Blog Post

Microsoft Defender for Cloud Blog
2 MIN READ

Exporting Vulnerability Assessment Results in Microsoft Defender for Cloud

YuriDiogenes's avatar
YuriDiogenes
Icon for Microsoft rankMicrosoft
Mar 05, 2020

With the new Microsoft Defender for Cloud built-in vulnerability assessment solution, you can manage the deployment of the agent and the visualization of the results from a single dashboard. You can learn more about this integration and how it works by reading this article, and watch a quick demo available here.

The vulnerability assessment results that appear in the Microsoft Defender for Cloud dashboard, will look like this:

 

 

While this visualization is very helpful and dynamic, one question that comes up very often is: how can I export this assessment to a CSV file? The answer is: you can do that using Azure Resource Graph (ARG)! Follow the steps below to perform this task:

 

1. In the Azure Portal, go to Resource Graph Explorer as shown below:

 

 

2. Type the query below:

Note: this query below was changed on 8/28/2020 to reflect the changes made in the recommendation name. Thanks DavidTex for calling this out in the comment section.

 

securityresources
 | where type == "microsoft.security/assessments"
 | where * contains "vulnerabilities in your virtual machines"
 | summarize by assessmentKey=name //the ID of the assessment
 | join kind=inner (
    securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
 ) on assessmentKey
project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData

3. Click Run Query button and you will see the result, similar to figure below:

 

 

4. Click Download as CSV button.

 

Now that you downloaded the CSV, you can open it and consume the data generated by the assessment.

 

Updated Oct 24, 2021
Version 7.0
  • khts123's avatar
    khts123
    Copper Contributor
    Oct 04, 2022

    How do we find the URL to qualys portal where we can also view all the assets scanned?

    I am not able to find that in the documentation where it explains how to install qualys agent via azure portal.

  • SarathKScloudsecguy's avatar
    SarathKScloudsecguy
    Copper Contributor
    Mar 11, 2022

    Thanks YuriDiogenes for sharing this information. Updated script with a minor change 

    securityresources
 | where type == "microsoft.security/assessments"
 | where * contains "Machines should have vulnerability findings resolved"
 | summarize by assessmentKey=name //the ID of the assessment
 | join kind=inner (
    securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
 ) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData

     

  • PreranaPrajapat's avatar
    PreranaPrajapat
    Icon for Microsoft rankMicrosoft
    Feb 28, 2022

    rkelly141   I have implemented the solution to pull the results of this query via function app into a SQL server and then pulled the same into Power BI. In that way I can assign vulnerabilities to image onwers by further adding the correlation in my SQL Server by creatin views. 

  • sebastianheil's avatar
    sebastianheil
    Brass Contributor
    Jan 31, 2022

    Based on our observation, the integrated Qualys Scanner is also detecting vulnerabilities of nonRunning Kernels on Linux. With the standalone license of Qualys such vulnerabilities can be easily filtered:

    Exclude or display vulnerabilities for non-running Linux kernels (qualys.com)

     

    Does anyone know if this detail (a specific vulnerability was found on the running or nonRunning kernel) is also exposed via resource graph? Or any other API of Defender for Cloud?

  • rkelly141's avatar
    rkelly141
    Copper Contributor
    Nov 02, 2021

    Good evening all

     

    i have been thinking about this a lot as the scan and results are only current and no history.

    i was thinking 2 solutions the first is a runbook running PowerShell to query the azure resource explorer and save this to a CSV once a week to a storage account (more or less frequent depending on your compliance levels)

    the other way is very similar but the output is streamed to log analytics this way you can create alerts, dashboards and some history  

  • MehdiOskooie's avatar
    MehdiOskooie
    Copper Contributor
    Nov 01, 2021

    Good day,

    Thanks for the great post. Got a quick question/request

    how can we find where the vulnerability was detected? there are times where although a fix has been applied, Qualys still report the asset as vulnerable. In these scenarios you have to see where the vulnerability was detected "registry, user profile, file path to a vulnerable installer,...." this information is missing both in the portal and in the KQL query here.

    Thanks a lot

  • rkelly141's avatar
    rkelly141
    Copper Contributor
    Oct 28, 2021

    Good evening all

     

    Just playing with this at the moment in preparation for my AZ-500 exam, but thinking of real world scenario for work, after remediating initial findings is there a way to create an alert for when a new vulnerability is found?

     

    or

     

    A weekly report that is emailed?

  • PreranaPrajapat's avatar
    PreranaPrajapat
    Icon for Microsoft rankMicrosoft
    Oct 08, 2021

    I tried  to use logic app but the JSON parser could not work as data has multiple array and size limit. Then I used azure function to pull the KQL and add into SQL server. 

    I am running automation via using the logic app and calling  my Function APP but the same  is failing with exception Have you tried automating this via any means?Yuri Diogenes

  • DavidTex's avatar
    DavidTex
    Copper Contributor
    Aug 06, 2021

    hnakada  just use a Logic App to schedule by time trigger and connect it for example with O365 to send email (or if you have any SMTP)