Patch status wrong


Azure Security Center shows a VM as needing a patch, but Azure Update Management and the local VM show it as installed.
What is the update frequency on the data in Security Center? It's been installed for ~24h and it still shows as needed in recommendations.

The query in Security Center for showing which computer is affected is:

Update
| where UpdateState =~ "Needed" and iff(isnotnull(toint(Optional)), Optional == false, Optional == "false") == true and iff(isnotnull(toint(Approved)), Approved != false, Approved != "false") == true and UpdateID == "0641752f-29fb-48d7-a3cf-f93dde26b82b"
//| Removed subscription ID
| summarize AggregatedValue = dcount(SourceComputerId) by SourceComputerId, Computer
| limit 1000000000

The one in Update manager showing it's installed is:

Update
| where UpdateID == "0641752f-29fb-48d7-a3cf-f93dde26b82b" //added updateid for this update
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and SourceComputerId in ((Heartbeat
| where TimeGenerated>ago(12h) and OSType=~"Windows" and notempty(Computer)
| summarize arg_max(TimeGenerated, Solutions) by SourceComputerId
| where Solutions has "updates"
| distinct SourceComputerId))
| summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer, SourceComputerId, UpdateID
| where Approved!=false and Computer=="server.domain.com" // removed affected servername 
| render table

 

0 Replies
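Added example, not part of the original post and not a query taken from Security Center or Update Management: the first query above carries no TimeGenerated filter or arg_max in its text, while the second keeps only the latest record per computer, so this query puts both views side by side for the same UpdateID. It assumes only the Update table columns already used in the post's queries; the 7-day look-back and the output column names are assumptions.

```kql
// Added example: compare "any Needed record in the window" with "state of the latest record".
let updateId = "0641752f-29fb-48d7-a3cf-f93dde26b82b"; // UpdateID from the post
Update
| where UpdateID == updateId
| where TimeGenerated > ago(7d)                         // assumed look-back window
| summarize
    NeededRecords = countif(UpdateState =~ "Needed"),               // what a filter on "Needed" alone matches
    LastNeeded    = maxif(TimeGenerated, UpdateState =~ "Needed"),  // newest record still reporting Needed
    arg_max(TimeGenerated, UpdateState)                              // state in the newest record overall
    by Computer, SourceComputerId
| project-rename LatestRecord = TimeGenerated, LatestState = UpdateState
// True when older "Needed" records exist but the newest record reports something else
| extend StaleNeededOnly = NeededRecords > 0 and LatestState !~ "Needed"
| project Computer, SourceComputerId, LatestRecord, LatestState, NeededRecords, LastNeeded, StaleNeededOnly
| order by StaleNeededOnly desc, Computer asc
```

A row with StaleNeededOnly set to true means the workspace still holds older "Needed" records for that machine even though its newest record no longer says so; LastNeeded shows when the agent last reported the update as needed.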