Forum Discussion

MalliBoppe
Copper Contributor
Jun 22, 2023
Solved

Weekly Vulnerability report for servers

We use Defender for Endpoint on our server fleet. With vulnerability management, I want to receive a weekly report of missing patches emailed to our security team. The report should contain:

Server name, OS, VulnerabilitySeverityLevel, VulnerabilityName and VulnerabilityScore.
I am using the hunting query below, but it would need to be run manually every time we need to generate the report.
// Critical/High CVEs on each device, joined to the KB for description, CVSS score and publish date
let SoftwareVulns = DeviceTvmSoftwareVulnerabilities
| join DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where VulnerabilitySeverityLevel in ('Critical','High')
| project-rename VulnerabilityName=VulnerabilityDescription, VulnerabilityScore=CvssScore, VulnId=CveId;
let AllVulns = SoftwareVulns;
// One row per server device (innerunique keeps a single DeviceInfo record per DeviceId), one line per vulnerability
DeviceInfo
| where OSPlatform contains "Server"
| join kind=innerunique AllVulns on DeviceId
| project DeviceName, OSPlatform, VulnerabilityName,
    PublishedDate=format_datetime(PublishedDate, "dd/MM/yyyy"),   // alias, otherwise the column is auto-named
    VulnerabilitySeverityLevel, VulnerabilityScore, AffectedSoftware, VulnId, Timestamp, ReportId
| order by VulnerabilitySeverityLevel asc
Any help or pointers to automate this would be much appreciated.

4 Replies

  • Jonhed
    Iron Contributor
    You can use Logic Apps to do this.
    Cannot remember if the DeviceTvmSoftwareVulnerabilitiesKB table is available in the regular MDE advanced hunting connector, but if it is not, you can access the Microsoft 365 Defender REST API to run queries there.

    Results can be made into a CSV file etc., and then mailed via Outlook, SendGrid or some other mail solution available in Logic Apps.
    • MalliBoppe
      Copper Contributor
      Thanks Jonhed, will try with Logic Apps and let you know.
  • You can try a custom detection rule: https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide
    • MalliBoppe
      Copper Contributor
      Don't think I can use a custom rule as it doesn't allow the data to be emailed.
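Jonhed's REST API route, worked through as an added example (not code from the thread, from Microsoft, or from Logic Apps): a Python script that obtains an app-registration token (tenant id, client id and secret are placeholders you supply), runs the thread's server-vulnerability query against the Microsoft 365 Defender advanced hunting endpoint, then de-duplicates and ranks the rows and renders the CSV the security team is sent. The query is rewritten here without the DeviceInfo join, the sample response is constructed, and the mailing step is left to whatever mailer you schedule the script with.

```python
import csv, io, json, urllib.parse, urllib.request

# Assumed placeholders: an Entra app registration granted the AdvancedHunting.Read.All permission.
TENANT_ID, CLIENT_ID, CLIENT_SECRET = "<tenant-id>", "<app-client-id>", "<app-client-secret>"
HUNT_URL = "https://api.security.microsoft.com/api/advancedhunting/run"
COLUMNS = ["DeviceName", "OSPlatform", "VulnerabilitySeverityLevel", "VulnerabilityName", "VulnerabilityScore", "CveId"]
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}  # alphabetical order is not severity order

# Same report as the thread's query; DeviceTvmSoftwareVulnerabilities already carries
# DeviceName and OSPlatform, so the DeviceInfo join can be dropped.
QUERY = """DeviceTvmSoftwareVulnerabilities
| where OSPlatform contains "Server" and VulnerabilitySeverityLevel in ("Critical", "High")
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB | project CveId, VulnerabilityDescription, CvssScore) on CveId
| project DeviceName, OSPlatform, VulnerabilitySeverityLevel,
    VulnerabilityName=VulnerabilityDescription, VulnerabilityScore=CvssScore, CveId"""

def get_token():
    """Client-credentials token for the Microsoft 365 Defender API (v1 token endpoint, 'resource' form)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET, "resource": "https://api.security.microsoft.com"}).encode()
    req = urllib.request.Request(f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def run_query(token, query):
    """POST the KQL to advanced hunting; the reply is {"Schema": [...], "Results": [...]}."""
    req = urllib.request.Request(HUNT_URL, data=json.dumps({"Query": query}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def to_report_rows(response):
    """Drop duplicate (device, CVE) pairs; order Critical before High, then by CVSS descending."""
    unique = {}
    for row in response["Results"]:
        unique.setdefault((row["DeviceName"], row["CveId"]), row)
    return sorted(unique.values(), key=lambda r: (SEVERITY_RANK.get(r["VulnerabilitySeverityLevel"], 9),
                                                  -float(r["VulnerabilityScore"] or 0), r["DeviceName"]))

def to_csv(rows):
    """Render the rows as the CSV attachment for the weekly mail (missing fields become empty)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample in the API's response shape, with one duplicate row, for an offline dry run.
SAMPLE_RESPONSE = {"Results": [
    {"DeviceName": "srv01", "VulnerabilitySeverityLevel": "High", "VulnerabilityScore": 7.5, "CveId": "CVE-0000-0001"},
    {"DeviceName": "srv02", "VulnerabilitySeverityLevel": "Critical", "VulnerabilityScore": 9.8, "CveId": "CVE-0000-0002"},
    {"DeviceName": "srv01", "VulnerabilitySeverityLevel": "High", "VulnerabilityScore": 7.5, "CveId": "CVE-0000-0001"}]}
```

A live run is `to_csv(to_report_rows(run_query(get_token(), QUERY)))` from a weekly scheduled task; `to_csv(to_report_rows(SAMPLE_RESPONSE))` exercises the shaping offline.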