7.9 Threat and Vulnerability Management

75 minutes · Module 7

Threat and Vulnerability Management (TVM)

By the end of this subsection, you will understand how TVM provides continuous vulnerability assessment, and you will be able to query vulnerability data with KQL, detect zero-day exposure, and prioritize remediation using exploit availability and device count.

TVM turns every onboarded device into a continuous vulnerability scanner. No scheduled scans, no separate infrastructure — the Defender sensor assesses installed software against the Microsoft vulnerability database and reports in near-real-time.

What TVM replaces

| Traditional approach | TVM approach |
|---|---|
| Scheduled vulnerability scans (weekly/monthly) | Continuous assessment — every software change is evaluated |
| Separate scanning infrastructure (Nessus, Qualys) | Built into the Defender sensor — no additional agents |
| Point-in-time snapshot | Real-time inventory and vulnerability status |
| Manual prioritization | Exploit availability + device count = automated priority |

Critical vulnerability detection

```kql
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated > ago(1d)
| where VulnerabilitySeverityLevel == "Critical"
| summarize
    AffectedDevices = dcount(DeviceId),
    CVEs = dcount(CveId),
    SampleCVEs = make_set(CveId, 5)
    by SoftwareName, SoftwareVersion
| where AffectedDevices > 5
| sort by AffectedDevices desc
| take 10
```

Expected Output

| SoftwareName | SoftwareVersion | AffectedDevices | CVEs |
|---|---|---|---|
| Google Chrome | 121.0.6167.85 | 342 | 3 |
| Adobe Acrobat Reader | 23.008.20470 | 187 | 2 |
| 7-Zip | 23.01 | 12 | 1 |

What to look for: AffectedDevices is your blast radius. Chrome at 342 + Adobe at 187 are top priorities. The KQL pattern — summarize by software, filter by device count, sort descending — gives you a prioritized patch list in seconds.

Exploitable vulnerability detection

```kql
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated > ago(1d)
| where IsExploitAvailable == true
| where VulnerabilitySeverityLevel in ("Critical", "High")
| summarize
    ExploitableDevices = dcount(DeviceId),
    Software = make_set(SoftwareName, 3)
    by CveId, VulnerabilitySeverityLevel
| sort by ExploitableDevices desc
| take 10
```

Expected Output

| CveId | Severity | ExploitableDevices | Software |
|---|---|---|---|
| CVE-2024-1234 | Critical | 342 | ["Google Chrome"] |
| CVE-2024-5678 | High | 89 | ["Microsoft Edge"] |

What to look for: IsExploitAvailable == true means a public exploit exists. This is an active threat — attackers can weaponize it today. Escalate immediately with CVE ID, exploit status, device count, and affected software as justification for emergency patching.
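The two queries above each rank by device count inside a single severity or exploit filter. The following query is an added example, not part of the course material: it folds severity, exploit availability and device count into one ranked list with a tier label. The weights in case() and iff() and the tier names are assumptions to tune for your environment, not Microsoft defaults.

```kql
// Added example: one prioritized list combining severity, exploit availability
// and blast radius. Weights and tier labels are illustrative assumptions.
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated > ago(1d)
| where VulnerabilitySeverityLevel in ("Critical", "High", "Medium")
| summarize
    AffectedDevices = dcount(DeviceId),
    Software = make_set(SoftwareName, 3)
    by CveId, VulnerabilitySeverityLevel, IsExploitAvailable
// severity weight: assumed values, adjust to your risk model
| extend SeverityWeight = case(
    VulnerabilitySeverityLevel == "Critical", 10,
    VulnerabilitySeverityLevel == "High", 5,
    2)
// a public exploit triples the weight: the CVE can be used against you today
| extend ExploitMultiplier = iff(IsExploitAvailable == true, 3, 1)
| extend PriorityScore = SeverityWeight * ExploitMultiplier * AffectedDevices
// tier maps the score to a remediation window instead of a raw number
| extend Tier = case(
    IsExploitAvailable == true and VulnerabilitySeverityLevel == "Critical", "P1 - emergency patch",
    IsExploitAvailable == true or VulnerabilitySeverityLevel == "Critical", "P2 - next change window",
    "P3 - monthly cycle")
| project Tier, CveId, VulnerabilitySeverityLevel, IsExploitAvailable,
    AffectedDevices, Software, PriorityScore
| top 25 by PriorityScore desc
```

Because IsExploitAvailable and the severity level are part of the summarize key, a CVE that appears with different exploit flags across rows would be split into two rows; in practice the flag is per CVE, so this does not happen.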

End-of-life software detection

```kql
DeviceTvmSoftwareInventory
| where TimeGenerated > ago(1d)
// "has" matches every end-of-support status value (e.g. "EOS Version",
// "Upcoming EOS Version") rather than relying on an exact string
| where EndOfSupportStatus has "EOS"
| summarize DeviceCount = dcount(DeviceId)
    by SoftwareName, SoftwareVersion, EndOfSupportDate
| where DeviceCount > 1
| sort by DeviceCount desc
```

Expected Output

| SoftwareName | SoftwareVersion | EndOfSupportDate | DeviceCount |
|---|---|---|---|
| Windows 10 21H2 | 10.0.19044 | 2024-06-13 | 47 |
| Adobe Flash Player | 32.0.0.465 | 2020-12-31 | 3 |

What to look for: End-of-life software receives no patches — every future CVE is permanent. 47 devices on Windows 10 21H2 are permanently vulnerable. Flash Player on 3 devices is a hygiene issue indicating poorly managed machines. Both need remediation plans.

Vulnerability exposure trend

```kql
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated > ago(30d)
| where VulnerabilitySeverityLevel in ("Critical", "High")
| summarize VulnDevicePairs = dcount(strcat(DeviceId, CveId))
    by bin(TimeGenerated, 1d)
| sort by TimeGenerated asc
```

Expected Output

| TimeGenerated | VulnDevicePairs |
|---|---|
| 2026-02-20 | 1,247 |
| 2026-02-27 | 1,089 |
| 2026-03-06 | 1,342 |
| 2026-03-13 | 987 |
| 2026-03-20 | 812 |

What to look for: VulnDevicePairs counts unique (device + CVE) combinations — a single metric for overall vulnerability exposure. The trend should be downward (you are patching faster than new CVEs emerge). The March 6 spike (1,342) was likely a Patch Tuesday that disclosed new CVEs before patches were deployed. The subsequent drop to 812 shows successful remediation. If the trend is consistently upward, your patching cadence is not keeping up with disclosure rate.

TVM + custom indicators = proactive defense

When TVM identifies a critical vulnerability with a public exploit, you cannot always patch immediately. While waiting for patching, create custom indicators for the known exploit payload hashes (if available from threat intelligence) or network indicators for the known exploitation patterns. This buys time — the vulnerable software remains, but the specific exploit is blocked at the endpoint level. This is not a substitute for patching but it reduces exposure during the patching window.

Operational workflow: TVM in your weekly routine

| Day | Action | Query |
|---|---|---|
| Monday | Check for new critical CVEs with exploits | Exploitable vulnerability query (above) |
| Monday | Review vulnerability trend | Trending query (above) |
| Wednesday | Validate patch deployment progress | Re-run critical CVE query, compare device count to Monday |
| Friday | Check for new end-of-life software | EOL detection query (above) |
| Monthly | Generate executive vulnerability report | Combine trending + top CVEs + remediation progress |
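The Wednesday row asks you to compare device counts against Monday by hand. The following query is an added example, not part of the course material: it compares two daily snapshots of critical exploitable exposure per software version and reports what was remediated since the baseline. The two-day offset for the baseline is an assumption that matches a Monday run checked on Wednesday.

```kql
// Added example: Wednesday patch-progress check. Compares the baseline snapshot
// (assumed to be the Monday run, two days ago) with today's snapshot.
let BaselineDay = startofday(ago(2d));   // assumption: the Monday run
let CurrentDay  = startofday(now());
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated >= BaselineDay
| where IsExploitAvailable == true
| where VulnerabilitySeverityLevel == "Critical"
// keep only rows from the two days being compared
| where TimeGenerated < BaselineDay + 1d or TimeGenerated >= CurrentDay
| summarize
    BaselineDevices = dcountif(DeviceId, TimeGenerated < CurrentDay),
    CurrentDevices  = dcountif(DeviceId, TimeGenerated >= CurrentDay),
    CVEs = dcount(CveId)
    by SoftwareName, SoftwareVersion
| where BaselineDevices > 0 or CurrentDevices > 0
// negative Remediated means new exposure appeared since the baseline
| extend Remediated = BaselineDevices - CurrentDevices
| extend PercentRemediated = iff(BaselineDevices > 0,
    round(100.0 * Remediated / BaselineDevices, 1), real(null))
| project SoftwareName, SoftwareVersion, CVEs,
    BaselineDevices, CurrentDevices, Remediated, PercentRemediated
| sort by CurrentDevices desc
```

A device that was patched to a non-vulnerable build simply stops appearing in the table, so it drops out of the vulnerable version's CurrentDevices count; a row with BaselineDevices of 0 is exposure that did not exist on Monday.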

Try it yourself

Write a KQL query that combines vulnerability data with device group data to show which device groups have the highest exposure. This helps you prioritize: are the vulnerable devices in the "Servers-Production" group (critical) or "Developer-Machines" group (lower risk)?

```kql
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated > ago(1d)
| where IsExploitAvailable == true
| where VulnerabilitySeverityLevel == "Critical"
| distinct DeviceId, CveId
| join kind=inner (
    DeviceInfo
    | where TimeGenerated > ago(1d)
    | summarize arg_max(TimeGenerated, *) by DeviceId
    | project DeviceId, MachineGroup
) on DeviceId
| summarize
    VulnerableDevices = dcount(DeviceId),
    UniqueCVEs = dcount(CveId)
    by MachineGroup
| sort by VulnerableDevices desc
```

If “Servers-Production” shows 12 vulnerable devices with critical exploitable CVEs, that is a higher priority than 50 vulnerable developer workstations — the blast radius of a server compromise is larger.

Check your understanding

1. TVM shows a critical CVE with a public exploit affecting 342 devices. IT says they will patch in the next monthly cycle (3 weeks). Is this acceptable?

No. Public exploit + critical severity + 342 devices = emergency patching. Attackers can use this exploit today. 3 weeks of exposure is unacceptable. Use the TVM data to justify emergency patching to IT leadership.
Yes — monthly patching is standard
Depends on the software vendor

2. 47 devices run Windows 10 21H2 (end of support June 2024). What is the security implication?

These devices will never receive security patches again. Every future CVE discovered in Windows 10 21H2 is a permanent, unpatched vulnerability. The only remediation is upgrading to a supported version. Until upgraded, these devices are permanently at risk.
They still receive critical patches
End of support only affects feature updates