How is the software inventory created in MDATP?

%3CLINGO-SUB%20id%3D%22lingo-sub-1447930%22%20slang%3D%22en-US%22%3EHow%20is%20the%20software%20inventory%20created%20in%20MDATP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1447930%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20anyone%20tell%20me%20exactly%20how%20the%20software%20inventory%20is%20created%20in%20MDATP%3F%20We%20have%20about%20600%20packaged%20applications%2C%20but%20only%20200%20are%20shown%20in%20the%20software%20inventory.%26nbsp%3BWhen%20I%20look%20at%20the%20software%20inventory%20directly%20on%20a%20client%2C%20everything%20is%20correct.%20But%20I%20noticed%20that%20the%20global%20software%20inventory%20only%20shows%20applications%20that%20have%20a%20%22Product%20Code%20(CPE)%22.%26nbsp%3BHow%20is%20this%20product%20code%20generated%20or%20where%20does%20it%20come%20from%3F%20And%20why%20do%20only%20about%20one%20third%20of%20my%20applications%20have%20this%20code%3F%20Even%20many%20Microsoft%20products%20do%20not%20have%20this%20code.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22SoftwareInventoryMDATP.PNG%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F197227iBFCCB5960F04E762%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22SoftwareInventoryMDATP.PNG%22%20alt%3D%22SoftwareInventoryMDATP.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1448054%22%20slang%3D%22en-US%22%3ERe%3A%20How%20is%20the%20software%20inventory%20created%20in%20MDATP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1448054%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438858%22%20target%3D%22_blank%22%3E%40philippwree%3C%2FA%3EI%20am%20not%20100%25%20sure%20about%20the%20functionality%2C%20so%20I%20also%20hope%20for%20a%20deep%20dive%20answer.%3CBR%20%2F%3EBut%20as%20far%20as%20I%20understood%20from%20documentation%20and%20the%20last%20webinars%20is%2C%20that%20the%20software%20inventory%20depends%20on%20the%20EDR%20system.%3CBR%20%2F%3EDefender%20ATP%20is%20a%20discovery%20and%20not%20a%20scanning%20system%2C%20which%20means%2C%20that%20software%20can%20only%20be%20detected%20if%20the%20software%20produces%20an%20event%20in%20your%20logs.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20Docs%20also%20tell%20this%20a%20little%20bit%2C%20but%20not%20clear%20enough%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fde-de%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Ftvm-software-inventory%23funktionsweisehow-it-works%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fde-de%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Ftvm-software-inventory%23funktionsweisehow-it-works%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20if%20you%20are%20missing%20a%20software%20maybe%20it%20was%20not%20used%20yet.%20But%20if%20you%20use%20the%20software%20on%20a%20daily%20basis%2C%20than%20Microsoft%20should%20clarify%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1450199%22%20slang%3D%22en-US%22%3ERe%3A%20How%20is%20the%20software%20inventory%20created%20in%20MDATP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1450199%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F382145%22%20target%3D%22_blank%22%3E%40NiklasM%3C%2FA%3E%26nbsp%3BThanks%2C%20I'll%20check%20it%20out.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1470328%22%20slang%3D%22en-US%22%3ERe%3A%20How%20is%20the%20software%20inventory%20created%20in%20MDATP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1470328%22%20slang%3D%22en-US%22%3E%3CP%3EUnfortunately%20this%20was%20not%20the%20solution.%20I%20have%20used%20some%20of%20the%20missing%20applications%20extensively%2C%20but%20they%20were%20still%20not%20listed%20in%20the%20software%20inventory.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdditionally%20I%20noticed%20that%20the%20product%20code%20(CPE)%20in%20the%20individual%20software%20inventory%20of%20a%20device%20is%20set%20to%20%22not%20available%22%2C%20but%20when%20I%20export%20the%20software%20inventory%20the%20product%20code%20is%20available.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDashboard%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Greenshot.PNG%22%20style%3D%22width%3A%20973px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F199208iFD144C7DC1EE1CEC%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Greenshot.PNG%22%20alt%3D%22Dashboard%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EDashboard%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExport%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22GreenshotEx.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F199207iEF86FD681E86B23A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22GreenshotEx.PNG%22%20alt%3D%22Export%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EExport%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1476586%22%20slang%3D%22en-US%22%3ERe%3A%20How%20is%20the%20software%20inventory%20created%20in%20MDATP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1476586%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F262426%22%20target%3D%22_blank%22%3E%40Gilad_Mittelman%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70643%22%20target%3D%22_blank%22%3E%40Tomer%20Teller%3C%2FA%3E%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F149712%22%20target%3D%22_blank%22%3E%40Efrat%20Kliger%3C%2FA%3E%26nbsp%3BMaybe%20you%20can%20assist%20here%3F%20Or%20you%20have%20an%20Microsoft%20college%20with%20the%20appropriate%20information.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1479323%22%20slang%3D%22en-US%22%3ERe%3A%20How%20is%20the%20software%20inventory%20created%20in%20MDATP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1479323%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438858%22%20target%3D%22_blank%22%3E%40philippwree%3C%2FA%3E%26nbsp%3B-%20Thank%20you%20for%20the%20feedback.%20Your%20analysis%20is%20accurate.%3C%2FP%3E%0A%3CP%3EWe%20currently%20do%20not%20reflect%20Non-CPE%20products%20in%20the%20main%20software%20inventory%20page%2C%20this%20is%20planned%20to%20be%20fixed%20in%20the%20upcoming%20months.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521502%22%20slang%3D%22en-US%22%3ERe%3A%20How%20is%20the%20software%20inventory%20created%20in%20MDATP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521502%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70643%22%20target%3D%22_blank%22%3E%40Tomer%20Teller%3C%2FA%3Esorry%20for%20chasing%20you%2C%20but%20can%20you%20please%20explain%20if%20few%20more%20sentences%20the%20ent-to-end%20process%20of%20%3CA%20href%3D%22https%3A%2F%2Fsecuritycenter.microsoft.com%2Fsoftware-inventory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecuritycenter.microsoft.com%2Fsoftware-inventory%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Fsecuritycenter.microsoft.com%2Fvulnerabilities%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecuritycenter.microsoft.com%2Fvulnerabilities%3C%2FA%3E%20get%20collected%3F%20Frequency%2C%20timeouts%2C%20does%20it%20uses%20Windows%20Update%20or%20registry%2C%20etc.%3C%2FP%3E%3CP%3EIs%20there%20a%20blog%20or%20webinar%20from%20the%20Microsoft%20explaining%20this%20subject%20so%20you%20do%20not%20repeat%20the%20information%3F%20We%20have%20customer%20questions%20while%20official%20Microsoft%20documentation%20does%20not%20have%20any%20details%20at%20all.%20Best%20regards%20Serg.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Can anyone tell me exactly how the software inventory is created in MDATP? We have about 600 packaged applications, but only 200 are shown in the software inventory. When I look at the software inventory directly on a client, everything is correct. But I noticed that the global software inventory only shows applications that have a "Product Code (CPE)". How is this product code generated or where does it come from? And why do only about one third of my applications have this code? Even many Microsoft products do not have this code.

 

SoftwareInventoryMDATP.PNG

10 Replies

@philippwreeI am not 100% sure about the functionality, so I also hope for a deep dive answer.
But as far as I understood from documentation and the last webinars is, that the software inventory depends on the EDR system.
Defender ATP is a discovery and not a scanning system, which means, that software can only be detected if the software produces an event in your logs.

The Docs also tell this a little bit, but not clear enough: https://docs.microsoft.com/de-de/windows/security/threat-protection/microsoft-defender-atp/tvm-softw...

 

So if you are missing a software maybe it was not used yet. But if you use the software on a daily basis, than Microsoft should clarify this.

@NiklasM Thanks, I'll check it out.

Unfortunately this was not the solution. I have used some of the missing applications extensively, but they were still not listed in the software inventory.

 

Additionally I noticed that the product code (CPE) in the individual software inventory of a device is set to "not available", but when I export the software inventory the product code is available.

 

Dashboard:

DashboardDashboard

 

Export:

ExportExport

@Gilad_Mittelman @Tomer Teller @Efrat Kliger Maybe you can assist here? Or you have an Microsoft college with the appropriate information.

@philippwree - Thank you for the feedback. Your analysis is accurate.

We currently do not reflect Non-CPE products in the main software inventory page, this is planned to be fixed in the upcoming months. 

 

 

@Tomer Tellersorry for chasing you, but can you please explain if few more sentences the ent-to-end process of https://securitycenter.microsoft.com/software-inventory and https://securitycenter.microsoft.com/vulnerabilities get collected? Frequency, timeouts, does it uses Windows Update or registry, etc.

Is there a blog or webinar from the Microsoft explaining this subject so you do not repeat the information? We have customer questions while official Microsoft documentation does not have any details at all. Best regards Serg.

Is there any update to OP's question? Maybe in the official documentation or forum?
I have the same questions for our environment. I have applications I've updated, removed etc and am wondering how quickly and how these changes corelate with discovered vulnerabilities.

If software is updated or removed then I expect the discovered vulnerabilities to update within a time frame.

If software is added, updated, removed then I expect the software inventory and security recommendations list to reflect the changes within a time frame

@byertjames 

 

Please find below the answers to the questions asked :

 

  1. How often when does the software inventory list in MS 365 Defender get updated?

 

TVM Software Inventory data freshness is currently 3-4h (upper limit, can also be less).

 

Please refer the below screenshots for the information :

 

byertjames_0-1626195832926.jpeg

 

 

 

 

byertjames_1-1626195832930.jpeg

 

 

  1. Can we use a command line or powershell to trigger a software inventory scan?

 

There is no command line or powershell or anything else to trigger an inventory scan/update.

 

In addition to that if you have any further queries regarding the issue, please let me know.

 

Appreciate your time and patience.

 

Awaiting your reply.

 

With Best Regards,

Truptesh Fulpagare | Microsoft Security

v-tfulpagare@microsoft.com | +1-425-704-3638 Ext: 2261221 | Mon-Fri: 07:30 PM – 05:00 AM IST

Backup Engineer: Hrudyesh Bagde | v-hrbagd@microsoft.com  | Mon-Fri: 07:30 PM – 05:00 AM IST

Manager: Anirudh Palit v-2anpal@microsoft.comMon-Fri: 05:00 AM – 02:30 PM EST

Team Callback Request email (monitored 24/7): secPro-EP@microsoft.com

Now 14 months have passed. Is there any new status for reflect Non-CPE products in the main software inventory page?

@philippwree - While this capability was indeed deferred in previous releases the good news that it will land in this Q4.

www.000webhost.com