Exporting Software Evidence for Vulnerabilities in Microsoft Defender for Cloud

Somsak Rittem 0 Reputation points
2025-02-26T02:47:57.8866667+00:00

Hi Everyone,

I have a question about Microsoft Defender for Cloud. In the "Machines should have vulnerability findings resolved" section, I can see vulnerabilities affecting various resources. I’ve successfully generated a report listing the affected resources, but I’m struggling to retrieve the Software Evidence (e.g., file paths like C:/Program Files/7-Zip or registry key paths). Currently, I have to check each resource individually to gather this information.

Is there a way to export the software evidence for all affected resources at once? Any guidance would be greatly appreciated!

Thanks!

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

1 answer

  1. Stanislav Zhelyazkov 26,361 Reputation points MVP
    2025-02-28T07:20:48.5933333+00:00

    Hi,

    I am not sure if the file path is something available in Defender for Cloud but overall if this is data that is gathered you can retrieve it with Azure Resource Graph query:

    securityresources
    | where type == "microsoft.security/assessments/subassessments"
    | where id startswith "/subscriptions/<REPLACE with your subscription ID>"
    | where tostring(properties.id) != ""
    | extend severity=(// SubassessmentsQueryBuilder.columnDefinitions.severity
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.status.severity), dynamic(null)))
    | extend severitySort = iff(severity == "Critical", 4, iff(severity == "High", 3, iff(severity == "Medium", 2, iff(severity == "Low", 1, 0))))
    | extend assessmentKey=(// SubassessmentsQueryBuilder.columnDefinitions.assessmentKey
        iff(type == "microsoft.security/assessments/subassessments", tostring(split(tostring(split(id, "/providers/Microsoft.Security/assessments/", 1)[0]), "/", 0)[0]), dynamic(null))),
      subAssessmentId=(// SubassessmentsQueryBuilder.columnDefinitions.id
        iff(type == "microsoft.security/assessments/subassessments", id, dynamic(null)))
    | extend subAssessmentName=(// SubassessmentsQueryBuilder.columnDefinitions.displayName
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.displayName), dynamic(null))),
      description=(// SubassessmentsQueryBuilder.columnDefinitions.description
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.description), dynamic(null))),
      remediation=(// SubassessmentsQueryBuilder.columnDefinitions.remediation
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.remediation), dynamic(null))),
      category=(// SubassessmentsQueryBuilder.columnDefinitions.category
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.category), dynamic(null))),
      impact=(// SubassessmentsQueryBuilder.columnDefinitions.impact
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.impact), dynamic(null))),
      status=(// SubassessmentsQueryBuilder.columnDefinitions.statusCode
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.status.code), dynamic(null))),
      cause=(// SubassessmentsQueryBuilder.columnDefinitions.statusCause
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.status.cause), dynamic(null))),
      statusDescription=(// SubassessmentsQueryBuilder.columnDefinitions.statusDescription
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.status.description), dynamic(null))),
      resourceDetails=(// SubassessmentsQueryBuilder.columnDefinitions.resourceDetails
        iff(type == "microsoft.security/assessments/subassessments", tostring(properties.resourceDetails), dynamic(null))),
      timeGenerated=(// SubassessmentsQueryBuilder.columnDefinitions.timeGenerated
        iff(type == "microsoft.security/assessments/subassessments", todatetime(properties.timeGenerated), dynamic(null))),
      vulnerabilityType = tostring(properties.additionalData.type),
      patchable = properties.additionalData.patchable,
      publishedTime = properties.additionalData.publishedTime,
      cvssList = properties.additionalData.cvss,
      cveArray = properties.additionalData.cve,
      additionalData = properties.additionalData,
      vendorReferences = properties.additionalData.vendorReferences,
      propertyId = properties.id
    | project severitySort, category, resourceDetails, subAssessmentId, subAssessmentName, description, remediation, severity, status, vulnerabilityType, patchable, publishedTime, cvssList, cveArray, vendorReferences, timeGenerated, impact, additionalData, cause, statusDescription, propertyId
    | summarize severitySort=any(severitySort), category=any(category), resourceDetails=any(resourceDetails), description=any(description), subAssessmentName=any(subAssessmentName), remediation=any(remediation), severity=any(severity), status=any(status), vulnerabilityType=any(vulnerabilityType),
        patchable=any(patchable), publishedTime=any(publishedTime), cvssList=any(cvssList), vendorReferences=any(vendorReferences), propertyId=any(propertyId), timeGenerated=any(timeGenerated), impact=any(impact), additionalData=any(additionalData), cause=any(cause), statusDescription=any(statusDescription) by subAssessmentId
    | sort by severitySort desc

    You will have to add your subscription ID in the query, as gathering data for multiple subscriptions, if you have a lot of resources, might result in an error. If you do not have a lot of resources, you might try removing that line. When you execute the query, you can click on one of the results at the end of the row: "See details". There, under software details, you will find more information like the name of the software and the version. A similar query is available when you check the recommendation and click on Open query -> Query returning security findings.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

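To get the software details into one spreadsheet instead of opening "See details" on every row, the following added example (not code from this thread, from Microsoft, or from Defender for Cloud) flattens the JSON that `az graph query -q "<the securityresources query above>" -o json` returns into CSV, one row per sub-assessment. Every nested field of `additionalData` becomes its own column, so whatever evidence the assessment exposes (software name, version, file or registry paths) is exported alongside the CVE list. The sample response and the key names used under `additionalData` (`softwareDetails`, `evidence`) are constructed for illustration and are not the documented schema; the flattener does not depend on them and will emit whatever keys a real response carries.

```python
"""Flatten Azure Resource Graph sub-assessment rows into a CSV of software evidence.

Added example. Assumes the input is the JSON printed by
`az graph query -q "<kql>" -o json`: an object whose "data" key holds one row
per sub-assessment, each row shaped by the query's `project`/`summarize`.
"""
import csv
import io
import json
import sys
from typing import Any

# Constructed sample response. Resource identifiers are placeholders and the
# keys under additionalData are assumed for illustration, not a documented schema.
SAMPLE_RESPONSE = json.dumps({
    "count": 2,
    "data": [
        {
            "subAssessmentId": "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm01/providers/Microsoft.Security/assessments/<ASSESSMENT-KEY>/subAssessments/<SUB-ID-1>",
            "subAssessmentName": "Example finding A",
            "severity": "High",
            "status": "Unhealthy",
            "additionalData": {
                "type": "ServerVulnerability",
                "cve": [{"title": "CVE-YYYY-NNNNN"}],
                "softwareDetails": {"name": "ExampleApp", "version": "1.0.0"},
                "evidence": ["C:\\Program Files\\ExampleApp"],
            },
        },
        {
            "subAssessmentId": "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm02/providers/Microsoft.Security/assessments/<ASSESSMENT-KEY>/subAssessments/<SUB-ID-2>",
            "subAssessmentName": "Example finding B",
            "severity": "Medium",
            "status": "Unhealthy",
            "additionalData": {
                "type": "ServerVulnerability",
                "cve": [{"title": "CVE-YYYY-MMMMM"}, {"title": "CVE-YYYY-PPPPP"}],
                "softwareDetails": {"name": "OtherTool", "version": "2.3"},
                "evidence": ["HKLM\\SOFTWARE\\OtherTool", "C:\\Tools\\OtherTool"],
            },
        },
    ],
})


def flatten(value: Any, prefix: str = "") -> dict[str, str]:
    """Recursively flatten nested JSON into dotted-key -> string columns.

    Dicts become "parent.child" keys, lists of objects become "key[i].child",
    and lists of scalars are joined with "; " so one finding stays one CSV row.
    """
    out: dict[str, str] = {}
    if isinstance(value, dict):
        for key, item in value.items():
            out.update(flatten(item, f"{prefix}.{key}" if prefix else key))
    elif isinstance(value, list):
        if all(not isinstance(item, (dict, list)) for item in value):
            out[prefix] = "; ".join("" if item is None else str(item) for item in value)
        else:
            for index, item in enumerate(value):
                out.update(flatten(item, f"{prefix}[{index}]"))
    else:
        out[prefix] = "" if value is None else str(value)
    return out


def export_software_evidence(response_json: str) -> list[dict[str, str]]:
    """Parse an `az graph query` JSON response and flatten every row in its data array."""
    parsed = json.loads(response_json)
    rows = parsed["data"] if isinstance(parsed, dict) else parsed  # accept a bare list too
    return [flatten(row) for row in rows]


def rows_to_csv(rows: list[dict[str, str]]) -> str:
    """Render flattened rows as CSV; columns are the union of all keys in first-seen order."""
    columns: list[str] = []
    seen: set[str] = set()
    for row in rows:
        for key in row:
            if key not in seen:
                seen.add(key)
                columns.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python export_evidence.py [response.json]; defaults to the constructed sample.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    print(rows_to_csv(export_software_evidence(source)))
```

Resource Graph returns a bounded number of rows per request, so for a large tenant page the query with `az graph query --first` and `--skip-token`, concatenate the `data` arrays, and flatten the combined list. Because columns are the union of keys across all rows, findings whose `additionalData` lacks a field simply get an empty cell rather than breaking the export.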
