Domain 3: Microsoft Security Solutions

Vulnerability Management & Threat Intelligence

Defender Vulnerability Management finds what's wrong inside your environment. Defender Threat Intelligence tells you what threats are coming from outside. Together, they help you prioritise and respond.

Part 1: Microsoft Defender Vulnerability Management

What is it?

Simple explanation

Think of Defender Vulnerability Management as a building inspector who constantly checks your property for weak spots.

The inspector walks through every room (every device), checks every lock (every piece of software), and writes a report: "The back door lock is broken (critical vulnerability), the kitchen window doesn't close properly (misconfiguration), and the fire escape is blocked (outdated software)."

But this inspector is smart: they don't just list everything alphabetically. They tell you: "Fix the back door FIRST, because burglars are actively targeting that exact lock model in your neighbourhood." That's risk-based prioritisation.

Continuous vulnerability assessment

Unlike traditional vulnerability scanners that run periodic scans (weekly or monthly), Defender Vulnerability Management assesses devices continuously:

  • Uses data already collected by the Defender for Endpoint sensor on onboarded devices, so no additional agent is needed
  • Matches the software inventory against newly published vulnerabilities (CVEs) as soon as they are disclosed
  • Updates exposure and risk scores as the threat landscape changes (for example, when a public exploit appears for a known CVE)

Risk-based prioritisation

This is the key differentiator you need to understand for the exam.

Traditional approach: Sort vulnerabilities by CVSS score (a severity rating from 0 to 10). Fix all the 10s first, then the 9s, then the 8s.

The problem: A vulnerability with a CVSS score of 7.5 that has a working exploit actively used by ransomware gangs is far more dangerous than a score-10 vulnerability that nobody knows how to exploit yet.

Defender's approach: Risk-based prioritisation considers:

  • CVSS score: severity still matters
  • Active exploitability: is there a working or public exploit in the wild?
  • Threat context: are threat actors using this vulnerability in current campaigns?
  • Business impact: is the vulnerable device a critical server or a test laptop?
  • Exposure level: is the device internet-facing or isolated?

This gives security teams a prioritised remediation list that reflects actual risk, not just theoretical severity.

Software inventory

Defender Vulnerability Management maintains a complete inventory of every piece of software installed across your organisation:

  • What software is installed and what version
  • Which installations are outdated or end-of-life
  • Which software has known vulnerabilities
  • Which devices are running that software

This inventory is invaluable when a new critical vulnerability is announced: Alex can immediately see how many SecureBank devices run the affected version.
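As an added example (not from the page and not Microsoft's own documentation), the query below is what a practitioner would run in advanced hunting (Defender portal > Hunting > Advanced hunting) to turn the headcount described above and the prioritisation factors from the previous section into one result set. Table and column names follow the Defender XDR advanced hunting schema; the CVE string is a placeholder, and the point weights and the exact AssetValue/ExposureLevel strings are assumptions you would tune to your own risk model.

```kusto
// Added example, not from the page. Advanced hunting (KQL) in the Defender portal:
// "how many devices carry this CVE, and which should be fixed first?"
let TargetCve = "CVE-YYYY-NNNNN";   // placeholder: substitute the CVE you are triaging
DeviceTvmSoftwareVulnerabilities
| where CveId == TargetCve
// Per-CVE facts from the knowledge base: severity score and whether an exploit exists
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel
  ) on CveId
// Per-device context: group, business value, exposure, internet-facing flag
| join kind=leftouter (
    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId       // keep only the newest record per device
    | project DeviceId, MachineGroup, AssetValue, ExposureLevel, IsInternetFacing
  ) on DeviceId
// Risk-based ordering. The weights and the AssetValue/ExposureLevel strings ("High",
// "Normal", "Medium") are assumptions for illustration, not Microsoft's scoring.
| extend PriorityScore =
      iff(IsExploitAvailable == true, 40, 0)                         // exploit in the wild dominates
    + case(AssetValue == "High", 30, AssetValue == "Normal", 10, 0)  // what the device is worth
    + case(ExposureLevel == "High", 20, ExposureLevel == "Medium", 10, 0)
    + iff(IsInternetFacing == true, 10, 0)
    + toint(round(CvssScore))                                        // 0-10: a tiebreaker, not the driver
| project DeviceName, MachineGroup, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate,
          CvssScore, IsExploitAvailable, AssetValue, ExposureLevel, IsInternetFacing, PriorityScore
| sort by PriorityScore desc, DeviceName asc
```

Replace the final `project`/`sort` with `| summarize Affected = dcount(DeviceId) by MachineGroup` to get the "342 affected, 83 in one department" style headcount. With these weights, an actively exploited CVSS 7.5 on a normal device (40 + 10 + 8 = 58) outranks an unexploited CVSS 9.8 on the same device (10 + 10 = 20), which is exactly the ordering risk-based prioritisation is meant to produce.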

Security baselines and configuration assessment

Beyond software vulnerabilities, Defender Vulnerability Management also checks for misconfigurations:

  • Is the firewall enabled on all devices?
  • Are unused services running?
  • Are security features like Credential Guard and BitLocker enabled?
  • Does the configuration match recommended security baselines (such as CIS benchmarks and STIGs)?
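An added example (not from the page) of the same approach applied to the configuration checks above: which devices fail which checks, ordered by the impact rating Microsoft assigns to each check. The `has_any` text filter is an assumption about how the checks are titled; in practice you copy the exact ConfigurationId values from the Security recommendations page in your tenant.

```kusto
// Added example, not from the page. Non-compliant security-configuration checks per device,
// from the Defender Vulnerability Management secure configuration assessment tables.
DeviceTvmSecureConfigurationAssessment
| where IsApplicable == true and IsCompliant == false      // ignore checks that do not apply to the device
| join kind=inner (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationBenchmarks, RemediationOptions
  ) on ConfigurationId
// Assumption: the checks of interest can be picked out by name; use exact ConfigurationIds in production
| where ConfigurationName has_any ("BitLocker", "Credential Guard", "Firewall")
| summarize
    FailingDevices = dcount(DeviceId),
    SampleDevices  = make_set(DeviceName, 5),
    Benchmarks     = take_any(ConfigurationBenchmarks),     // e.g. CIS / STIG references for the check
    Remediation    = take_any(RemediationOptions)
    by ConfigurationId, ConfigurationName, ConfigurationImpact
| sort by ConfigurationImpact desc, FailingDevices desc
```

The result is the list a security team would hand to the endpoint administrators: each failing check with how many devices it affects, the benchmark it maps to, and the remediation Microsoft suggests.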

Remediation tracking

Finding vulnerabilities is only useful if you fix them. Defender Vulnerability Management provides:

  • Remediation requests: security teams can create tickets to track fixes
  • Integration with Intune: push configuration changes and software updates
  • Progress tracking: see how remediation is progressing over time
  • Exception handling: if a vulnerability can't be fixed immediately (for example, a legacy application requires the old version), it can be documented with a risk acceptance

Scenario: Alex handles an actively exploited vulnerability at SecureBank

A critical vulnerability in a popular PDF reader is disclosed, and the vendor ships an emergency patch the same day. Ransomware gangs are already exploiting it. (Strictly, a zero-day is a flaw exploited before any fix exists; once the patch ships, the job becomes emergency patching, as here.)

Alex opens Defender Vulnerability Management and immediately sees:

  • 342 devices at SecureBank have the vulnerable version installed
  • The vulnerability is flagged as top priority (active exploit plus high business impact)
  • 83 of the 342 devices are in the mortgage department (handling sensitive financial data)

Alex's response:

  1. Creates a remediation request targeting all 342 devices
  2. Prioritises the 83 mortgage department devices and pushes the emergency update through Intune
  3. For 12 devices that can't update immediately (they run a legacy integration), creates a risk exception with compensating controls (restricted network access)
  4. Reports to Director Reyes: "342 affected, 330 patched within 4 hours, 12 exceptions documented with mitigations"

Without Defender Vulnerability Management, Alex would need to manually check every device, cross-reference software inventory spreadsheets, and track fixes in a separate system. Hours of work compressed into minutes.


Part 2: Microsoft Defender Threat Intelligence (Defender TI)

What is it?

Simple explanation

Think of Defender TI as an intelligence briefing from a spy network.

Vulnerability Management tells you: "Your back door lock is broken." Threat Intelligence tells you: "A named threat group is currently targeting banks in the Asia-Pacific region, and they specifically look for broken back door locks."

It gives you the outside view β€” who’s attacking, what they’re after, how they operate, and what digital fingerprints (indicators of compromise) they leave behind.

What does Defender TI provide?

Threat articles: Written analysis of current threat campaigns, newly discovered vulnerabilities, and emerging attack techniques. Security teams read these to stay informed; think of them as intelligence briefings.

Intel profiles: Detailed profiles of known threat actors and threat groups. Each profile includes:

  • Who they are (nation-state, cybercrime group, hacktivist)
  • What industries and regions they target
  • What tools and techniques they use (mapped to the MITRE ATT&CK framework)
  • Recent activity and campaigns

Indicators of compromise (IoCs): The digital fingerprints of threats:

  • IP addresses used by attackers for command-and-control
  • Domain names used for phishing or malware delivery
  • File hashes of known malware samples
  • URLs associated with malicious activity

Security teams use these IoCs to check if any of these indicators appear in their own environment β€” a practice called threat hunting.

How TI enriches Defender XDR

Defender TI doesn’t just sit in a separate portal. It actively enriches the Defender XDR experience:

  • When an alert fires in Defender XDR, threat intelligence context is attached automatically, for example "This IP address is associated with the threat group Storm-0978" (Storm-NNNN names are Microsoft's designation for activity clusters not yet attributed to a named actor)
  • Analysts can pivot from an alert directly into TI to understand the broader campaign
  • IoCs from Defender TI can be used to proactively search for threats before they trigger alerts
  • Vulnerability data in TI helps prioritise which vulnerabilities to fix first, based on which ones threat actors are actively targeting

Scenario: Alex uses Defender TI after an alert

Defender for Endpoint alerts Alex about a suspicious outbound connection from a SecureBank device to an unusual IP address.

Alex pivots to Defender TI and discovers:

  • The IP is flagged as a command-and-control server for a threat group called "Aqua Blizzard" (a real Microsoft actor name borrowed as a label for this fictional scenario; in Microsoft's taxonomy the Blizzard suffix denotes Russian state actors, and the targeting described below is part of the exercise, not a claim about the real group)
  • The group has been targeting financial institutions in the Pacific region for the past 3 months
  • Their typical attack chain: spear-phishing email, credential harvesting, lateral movement, data exfiltration
  • TI provides a list of 47 additional IoCs associated with this group: IP addresses, domains, and file hashes

Alex’s response:

  1. Searches Defender XDR for all 47 IoCs across SecureBank’s environment
  2. Finds 2 more devices communicating with related domains
  3. Isolates all 3 devices and begins a full investigation
  4. Blocks all 47 IoCs at the firewall level
  5. Briefs Director Reyes with the full TI profile of Aqua Blizzard

Defender TI turned a single alert into a comprehensive threat response: Alex didn't just fix one device, he found the other affected devices and contained the intrusion across SecureBank's environment.
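The IoC sweep described in the "Indicators of compromise" section above and in step 1 of this scenario, as an added example (not from the page): one advanced hunting query that checks a set of indicators across network, file, process and email telemetry in Defender XDR. The indicator values are constructed placeholders (RFC 5737 documentation addresses, reserved example domains, and the SHA-256 of an empty file), not real IoCs; you would paste in the list from the TI profile.

```kusto
// Added example, not from the page. Sweep Defender XDR telemetry for a set of IoCs.
// Indicators are constructed placeholders: documentation IP ranges (RFC 5737), reserved
// example domains, and the SHA-256 of an empty file. Replace with the IoCs from the TI profile.
let LookBack   = 30d;
let BadIPs     = dynamic(["192.0.2.10", "198.51.100.23"]);
let BadDomains = dynamic(["c2.example.net", "update.example.org"]);
let BadHashes  = dynamic(["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"]);
// Outbound connections to a listed IP or to a URL on a listed domain
let NetHits = DeviceNetworkEvents
| where Timestamp > ago(LookBack)
| where RemoteIP in (BadIPs) or RemoteUrl has_any (BadDomains)
| project Timestamp, Asset = DeviceName, Source = "Network",
          Indicator = iff(RemoteIP in (BadIPs), RemoteIP, RemoteUrl),
          Detail = InitiatingProcessFileName;
// Files written or observed with a listed hash (hashes in these tables are lower-case hex)
let FileHits = DeviceFileEvents
| where Timestamp > ago(LookBack) and tolower(SHA256) in (BadHashes)
| project Timestamp, Asset = DeviceName, Source = "File", Indicator = SHA256, Detail = FolderPath;
// Processes launched from a binary with a listed hash
let ProcHits = DeviceProcessEvents
| where Timestamp > ago(LookBack) and tolower(SHA256) in (BadHashes)
| project Timestamp, Asset = DeviceName, Source = "Process", Indicator = SHA256, Detail = ProcessCommandLine;
// Emails carrying a URL on a listed domain (the likely initial-access vector)
let MailHits = EmailUrlInfo
| where Timestamp > ago(LookBack) and UrlDomain has_any (BadDomains)
| join kind=inner (EmailEvents | project NetworkMessageId, RecipientEmailAddress) on NetworkMessageId
| project Timestamp, Asset = RecipientEmailAddress, Source = "Email", Indicator = UrlDomain, Detail = Url;
union NetHits, FileHits, ProcHits, MailHits
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Sources = make_set(Source), Indicators = make_set(Indicator)
    by Asset
| sort by LastSeen desc
```

Every row is a device or mailbox to isolate and investigate, as Alex does in steps 2 and 3. Blocking at the firewall, as in step 4, only covers devices behind that firewall; Defender for Endpoint custom indicators (Settings > Endpoints > Indicators, for file hashes, IP addresses and URLs/domains) block and alert on the device itself, which also covers laptops that are off the corporate network.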


Comparison: Inside vs outside

Vulnerability Management (inside) vs Threat Intelligence (outside)

Focus
  Defender Vulnerability Management: what's wrong INSIDE your environment
  Defender Threat Intelligence: what threats exist OUTSIDE your environment

Key question
  Vulnerability Management: What vulnerabilities do we have?
  Threat Intelligence: Who's attacking and how?

Data sources
  Vulnerability Management: endpoint sensors, software inventory, configuration assessment
  Threat Intelligence: Microsoft's global threat intelligence, dark web, open-source feeds

Output
  Vulnerability Management: prioritised list of vulnerabilities and misconfigurations to fix
  Threat Intelligence: threat articles, actor profiles, indicators of compromise (IoCs)

Action
  Vulnerability Management: patch, update, reconfigure, accept risk
  Threat Intelligence: hunt, block IoCs, proactively defend, inform strategy

Analogy
  Vulnerability Management: building inspector, checks YOUR building for weaknesses
  Threat Intelligence: intelligence agency, tells you who's planning to break in and how

Exam shortcut: If the question asks about finding and fixing weaknesses in your environment = Vulnerability Management. If the question asks about understanding threat actors, campaigns, or IoCs = Threat Intelligence.


Flashcards

Question

What makes Defender Vulnerability Management different from traditional vulnerability scanners?

Answer

1) Continuous assessment, not periodic scans. 2) Risk-based prioritisation: considers exploitability, threat context, and business impact, not just CVSS scores. 3) Built-in remediation tracking. 4) Integrated with Defender for Endpoint sensors, so no extra agent is needed.

Question

What is risk-based prioritisation in Defender Vulnerability Management?

Answer

Instead of sorting vulnerabilities only by CVSS score, Defender considers: active exploitability (is there a working exploit?), threat context (are attackers using it?), business impact (how critical is the device?), and exposure level (is it internet-facing?). This helps fix the most dangerous vulnerabilities first.

Question

What are the three main types of content in Defender Threat Intelligence?

Answer

1) Threat articles: analysis of current campaigns and vulnerabilities. 2) Intel profiles: detailed profiles of threat actors (who they are, what they target, how they operate). 3) Indicators of compromise (IoCs): IP addresses, domains, file hashes, and URLs linked to threats.

Question

How does Defender TI enrich alerts in Defender XDR?

Answer

When an alert fires, TI automatically adds context, linking IPs, domains, or file hashes to known threat actors and campaigns. Analysts can pivot from an alert into full TI profiles and use IoCs to hunt for related activity across the environment.

Question

Vulnerability Management vs Threat Intelligence: what's the key difference?

Answer

Vulnerability Management = what's wrong INSIDE (find and fix your weaknesses). Threat Intelligence = what's happening OUTSIDE (understand who's attacking, how, and what to look for). VM is the building inspector. TI is the intelligence agency.

Knowledge Check

1. A new critical vulnerability is announced in widely used web server software. Alex needs to quickly find out how many SecureBank devices are running the vulnerable version and prioritise which to patch first. Which tool should Alex use?
   Answer: Defender Vulnerability Management (software inventory plus risk-based prioritisation).

2. Defender for Endpoint alerts Alex about a suspicious file on a SecureBank device. Alex wants to know if the file hash is associated with any known threat groups and understand their typical attack patterns. Where should Alex look?
   Answer: Defender Threat Intelligence (IoC data and intel profiles).

3. Two vulnerabilities are discovered on SecureBank devices. Vulnerability A has a CVSS score of 9.8 but no known exploits. Vulnerability B has a CVSS score of 7.5 but is actively exploited by ransomware gangs targeting financial institutions. Using risk-based prioritisation, which should Alex fix first?
   Answer: Vulnerability B. Active exploitation and threat context outweigh the higher theoretical severity of A.


Well done! You've now covered the full Defender XDR family: from email protection (Office 365) and device security (Endpoint) to cloud app monitoring (Cloud Apps), identity threat detection (Identity), vulnerability management, and threat intelligence. All of these feed signals into the unified Defender XDR portal, giving security teams like Alex's a complete picture of their organisation's security posture.