Defender for cloud - Recommendations > Remediate Security configurations > Machines should...

Contributor

I have implemented Continuous export in order to utilize the Secure Score over time workbook. Which shows some great information.  there is a section for Top recommendations and the first one on our list is "Machines should be configured securely"  I would like to export the Unhealthy count along with the server name and their remediation efforts.   What is the best way to get this done?  I have tried to use a kql query but I'm not advanced enough to get the needed information.  

Please advise,

Serge

5 Replies

@snteran 

Hello! You've posted your question in the Tech Community Discussion space, which is intended for discussion around the Tech Community website itself, not product questions. I'm moving your question to the Microsoft Defender for Cloud space - please post Microsoft Defender for Cloud questions here in the future. 

Thank you for your question.
This recommendation is actually telling you that you have machines with active vulnerabilities as you can find here:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference
For this particular scenario we have a dedicated workbook "Vulnerability Assessment Findings" that you may find useful. If you still need a KQL query, you can edit beforementioned workbook and find appropriate query there, e.q.:

securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(".*assessments/(.+?)/.*",1, id)
| where assessmentKey == "1195afff-c881-495e-9bc5-1486211ae03f"
| extend VulId = tostring(properties.id), Severity = tostring(properties.status.severity), Status = tostring(properties.status.code)
| where Status == 'Unhealthy'
| summarize Count = dcount(VulId) by Severity
Thanks, I'll make sure to review the workbook.

I'm still unable to find a great way to export all the items listed under the "Remediate security configurations".

 

image.png

 

 

 

 

 

 

Hopefully there is someone who has figured out a query to help export them all so we can break them out by OS and then prioritize.  The next question is to find a way to exempt/suppress the findings moving forward.

For example, one of the findings to to "Enable" windows firewall but this is not needed, so we need to exempt or disable this finding.

Appreciate any assistance,

Serge

Think I found what I was looking for:

SecurityBaseline
| where (BaselineType =~ 'WindowsOS' or BaselineType =~ 'Windows OS' or BaselineType =~ 'Linux' or BaselineType =~ 'Oms.Linux' or BaselineType =~ 'Web' or (isempty(BaselineType) and isnotempty(TimeGenerated)))
| where AnalyzeResult == "Failed"
| summarize arg_max(TimeGenerated, *) by SourceComputerId, Computer, BaselineRuleId, RuleSeverity, BaselineRuleType
www.000webhost.com