Software inventory - threat and vulnerability management

Applies to:

Want to experience Microsoft Defender ATP? Sign up for a free trial.

The software inventory in threat and vulnerability management is a list of all the software in your organization, including details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices.

How it works

In the field of discovery, we are leveraging the same set of signals that is responsible for detection and vulnerability assessment in Microsoft Defender ATP endpoint detection and response capabilities.

Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.

You can access the Software inventory page by selecting Software inventory from the threat and vulnerability management navigation menu in the Microsoft Defender Security Center.

View software on specific devices in the individual devices pages from the devices list.

Software inventory overview

The Software inventory page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. Example of the landing page for software inventory.

Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select Open software page, or flag any technical inconsistencies by selecting Report inaccuracy.

Flyout example page of "Visual Studio 2017" from the software inventory page.

Software pages

You can view software pages a few different ways:

  • Software inventory page > Select a software name > Select Open software page in the flyout
  • Security recommendations page > Select a recommendation > Select Open software page in the flyout
  • Event timeline page > Select an event > Select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout

A full page will appear with all the details of a specific software and the following information:

  • Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score

  • Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices

  • Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the devices that the software is installed on, and the specific versions of the software with the number of devices that have each version installed and number of vulnerabilities.

    Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.

Software evidence

We now show evidence of where we detected a specific software on a device from the registry, disk or both. You can find it on any devices found in the devices list in a section called "Software Evidence."

From the Microsoft Defender Security Center navigation panel, go to Devices list > select the name of a device to open the device page (like Computer1) > select the Software inventory tab > select the software name to open the flyout and view software evidence.

Software evidence example of Windows 10 from the devices list, showing software evidence registry path.

Report inaccuracy

You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information.

  1. Open the software flyout on the Software inventory page.
  2. Select Report inaccuracy.
  3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
  4. Select Submit. Your feedback is immediately sent to the threat and vulnerability management experts.