How can I retrieve both Active and Disabled Vulnerabilities from Azure Defender for Cloud using Graph Query?

Brian Korzen 0 Reputation points
2024-11-14T19:48:45.8733333+00:00

Working with the "Azure registry container images should have vulnerabilities resolved" recommendation in Defender for Cloud, my company wants to prevent this rec from affecting our security score, but without setting an exemption for the rec itself, so that we can still analyze the reported data.

We utilize our own in-house developed system to monitor these vulnerabilities against our actual running images, and we are utilizing the Graph API to pull that data in from the Defender for Cloud recommendation. This has been working perfectly, until we set a Disable Rule on the recommendation itself. Now anything that falls under the Disable Rule is not being picked up by the query, and therefore not delivered to our in-house tool.

We are using an edited version of the "Query returning security findings" to bring in our results as follows:

(As a note, this can also be reproduced using the built-in "Query returning security findings"; it is not necessary to use my custom query below to reproduce it.)

    // Sub-assessments are the individual findings (here: CVEs per image) under an assessment
    securityresources
    | where type =~ "microsoft.security/assessments/subassessments"
    // Pull the assessment key (GUID) out of the resource id
    | extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
    // Key of the "Azure registry container images should have vulnerabilities resolved" assessment
    | where assessmentKey == "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"
    // Only findings Defender for Cloud currently reports as Unhealthy
    | where properties.status.code == "Unhealthy"
    | extend cveId = tostring(properties.additionalData.vulnerabilityDetails.cveId),
             severity = tostring(properties.additionalData.vulnerabilityDetails.severity),
             additionalData = tostring(properties.additionalData),
             subAssessmentDescription = tostring(properties.description)
    | where severity in ("High", "Critical", "Medium", "Low", "Unknown")

This will pull in all of the Active vulnerabilities, but won't touch the Disabled ones. For example if one were to set a Disable Rule for High Severity, once that applies to the recommendation, you will no longer see Medium and below when the query is run even in Graph Explorer.

I feel like there is something I am missing to trigger the query to also aggregate the Disabled findings for our evaluation outside of Azure. I have been searching for literally days and I am just not finding, in any of the reference materials nor through Copilot, how to reference both the Active and Disabled recommendations in such a case.

Any ideas out there?

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

2 answers

  1. Brian Korzen 0 Reputation points
    2024-11-15T00:11:15.6633333+00:00

    I found my own answer: precisely what I was looking to do does not seem possible.

    I found that when there is a Disable Rule, the affected resources are cleared out from the vulnerability details, and the query I am using above uses the affected resources as a primary data point.

    Can't believe that got by me. Back to the drawing board.


  2. Sandeep G-MSFT 20,921 Reputation points Microsoft Employee Moderator
    2024-12-04T04:22:32.6533333+00:00

    @Brian Korzen

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others](https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer)", I'll repost your solution in case you'd like to "[Accept](https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread)" the answer.

    Issue: How to retrieve both Active and Disabled Vulnerabilities from Azure Defender for Cloud using Graph Query?

    Solution: When there is a Disable Rule, the affected resources are cleared out from the vulnerability details, and the query you are using above in your question uses the affected resources as a primary data point.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

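The following is an added diagnostic query, not part of the question or either answer, for checking what a Disable Rule actually does to the findings before deciding how to feed them to an external tool. It takes the query from the question, drops the `Unhealthy` filter and the severity filter, and groups every sub-assessment of the same assessment by status code, status cause, severity and whether `properties.resourceDetails.id` is still populated. The assessment key is the one from the question; the fields `properties.status.cause` and `properties.resourceDetails.id` are assumed from the sub-assessment schema and should be confirmed in Resource Graph Explorer.

```kusto
// Added diagnostic query (not from the original post).
// Tabulate every sub-assessment of the container-image assessment by status,
// so findings a Disable Rule has moved out of "Unhealthy" stay visible,
// and record whether the affected resource is still attached to each finding.
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
// Key of "Azure registry container images should have vulnerabilities resolved" (from the question)
| where assessmentKey == "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"
| extend statusCode  = tostring(properties.status.code),
         statusCause = tostring(properties.status.cause),          // assumed field: status.cause
         severity    = tostring(properties.additionalData.vulnerabilityDetails.severity),
         // assumed field: resourceDetails.id; the first answer reports it is blanked by a Disable Rule
         hasResource = isnotempty(tostring(properties.resourceDetails.id))
| summarize findings = count() by statusCode, statusCause, severity, hasResource
| order by statusCode asc, severity asc
```

Run it once before and once after the Disable Rule is applied. If the disabled findings reappear under a status code other than `Unhealthy`, the original query only needs its `where properties.status.code == "Unhealthy"` line widened to include that code; if, as the first answer reports, those rows come back with `hasResource == false`, the resource mapping the in-house tool depends on is gone from the sub-assessment itself and no status filter will restore it.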
