api/vulnerabilities/machinesVulnerabilities suddenly returns only 1000 items

We've been querying api/vulnerabilities/machinesVulnerabilities and other Defender APIs once a day for some months with success.

Starting today around 1:20 AM UTC this query only returns 1000 items - we see in the Defender portal there are a lot more.

https://api-eu.securitycenter.windows.com/api/vulnerabilities/machinesVulnerabilities

In the API-Explorer in defender portal I can see the same behaviour.

Furthermore in the last few days there were availability problems with the API as well.

Does anybody else observe this change in behaviour?

3 Replies

@sirferl We have the same problem. For many months, we have had our scripts calling the Defender API every day and suddenly most of the vulnerabilities disappeared; only some of them remain. That does not make a lot of sense. Maybe it only displays the latest vulnerabilities and, after a date, the API doesn't display them. Even so, nothing in the documentation explains anything about this and we don't know how to display all the CVEs from the API. We are checking.

Hi @ndaishuna Since posting this two years ago I switched to this query, which gives every vulnerability.

We select only a few fields with the $select operator

https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?$select=cveId, deviceId, softwareName, softwareVendor, softwareVersion, vulnerabilitySeverityLevel, firstSeenTimestamp

You have to check for the presence of the next link in the returned data to get all the elements, e.g. in Python:

if '@odata.nextLink' in jsonResponse:
    url = jsonResponse['@odata.nextLink']
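
The next-link check from the reply above, carried through as a full paging loop. This is an added example, not code from any poster in this thread; `fetch_all`, `http_get_json`, `PAGE_CAP`, the placeholder URL and the sample pages are assumptions made for illustration.

```python
import json
import urllib.request

PAGE_CAP = 1000  # item count at which the thread saw results stop; assumption for the check below


def http_get_json(url, token):
    """GET one page with a bearer token (obtaining the token is out of scope here)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def fetch_all(first_url, get_json, max_pages=10000):
    """Follow '@odata.nextLink' page by page; return (items, suspect_truncated)."""
    items, url, seen, last_len = [], first_url, set(), 0
    while url:
        if url in seen or len(seen) >= max_pages:
            raise RuntimeError(f"pagination loop or page limit reached at {url}")
        seen.add(url)
        page = get_json(url)
        batch = page.get("value", [])
        items.extend(batch)
        last_len = len(batch)
        url = page.get("@odata.nextLink")
    # Heuristic (assumption): a final page that is exactly full with no next link
    # may mean the result was cut off rather than complete.
    return items, last_len == PAGE_CAP


# Constructed sample responses standing in for the API; URLs and IDs are placeholders.
BASE = "https://api.example.invalid/api/machines/SoftwareVulnerabilitiesByMachine"
SAMPLE_PAGES = {
    BASE: {"value": [{"cveId": "CVE-EXAMPLE-1"}, {"cveId": "CVE-EXAMPLE-2"}],
           "@odata.nextLink": BASE + "?page=2"},
    BASE + "?page=2": {"value": [{"cveId": "CVE-EXAMPLE-3"}, {"cveId": "CVE-EXAMPLE-4"}],
                       "@odata.nextLink": BASE + "?page=3"},
    BASE + "?page=3": {"value": [{"cveId": "CVE-EXAMPLE-5"}]},  # last page: no next link
}


def demo():
    """Run the loop over the constructed pages (no network access)."""
    return fetch_all(BASE, SAMPLE_PAGES.__getitem__)


if __name__ == "__main__":
    rows, suspect = demo()
    print(len(rows), "items; possible truncation:", suspect)
```

Against a live endpoint, pass `lambda u: http_get_json(u, token)` as `get_json`; a `True` in the second return value is a prompt to compare the count with the portal, not proof of data loss.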

@sirferl 

Thanks. For us, since last week Microsoft applied some changes to their Defender API and it doesn't show all vulnerabilities like before. The best way to have all of the vulnerabilities is to send a request to the Azure Resource Graph API.

That allows us much more flexibility and we can explore any assessment we need. I think that's what Microsoft has moved to.

POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01

Headers:
Content-Type: application/json
Authorization: Bearer [Your token after authentication]

Body:
{
    "subscriptions": [
        "[Your subscription ID]"
    ],
    "query": "securityresources | where type =~ \"microsoft.security/assessments/subassessments\" | where properties.additionalData.assessedResourceType =~ \"ServerVulnerabilityTvm\""
}