2.8 Threat and Vulnerability Management

10-14 hours · Module 2

SC-200 Exam Objective

Domain 1 — Manage a SOC Environment: "Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management" and "Mitigate risk by using Exposure Management in Microsoft Defender XDR."

Introduction

Every previous subsection in this module focused on detecting and responding to active attacks — malware execution, credential theft, lateral movement, C2 communication. Threat and Vulnerability Management (TVM) addresses the other side of the equation: reducing the attack surface so that fewer attacks succeed in the first place.

TVM continuously assesses every onboarded device for known vulnerabilities (unpatched software, insecure configurations) and provides prioritized recommendations for remediation. It answers the question that most SOCs struggle with: “Which of our 10,000 vulnerabilities should we fix first?” The answer is not the one with the highest CVSS score — it is the one most likely to be exploited in your specific environment, considering which devices are affected, whether exploit code exists in the wild, and whether the vulnerability aligns with active threat campaigns.

This subsection teaches you to navigate the TVM dashboard, interpret vulnerability assessments and security recommendations, understand the exposure score and device risk calculations, track remediation progress, and use Advanced Hunting to investigate vulnerability data at scale.


The TVM dashboard

The TVM dashboard (Vulnerability Management → Dashboard in the Defender portal) provides an overview of your organization’s vulnerability posture. The key metrics are:

Exposure score represents your overall vulnerability posture on a scale from 0 to 100. Lower is better. The score considers the number of vulnerabilities, their severity, the affected devices’ criticality, and whether exploit code exists. An exposure score of 30 indicates a relatively well-patched environment. A score of 70 indicates significant exposure. The trend line shows whether your posture is improving (decreasing score) or degrading (increasing score) over time.

Microsoft Secure Score for Devices measures your configuration posture — whether recommended security settings are enabled across your device fleet. This overlaps with the broader Secure Score in the M365 portal but focuses specifically on endpoint configuration: is Defender Antivirus cloud protection enabled? Are ASR rules in block mode? Is the firewall enabled? Is tamper protection active? Each enabled configuration adds to your device security score.

Vulnerable devices shows how many onboarded devices have at least one known vulnerability. Click into this metric to see the breakdown by severity (critical, high, medium, low).

Top security recommendations lists the actions that would have the most impact on reducing your exposure score. These are prioritized by impact — the recommendation at the top is the single action that would reduce the most risk across the most devices. This is where TVM converts raw vulnerability data into actionable remediation tasks.


Vulnerability assessment

TVM’s vulnerability assessment engine scans the software inventory on every onboarded device and cross-references installed software versions against the National Vulnerability Database (NVD) and Microsoft’s own vulnerability intelligence. When a device runs software with a known CVE, TVM records the vulnerability and maps it to the device.

[Figure 2.11, image not reproduced. Title: "TVM prioritization: not just CVSS score". Four inputs feed the TVM priority score:
  Exploit available? Public PoC, Metasploit module, active exploitation in the wild.
  Device exposure: internet-facing? privileged? sensitive data? critical service?
  Threat campaign: active threat campaigns targeting this CVE now?
  Attack path impact: is this CVE a step in a path to a critical asset?
  TVM priority score = what to patch this week.]
Figure 2.11: TVM prioritization considers four factors beyond CVSS base score. A CVSS 7.0 vulnerability with a public exploit targeting your internet-facing Exchange server ranks higher than a CVSS 9.8 vulnerability that requires physical access to a workstation in a locked room. TVM computes this prioritization automatically — the Recommendations page shows results sorted by impact.

Navigate to Vulnerability Management → Weaknesses to see all known vulnerabilities across your organization. Each vulnerability shows the CVE identifier, the affected software, the CVSS base score, the number of exposed devices, the age of the vulnerability (how long it has been known), and critically, whether exploit code is publicly available.

Exploitability is more important than CVSS score. A CVE with CVSS 7.0 and a publicly available exploit tool is a more urgent fix than a CVE with CVSS 9.8 that has no known exploit and requires local physical access. TVM’s prioritization algorithm accounts for this — it ranks vulnerabilities by a combination of severity, exploitability, threat context (is this CVE being exploited in active campaigns reported in Microsoft Threat Analytics?), and affected device exposure (is the vulnerable device internet-facing or in a privileged network segment?).
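To make that ranking concrete, here is an added Python example. It is not TVM's own scoring algorithm and not code from this course; it is an illustrative weighting in which exploit availability, threat context and device exposure move a finding's priority more than its CVSS base score does. The weights, the device names and the CVE identifiers are all constructed, and the sample reproduces the contrast in the text: a CVSS 7.0 finding with a public exploit on an internet-facing Exchange server outranks a CVSS 9.8 finding that needs physical access.

```python
"""Added illustration of exploitability-over-CVSS prioritization.
This is a made-up weighting to show the reasoning; it is NOT TVM's scoring
algorithm, and every finding below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder identifiers, not real advisories
    device: str
    cvss: float               # CVSS base score, 0.0 to 10.0
    exploit_available: bool   # public PoC / Metasploit module / in-the-wild use
    active_campaign: bool     # threat analytics reports campaigns using it now
    internet_facing: bool     # device exposure: reachable from the internet
    privileged: bool          # device holds privileged roles or sensitive data
    on_attack_path: bool      # CVE is a link in a path to a critical asset
    physical_access_required: bool = False


# Illustrative weights (assumption): exploitability and exposure outweigh
# raw severity, and a physical-access precondition sharply lowers urgency.
WEIGHTS = {
    "exploit_available": 6.0,
    "active_campaign": 4.0,
    "internet_facing": 4.0,
    "privileged": 2.0,
    "on_attack_path": 3.0,
    "physical_access_required": -5.0,
}


def priority_score(f: Finding) -> float:
    """CVSS is only the starting point; the context factors move the score."""
    score = f.cvss
    for factor, weight in WEIGHTS.items():
        if getattr(f, factor):
            score += weight
    return round(score, 1)


def prioritize(findings: list) -> list:
    """Highest priority first; CVSS breaks ties."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)


def this_week(findings: list, capacity: int) -> list:
    """The CVEs to patch with limited capacity, e.g. 20 of 200."""
    return [f.cve for f in prioritize(findings)[:capacity]]


# Constructed sample findings mirroring the comparison in the text.
SAMPLE = [
    Finding("CVE-EXAMPLE-A", "SRV-EXCH01", 7.0, True, True, True, True, True),
    Finding("CVE-EXAMPLE-B", "WS-LOCKEDROOM", 9.8, False, False, False, False, False,
            physical_access_required=True),
    Finding("CVE-EXAMPLE-C", "DESKTOP-NGE003", 8.8, True, False, False, False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):5.1f}  {f.cve:14}  CVSS {f.cvss:<4}  {f.device}")
```

Run as a script, the Exchange finding scores 26.0, the Chrome-style workstation finding 14.8, and the CVSS 9.8 locked-room finding only 4.8, so with capacity for two patches the 9.8 is the one that waits. The weights are the only thing to argue about; the point is that the inputs TVM uses (exploit availability, campaigns, exposure, attack paths) are what decide the order, not the base score alone.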

// Find devices with critical vulnerabilities that have known exploits
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
| where IsExploitAvailable == true
| summarize VulnCount = dcount(CveId),
    CVEs = make_set(CveId, 10)
    by DeviceName, SoftwareName, SoftwareVersion
| order by VulnCount desc
| take 20

Expected Output — Devices with Exploitable Critical Vulnerabilities

DeviceName      | Software                  | Version        | VulnCount | CVEs
SRV-EXCH01      | Microsoft Exchange Server | 15.1.2507.21   | 4         | ["CVE-2024-21410", ...]
DESKTOP-NGE003  | Google Chrome             | 120.0.6099.71  | 3         | ["CVE-2024-0519", ...]

Remediation priority: The Exchange server has 4 critical vulnerabilities with available exploits. Exchange servers are high-value targets (email access, credential exposure) and often internet-facing. This is the highest-priority remediation item. The Chrome vulnerability on a workstation is also important but lower priority — Chrome auto-updates, so confirming the update deployed may be sufficient.

Security recommendations

Security recommendations are TVM’s actionable output. Each recommendation describes a specific action (install a patch, update software, change a configuration), the affected devices, the impact on your exposure score, and the remediation steps.

Navigate to Vulnerability Management → Recommendations to see all recommendations sorted by impact. Each recommendation includes:

Impact on exposure score — how many points your exposure score will decrease if you remediate this recommendation across all affected devices. This is the primary prioritization metric.

Affected devices — how many devices in your organization have this vulnerability. A vulnerability affecting 500 devices is more impactful than one affecting 5, even if the CVSS score is the same.

Remediation options — TVM provides specific remediation guidance: which patch to install (with KB number for Windows updates), which software version to upgrade to, or which configuration to change. For Intune-managed devices, some recommendations include a “Request remediation” button that creates a remediation task directly in Intune.

Status tracking — after you initiate remediation, TVM tracks progress. As devices are patched, the affected device count decreases and the exposure score improves. This gives you measurable evidence of security improvement to report to management.

The Request remediation workflow integrates TVM with Intune and ServiceNow. When you request remediation for a recommendation, TVM creates a remediation activity that tracks which devices need the update, which devices have received it, and which remain exposed. If your organization uses ServiceNow for IT operations, TVM can create a ServiceNow ticket for the remediation — connecting the security team’s vulnerability findings to the IT operations team’s patch management workflow.


Software inventory analysis

TVM maintains a complete software inventory for every onboarded device, with version numbers, vendor information, and vulnerability counts. Navigate to Vulnerability Management → Software inventory to browse the inventory.

The software inventory is valuable for investigation as well as vulnerability management. During an incident, checking the software inventory for the compromised device reveals whether vulnerable software provided the attack vector, whether the attacker installed tools (remote access software, hacking utilities), and whether other devices have the same vulnerable software (expanding the scope of devices to investigate).

// Find software installed on fewer than 5 devices (potential attacker tools or shadow IT)
DeviceTvmSoftwareInventory
| summarize DeviceCount = dcount(DeviceName) by SoftwareName, SoftwareVersion
| where DeviceCount < 5
| where SoftwareName !has "Microsoft" and SoftwareName !has "Windows"
| order by DeviceCount asc, SoftwareName asc
| take 30

This query surfaces software that appears on very few devices — which may indicate attacker-installed tools (AnyDesk on one device, Mimikatz on another) or shadow IT applications that bypassed procurement. Low-prevalence software is worth investigating because legitimate enterprise software typically appears on many devices (it was deployed through standard channels), while attacker tools and unauthorized applications appear on few.


Exposure Management

Exposure Management extends TVM’s vulnerability focus to include the broader attack surface: not just unpatched software, but also configuration weaknesses, identity risks, and attack path analysis.

Attack paths are the most powerful Exposure Management feature. An attack path shows how an attacker could chain multiple vulnerabilities and misconfigurations to reach a critical asset. For example: an internet-facing web server has an unpatched vulnerability (initial access) → the web server has a cached domain service account credential (credential theft) → the service account has excessive privileges (privilege escalation) → the service account can access the domain controller (domain compromise). Each step in the path is a fixable weakness. Breaking any single link in the chain disrupts the entire attack path.
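The chain described above, as an added Python example that is not Exposure Management's own path-finding logic and not code from this course: a constructed asset graph whose edges are fixable weaknesses, a search for every path from an entry point to a critical asset, and a check for which weaknesses break all of them. Assets, the weakness ids W1 to W5 and their descriptions are made up. A second path through a VPN gateway is included to show that fixing the first link of one path is not always enough, and that a link shared by every path is the one to fix first.

```python
"""Added illustration of attack path analysis on a constructed environment.
Not Exposure Management's algorithm; it shows that a path is a chain of
fixable weaknesses and that breaking one link disrupts the whole path.
Assets, weakness ids and descriptions are all made up."""
from itertools import combinations

# Constructed sample: (from_asset, to_asset, weakness_id)
WEAKNESSES = [
    ("internet", "web-server", "W1"),
    ("web-server", "svc-account", "W2"),
    ("svc-account", "domain-controller", "W3"),
    ("internet", "vpn-gateway", "W4"),
    ("vpn-gateway", "svc-account", "W5"),
]
DESCRIPTIONS = {
    "W1": "web server runs software with an unpatched vulnerability (initial access)",
    "W2": "web server caches a domain service account credential (credential theft)",
    "W3": "service account has excessive privileges on the domain controller (escalation)",
    "W4": "VPN gateway is missing a security update (initial access)",
    "W5": "the same service account credential is cached on the VPN gateway (credential theft)",
}
ENTRY_POINTS = {"internet"}
CRITICAL_ASSETS = {"domain-controller"}


def attack_paths(weaknesses, entry_points=ENTRY_POINTS, critical=CRITICAL_ASSETS):
    """Every simple path from an entry point to a critical asset, expressed as
    the ordered list of weakness ids an attacker would have to chain."""
    graph = {}
    for src, dst, wid in weaknesses:
        graph.setdefault(src, []).append((dst, wid))
    paths = []

    def walk(node, visited, chain):
        if node in critical:
            paths.append(chain)
            return
        for nxt, wid in graph.get(node, []):
            if nxt not in visited:            # simple paths only, no cycles
                walk(nxt, visited | {nxt}, chain + [wid])

    for start in sorted(entry_points):
        walk(start, {start}, [])
    return paths


def single_link_fixes(weaknesses):
    """Weaknesses whose remediation alone leaves no attack path at all:
    the chokepoints that give the most risk reduction per fix."""
    ids = [wid for _, _, wid in weaknesses]
    return [wid for wid in ids
            if not attack_paths([w for w in weaknesses if w[2] != wid])]


def minimal_cut(weaknesses, max_size=3):
    """Smallest set of weaknesses that removes every path. Brute force is
    fine for the handful of links in one path cluster."""
    if not attack_paths(weaknesses):
        return set()
    ids = [wid for _, _, wid in weaknesses]
    for size in range(1, max_size + 1):
        for combo in combinations(ids, size):
            if not attack_paths([w for w in weaknesses if w[2] not in combo]):
                return set(combo)
    return None


if __name__ == "__main__":
    for path in attack_paths(WEAKNESSES):
        print(" -> ".join(f"{wid}: {DESCRIPTIONS[wid]}" for wid in path))
    print("fix any one of:", single_link_fixes(WEAKNESSES))
    print("smallest fix set:", minimal_cut(WEAKNESSES))
```

On this sample, patching the web server (W1) alone still leaves the VPN route open, while removing the service account's excessive privileges (W3) closes both paths at once; that is the kind of shared link the Attack paths page surfaces as the highest-value remediation.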

Navigate to Exposure Management → Attack paths to see the paths identified in your environment. Each path shows the entry point, the intermediate steps, and the critical asset target. Prioritize remediation based on which paths lead to the most critical assets and which links are easiest to break.

Security initiatives are organizational security goals that track progress across multiple recommendations. You can create initiatives aligned with compliance frameworks (CIS benchmarks, NIST), security standards (Zero Trust maturity), or organizational priorities (secure all internet-facing assets). Each initiative shows a progress score and the specific recommendations that contribute to it.

// Count devices by exposure level, using the latest DeviceInfo record per device
DeviceInfo
| where Timestamp > ago(1d)
| summarize arg_max(Timestamp, *) by DeviceId
| where isnotempty(ExposureLevel)
| summarize DeviceCount = count() by ExposureLevel
| order by case(ExposureLevel == "High", 1, ExposureLevel == "Medium", 2, ExposureLevel == "Low", 3, 4) asc

TVM in the investigation workflow

TVM data is not just for proactive vulnerability management — it is investigation context. When you investigate a compromised device, TVM answers the question “how did the attacker get in?”

Pre-investigation context: Before diving into the device timeline, check the device’s TVM profile. If the device has critical unpatched vulnerabilities with known exploits, those are the likely attack vectors. This narrows your timeline investigation — look for exploitation activity related to the specific vulnerable software.

Post-incident hardening: After resolving an incident, use TVM to ensure the vulnerability that was exploited is remediated across all devices, not just the compromised one. If the attacker exploited CVE-2024-21410 on the Exchange server, query TVM for every device running the vulnerable Exchange version and ensure they are all patched.

Recurring vulnerability reporting: Use TVM data to produce monthly vulnerability reports for management. Track the exposure score trend, the number of critical vulnerabilities remediated, the average time from disclosure to patch, and the number of devices with known-exploitable vulnerabilities. These metrics demonstrate the value of vulnerability management to non-technical stakeholders.
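Both the post-incident sweep and the monthly metrics, as an added Python example that is not TVM's data model or API and not code from this course. It runs offline over constructed vulnerability records (device names, the CVE identifiers and all dates are placeholders) and computes the things the two paragraphs above call for: which devices still carry the CVE that was exploited, how many devices have an open, known-exploitable vulnerability, how many critical instances were remediated in the reporting period, and the mean days from public disclosure to patch.

```python
"""Added illustration of post-incident hardening checks and monthly
vulnerability reporting metrics over constructed records. Not TVM's data
model; CVE identifiers, device names and dates are placeholders."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    device: str
    cve: str
    severity: str                   # Critical / High / Medium / Low
    exploit_available: bool         # public exploit code exists
    disclosed: date                 # public disclosure date of the CVE
    patched: Optional[date] = None  # None means the device is still exposed


def still_exposed(records, cve):
    """Devices still running the vulnerable software for one CVE. After an
    incident every one of these needs the patch, not only the victim."""
    return sorted({r.device for r in records if r.cve == cve and r.patched is None})


def exploitable_devices(records):
    """Devices with at least one open vulnerability that has a known exploit."""
    return sorted({r.device for r in records
                   if r.exploit_available and r.patched is None})


def critical_remediated(records, since):
    """Critical CVE instances patched on or after the reporting period start."""
    return sum(1 for r in records
               if r.severity == "Critical" and r.patched is not None and r.patched >= since)


def mean_days_to_patch(records):
    """Average days from public disclosure to patch over remediated records."""
    durations = [(r.patched - r.disclosed).days for r in records if r.patched is not None]
    return mean(durations) if durations else None


def monthly_report(records, period_start):
    """The three numbers a management report needs, computed in one place."""
    return {
        "critical_remediated": critical_remediated(records, period_start),
        "mean_days_to_patch": mean_days_to_patch(records),
        "exploitable_devices": len(exploitable_devices(records)),
    }


# Constructed sample records: three Exchange servers with the same CVE, one
# already patched late, one still open; plus two workstation findings.
SAMPLE = [
    VulnRecord("SRV-EXCH01", "CVE-EXAMPLE-X", "Critical", True, date(2024, 2, 13), date(2024, 3, 4)),
    VulnRecord("SRV-EXCH02", "CVE-EXAMPLE-X", "Critical", True, date(2024, 2, 13)),
    VulnRecord("SRV-EXCH03", "CVE-EXAMPLE-X", "Critical", True, date(2024, 2, 13), date(2024, 3, 12)),
    VulnRecord("DESKTOP-NGE003", "CVE-EXAMPLE-Y", "High", True, date(2024, 1, 16), date(2024, 1, 28)),
    VulnRecord("DESKTOP-NGE004", "CVE-EXAMPLE-Z", "Medium", False, date(2024, 2, 1)),
]

if __name__ == "__main__":
    print("still exposed to CVE-EXAMPLE-X:", still_exposed(SAMPLE, "CVE-EXAMPLE-X"))
    print(monthly_report(SAMPLE, date(2024, 3, 1)))
```

The sweep is the part that matters after an incident: the same CVE on SRV-EXCH02 is reported as still open even though the compromised server was patched first, which is exactly the gap the Request remediation workflow is meant to track to zero.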

Try it yourself

Navigate to Vulnerability Management → Dashboard in your Defender portal. Note your exposure score and the top security recommendations. Click into the Recommendations page and explore the details for the top recommendation — what software is affected, how many devices are exposed, and what the remediation steps are. Then run the critical vulnerability query from this subsection in Advanced Hunting to see which of your lab devices have exploitable vulnerabilities. In a lab environment with minimal software, the results may be limited — but the query structure is what you use in production to prioritize patching across thousands of devices.

What you should observe

The TVM dashboard shows your lab environment's vulnerability posture. Even a freshly installed lab device typically has some vulnerabilities — Windows updates that have not been applied, browser versions that are one update behind. The recommendations page shows which actions would have the most impact on your score. The Advanced Hunting query surfaces the specific CVEs and software versions on each device. In a production environment with hundreds of devices, this data drives your entire patch management prioritization.


Knowledge check

Check your understanding

1. Your organization has 200 known critical CVEs across its device fleet. You can only patch 20 this week. How do you prioritize using TVM?

Prioritize by TVM's combined assessment: CVEs with publicly available exploit code AND affecting devices with high exposure levels (internet-facing, holding sensitive data, or part of attack paths to critical assets). A CVE with CVSS 7.0 and a Metasploit module targeting your internet-facing Exchange server is a higher priority than a CVE with CVSS 9.8 that requires local physical access to a workstation in a locked server room. TVM's recommendations page already ranks by impact — start from the top.
Patch the 20 with the highest CVSS scores
Patch the oldest CVEs first
Patch randomly — all 200 are equally important

2. During an incident investigation, you discover the attacker exploited CVE-2024-21410 on an Exchange server to gain initial access. What TVM action should you take after resolving the incident?

Query TVM for every device running the vulnerable Exchange version and ensure all are patched — not just the compromised server. If the attacker exploited this CVE once, they will exploit it again on any other vulnerable server they can reach. Use TVM's Request remediation workflow to track patching progress across all affected servers. Also check TVM's attack path analysis to determine whether the patched vulnerability was part of a longer attack chain that requires additional remediation at other links.
Patch only the compromised server — it was the only one attacked
File a report and move on — the incident is resolved
Disable the vulnerable feature on all Exchange servers instead of patching