How can I retrieve both Active and Disabled Vulnerabilities from Azure Defender for Cloud using Graph Query?

Brian Korzen 0 Reputation points
2024-11-14T19:48:45.8733333+00:00

Working with the "Azure registry container images should have vulnerabilities resolved" recommendation in Defender for Cloud, my company wants to prevent this rec from effecting our security score, but without setting an exemption for the rec itself so that we can still analyze the reported data.

We utilize our own in-house developed system to monitor these vulnerabilities against our actual running images, and we are utilizing the Graph API to pull that data in from the Defender for Cloud recommendation. This has been working perfectly, until we set a Disable Rule on the recommendation itself. Now anything that falls under the Disable Rule is not being picked up by the query, and therefore not delivered to our in-house tool.

We are using an edited version of the "Query returning security findings" to bring in our results as follows:

(as a note, this can also be reproduced using the built in "Query returning security findings", not necessary to use my custom query below to reproduce)

securityresources 
        | where type =~ "microsoft.security/assessments/subassessments"
        | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
        | where assessmentKey == "c0b7cfc6-3172-465a-b378-53c7ff2cc0d5"
        | where properties.status.code == "Unhealthy"
        | extend cveId = tostring(properties.additionalData.vulnerabilityDetails.cveId),
                severity = tostring(properties.additionalData.vulnerabilityDetails.severity),
                additionalData=tostring(properties.additionalData),
                subAssessmentDescription=tostring(properties.description)
        | where severity  in ("High", "Critical", "Medium", "Low", "Unknown")
		

This will pull in all of the Active vulnerabilities, but won't touch the Disabled ones. For example if one were to set a Disable Rule for High Severity, once that applies to the recommendation, you will no longer see Medium and below when the query is run even in Graph Explorer.

I feel like there is something I am missing to trigger the query to also aggregate the Disabled findings for our evaluation outside of Azure. I have been searching for literal days and I am just not finding in any of the reference materials, nor through CoPilot, how to reference both the Active and Disabled recommendations in such a case.

Any ideas out there?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,370 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,422 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Brian Korzen 0 Reputation points
    2024-11-15T00:11:15.6633333+00:00

    I found my own answer, precisely what I was looking to do does not seem possible.

    I found that when there is a Disable Rule, the affected resources are cleared out from the vulnerability details, and I am using a query above that is using the affected resources as a primary data point.

    Can't believe that got by me. Back to the drawing board.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.