Forum Discussion

marktait19's avatar
marktait19
Copper Contributor
Feb 08, 2023

Security Recommendation - is it available in any table in KQL query editor

Hi.   When in Security Recommendations, I can enter a CVE reference, and there is a column in the display for "Security Recommendation" (please see attached screenshot).   So for example, for: CV...
microsoft defender for endpoint
Microsoft Defender for Office 365
threat hunting
  • BaruchAbitbol's avatar
    BaruchAbitbol
    Mar 01, 2023
    fixed it.

    try this:

    DeviceTvmSecureConfigurationAssessment
    | project DeviceName, ConfigurationId
    | join kind=inner ( DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions, ConfigurationId
    )
    on ConfigurationId
    | project ConfigurationId, DeviceName, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
    | distinct DeviceName, ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
    | sort by DeviceName asc
Jaideep445's avatar
Jaideep445
Copper Contributor

I did reply earlier to this one but it looks like my reply got lost somewhere. At least I can't see it. So, posting again. Apologies if you see this as a duplicate.

I hope this helps. It helps me but everyone is different. I have created two Tabs/Queries in Power BI. One is for "App and Security Recommendations" and the other one is for Finding Apps on a Device.

First query is OData query and it reads as:
let
Source = OData.Feed("https://api.securitycenter.microsoft.com/api/recommendations", null, [Implementation="2.0"]),
#"Renamed Columns" = Table.RenameColumns(Source,{{"Vulnerabilities", "Vulnerabilities.1"}, {"Software", "Software.1"}, {"recommendationName", "Recommendation Name"}, {"productName", "Product Name"}, {"vendor", "Vendor"}, {"recommendedVersion", "Recommended Version"}, {"recommendationCategory", "Category"}, {"subCategory", "Sub Category"}, {"severityScore", "Severity Score"}, {"publicExploit", "Public Exploit"}, {"remediationType", "Remediation Type"}, {"exposedMachinesCount", "Exposed Machines"}})
in
#"Renamed Columns"

Columns I select are in the screenshot here.

 

Second query for finding apps on devices is in blank editor in Power BI. It is more of a KQL query. It reads as:

 

let
AdvancedHuntingQuery = "DeviceTvmSoftwareInventory | where DeviceName !="""" | distinct SoftwareName, DeviceName, SoftwareVersion",

 

HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedhunting",

Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),

TypeMap = #table(
{ "Type", "PowerBiType" },
{
{ "Double", Double.Type },
{ "Int64", Int64.Type },
{ "Int32", Int32.Type },
{ "Int16", Int16.Type },
{ "UInt64", Number.Type },
{ "UInt32", Number.Type },
{ "UInt16", Number.Type },
{ "Byte", Byte.Type },
{ "Single", Single.Type },
{ "Decimal", Decimal.Type },
{ "TimeSpan", Duration.Type },
{ "DateTime", DateTimeZone.Type },
{ "String", Text.Type },
{ "Boolean", Logical.Type },
{ "SByte", Logical.Type },
{ "Guid", Text.Type }
}),

Schema = Table.FromRecords(Response[Schema]),
TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
Results = Response[Results],
Rows = Table.FromRecords(Results, Schema[Name]),
Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))

in Table

 

Columns used from this query are Device Name, Software Name and Software Version.

So, devices with old Software version qualify for emails to be sent out or can be action items for IT guys to update those devices.

 

I really hope this helps.

slouies's avatar
slouies
Copper Contributor
Nov 03, 2023
This is definitely helpful !
Thank you so much !

Resources