Chrome
  3. Click Request remediation
  4. Set priority: Urgent, High, Medium, or Low
  5. Set a due date. align with your patching SLA
  6. Add notes. include context, impacted teams, or risk justification
  7. If Intune is connected, the remediation can generate an Intune deployment ticket automatically
  8. Click Submit request

PowerShell: Create Remediation via API

# Create a remediation activity via MDE API
$body = @{
    title       = "Update Chrome to latest version"
    description = "Chrome 120.x has 3 critical CVEs with active exploits. Update to 121+ across all devices."
    priority    = "High"
    dueDate     = (Get-Date).AddDays(7).ToString("yyyy-MM-ddTHH:mm:ssZ")
    category    = "Software"
    relatedComponent = "Google Chrome"
    fixedAssetIds    = @()  # Targets all affected devices
} | ConvertTo-Json

$remediation = Invoke-RestMethod `
    -Uri "https://api.securitycenter.microsoft.com/api/remediationTasks" `
    -Headers $headers `
    -Method POST `
    -Body $body `
    -ContentType "application/json"

Write-Host "Remediation task created: $($remediation.id)" -ForegroundColor Green

# List all active remediation activities
$tasks = Invoke-RestMethod `
    -Uri "https://api.securitycenter.microsoft.com/api/remediationTasks" `
    -Headers $headers
$tasks.value | Select-Object id, title, status, priority, dueDate | Format-Table
๐Ÿ’ก Pro Tip: Define patching SLAs by risk level: Critical exploitable. 48 hours; High. 7 days; Medium. 30 days; Low. 90 days. Link remediation deadlines to these SLAs so IT operations teams have clear expectations.

Step 7 ยท Track Remediation Progress

After creating remediation activities, monitor their status to ensure patches are applied, exposure scores decrease, and your SLAs are met.

Portal Instructions

  1. Navigate to Vulnerability management > Remediation
  2. Review the Activity tab. see all open, completed, and overdue tasks
  3. Click on a task to view:
    • Remediated devices. how many devices have been patched
    • Remaining devices. devices still vulnerable
    • Completion percentage. overall progress
  4. Check the Exceptions tab. review approved risk exceptions for vulnerabilities that cannot be patched
  5. Return to the Dashboard and verify the exposure score is trending downward

KQL: Remediation Tracking Queries

// Track vulnerability count trend over time
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated > ago(30d)
| summarize VulnCount=dcount(CveId), 
    AffectedDevices=dcount(DeviceId) by bin(TimeGenerated, 1d)
| render timechart

// Verify patching: check if specific CVE is still present
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-1234"
| summarize RemainingDevices=dcount(DeviceId) by SoftwareName, SoftwareVersion
| order by RemainingDevices desc

// Exposure score trend (requires custom logging via API)
// Alternative: use the DVM dashboard's built-in trend chart
DeviceTvmSoftwareVulnerabilities
| where IsExploitAvailable == true
| summarize ExploitableVulns=dcount(CveId), 
    ExposedDevices=dcount(DeviceId) by bin(TimeGenerated, 1d)
| render timechart
๐Ÿ’ก Pro Tip: Create a weekly remediation review meeting. Show: new vulnerabilities discovered, remediation tasks completed, overdue items, and exposure score change. This keeps IT operations accountable and demonstrates measurable risk reduction to leadership.

Step 8 ยท Configure Security Recommendations

Security recommendations are prioritized actions that DVM identifies to reduce your exposure. Each recommendation includes the expected exposure reduction, affected devices, and remediation steps. You can accept, dismiss, or create exceptions for each recommendation.

Portal Instructions

  1. Navigate to Vulnerability management > Recommendations
  2. Sort by Exposure impact. recommendations that reduce exposure the most
  3. Review the top 10 recommendations. these give the biggest security improvement per effort
  4. For recommendations you cannot implement:
    • Click Exception > choose reason (compensating control, acceptable risk, third-party mitigation)
    • Set an expiration date for the exception
    • Add justification notes for audit trails
  5. For recommendations you will implement, click Request remediation to create a tracked task

KQL: Recommendation Analysis

// Top security recommendations by affected device count
DeviceTvmSecureConfigurationAssessment
| where IsCompliant == false and IsApplicable == true
| summarize AffectedDevices=dcount(DeviceId) by ConfigurationId, 
    ConfigurationName, ConfigurationCategory, ConfigurationSubcategory
| order by AffectedDevices desc
| take 20

// Recommendations grouped by category
DeviceTvmSecureConfigurationAssessment
| where IsCompliant == false
| summarize Recommendations=dcount(ConfigurationId), 
    AffectedDevices=dcount(DeviceId)
    by ConfigurationCategory
| order by AffectedDevices desc
โš ๏ธ Important: Don’t dismiss recommendations without creating exceptions. Dismissed recommendations disappear from view. Exceptions preserve the audit trail and force periodic re-evaluation when they expire.

Step 9 ยท Build a Vulnerability Dashboard

Create a Sentinel workbook (or Defender advanced hunting dashboard) with KQL tiles that give executives and security teams a comprehensive view of vulnerability management metrics, trends, and remediation velocity.

Workbook Tiles

// Tile 1: Vulnerability Trend (last 30 days)
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated > ago(30d)
| summarize Vulnerabilities=dcount(CveId) by bin(TimeGenerated, 1d), 
    VulnerabilitySeverityLevel
| render timechart

// Tile 2: Most Vulnerable Software (top 10)
DeviceTvmSoftwareVulnerabilities
| summarize CVEs=dcount(CveId), Devices=dcount(DeviceId) by SoftwareName
| top 10 by CVEs
| render barchart

// Tile 3: Remediation Velocity
// Track how quickly vulnerabilities are being patched
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated > ago(30d)
| where IsExploitAvailable == true
| summarize ExploitableVulns=dcount(CveId) by bin(TimeGenerated, 1d)
| render timechart

// Tile 4: Exposure Score Over Time
// Uses custom logging. alternative: screenshot from dashboard
DeviceTvmSoftwareVulnerabilities
| summarize TotalVulns=dcount(CveId), 
    CriticalVulns=dcountif(CveId, VulnerabilitySeverityLevel == "Critical"),
    ExploitableVulns=dcountif(CveId, IsExploitAvailable == true)
    by bin(TimeGenerated, 1d)
| render timechart

// Tile 5: Security Baseline Compliance Rate
DeviceTvmSecureConfigurationAssessment
| summarize 
    Total=count(),
    Compliant=countif(IsCompliant == true)
    by ConfigurationCategory
| extend CompliancePercent = round(todouble(Compliant) / Total * 100, 1)
| render barchart

// Tile 6: Devices by Vulnerability Count
DeviceTvmSoftwareVulnerabilities
| summarize VulnCount=dcount(CveId) by DeviceName
| extend RiskBucket = case(
    VulnCount > 100, "Critical (>100)",
    VulnCount > 50, "High (50-100)",
    VulnCount > 20, "Medium (20-50)",
    "Low (<20)")
| summarize Devices=count() by RiskBucket
| render piechart

Deploy the Workbook

  1. Navigate to Microsoft Sentinel > Workbooks > Add workbook
  2. Click Edit > Advanced Editor
  3. Add each query as a separate tile with visualisations (timechart, barchart, piechart)
  4. Add parameter filters: TimeRange, SeverityLevel, SoftwareVendor
  5. Save as DVM. Vulnerability Management Dashboard
  6. Share with the vulnerability management team and pin to the operations dashboard
๐Ÿ’ก Pro Tip: Create an executive summary tile at the top of your workbook with three key numbers: total exploitable vulnerabilities, exposure score, and average remediation time. Executives want trends and benchmarks, not raw CVE lists.

Step 10 ยท Clean Up & Next Steps

Review what you’ve built and plan your ongoing vulnerability management operations.

What You Accomplished

  1. Dashboard. Understood the DVM exposure score and how it reflects real risk
  2. Software Inventory. Identified EOL software and high-vulnerability applications
  3. Risk Assessment. Prioritized CVEs by exploitability and exposure, not just CVSS
  4. Baselines. Evaluated device configurations against CIS and Microsoft benchmarks
  5. Browser Extensions. Discovered and assessed risky browser extensions
  6. Remediation. Created tracked remediation tasks with deadlines and ownership
  7. Tracking. Monitored remediation progress and exposure score trends
  8. Recommendations. Configured security recommendations with exceptions
  9. Dashboard. Built a KQL workbook with vulnerability management metrics

Ongoing Vulnerability Management Cadence

# Recommended cadence for vulnerability management operations
# Daily:   Check for new critical/exploitable vulnerabilities
# Weekly:  Review remediation progress, update ticket statuses
# Monthly: Executive dashboard review, SLA compliance report
# Quarterly: Full baseline assessment, exception review, policy updates

# Quick daily check script
$headers = @{ Authorization = "Bearer $token" }

# Get new vulnerabilities discovered in last 24 hours
$newVulns = Invoke-RestMethod `
    -Uri "https://api.securitycenter.microsoft.com/api/vulnerabilities?`$filter=publishedOn gt $(
        (Get-Date).AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ'))" `
    -Headers $headers

Write-Host "New vulnerabilities in last 24h: $($newVulns.value.Count)" -ForegroundColor Yellow
$newVulns.value | Where-Object { $_.exploitInKit -eq $true } | 
    Select-Object id, name, severity | Format-Table

Next Steps

๐Ÿ’ก Pro Tip: Track four key metrics monthly: total exploitable vulnerabilities (target: decreasing), mean time to remediate critical CVEs (target: <48 hours), exposure score (target: decreasing), and baseline compliance rate (target: >90%). These metrics demonstrate measurable security improvement to leadership and auditors.

๐Ÿ“š Documentation Resources

ResourceDescription
Defender Vulnerability Management overviewProduct overview and feature documentation
Vulnerability management dashboardUnderstand exposure score and dashboard metrics
Software inventoryBrowse and analyze installed software across devices
Vulnerabilities in your organizationAssess and prioritize CVEs by risk
Security recommendationsPrioritized actions to reduce exposure
Remediation and exceptionCreate and track remediation activities
Browser extensions assessmentAssess risky browser extensions
MDE APIsProgrammatic access to vulnerability management data
← All Labs Next Lab →