Merge pull request #4459 from MicrosoftDocs/main

[AutoPublish] main to live - 07/09 10:32 PDT | 07/09 23:02 IST

Author: m365-skilling-repo-management[bot]

defender-endpoint/api/get-assessment-software-vulnerabilities.md

@@ -15,7 +15,7 @@ ms.topic: reference
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150
-ms.date: 02/11/2025
+ms.date: 07/09/2025
 ---
 
 # Export software vulnerabilities assessment per device
@@ -31,9 +31,7 @@ ms.date: 02/11/2025
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
-Returns all known software vulnerabilities and their details for all devices, on a per-device basis.
-
-Different API calls get different types of data. Because the amount of data can be large, there are three ways it can be retrieved:
+The ability to export software vulnerabilities per device returns all known software vulnerabilities and their details for all devices, on a per-device basis. Different API calls get different types of data. Because the amount of data can be large, there are three ways it can be retrieved:
 
 1. [Export software vulnerabilities assessment: **JSON response**](#1-export-software-vulnerabilities-assessment-json-response)  The API pulls all data in your organization as Json responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results.
 
@@ -116,7 +114,6 @@ GET /api/machines/SoftwareVulnerabilitiesByMachine
 |SoftwareVendor|String|Name of the software vendor.|Google|
 |SoftwareVersion|String|Version number of the software product.|81.0.4044.138|
 |VulnerabilitySeverityLevel|String|Severity level assigned to the security vulnerability based on the CVSS score.|Medium|
-|||||
 
 ### 1.6 Examples
 
@@ -299,19 +296,13 @@ GET /api/machines/SoftwareVulnerabilitiesExport
 > - The files are GZIP compressed & in multiline JSON format.
 > - The download URLs are valid for 1 hour unless the `sasValidHours` parameter is used.
 > - For maximum download speed of your data, you can make sure you're downloading from the same Azure region that your data resides.
->
 > - Each record is 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
 > - Some extra columns might be returned in the response. These columns are temporary and might be removed so use only the documented columns.
 
-<br>
-
-****
-
 Property (ID)|Data type|Description|Example of a returned value
 :---|:---|:---|:---
 Export files|array[string]|A list of download URLs for files holding the current snapshot of the organization.|["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
 GeneratedTime|String|The time that the export was generated.|2021-05-20T08:00:00Z
-|
 
 ### 2.6 Examples
 
@@ -342,7 +333,21 @@ GET https://api-us.securitycenter.contoso.com/api/machines/SoftwareVulnerabiliti
 Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls data in your organization as Json responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response), which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device, the delta export JSON response API call is used to fetch only the changes that happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you only get specific information on new, fixed, and updated vulnerabilities. Delta export JSON response API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed?" or "how many new vulnerabilities were added to my organization?"
 
 > [!NOTE]
-> It's highly recommended you use the full export software vulnerabilities assessment by device API call at least once a week and this extra export software vulnerabilities changes by device (delta) API call all the other days of the week. Unlike the other Assessments JSON response APIs, the "delta export" isn't a full export. The delta export includes only the changes that happened between a selected date and the current date (the "delta" API call).
+> We refresh the __Full _Software Vulnerabilities Assessment(Flat/Full VA) by Device___ export every __six hours__ and store each snapshot in blob storage; the API always serves the latest snapshot, to emphasize  calling the Get Endpoint won't to trigger a generation, call get endpoint will just read latest Flat OR Delta After sinceTime.
+> A successful completion of Full VA export will trigger __delta export__ that captures the changes from latest Flat VA processed by Delta to new Flat VA.
+> > __RBAC-scoped duplicates__
+> > Because exports are scoped by __RBACGroup__, a device that moves from one RBAC group to another will appear __twice__ in a Delta export when you query with the global view (`RBACGroup=*`): once under its previous group with status "Fixed" and once under its current group with status "New". Use the `rbacGroupId` and device identifiers together (or de-duplicate on your side) if you need a single authoritative record per device.
+> 
+> Recommended pull pattern
+> 
+1. __Baseline__ – Download the full VA(Flat VA) export on your preferred cadence (weekly is often sufficient).
+
+1. __Stay current__ – delta export between full snapshots(Delta can be queried up to 14 days into the past).
+
+1. __Handle RBAC moves__ – When processing a Delta, de-duplicate entries where the same `Id(deviceId_software_` version _ cve`)`appears under multiple `rbacGroupId` values.
+
+1. When "Status" = Fix" the calcualtion of  "EventTimestamp"- "FirstSeenTimestamp" should give you an estimation on when the CVE was fixed up to a granularity of 6 hours(because of Delta worker run interval).
+
 
 #### 3.1.1 Limitations
 
@@ -380,24 +385,21 @@ Each returned record contains all the data from the full export software vulnera
 > - Some other columns might be returned in the response. These columns are temporary and might be removed so use only the documented columns.
 > - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output isn't necessarily returned in the same order listed in this table.
 
-<br>
-
-****
-
 |Property (ID)|Data type|Description|Example of returned value|
 |:---|:---|:---|:---|
 |CveId |String|Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.|CVE-2020-15992|
 |CvssScore|Double|The CVSS score of the CVE.|6.2|
 |DeviceId|String|Unique identifier for the device in the service.|9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1|
 |DeviceName|String|Fully qualified domain name (FQDN) of the device.|johnlaptop.europe.contoso.com|
 |DiskPaths|Array[string]|Disk evidence that the product is installed on the device.|["C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe"]|
-|EventTimestamp|String|The time this delta event was found.|2021-01-11T11:06:08.291Z|
+|EventTimestamp|String|The time this delta event was found.|2020-11-03 10:13:34.8476880|
 |ExploitabilityLevel|String|The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)|ExploitIsInKit|
+|IsOnboarded |Boolean|Indicates whether a device is onboarded or not.| Possible values are true or false.|
 |FirstSeenTimestamp|String|First time the CVE of this product was seen on the device.|2020-11-03 10:13:34.8476880|
 |ID|String|Unique identifier for the record.|123ABG55_573AG&mnp!|
 |LastSeenTimestamp|String|Last time the software was reported on the device.|2020-11-03 10:13:34.8476880|
 |OSPlatform|String|Platform of the operating system running on the device; specific operating systems with variations within the same family, such as Windows 10 and Windows 11. See Microsoft Defender Vulnerability Management supported operating systems and platforms for details.|Windows10 and Windows 11|
-|RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value is "Unassigned." If the organization doesn't contain any RBAC groups, the value is "None."|Servers|
+|RbacGroupName|String|The role-based access control (RBAC) group. If this device isn't assigned to any RBAC group, the value is "Unassigned." |Servers|
 |RecommendationReference|string|A reference to the recommendation ID related to this software.|va--microsoft--silverlight|
 |RecommendedSecurityUpdate |String|Name or description of the security update provided by the software vendor to address the vulnerability.|April 2020 Security Updates|
 |RecommendedSecurityUpdateId |String|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles|4550961|
@@ -407,7 +409,6 @@ Each returned record contains all the data from the full export software vulnera
 |SoftwareVersion|String|Version number of the software product.|81.0.4044.138|
 |Status|String|**New** (for a new vulnerability introduced on a device)  (1) **Fixed** (if this vulnerability doesn't exist anymore on the device, which means it was remediated). (2) **Updated** (if a vulnerability on a device changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate). |Fixed|
 |VulnerabilitySeverityLevel|String|Severity level that is assigned to the security vulnerability and is based on the CVSS score.|Medium|
-|||||
 
 #### Clarifications
 
@@ -460,7 +461,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityC
             "exploitabilityLevel": "NoExploit",
             "recommendationReference": "va-_-google-_-chrome",
             "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+            "eventTimestamp": "2020-11-03 10:13:34.8476880"
         },
         {
             "id": "00e59c61234533860738ecf488eec8abf296e41e_onedrive_20.64.329.3__",
@@ -487,7 +488,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityC
             "exploitabilityLevel": "NoExploit",
             "recommendationReference": "va-_-microsoft-_-onedrive",
             "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+            "eventTimestamp": "2020-11-03 10:13:34.8476880"
         },
         {
             "id": "01aa8c73095bb12345918663f3f94ce322107d24_firefox_83.0.0.0_CVE-2020-26971_",
@@ -516,7 +517,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityC
             "exploitabilityLevel": "NoExploit",
             "recommendationReference": "va-_-mozilla-_-firefox",
             "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+            "eventTimestamp": "2020-11-03 10:13:34.8476880"
         },
         {
             "id": "026f0fcb12345fbd2decd1a339702131422d362e_project_16.0.13701.20000__",
@@ -543,7 +544,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityC
             "exploitabilityLevel": "NoExploit",
             "recommendationReference": "va-_-microsoft-_-project",
             "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+            "eventTimestamp": "2020-11-03 10:13:34.8476880"
         },
         {
             "id": "038df381234510b357ac19d0113ef622e4e212b3_chrome_81.0.4044.138_CVE-2020-16011_",
@@ -572,7 +573,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityC
             "exploitabilityLevel": "NoExploit",
             "recommendationReference": "va-_-google-_-chrome",
             "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+            "eventTimestamp": "2020-11-03 10:13:34.8476880"
         }
     ],
     "@odata.nextLink": "https://wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline?sincetime=2021-01-11&pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
@@ -584,9 +585,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityC
 - [Export assessment methods and properties per device](get-assessment-methods-properties.md)
 - [Export secure configuration assessment per device](get-assessment-secure-config.md)
 - [Export software inventory assessment per device](get-assessment-software-inventory.md)
-
-Other related
-
 - [Microsoft Defender Vulnerability Management](/defender-vulnerability-management/defender-vulnerability-management)
 - [Vulnerabilities in your organization](/defender-vulnerability-management/tvm-weaknesses)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]

defender-office-365/zero-hour-auto-purge.md

@@ -114,7 +114,7 @@ For more information about configuring spam filtering verdicts, see [Configure a
 To determine if ZAP moved your message, you have the following options:
 
 - **Number of messages**: Use the [Mailflow view in the Mailflow status report](reports-email-security.md#mailflow-view-for-the-mailflow-status-report) to see the number of ZAP-affected messages for the specified date range.
-- **Message details**: Use [Threat Explorer (or real-time detections)](threat-explorer-real-time-detections-about.md) to filter **All email** events by the value **ZAP** for the **Additional action** column.
+- **Message details**: Use [Threat Explorer](threat-explorer-real-time-detections-about.md) to filter events on the **All email** tab by the value **ZAP** for the **Additional action** column.
 
 > [!NOTE]
 > ZAP is not logged in the Exchange mailbox audit logs as a system action.