LEX Agent

Joins CVEs to critical devices and VMs. Returns a combined asset-plus-CVE view ranked by exploitability, asset criticality, exposure score, and device role.

Filters for actively exploited, verified-exploit, exploit-kit, and zero-day CVEs with the affected asset list — highest-urgency findings.

Fleet-wide device, VM, and hybrid-machine posture: exposure scores, criticality classification, device role, sensor health, and onboarding status.

Big-picture finding volume and severity breakdown across security, management, auditing, and Entra recommendation categories.

Per-asset compound risk: counts findings by type and severity for each asset to identify where multiple CVEs and recommendations overlap.

Maps users with Entra security recommendations to their permission and authentication blast radius — what at-risk identities can actually access.

Every privilege relationship across identities: which service principals, users, managed identities, and groups hold what permissions, roles, and credentials.

Per-asset CVE severity breakdown with exploitability flags and high-severity hotspots — fleet-wide vulnerability posture in one view.

Microsoft Secure Score by category (Identity / Device / Apps / Data) with per-control implementation status; supports historical trending across 7, 30, and 90 days.

CVEs affecting specific devices with software context: name, version, fix availability — fills the gap where ExposureGraph recommendations lack asset mapping.

CVEs with confirmed exploits, affected device counts, software families, CVSS, EPSS, and patch availability — urgent patching priorities at a glance.

Per-device security configuration: CIS benchmarks, security baselines, hardening status with pass/fail rates and compliance percentage.

Installed software per device with end-of-support status and dates for asset profiling and EOL risk detection.

Fleet exposure to a batch of CVEs from a Patch Tuesday or threat campaign: severity, CVSS, exploit availability, EPSS, and software context per device.

Devices still missing a specific security update with CVE counts, worst severity, and exploitable count — tracks deployment progress and identifies stragglers.

Devices running Microsoft Office products with known vulnerabilities — critical for preview-pane RCE classes (e.g., CVE-2026-26110 family).

SQL Server vulnerability posture across the fleet for privilege-escalation and authentication-bypass risk assessment.

For a specific CVE, every asset it affects via ExposureGraph affecting edges — enriches TVM data with asset criticality, exposure score, device role, and sensor health.

Devices connecting to Domain Controllers, ADFS, ADCS, and PKI servers on admin ports (RDP, SSH, WinRM, SMB) bypassing jump-box controls.

Workstation-to-workstation connections on admin ports — high volume indicates active lateral movement or segmentation failure.

Service accounts performing interactive, RDP, or cached logons (when they should only use batch/service/network) — credential theft or hygiene failure indicator.

Dormant privileged accounts ordered least-active-first — prime targets for credential stuffing because unauthorized logons go unnoticed.

Active brute force, password-spray, and credential-stuffing patterns: accounts and devices with 10+ failed logons, distinct account counts (spray) and target counts (targeted).

Devices with frequent local-admin interactive logons that defeat endpoint privilege management and hand attackers easy SYSTEM-escalation paths.

Active Defender XDR incidents with severity, status, affected entities, and alerts — cross-referenced with posture findings.

Detailed incident narrative with device and user names extracted for correlation with posture data.

Device risk and threat status from Defender endpoint protection.

Identity-focused threat context from Microsoft Defender for Identity.

Users flagged by Entra ID Protection with risk level and current state.

Sign-in events: risky sign-ins, MFA status, impossible-travel patterns.

User profile, role, and group membership pulled from Entra ID.

Microsoft Defender Threat Intelligence: CVE details, threat-actor context, and exploit intelligence by keyword.

Device compliance, OS version, and last check-in pulled from Microsoft Intune.

Existing Intune remediation tasks with status, priority, and assignee — prevents duplicate task creation.

Write-capable: create a new Intune remediation task with LEX priority mapping, asset details, and due date. Requires user confirmation before execution.