cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Defender for cloud - Recommendations > Remediate Security configurations > Machines should...

snteran
Copper Contributor

‎Feb 04 2022 04:01 PM

‎Feb 04 2022 04:01 PM

Defender for cloud - Recommendations > Remediate Security configurations > Machines should...

I have implemented Continuous export in order to utilize the Secure Score over time workbook. Which shows some great information.  there is a section for Top recommendations and the first one on our list is "Machines should be configured securely"  I would like to export the Unhealthy count along with the server name and their remediation efforts.   What is the best way to get this done?  I have tried to use a kql query but I'm not advanced enough to get the needed information.  

Please advise,

Serge

Labels:
2,729 Views
0 Likes
5 Replies
Reply
5 Replies
Eric Starker

‎Feb 07 2022 09:58 AM

‎Feb 07 2022 09:58 AM

Re: Defender for cloud - Recommendations > Remediate Security configurations > Machines should

@snteran 

Hello! You've posted your question in the Tech Community Discussion space, which is intended for discussion around the Tech Community website itself, not product questions. I'm moving your question to the Microsoft Defender for Cloud space - please post Microsoft Defender for Cloud questions here in the future. 

1 Like
Reply
Stanislav Belov

‎Feb 09 2022 01:50 PM

‎Feb 09 2022 01:50 PM

Re: Defender for cloud - Recommendations > Remediate Security configurations > Machines should

Thank you for your question.
This recommendation is actually telling you that you have machines with active vulnerabilities as you can find here:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference
For this particular scenario we have a dedicated workbook "Vulnerability Assessment Findings" that you may find useful. If you still need a KQL query, you can edit beforementioned workbook and find appropriate query there, e.q.:

securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(".*assessments/(.+?)/.*",1, id)
| where assessmentKey == "1195afff-c881-495e-9bc5-1486211ae03f"
| extend VulId = tostring(properties.id), Severity = tostring(properties.status.severity), Status = tostring(properties.status.code)
| where Status == 'Unhealthy'
| summarize Count = dcount(VulId) by Severity
1 Like
Reply
snteran

‎Feb 10 2022 08:12 AM

‎Feb 10 2022 08:12 AM

Re: Defender for cloud - Recommendations > Remediate Security configurations > Machines should

Thanks, I'll make sure to review the workbook.
0 Likes
Reply
SergioT1228

‎May 03 2022 12:21 PM

‎May 03 2022 12:21 PM

Re: Defender for cloud - Recommendations > Remediate Security configurations > Machines should

I'm still unable to find a great way to export all the items listed under the "Remediate security configurations".

 

image.png

 

 

 

 

 

 

Hopefully there is someone who has figured out a query to help export them all so we can break them out by OS and then prioritize.  The next question is to find a way to exempt/suppress the findings moving forward.

For example, one of the findings to to "Enable" windows firewall but this is not needed, so we need to exempt or disable this finding.

Appreciate any assistance,

Serge

0 Likes
Reply
snteran

‎Jun 09 2022 10:59 AM

‎Jun 09 2022 10:59 AM

Re: Defender for cloud - Recommendations > Remediate Security configurations > Machines should

Think I found what I was looking for:

SecurityBaseline
| where (BaselineType =~ 'WindowsOS' or BaselineType =~ 'Windows OS' or BaselineType =~ 'Linux' or BaselineType =~ 'Oms.Linux' or BaselineType =~ 'Web' or (isempty(BaselineType) and isnotempty(TimeGenerated)))
| where AnalyzeResult == "Failed"
| summarize arg_max(TimeGenerated, *) by SourceComputerId, Computer, BaselineRuleId, RuleSeverity, BaselineRuleType
0 Likes
Reply