Microsoft Defender for Cloud Blog

Exporting Vulnerability Assessment Results in Microsoft Defender for Cloud

YuriDiogenes
Microsoft
Mar 05, 2020

With the new Microsoft Defender for Cloud built-in vulnerability assessment solution, you can manage the deployment of the agent and the visualization of the results from a single dashboard. You can learn more about this integration and how it works by reading this article, and watch a quick demo available here.

The vulnerability assessment results that appear in the Microsoft Defender for Cloud dashboard look like this:

While this visualization is very helpful and dynamic, one question that comes up very often is: how can I export this assessment to a CSV file? The answer is: you can do that using Azure Resource Graph (ARG)! Follow the steps below to perform this task:

 

1. In the Azure Portal, go to Resource Graph Explorer as shown below:

 

 

2. Type the query below:

Note: the query below was changed on 8/28/2020 to reflect the changes made in the recommendation name. Thanks DavidTex for calling this out in the comment section.

 

securityresources
 | where type == "microsoft.security/assessments"
 | where * contains "vulnerabilities in your virtual machines"
 | summarize by assessmentKey=name //the ID of the assessment
 | join kind=inner (
    securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
 ) on assessmentKey
 | project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
 | extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData

3. Click the Run Query button and you will see the result, similar to the figure below:

 

 

4. Click the Download as CSV button.

 

Now that you have downloaded the CSV, you can open it and consume the data generated by the assessment.
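One way to consume the downloaded file for triage, as an added example that is not part of the original post: it rolls up unhealthy findings per resource and orders the worst machines first. It assumes the CSV keeps the column names produced by the query (resourceId, severity, code, additionalData), that additionalData is written to the cell as JSON, and that each cve entry carries a title field; the function names and the sample rows are constructed for illustration.

```python
import csv
import io
import json
from collections import Counter, defaultdict

SEVERITY_ORDER = ("High", "Medium", "Low")

def summarize_export(csv_text):
    """Roll up unhealthy findings per resource from the exported CSV text."""
    per_resource = defaultdict(lambda: {"counts": Counter(), "cves": set()})
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))  # drop a BOM if present
    for row in reader:
        if row.get("code") != "Unhealthy":  # skip Healthy / NotApplicable rows
            continue
        # Azure resource IDs are case-insensitive: normalise before grouping.
        entry = per_resource[(row.get("resourceId") or "").lower()]
        entry["counts"][row.get("severity") or "Unknown"] += 1
        try:
            extra = json.loads(row.get("additionalData") or "{}")
        except json.JSONDecodeError:
            extra = {}  # tolerate an empty or non-JSON cell
        cves = extra.get("cve") if isinstance(extra, dict) else None
        for cve in cves or []:
            if isinstance(cve, dict) and cve.get("title"):  # assumed entry shape
                entry["cves"].add(cve["title"])
    # Worst resources first: most High findings, then Medium, then Low.
    return sorted(per_resource.items(),
                  key=lambda kv: tuple(-kv[1]["counts"][s] for s in SEVERITY_ORDER))

def constructed_sample():
    """Constructed export with placeholder values, shaped like the query output."""
    vm = "/subscriptions/sub-a/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/"
    rows = [
        ("s1", vm + "web01", "High", "Unhealthy", json.dumps({"cve": [{"title": "CVE-0000-0001"}]})),
        ("s2", vm.upper() + "WEB01", "Medium", "Unhealthy", json.dumps({"cve": []})),
        ("s3", vm + "web01", "High", "Healthy", ""),
        ("s4", vm + "db01", "Low", "Unhealthy", "not-json"),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["subassessmentKey", "resourceId", "severity", "code", "additionalData"])
    writer.writerows(rows)
    return "\ufeff" + buf.getvalue()

if __name__ == "__main__":
    for rid, info in summarize_export(constructed_sample()):
        print(rid.rsplit("/", 1)[-1], dict(info["counts"]), sorted(info["cves"]))
```

To run it on a real export, read the downloaded file with `open(path, encoding="utf-8-sig")` and pass its contents to `summarize_export`.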

 

Updated Oct 24, 2021
Version 7.0

40 Comments

  • Sergg for the example I gave, you just need to copy the statements from my previous reply, and paste in the extend section of the original query (can be under additionalData = properties.additionalData). Regarding the link you sent, it should work too.

  • Sergg
    Iron Contributor

    YuriDiogenes my Kusto skills are not enough to create a query with Join statements. Do you think it is possible to expand the query with machine IP (internal and external)? I can see an example query to pull all machines with external IP addresses here - https://docs.microsoft.com/en-us/azure/governance/resource-graph/samples/advanced?tabs=azure-cli#join-vmpip

  • cdeeter you can add these to the extended section of the query to see the cvss:

       cvssList = properties.additionalData.cvss,
       cveArray = properties.additionalData.cve,

  • cdeeter
    Copper Contributor

    Does anyone have an updated query which includes the CVE numbers and the CVSS score?  If so, would you mind sharing?  

  • Paul Johnson
    Copper Contributor

    Thanks much Yuri! 
    I enjoyed your presentation yesterday... 🙂

  • Paul Johnson
    Copper Contributor

    When I run the query, I only see the first 1000 results out of >3500.
    Do you have suggestions for the most effective way to partition the query so I can download all of the results?

  • Hello KamalDhingra, no, there is nothing to modify. Maybe when you copy and paste there are some extra spaces? I tested in many environments and it works as is.

  • KamalDhingra
    Copper Contributor

    I am trying to run this script in Azure Resource Graph but not getting any results. Is this to be modified anywhere before using?