
Introduction:
Microsoft Sentinel workbooks have long been the go-to visualization layer for security analysts hunting across log data. But a game-changing capability has quietly arrived: Sentinel workbooks can now directly query Microsoft Defender XDR’s Advanced Hunting tables—including the critical vulnerability tables that expose software weaknesses across your entire device estate. This integration bridges the gap between SIEM visualization and XDR’s raw threat intelligence, enabling security teams to visualize vulnerability severity, publication dates, and affected device counts in real time without jumping between consoles. For organizations running Microsoft’s unified security operations platform, this means faster prioritization, clearer reporting, and a single pane of glass for vulnerability management.
Learning Objectives:
- Understand how Sentinel workbooks can query Defender XDR Advanced Hunting tables, including the TVM (Threat and Vulnerability Management) schema
- Learn to build Kusto Query Language (KQL) queries that surface vulnerability data across devices, severity levels, and publication timelines
- Master the configuration steps to enable workbook-to-XDR data flows, including proper ingestion and permissions setup
- Visualize vulnerability trends using Sentinel workbooks with drill-down capabilities for severity and CVE age
- Identify current limitations and workarounds for tables not yet fully ingested into Sentinel workspaces
1. Understanding the Defender XDR Advanced Hunting Schema and Vulnerability Tables
The Advanced Hunting schema in Microsoft Defender XDR is a rich repository of over 50 tables covering devices, alerts, identities, email events, and—critically for this discussion—vulnerability intelligence. The three tables that matter for vulnerability management are:
- DeviceTvmSoftwareVulnerabilitiesKB – The knowledge base: one row per CVE that Microsoft Defender Vulnerability Management assesses devices against. Key columns include CveId, CvssScore, VulnerabilitySeverityLevel, IsExploitAvailable, PublishedDate, and AffectedSoftware. It carries no device columns, so it cannot answer "which devices" on its own.
- DeviceTvmSoftwareVulnerabilities – The per-device findings: one row per device, software package and CVE, with DeviceId, DeviceName, OSPlatform, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel and RecommendedSecurityUpdate. Join it to the KB table on CveId whenever a query needs both device attributes and CVE attributes (exploit availability, CVSS score, publication date).
- DeviceTvmSecureConfigurationAssessment – Assessment events detailing the security configuration status of devices, including misconfigurations and attack surface reduction settings.
Critical distinction: In Microsoft Sentinel, these tables are exposed for schema visibility only—meaning autocomplete and query validation work, but queries return no results unless the data is explicitly ingested. The workbook queries the Sentinel Log Analytics workspace by default, not the live Defender XDR hunting schema. To use these tables in workbooks, you must stream the Defender XDR tables into Sentinel or the Sentinel data lake.
KQL Query Example – Top Vulnerabilities by Severity:
DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == true
| summarize ExploitableCves = count(), MaxCvss = max(CvssScore) by VulnerabilitySeverityLevel
| order by ExploitableCves desc
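The KB query above only tells you how many exploitable CVEs exist in the catalog. What an analyst actually wants is the per-device view: which devices carry exploitable, high-severity, long-published CVEs. The following is an added example (not a query from the original post) that joins the per-device findings table to the knowledge base on CveId and ranks devices. The table and column names are the documented Advanced Hunting schema; the Priority weights and the 30/90-day age buckets are illustrative assumptions, not a Microsoft scoring model. It returns rows only when both tables are actually ingested into the workspace.

```kusto
// Added example: rank devices by exploitable vulnerabilities and CVE age.
// Per-device rows come from DeviceTvmSoftwareVulnerabilities; exploit flag,
// CVSS and publication date come from the KB table, joined on CveId.
// The Priority weights below are an illustrative assumption, not a vendor score.
let kb = DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate, AffectedSoftware;
DeviceTvmSoftwareVulnerabilities
| join kind=inner kb on CveId
| extend ExposureDays = datetime_diff('day', now(), PublishedDate)
| extend Priority =
      iff(IsExploitAvailable, 40, 0)
    + iff(VulnerabilitySeverityLevel == "Critical", 30,
          iff(VulnerabilitySeverityLevel == "High", 20, 5))
    + iff(ExposureDays > 90, 20, iff(ExposureDays > 30, 10, 0))
    + toint(coalesce(CvssScore, 0.0))
| summarize
    MaxPriority        = max(Priority),
    ExploitableCves    = dcountif(CveId, IsExploitAvailable),
    CriticalCves       = dcountif(CveId, VulnerabilitySeverityLevel == "Critical"),
    OldestExposureDays = max(ExposureDays),
    TopExploitableCves = make_set_if(CveId, IsExploitAvailable, 10)
  by DeviceId, DeviceName, OSPlatform
| order by MaxPriority desc, ExploitableCves desc
| take 50
```

Because DeviceTvmSoftwareVulnerabilities has one row per device, software package and CVE, the dcountif aggregations deduplicate a CVE that appears in several packages on the same device; a plain count() would over-report.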
2. Prerequisites: Enabling the Data Pipeline from Defender XDR to Sentinel
Before any workbook can visualize vulnerability data, you must establish the data ingestion pipeline. Follow this step-by-step configuration guide:
Step 1: Install the Microsoft Defender XDR Solution
- Navigate to Microsoft Sentinel > Content hub (in the Azure portal) or Microsoft Sentinel > Content management > Content hub (in the Defender portal).
- Search for and install the Microsoft Defender XDR solution.
Step 2: Enable the Defender XDR Data Connector
- Go to Microsoft Sentinel > Configuration > Data connectors.
- Select Microsoft Defender XDR and open the connector page.
- Click Connect incidents & alerts to synchronize incidents and alerts.
- For Advanced Hunting tables (including vulnerability tables), you must configure streaming ingestion separately. This is a billable data ingestion option.
Step 3: Configure Table Streaming
- In the Defender XDR portal, go to Settings > Microsoft Defender XDR > Streaming API.
- Add a new streaming setting targeting your Sentinel workspace or data lake.
- Select the tables you want to ingest—ensure you include `DeviceTvmSoftwareVulnerabilitiesKB`, `DeviceTvmSoftwareVulnerabilities` and `DeviceTvmSecureConfigurationAssessment`.
Step 4: Verify Ingestion
- Run a test query in Sentinel’s Log Analytics:
DeviceTvmSoftwareVulnerabilitiesKB | take 10
- If results appear, ingestion is successful. If not, verify the streaming API configuration and permissions.
Step 5: Connect Your Workspace to the Defender Portal
– In the Microsoft Defender portal, select Connect a workspace in the top banner.
– Follow the onboarding wizard to link your Sentinel workspace.
Windows/Linux Note: This configuration is entirely cloud-based; no on-premises commands are required. However, ensure your Defender for Endpoint sensors are deployed and reporting to Defender XDR—otherwise, the TVM tables remain empty.
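A single `take 10` against one table does not distinguish "streaming stopped three weeks ago" from "never configured", and it says nothing about the other tables. The following is an added check (not from the original post) that reports row count and latest ingestion time for all three TVM tables in one result, listing a table even when it has no rows. The seven-day window is an assumption; widen it if your streaming cadence is slower.

```kusto
// Added example: ingestion check for the three TVM tables in the Sentinel workspace.
// A table that is schema-visible but not streamed shows Rows = 0 and an empty Latest.
let Expected = datatable(TableName:string) [
    "DeviceTvmSoftwareVulnerabilitiesKB",
    "DeviceTvmSoftwareVulnerabilities",
    "DeviceTvmSecureConfigurationAssessment"
];
let Observed =
    union withsource=TableName isfuzzy=true
        DeviceTvmSoftwareVulnerabilitiesKB,
        DeviceTvmSoftwareVulnerabilities,
        DeviceTvmSecureConfigurationAssessment
    | where TimeGenerated > ago(7d)          // assumed window; adjust to your cadence
    | summarize Rows = count(), Latest = max(TimeGenerated) by TableName;
Expected
| join kind=leftouter Observed on TableName   // leftouter keeps tables with no rows
| project TableName,
          Rows   = coalesce(Rows, 0),
          Latest,
          Status = iff(coalesce(Rows, 0) > 0, "ingesting", "no data in 7d (streaming not configured?)")
| order by Status asc
```

The workspace copies carry TimeGenerated (the ingestion time), not the Timestamp column you may be used to in the Advanced Hunting editor, which is why the check keys on TimeGenerated.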
3. Building the Vulnerability Visualization Workbook
Once data flows into Sentinel, you can build a workbook that visualizes vulnerabilities across devices. Here’s a step-by-step guide:
Step 1: Create a New Workbook
- In the Defender portal, navigate to Microsoft Sentinel > Threat management > Workbooks.
- Click Add workbook or New to start from scratch.
Step 2: Add a Query Data Source
- Click Add > Add query.
- Set the data source to your Sentinel workspace (or data lake).
- Enter the following KQL query to get vulnerability counts by severity and publication date:
DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where PublishedDate >= ago(30d)
    | project CveId, PublishedDate
  ) on CveId
| extend Severity = coalesce(VulnerabilitySeverityLevel, "Unknown")
| summarize DevicesAffected = dcount(DeviceId) by Severity, PublishedDate = bin(PublishedDate, 1d)
| order by PublishedDate desc
Step 3: Configure Visualization
- In the query settings, choose Time range (e.g., “Last 30 days”).
- Under Visualization, select Column chart or Time chart.
- Set the Time column to `PublishedDate` and Group by to
Severity.
Step 4: Add a Device-Affected Grid
- Add another query to show which devices are affected by which CVEs:
DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId
  ) on CveId
| summarize DeviceCount = dcount(DeviceName), Devices = make_set(DeviceName, 50) by CveId, VulnerabilitySeverityLevel
| project CveId, VulnerabilitySeverityLevel, DeviceCount, Devices
| order by DeviceCount desc
- Set visualization to Grid for easy export and filtering.
Step 5: Add a CVE Age Metric
- Calculate average days since publication for unpatched vulnerabilities:
DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId, PublishedDate
  ) on CveId
| extend DaysSincePublished = datetime_diff('day', now(), PublishedDate)
| summarize AvgAge = avg(DaysSincePublished), MaxAge = max(DaysSincePublished) by VulnerabilitySeverityLevel
| render barchart
Step 6: Save and Pin
- Save the workbook with a descriptive name (e.g., “Defender Vulnerability Dashboard”).
- Pin it to your Sentinel dashboard for quick access.
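Steps 2 through 5 each hard-code their filters. In practice the workbook should take its time window and severity filter from workbook parameters so one tile serves every audience. The following is an added example (not from the original post) of a single parameterized query. It assumes two parameters you create under Add > Add parameters: `TimeRange`, a Time Range picker, and `Severity`, a multi-select drop-down whose Include All value is `*`, with values quoted with `'` and comma-delimited; the parameter names and those settings are assumptions, the `{Param}` and `{TimeRange:start}` substitution syntax is the workbook's own.

```kusto
// Added example: one workbook tile driven by two workbook parameters (assumed names).
//   {TimeRange} - Time Range picker; {TimeRange:start} / {TimeRange:end} expand to datetime literals.
//   {Severity}  - multi-select drop-down; Include All = *, values quoted with ' and comma-delimited,
//                 so it expands to e.g. 'Critical','High' or to * when "All" is selected.
DeviceTvmSoftwareVulnerabilities
| where TimeGenerated between ({TimeRange:start} .. {TimeRange:end})
| where '*' in ({Severity}) or VulnerabilitySeverityLevel in ({Severity})
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, IsExploitAvailable, PublishedDate
  ) on CveId
| summarize
    DevicesAffected = dcount(DeviceId),
    Cves            = dcount(CveId),
    ExploitableCves = dcountif(CveId, IsExploitAvailable),
    OldestCveDays   = max(datetime_diff('day', now(), PublishedDate))
  by VulnerabilitySeverityLevel
| order by DevicesAffected desc
```

Populate the Severity drop-down from the data rather than a static list (`DeviceTvmSoftwareVulnerabilities | distinct VulnerabilitySeverityLevel`) so a new level Microsoft adds appears without editing the workbook. Set the tile's visualization to Grid and the same query can be pinned as a chart by changing only the visualization settings.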
4. Advanced KQL Techniques for Deeper Vulnerability Hunting
Beyond basic counts, you can build sophisticated queries to prioritize remediation:
Query 1 – Vulnerabilities with Public Exploits and High Severity:
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("High", "Critical")
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId, PublishedDate, AffectedSoftware
  ) on CveId
| project CveId, VulnerabilitySeverityLevel, PublishedDate, AffectedSoftware, DeviceName
| order by PublishedDate asc
Query 2 – Devices with the Most Critical Vulnerabilities:
DeviceTvmSoftwareVulnerabilities | where VulnerabilitySeverityLevel == "Critical" | summarize CriticalCount = dcount(CveId) by DeviceName | top 20 by CriticalCount desc
Query 3 – Newly Published CVEs per Week (last 90 days, 7-day buckets):
DeviceTvmSoftwareVulnerabilitiesKB | where PublishedDate >= ago(90d) | summarize Count = count() by bin(PublishedDate, 7d), VulnerabilitySeverityLevel | render timechart
Query 4 – Cross-Referencing with Security Alerts:
let exploitable = DeviceTvmSoftwareVulnerabilities
    | join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB | where IsExploitAvailable == true | project CveId, PublishedDate) on CveId
    // DeviceName is usually an FQDN; alert host entities carry the short name, so normalize both sides
    | extend HostKey = tolower(tostring(split(DeviceName, ".")[0]))
    | project CveId, DeviceName, HostKey, VulnerabilitySeverityLevel, PublishedDate;
SecurityAlert
| where TimeGenerated > ago(7d) and AlertSeverity == "High"
// Entities is a JSON string, not a dynamic column: parse it, expand it, keep host entities
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "host"
| extend HostKey = tolower(tostring(Entity.HostName))
| where isnotempty(HostKey)
| join kind=inner exploitable on HostKey
| project CveId, DeviceName, AlertName, VulnerabilitySeverityLevel, PublishedDate
Pro Tip: The `arg("")` cross-service syntax (for example `arg("").Resources | where type == "microsoft.compute/virtualmachines"`) lets a Log Analytics query pull Azure Resource Graph data alongside Sentinel tables, but the Defender XDR tables are not supported with this operator.
5. Critical Limitations and Workarounds
Understanding what doesn’t work is as important as what does:
Limitation 1: Tables Are Not Automatically Ingested
– `DeviceTvmSoftwareVulnerabilitiesKB` and `DeviceTvmSecureConfigurationAssessment` are not Sentinel log tables by default. They are exposed for schema visibility only, meaning queries validate but return no data unless you’ve configured streaming ingestion.
Limitation 2: Workbooks Query the Sentinel Workspace, Not Live XDR
– Even in the unified Defender portal, workbooks run on top of the Sentinel Log Analytics workspace (or data lake). They cannot query the live Defender XDR hunting schema directly.
Limitation 3: Custom Detection Rules Cannot Use TVM Tables Directly
– Using TVM table data directly in Microsoft Sentinel analytics and detections isn’t currently supported unless you build a custom ingestion path.
Workarounds:
- Build a Custom Connector: Use Azure Logic Apps or Azure Functions to pull TVM data via the Defender API and push it into a custom log table.
- Use the Data Lake: Ingest XDR tables into the Sentinel data lake (auxiliary tier) for longer retention and queryability.
- Query in Defender XDR Directly: For ad-hoc hunting, run queries in the Defender XDR Advanced Hunting editor, where all TVM data is available natively.
6. Operationalizing the Dashboard: Alerting and Remediation
A visualization is only useful if it drives action. Here’s how to operationalize your vulnerability workbook:
Step 1: Set Up Analytics Rules Based on Workbook Queries
– In Sentinel, go to Analytics > Create > Scheduled query rule.
– Use a query like:
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true and PublishedDate >= ago(7d)
    | project CveId
  ) on CveId
| summarize CriticalDevices = dcount(DeviceName) by CveId
| where CriticalDevices > 5
– Set the rule to run daily and generate incidents when thresholds are exceeded.
Step 2: Integrate with Microsoft Defender for Endpoint Remediation
– Use the workbook to identify devices with the highest vulnerability counts.
– In Defender for Endpoint, create remediation tasks targeting those devices.
– Track remediation progress by adding a workbook tile that queries `DeviceTvmSoftwareVulnerabilities` (the per-device table; the KB table has no device columns) and plots the distinct CVE count per device over time, so a falling count confirms patches landed.
Step 3: Export and Share Reports
- Workbooks can be printed or exported to PDF and shared with other users of the workspace.
- For scheduled distribution, a Sentinel playbook (Azure Logic App) on a recurrence trigger can run the workbook's underlying KQL with the Azure Monitor Logs connector and email the result table to stakeholders; a Logic App cannot capture a rendered workbook snapshot itself.
7. Best Practices for Maintaining Your Vulnerability Workbook
- Set Appropriate Time Ranges: Avoid querying more than 30 days of data unless you’ve extended retention in the data lake.
- Use Parameters: Add workbook parameters for severity level, date range, and device groups to make the dashboard interactive.
- Monitor Ingestion Costs: Streaming Defender XDR tables into Sentinel incurs ingestion costs. Only stream the tables you actively need.
- Validate Queries in Defender XDR First: Before adding a query to a workbook, test it in the Defender XDR Advanced Hunting editor to ensure it returns data and performs well. Keep in mind that the workspace copies carry TimeGenerated (ingestion time) rather than Timestamp, so time filters need adjusting when you move the query into the workbook.
- Document Your Queries: Add comments within KQL to explain the purpose of each step—this aids collaboration and future troubleshooting.
What Undercode Say:
- Key Takeaway 1: The ability to query Defender XDR vulnerability tables from Sentinel workbooks is a massive leap forward for unified SecOps, but it’s not magic—you must explicitly configure streaming ingestion to make the data available. The tables are schema-visible but not data-visible by default.
- Key Takeaway 2: This integration enables security teams to build a single, authoritative vulnerability dashboard that combines XDR’s real-time threat intelligence with Sentinel’s powerful visualization and alerting capabilities. The real value lies in layering vulnerability data with alert data to prioritize remediation based on active threats.
Analysis: Microsoft is clearly moving toward a unified security operations platform where the boundaries between SIEM and XDR dissolve. However, the current implementation has a critical gotcha: workbooks still query the Sentinel workspace, not the live XDR schema. This means organizations must pay for data ingestion to get the full benefit—a cost consideration that shouldn’t be overlooked. The schema visibility feature is helpful for query authoring but can be misleading if analysts assume data is automatically available. For organizations already ingesting Defender XDR tables, this capability is a welcome enhancement that reduces context-switching and accelerates vulnerability response. The next logical step would be native support for live XDR queries from workbooks without ingestion—but for now, streaming is the only path.
Prediction:
- +1 Organizations that embrace this integration will reduce their mean time to remediation (MTTR) for critical vulnerabilities by 30–40% within six months, as vulnerability data becomes contextualized with active threat intelligence.
- +1 The unified workbook approach will become the new baseline for security dashboards, pushing legacy SIEM vendors to adopt similar XDR-SIEM visualization integrations to remain competitive.
- -1 Smaller security teams without dedicated Azure administrators may struggle with the ingestion configuration and cost management, potentially leading to underutilization of this powerful capability.
- +1 Microsoft will likely introduce native live-query support for Defender XDR tables in workbooks within the next 12–18 months, eliminating the ingestion requirement and making this feature accessible to all Sentinel users.
- -1 Organizations that fail to properly configure streaming ingestion will experience frustration when their workbook queries return empty results, potentially eroding trust in the unified platform.
- +1 The ability to visualize vulnerability age and exploit availability directly in workbooks will drive more proactive patching strategies, shifting security teams from reactive to predictive vulnerability management.
Reported By: Markolauren Sentinel – Hackers Feeds