Feb 08 2023 07:54 AM
Hi.
When in Security Recommendations, I can enter a CVE reference, and there is a column in the display for "Security Recommendation" (please see attached screenshot).
So for example, for: CVE-2020-1938
The Security Recommendations advises: Update Apache Tomcat
Is there any table available within the KQL editor that will display that recommendation for a given CVE?
I've checked DeviceTvmSoftwareVulnerabilitiesKB and DeviceTvmSoftwareVulnerabilities; however, the Security Recommendations field is not available in either of those.
Any help would be much appreciated,
Thanks, Mark
Mar 01 2023 06:12 AM
Hey,
There is no easy way to use KQL to retrieve the table of the "Security recommendations" through "Advanced Hunting".
You need to "join" two tables based on the "ConfigurationId".
Just let me know if you have any further questions:
// Per-device assessment results, joined to the KB table that holds the
// recommendation text for each configuration ID
DeviceTvmSecureConfigurationAssessment
| project DeviceName, ConfigurationId
| join (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
  ) on ConfigurationId
| project ConfigurationId, DeviceName, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
// Drop duplicate rows where the same device reports the same configuration more than once
| distinct DeviceName, ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| sort by DeviceName asc
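The query above covers secure-configuration recommendations. As an added example that is not part of any reply in this thread, the query below goes back to Mark's original CVE question using the two software-vulnerability tables he already looked at: the KB table supplies the CVE metadata, and DeviceTvmSoftwareVulnerabilities supplies the exposed devices together with the vendor's recommended security update, which is the closest thing to the portal's "Security recommendation" text that Advanced Hunting exposes. Column names are taken from the published schema of these tables and are assumed to be current for your tenant.

```kql
// Added example (not from the thread): exposed devices and the recommended
// security update for one CVE, using documented Advanced Hunting columns.
let TargetCve = "CVE-2020-1938";   // the CVE from the original question
DeviceTvmSoftwareVulnerabilitiesKB
| where CveId == TargetCve
// CVE-level facts: score, severity, whether a public exploit exists
| project CveId, CvssScore, VulnerabilitySeverityLevel, IsExploitAvailable, VulnerabilityDescription
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities
    | where CveId == TargetCve
    // Device-level facts, including the vendor's recommended fix
    | project CveId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion,
              RecommendedSecurityUpdate, RecommendedSecurityUpdateId
  ) on CveId
// One row per affected software version with the count of exposed devices
| summarize ExposedDevices = dcount(DeviceName), Devices = make_set(DeviceName, 50)
    by CveId, SoftwareVendor, SoftwareName, SoftwareVersion,
       RecommendedSecurityUpdate, RecommendedSecurityUpdateId,
       CvssScore, VulnerabilitySeverityLevel, IsExploitAvailable
| sort by CvssScore desc, ExposedDevices desc
```

Drop the two `where CveId == TargetCve` filters to get the same shape for every CVE in the tenant, which is useful for prioritising by exploit availability and exposed-device count.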
May 21 2023 07:23 PM - edited May 21 2023 07:28 PM
Works well. Is there a way we can exclude the devices with onboarding status "can be onboarded"? The number of devices in the network includes some extra devices, and they all get added to the recommendations list. So I am trying to exclude those devices. I did a bit of modification to the query but am not sure if this is correct or not.
Oct 30 2023 03:50 PM
Yeah, I just checked and there are about 27 fewer configuration IDs in DeviceTvmSecureConfigurationAssessmentKB. Not sure if there is any other common field that can be used. Maybe let's try to understand what you are trying to accomplish, and we will see if there is any other alternative.
Oct 31 2023 06:30 PM - edited Oct 31 2023 06:32 PM
Hope this helps. To me it does, but everyone is different.
What I have done for my environment is create two tabs in Power BI and connect them directly to the Defender API.
The first one is for "App and Security Recommendations". The following OData query can be used for this. I used the following query in the Blank editor. This is different from OData.
let
    // Pull the recommendations feed from the Defender for Endpoint API
    Source = OData.Feed("https://api.securitycenter.microsoft.com/api/recommendations", null, [Implementation="2.0"]),
    // Rename the raw API fields to report-friendly column names
    #"Renamed Columns" = Table.RenameColumns(Source, {
        {"Vulnerabilities", "Vulnerabilities.1"},
        {"Software", "Software.1"},
        {"recommendationName", "Recommendation Name"},
        {"productName", "Product Name"},
        {"vendor", "Vendor"},
        {"recommendedVersion", "Recommended Version"},
        {"recommendationCategory", "Category"},
        {"subCategory", "Sub Category"},
        {"severityScore", "Severity Score"},
        {"publicExploit", "Public Exploit"},
        {"remediationType", "Remediation Type"},
        {"exposedMachinesCount", "Exposed Machines"}
    })
in
    #"Renamed Columns"
It has several columns, but not all of them are useful for everyone. So I use very few of them in the actual report. I use the columns: Category, Sub Category, Recommendation Name, Product Name, Public Exploit, Exposed Machines (number), Recommended Version and Remediation Type.
Then I have a second tab where I have again connected to the API to find which applications are installed on devices. But now I am using more of a KQL query to get the data. From there I can find whether the application is on the latest version or not. If not, that qualifies for an email to be sent to the device owner, or an action for the IT guys to update the application. That gives me three columns: DeviceName, SoftwareName and SoftwareVersion. Devices with an old software version qualify for emails to be sent out.
let
    // Advanced Hunting query sent to the API: every device/software/version triple
    AdvancedHuntingQuery = "DeviceTvmSoftwareInventory | where DeviceName !="""" | distinct SoftwareName, DeviceName, SoftwareVersion",
    HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedhunting",
    // Run the query and parse the JSON response (a Schema list plus a Results list)
    Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),
    // Map the column type names returned by the API to Power BI types
    TypeMap = #table(
        { "Type", "PowerBiType" },
        {
            { "Double", Double.Type },
            { "Int64", Int64.Type },
            { "Int32", Int32.Type },
            { "Int16", Int16.Type },
            { "UInt64", Number.Type },
            { "UInt32", Number.Type },
            { "UInt16", Number.Type },
            { "Byte", Byte.Type },
            { "Single", Single.Type },
            { "Decimal", Decimal.Type },
            { "TimeSpan", Duration.Type },
            { "DateTime", DateTimeZone.Type },
            { "String", Text.Type },
            { "Boolean", Logical.Type },
            { "SByte", Logical.Type },
            { "Guid", Text.Type }
        }),
    // Build the result table from the returned schema and apply the mapped types
    Schema = Table.FromRecords(Response[Schema]),
    TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap, {"Type"}),
    Results = Response[Results],
    Rows = Table.FromRecords(Results, Schema[Name]),
    Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
in
    Table