Forum Discussion
snteran
Feb 05, 2022 Copper Contributor
Defender for cloud - Recommendations > Remediate Security configurations > Machines should...
I have implemented Continuous export in order to utilize the Secure Score over time workbook. Which shows some great information. there is a section for Top recommendations and the first one on our ...
StanislavBelov
Feb 09, 2022 Microsoft
Thank you for your question.
This recommendation is actually telling you that you have machines with active vulnerabilities as you can find here:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference
For this particular scenario we have a dedicated workbook "Vulnerability Assessment Findings" that you may find useful. If you still need a KQL query, you can edit the aforementioned workbook and find the appropriate query there, e.g.:
securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(".*assessments/(.+?)/.*",1, id)
| where assessmentKey == "1195afff-c881-495e-9bc5-1486211ae03f"
| extend VulId = tostring(properties.id), Severity = tostring(properties.status.severity), Status = tostring(properties.status.code)
| where Status == 'Unhealthy'
| summarize Count = dcount(VulId) by Severity
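As an added example (not code from StanislavBelov's answer or the workbook): the same Azure Resource Graph subassessment query extended so that the severity count above can be traced back to the individual machines that carry the findings. The assessment key is the one from the answer; the properties.displayName, properties.remediation and properties.resourceDetails.id fields are assumed from the subassessment schema, so check them against your tenant before relying on the column names.

```kql
// Run in Azure Resource Graph Explorer (or the Resource Graph API).
// Unhealthy vulnerability findings for the "Machines should have vulnerability
// findings resolved" assessment, grouped per machine with a severity breakdown.
securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(".*assessments/(.+?)/.*", 1, id)
| where assessmentKey == "1195afff-c881-495e-9bc5-1486211ae03f"   // key from the answer above
| extend Status = tostring(properties.status.code)
| where Status == "Unhealthy"                                      // only open findings
| extend VulId       = tostring(properties.id),
         Severity    = tostring(properties.status.severity),
         Finding     = tostring(properties.displayName),          // assumed field
         Remediation = tostring(properties.remediation),          // assumed field
         MachineId   = tolower(tostring(properties.resourceDetails.id))  // assumed field
// Last path segment of the affected resource ID is the machine name.
| extend Machine = extract("([^/]+)$", 1, MachineId)
| summarize FindingCount = dcount(VulId),
            High         = dcountif(VulId, Severity == "High"),
            Medium       = dcountif(VulId, Severity == "Medium"),
            Low          = dcountif(VulId, Severity == "Low"),
            Findings     = make_set(Finding, 20)                   // first 20 titles per host
    by subscriptionId, Machine, MachineId
| order by High desc, Medium desc, FindingCount desc
```

Sorting on High, then Medium, then total count gives a prioritised remediation list per host; drop the summarize step if you want one row per finding (with the Remediation text) for export to CSV.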
snteran
Feb 10, 2022 Copper Contributor
Thanks, I'll make sure to review the workbook.
- SergioT1228
May 03, 2022 Brass Contributor
I'm still unable to find a great way to export all the items listed under the "Remediate security configurations".
Hopefully there is someone who has figured out a query to help export them all so we can break them out by OS and then prioritize. The next question is to find a way to exempt/suppress the findings moving forward.
For example, one of the findings is to "Enable" Windows Firewall, but this is not needed, so we need to exempt or disable this finding.
Appreciate any assistance,
Serge
- snteran
Jun 09, 2022 Copper Contributor
Think I found what I was looking for:
SecurityBaseline
| where (BaselineType =~ 'WindowsOS' or BaselineType =~ 'Windows OS' or BaselineType =~ 'Linux' or BaselineType =~ 'Oms.Linux' or BaselineType =~ 'Web' or (isempty(BaselineType) and isnotempty(TimeGenerated)))
// Take the most recent result for each machine/rule pair first ...
| summarize arg_max(TimeGenerated, *) by SourceComputerId, Computer, BaselineRuleId, RuleSeverity, BaselineRuleType
// ... then keep only the rules whose latest result is still Failed
// (filtering on Failed before arg_max would also return rules that have since passed)
| where AnalyzeResult == "Failed"
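As an added example (not code from either poster), covering both Serge's request to break the findings out by OS and the SecurityBaseline query above: it takes the latest result per machine and rule before filtering on Failed, folds the BaselineType variants into a single OS column, drops any rule IDs placed on an exemption list, and summarises the remaining failed rules by OS and severity. The value in ExemptedRules is a placeholder, not a real rule ID, and the RuleSeverity values Critical/Warning/Informational are assumed to be the ones the table uses.

```kql
// Run in the Log Analytics workspace that the machines report to.
// Placeholder list of BaselineRuleId values to suppress; replace with the real
// IDs (e.g. the Windows Firewall rule) taken from the BaselineRuleId column.
let ExemptedRules = dynamic(["EXAMPLE-RULE-ID"]);
let Lookback = 7d;
SecurityBaseline
| where TimeGenerated > ago(Lookback)
| where BaselineType in~ ("WindowsOS", "Windows OS", "Linux", "Oms.Linux", "Web")
// Latest result per machine and rule, so rules that later passed drop out.
| summarize arg_max(TimeGenerated, *) by SourceComputerId, BaselineRuleId
| where AnalyzeResult == "Failed"
| where BaselineRuleId !in (ExemptedRules)          // suppress exempted rules
// Collapse the BaselineType spellings into one OS column.
| extend OS = case(BaselineType in~ ("WindowsOS", "Windows OS"), "Windows",
                   BaselineType in~ ("Linux", "Oms.Linux"),      "Linux",
                   BaselineType)
| summarize FailedRules   = dcount(BaselineRuleId),
            Machines      = dcount(SourceComputerId),
            Critical      = dcountif(BaselineRuleId, RuleSeverity == "Critical"),      // assumed value
            Warning       = dcountif(BaselineRuleId, RuleSeverity == "Warning"),       // assumed value
            Informational = dcountif(BaselineRuleId, RuleSeverity == "Informational")  // assumed value
    by OS
| order by Critical desc, Warning desc
```

Replace the final summarize with `| project OS, Computer, BaselineRuleId, RuleSeverity, Description, TimeGenerated` to get a flat, per-rule list for export; the exemption list only hides rows in the query, it does not change the recommendation state in Defender for Cloud.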