Forum Discussion

MalliBoppe
Copper Contributor
Jun 22, 2023

Weekly vulnerability report for servers

We use Defender for Endpoint on our server fleet. With vulnerability management, I want to receive a weekly report of missing patches emailed to our security team. The report should contain

Server name, OS, VulnerabilitySeverityLevel, VulnerabilityName and VulnerabilityScore.

I am using the hunting query below, but it would need to be run manually every time we need to generate the report.


// Critical/High CVEs per device, enriched with the description and CVSS score from the KB table
let SoftwareVulns = DeviceTvmSoftwareVulnerabilities
| join kind=inner DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where VulnerabilitySeverityLevel in ('Critical', 'High')
| project-rename VulnerabilityName=VulnerabilityDescription, VulnerabilityScore=CvssScore, VulnId=CveId;
let AllVulns = SoftwareVulns;
// DeviceInfo holds many snapshots per device; keep only the latest so each device appears once
DeviceInfo
| where OSPlatform contains "Server"
| summarize arg_max(Timestamp, *) by DeviceId
| join kind=inner AllVulns on DeviceId
| project DeviceName, OSPlatform, VulnerabilityName, PublishedDate=format_datetime(PublishedDate, "dd/MM/yyyy"),
          VulnerabilitySeverityLevel, VulnerabilityScore, AffectedSoftware, VulnId, Timestamp, ReportId
| order by VulnerabilitySeverityLevel asc, VulnerabilityScore desc


Any help or pointers to automate this would be much appreciated.

  • You can use Logic Apps to do this.
    Cannot remember if the DeviceTvmSoftwareVulnerabilitiesKB is available in the regular MDE advanced hunting connector, but if it is not you can access the Microsoft 365 Defender REST API to run queries there.

    Results can be made into a CSV file etc., and then mailed via Outlook, SendGrid or some other mail solution available in Logic Apps.
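To make the REST API route from the reply above concrete, here is an added example (not code from this thread or from Microsoft): a small Python script that obtains a token with the client-credentials flow, posts the hunting query to the advanced hunting endpoint and turns the response into a CSV that can be attached to a mail. It assumes an app registration with the Advanced Hunting read permission; the tenant ID, client ID and secret are placeholders, and the response shown in `SAMPLE_RESPONSE` is constructed to match the API's `Schema`/`Results` layout so the CSV step can be exercised offline. The query is a slimmed-down variant of the one in the question: `DeviceTvmSoftwareVulnerabilities` already carries `OSPlatform`, so the `DeviceInfo` join is not needed for the columns the report asks for.

```python
"""Run a Defender advanced-hunting query via the Microsoft 365 Defender REST API
and write the result as CSV. Added example, not code from the thread; the
tenant/client values are placeholders and SAMPLE_RESPONSE is constructed data."""
import csv
import io
import json
import urllib.parse
import urllib.request

# Placeholders: replace with your tenant ID, app (client) ID and client secret.
TENANT_ID = "<tenant-id>"
CLIENT_ID = "<client-id>"
CLIENT_SECRET = "<client-secret>"

TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
HUNTING_URL = "https://api.security.microsoft.com/api/advancedhunting/run"

# Critical/High CVEs on servers, with description and CVSS score from the KB table.
HUNTING_QUERY = """
DeviceTvmSoftwareVulnerabilities
| join kind=inner DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where VulnerabilitySeverityLevel in ('Critical', 'High')
| where OSPlatform contains "Server"
| project DeviceName, OSPlatform, VulnerabilitySeverityLevel,
          VulnerabilityName = VulnerabilityDescription,
          VulnerabilityScore = CvssScore, CveId,
          PublishedDate = format_datetime(PublishedDate, "dd/MM/yyyy")
"""


def get_token() -> str:
    """Client-credentials flow for the Defender API scope (network call)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": "https://api.security.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=body)) as resp:
        return json.load(resp)["access_token"]


def run_query(token: str, query: str) -> dict:
    """POST the KQL to the advanced hunting endpoint (network call).
    The JSON body carries 'Schema' (column list) and 'Results' (row objects)."""
    req = urllib.request.Request(
        HUNTING_URL,
        data=json.dumps({"Query": query}).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def results_to_rows(body: dict) -> list:
    """Order rows Critical first, then by descending score, so the report reads top-down."""
    return sorted(
        body.get("Results", []),
        key=lambda r: (SEVERITY_RANK.get(r["VulnerabilitySeverityLevel"], 9),
                       -float(r["VulnerabilityScore"])),
    )


def rows_to_csv(body: dict) -> str:
    """Render the response as CSV using the column order the API returned in Schema."""
    columns = [c["Name"] for c in body["Schema"]]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(results_to_rows(body))
    return buf.getvalue()


# Constructed sample response in the API's shape; device names and CVE IDs are made up.
_COLS = ("DeviceName", "OSPlatform", "VulnerabilitySeverityLevel", "VulnerabilityName",
         "VulnerabilityScore", "CveId", "PublishedDate")
SAMPLE_RESPONSE = {
    "Schema": [{"Name": n, "Type": "String"} for n in _COLS],
    "Results": [
        dict(zip(_COLS, ("srv-app-01", "WindowsServer2019", "High",
                         "Example high finding", 8.1, "CVE-0000-0001", "01/06/2023"))),
        dict(zip(_COLS, ("srv-db-02", "WindowsServer2022", "Critical",
                         "Example critical finding", 9.8, "CVE-0000-0002", "05/06/2023"))),
        dict(zip(_COLS, ("srv-app-01", "WindowsServer2019", "High",
                         "Another high finding", 7.5, "CVE-0000-0003", "12/06/2023"))),
    ],
}

if __name__ == "__main__":
    # Live run: fetch the real results and write the CSV for the mail step.
    body = run_query(get_token(), HUNTING_QUERY)
    with open("server-vulns.csv", "w", newline="") as fh:
        fh.write(rows_to_csv(body))
```

Scheduling the script weekly (cron, a scheduled task, or an Automation runbook) and handing the CSV to whatever mail step you already have covers the "run it manually every time" problem; the secret should come from a vault or environment rather than the placeholder constants, and the app registration should carry only the hunting read permission it needs.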
