SOLVED

Weekly Vulnerability report for servers


We use Defender for Endpoint on our server fleet. With vulnerability management, I want to receive a weekly report of missing patches emailed to our security team. The report should contain:

Server name, OS, VulnerabilitySeverityLevel, VulnerabilityName and VulnerabilityScore.
I am using the hunting query below, but it would need to be run manually every time we need to generate the report.
// Critical/High CVEs per device, joined to the KB table for the description, CVSS score and publish date.
let SoftwareVulns = DeviceTvmSoftwareVulnerabilities
| join DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where VulnerabilitySeverityLevel in ('Critical','High')
| project-rename VulnerabilityName=VulnerabilityDescription, VulnerabilityScore=CvssScore, VulnId=CveId;
// Restrict to server OS platforms (OSPlatform values such as WindowsServer2019).
DeviceInfo
| where OSPlatform contains "Server"
// innerunique keeps one DeviceInfo row per DeviceId, so each CVE appears once per server.
| join kind=innerunique SoftwareVulns on DeviceId
// Name the formatted date column, otherwise it is emitted as an unnamed column.
| project DeviceName, OSPlatform, VulnerabilityName, PublishedDate=format_datetime(PublishedDate,"dd/MM/yyyy"),
    VulnerabilitySeverityLevel, VulnerabilityScore, AffectedSoftware, VulnId, Timestamp, ReportId
// Alphabetical order puts Critical before High.
| order by VulnerabilitySeverityLevel asc
Any help or pointers to automate this would be much appreciated.

4 Replies
Solution (best response, confirmed by MalliBoppe):
You can use Logic Apps to do this.
I cannot remember whether the DeviceTvmSoftwareVulnerabilitiesKB table is available in the regular MDE advanced hunting connector, but if it is not, you can access the Microsoft 365 Defender REST API to run queries there.

Results can be made into a CSV file etc., and then mailed via Outlook, SendGrid or some other mail solution available in Logic Apps.
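The same pipeline the answer describes (run the hunting query through the Microsoft 365 Defender REST API, turn the rows into a CSV, attach it to an e-mail), as an added, stand-alone script that is not part of the original thread and not the answerer's code. It assumes: the advanced hunting endpoint https://api.security.microsoft.com/api/advancedhunting/run, which accepts a JSON body {"Query": ...} and returns Schema/Results; a bearer token for an app registration with the AdvancedHunting.Read.All permission, supplied in the hypothetical DEFENDER_TOKEN environment variable; and constructed sender/recipient addresses. The sample API response embedded below is constructed data with placeholder CVE identifiers, so the CSV and e-mail steps run offline; the Timestamp and ReportId columns are dropped from the query because they are only needed by custom detection rules, not by a mailed report.

```python
"""Weekly Critical/High server vulnerability report (added example, not the
original poster's or the answerer's code): advanced hunting via the Microsoft
365 Defender REST API -> CSV -> e-mail with the CSV attached."""
import csv
import io
import json
import os
import urllib.request
from email.message import EmailMessage

# Real endpoint of the Microsoft 365 Defender advanced hunting API.
API_URL = "https://api.security.microsoft.com/api/advancedhunting/run"

# The query from the original post, minus Timestamp/ReportId (custom-detection-only columns).
HUNTING_QUERY = r"""
let SoftwareVulns = DeviceTvmSoftwareVulnerabilities
| join DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where VulnerabilitySeverityLevel in ('Critical','High')
| project-rename VulnerabilityName=VulnerabilityDescription, VulnerabilityScore=CvssScore, VulnId=CveId;
DeviceInfo
| where OSPlatform contains "Server"
| join kind=innerunique SoftwareVulns on DeviceId
| project DeviceName, OSPlatform, VulnerabilityName, PublishedDate=format_datetime(PublishedDate,"dd/MM/yyyy"),
    VulnerabilitySeverityLevel, VulnerabilityScore, AffectedSoftware, VulnId
| order by VulnerabilitySeverityLevel asc
"""


def run_hunting_query(query: str, token: str) -> dict:
    """POST the KQL to the API; the response body is {"Stats": ..., "Schema": [...], "Results": [...]}."""
    body = json.dumps({"Query": query}).encode("utf-8")
    req = urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)


def results_to_csv(response: dict) -> str:
    """Render the API response as CSV; column order comes from Schema, so the
    header matches the query's project clause even if Results is empty."""
    columns = [col["Name"] for col in response["Schema"]]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in response["Results"]:
        writer.writerow(row)  # DictWriter quotes fields that contain commas or quotes
    return buf.getvalue()


def build_report_email(csv_text: str, sender: str, recipients: list, subject: str) -> EmailMessage:
    """Plain-text body with the finding count, CSV attached as text/csv (base64 encoded)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    findings = csv_text.count("\n") - 1  # every line except the header is one finding
    msg.set_content(f"Attached: {findings} Critical/High vulnerability finding(s) on servers.")
    msg.add_attachment(csv_text.encode("utf-8"), maintype="text", subtype="csv",
                       filename="server-vulns.csv")
    return msg


# Constructed sample response in the API's shape; CVE ids are placeholders, not real CVEs.
SAMPLE_RESPONSE = {
    "Stats": {"ExecutionTime": 0.42},
    "Schema": [{"Name": n, "Type": "String"} for n in (
        "DeviceName", "OSPlatform", "VulnerabilityName", "PublishedDate",
        "VulnerabilitySeverityLevel", "VulnerabilityScore", "AffectedSoftware", "VulnId")],
    "Results": [
        {"DeviceName": "srv-app-01.corp.example", "OSPlatform": "WindowsServer2019",
         "VulnerabilityName": "Constructed description of a remote code execution flaw",
         "PublishedDate": "09/07/2024", "VulnerabilitySeverityLevel": "Critical",
         "VulnerabilityScore": 9.8, "AffectedSoftware": "windows_server_2019", "VulnId": "CVE-0000-0001"},
        {"DeviceName": "srv-db-02.corp.example", "OSPlatform": "WindowsServer2022",
         "VulnerabilityName": "Constructed description, with a comma, of a privilege escalation flaw",
         "PublishedDate": "02/07/2024", "VulnerabilitySeverityLevel": "High",
         "VulnerabilityScore": 7.8, "AffectedSoftware": "windows_server_2022", "VulnId": "CVE-0000-0002"},
    ],
}


if __name__ == "__main__":
    token = os.environ.get("DEFENDER_TOKEN")  # hypothetical variable holding the app token
    response = run_hunting_query(HUNTING_QUERY, token) if token else SAMPLE_RESPONSE
    report = build_report_email(results_to_csv(response), "mde-reports@corp.example",
                                ["secops@corp.example"], "Weekly server vulnerability report")
    print(report.as_string())  # hand this to smtplib.SMTP(...).send_message(report) in production
```

Schedule the script weekly (cron, Task Scheduler, or an Azure Automation runbook) and pass the message to your relay with smtplib; the token should come from a client-credentials flow against the app registration rather than a user sign-in, since the job runs unattended. If you stay with Logic Apps instead, the same three steps map onto the HTTP action (with managed identity or client credentials), the "Create CSV table" action, and the Outlook or SendGrid send action.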
I don't think I can use a custom rule, as it doesn't allow the data to be emailed.

Thanks Jonhed, will try with Logic Apps and let you know.