Exporting Vulnerability Assessment Results in Microsoft Defender for Cloud

Microsoft

Mar 05, 2020

With the new Microsoft Defender for Cloud built-in vulnerability assessment solution, you can manage the deployment of the agent and the visualization of the results from a single dashboard. You can learn more about this integration and how it works by reading this article, and watch a quick demo available here.

The vulnerability assessment results that appear in the Microsoft Defender for Cloud dashboard, will look like this:

While this visualization is very helpful and dynamic, one question that comes up very often is: how can I export this assessment to a CSV file? The answer is: you can do that using Azure Resource Graph (ARG)! Follow the steps below to perform this task:

1. In the Azure Portal, go to Resource Graph Explorer as shown below:

2. Type the query below:

Note: this query below was changed on 8/28/2020 to reflect the changes made in the recommendation name. Thanks DavidTex for calling this out in the comment section.

securityresources
 | where type == "microsoft.security/assessments"
 | where * contains "vulnerabilities in your virtual machines"
 | summarize by assessmentKey=name //the ID of the assessment
 | join kind=inner (
    securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
 ) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData

3. Click Run Query button and you will see the result, similar to figure below:

4. Click Download as CSV button.

Now that you downloaded the CSV, you can open it and consume the data generated by the assessment.

Updated Oct 24, 2021

Version 7.0

YuriDiogenes

Microsoft

Joined March 01, 2018

View Profile

Microsoft Defender for Cloud Blog

Follow this blog board to get notified when there's new activity

shane_foley
Brass Contributor
Oct 02, 2020
All sorted...

securityresources
| where type == "microsoft.security/assessments"
| where * contains "Vulnerabilities"
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
    securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
) on assessmentKey
| where split(id, "/")[7] == "virtualMachines"
| project assessmentKey, vmname = split(id, "/")[8], subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData
YuriDiogenes
Microsoft
Aug 28, 2020
Thanks DavidTex - that's absolutely correct. The recommendation was updated recently and your change reflects the latest name for the recommendation. Thanks for contributing, I will make sure to add a note and give you credits to call this out.

SarathKScloudsecguy

Copper Contributor

Mar 11, 2022

Thanks YuriDiogenes for sharing this information. Updated script with a minor change

securityresources
 | where type == "microsoft.security/assessments"
 | where * contains "Machines should have vulnerability findings resolved"
 | summarize by assessmentKey=name //the ID of the assessment
 | join kind=inner (
    securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
 ) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData

Paul Johnson
Copper Contributor
May 01, 2020
Thanks much Yuri!
I enjoyed your presentation yesterday... 🙂
DavidTex
Copper Contributor
Aug 28, 2020
Hi YuriDiogenes.
1st of all, thank you for your contribution, it was highly appreciated.
Regarding the script, in my case, i think Microsoft updated recently the display name, so searching on the strings will return nothing.
Here is the script updated for less watchful people

securityresources
| where type == "microsoft.security/assessments"
| where * contains "Vulnerabilities in your virtual machines"
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
    securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData
Swaytex
Copper Contributor
Sep 28, 2020
ChrisSommers you need to run this at the Azure Resource Graph query level and not at the Azure Log Analytics Level.
There is no schema for this at the Azure Log Analytics, I understand that they both use KQL and might be a bit confusing ‌‌

If you go to Azure Resource Graph Explorer you will see on your left side the schema, and you will find the securityresources table.
hnakada
Microsoft
Aug 06, 2021
HI all,

This report is excellent and really I love it. Is it possible to schedule and notify external via email?
KamalDhingra
Copper Contributor
Apr 28, 2020
I am trying to run this script in Azure Resource Graph but not getting any results. Is this to be modified anywhere before using?
YuriDiogenes
Microsoft
Apr 28, 2020
Hello KamalDhingra , no there is nothing to modify. Maybe when you copy and paste there are some extra spaces? I tested in many environments and it works as is.
Paul Johnson
Copper Contributor
May 01, 2020
When I run the query, I only see the first 1000 results out of >3500.
Do you have suggestions for the most effective way to partition the query so I can download all of the results?

Blog Post

Exporting Vulnerability Assessment Results in Microsoft Defender for Cloud

Share