Forum Discussion
MalliBoppe
Jun 22, 2023, Copper Contributor
Weekly vulnerability report for servers
We use Defender for Endpoint on our server fleet. With Vulnerability Management, I want to receive a weekly report of missing patches emailed to our security team. The report should contain
Server name, OS, VulnerabilitySeverityLevel, VulnerabilityName and VulnerabilityScore.
I am using the below hunting query, but it would need to be run manually every time we need to generate the report.
// Per-device vulnerabilities joined to the KB for the description, CVSS score and publish date
let SoftwareVulns = DeviceTvmSoftwareVulnerabilities
| join DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where VulnerabilitySeverityLevel in ('Critical','High')
| project-rename VulnerabilityName=VulnerabilityDescription, VulnerabilityScore=CvssScore, VulnId=CveId;
let AllVulns = SoftwareVulns;
// Restrict to server OS platforms and attach the findings per DeviceId
DeviceInfo
| where OSPlatform contains "Server"
| join kind=innerunique AllVulns on DeviceId
// Name the formatted date column; an unnamed expression in project comes out as Column1
| project DeviceName, OSPlatform, VulnerabilityName, PublishedDate=format_datetime(PublishedDate,"dd/MM/yyyy"), VulnerabilitySeverityLevel, VulnerabilityScore, AffectedSoftware, VulnId, Timestamp, ReportId
| order by VulnerabilitySeverityLevel asc
Any help or pointers to automate this would be much appreciated.
- mohamedalishahul (Brass Contributor): You can try a custom detection rule: https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide
- MalliBoppe (Copper Contributor): Don't think I can use a custom rule, as it doesn't allow the data to be emailed.
- Jonhed (Steel Contributor): You can use Logic Apps to do this.
Cannot remember if the DeviceTvmSoftwareVulnerabilitiesKB is available in the regular MDE advanced hunting connector, but if it is not you can access the Microsoft 365 Defender REST API to run queries there.
Results can be made into a CSV file etc., and then mailed via Outlook, SendGrid or some other mail solution available in Logic Apps.
- MalliBoppe (Copper Contributor): Thanks Jonhed, will try with Logic Apps and let you know.