| title | DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema | ||
|---|---|---|---|
| description | Learn about the software vulnerabilities found on devices and the list of available security updates that address each vulnerability in the DeviceTvmSoftwareVulnerabilities table of the advanced hunting schema. | ||
| search.appverid | met150 | ||
| ms.service | defender-xdr | ||
| ms.subservice | adv-hunting | ||
| f1.keywords |
|
||
| ms.author | pauloliveria | ||
| author | poliveria | ||
| ms.localizationpriority | medium | ||
| manager | dansimp | ||
| audience | ITPro | ||
| ms.collection |
|
||
| ms.custom |
|
||
| appliesto |
|
||
| ms.topic | reference | ||
| ms.date | 03/28/2025 |
[!INCLUDE Microsoft Defender XDR rebranding]
Important
Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema contains the Microsoft Defender Vulnerability Management list of vulnerabilities in installed software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. You can use this table, for example, to hunt for events involving devices that have severe vulnerabilities in their software. Use this reference to construct queries that return information from the table.
This advanced hunting table is populated by records from Microsoft Defender for Endpoint. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Endpoint in Defender XDR, read Deploy supported services.
Note
The DeviceTvmSoftwareInventory and DeviceTvmSoftwareVulnerabilities tables have replaced the DeviceTvmSoftwareInventoryVulnerabilities table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities or hunt for vulnerable devices.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
DeviceId |
string |
Unique identifier for the device in the service |
DeviceName |
string |
Fully qualified domain name (FQDN) of the device |
OSPlatform |
string |
Platform of the operating system running on the device. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7. |
OSVersion |
string |
Version of the operating system running on the device |
OSArchitecture |
string |
Architecture of the operating system running on the device |
SoftwareVendor |
string |
Name of the software publisher |
SoftwareName |
string |
Name of the software product |
SoftwareVersion |
string |
Version number of the software product |
CveId |
string |
Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
VulnerabilitySeverityLevel |
string |
Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
RecommendedSecurityUpdate |
string |
Name or description of the security update provided by the software publisher to address the vulnerability |
RecommendedSecurityUpdateId |
string |
Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles |
CveTags |
dynamic |
Array of tags relevant to the CVE; example: ZeroDay, NoSecurityUpdate |