This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 43%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBK%3C/text%3E%3C/svg%3E)
Working with the "Azure registry container images should have vulnerabilities resolved" recommendation in Defender for Cloud, my company wants to prevent this rec from effecting our security score, but without setting an exemption for the rec itself so that we can still analyze the reported data.
We utilize our own in-house developed system to monitor these vulnerabilities against our actual running images, and we are utilizing the Graph API to pull that data in from the Defender for Cloud recommendation. This has been working perfectly, until we set a Disable Rule on the recommendation itself. Now anything that falls under the Disable Rule is not being picked up by the query, and therefore not delivered to our in-house tool.
We are using an edited version of the "Query returning security findings" to bring in our results as follows:
(as a note, this can also be reproduced using the built in "Query returning security findings", not necessary to use my custom query below to reproduce)
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
| where assessmentKey == "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"
| where properties.status.code == "Unhealthy"
| extend cveId = tostring(properties.additionalData.vulnerabilityDetails.cveId),
severity = tostring(properties.additionalData.vulnerabilityDetails.severity),
additionalData=tostring(properties.additionalData),
subAssessmentDescription=tostring(properties.description)
| where severity in ("High", "Critical", "Medium", "Low", "Unknown")
This will pull in all of the Active vulnerabilities, but won't touch the Disabled ones. For example if one were to set a Disable Rule for High Severity, once that applies to the recommendation, you will no longer see Medium and below when the query is run even in Graph Explorer.
I feel like there is something I am missing to trigger the query to also aggregate the Disabled findings for our evaluation outside of Azure. I have been searching for literal days and I am just not finding in any of the reference materials, nor through CoPilot, how to reference both the Active and Disabled recommendations in such a case.
Any ideas out there?
I found my own answer, precisely what I was looking to do does not seem possible.
I found that when there is a Disable Rule, the affected resources are cleared out from the vulnerability details, and I am using a query above that is using the affected resources as a primary data point.
Can't believe that got by me. Back to the drawing board.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "[The question author cannot accept their own answer. They can only accept answers by others] (https://docs.microsoft.com/en-us/answers/support/accepted-answers#why-only-one-accepted-answer)**)", I'll repost your solution in case you'd like to "[Accept] (https://docs.microsoft.com/en-us/answers/support/accepted-answers#accepted-answer-in-a-question-thread)**)" the answer.
Issue: How to retrieve both Active and Disabled Vulnerabilities from Azure Defender for Cloud using Graph Query?
Solution: When there is a disabled Rule, the affected resources are cleared out from the vulnerability details, and the query that you are using above in your question, that is using the affected resources as a primary data point.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.