Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Aug 22, 2023

Find out number of closed vulnerabilities

Hi,

I'm using MS Defender TVM to find and manage vulnerabilities in my infrastructure. I already have some powershell scripts to extract some TVM data for reporting each month, like number of Critical, High, Medium and Low vulns, as well as some other metrics.

But what I would really like to know is the number of closed vulns. For example, I have a server with 100 vulns in which I apply the patch tuesday from MS, which fixes 40 of those vulns, so the server will have 60 vulns after a new scan.

Is there any way to extract information about the closed vulnerabilities?
Thanks

  • AntR07's avatar
    AntR07
    Brass Contributor
    I too have been looking for a solution to this. There is an 'event timeline' in Defender TVM section that tracks changes but I dont think this data is available via API or Advanced Hunting schema. And it is more device related rather than total vulns remediated.

    My thought was to try a KQL query to take all CVE's that existed on the first of the month (or what ever time period you want) and compare against the CVE's that exist now (current date/time). I can't figure out the KQL query though..
    • dmarquesgn's avatar
      dmarquesgn
      Iron Contributor

      AntR07 

      Hi,

      Yeah, I think for new the best option is to extract the all the vulns in Powershell, then dump it into a CSV, and then make a second dump and compare both to find out what vulns have "disappeared".
      I'll try to develop something like this as soon as I got sime time.

      Thanks

Resources