Vulnerability Scanning in Microsoft Defender For Server
Microsoft Defender For Server is one of the features of Microsoft Defender For Cloud, it aims to protect your servers on cloud, one of the features it provides is to discover vulnerabilities in software installed in your servers. In this article, we will cover the compatibility, types of vulnerability scanners, installation and how to view these vulnerabilities.
Microsoft Defender For Server applies to mainstream operating systems of servers that are created by us explicitly. In other words, Servers that are created by other Azure services, e.g. servers from Azure Kubernetes Service, servers from Azure Databricks.
Types of vulnerability scanners
For Microsoft Defender For Servers, Microsoft offers 2 types of vulnerability scanners, one is from Qualys, another one is developed by Microsoft.
After the evaluation, I think that the one developed by Microsoft is better and discuss about this scanner in the rest of this article.
There are 2 areas that Microsoft scanner outperforms Qualys’s scanner.
Second, Microsoft’s scanner discovers non-patchable vulnerabilities while Qualys’s scanner doesn’t.
To use the Microsoft’s scanner, you need to install Microsoft Defender For Endpoint (MDE) which is a endpoint detection and response solution (EDR) that comes with Microsoft Defender For Server.
First, navigate to "Machines should have a vulnerability assessment solution" recommendation. It checks whether vulnerability scanning is enabled for your machines or not.
Second, pick a machine which doesn’t install MDE to proceed the installation & click "fix" button at the bottom.
Third, choose the preferred scanner. The first 2 scanners come with Microsoft Defender For Server with no extra cost. The comparison between these 2 scanners is in next section.
View the vulnerabilities
View the vulnerabilities In Microsoft Defender For Cloud Portal
After the installation, the scanners will detect the vulnerabilities in your servers. You can view these vulnerabilities in the Microsoft Defender For Cloud Portal.
Although it is pretty GUI to view all vulnerabilities, it hides lots of information that are also detected by the scanners, e.g. whether the vulnerability is public exploitable, whether the vulnerability is used in public exploitable kit.
View the vulnerabilities In Azure Resource Graph Explorer
Here, you can see when the vulnerability is detected. Also, you can see detail of each vulnerability which are important for you to prioritize the patching.
- Is the vulnerability zero-day or not?
- Is the vulnerability public exploitable?
- Is the vulnerability being used in public exploitable kit?
Here’s a query I created to expand all vulnerabilities & get all relevant information.
securityresources | where type =~ "microsoft.security/assessments/subassessments" | extend assessmentKey=extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id), subAssessmentId=tostring(properties.id), parentResourceId= extract("(.+)/providers/Microsoft.Security", 1, id), additionalData=tostring(properties.additionalData), status=tostring(properties.status.code) | where assessmentKey == "1195afff-c881-495e-9bc5-1486211ae03f" | where status == "Unhealthy" | extend resourceId = tostring(properties.resourceDetails.id) | extend subAssessmentName=tostring(properties.displayName), severity=tostring(properties.status.severity), timeGenerated=tostring(properties.timeGenerated) | project subscriptionId, resourceGroup, resourceId,Recommendation=subAssessmentName, properties | extend cve=properties.additionalData.cve, source=properties.additionalData.source | project-away properties | mv-expand cve | extend CVE=cve["title"], severity=cve.severity, hasPublicExploit=cve.hasPublicExploit, isExploitInKit=cve.isExploitInKit, cvssScore=cve.cvssScore, isZeroDay=cve.isZeroDay, description=cve.description | where source=="Microsoft threat and vulnerability management" | extend vm=split(resourceId, "/")[-1] | project subscriptionId, resourceGroup, vm, CVE, description, severity, cvssScore, hasPublicExploit, isExploitInKit, isZeroDay
For the sake of convenience, you can also save this query such that you can open the query next time & use it to query the vulnerability again.
By using Microsoft Defender For Server, we can find all vulnerabilities on all of our servers. With Azure Resource Graph Explorer, we can get more information from the vulnerabilities result.