Help to Defender XDR – KQL to Detection rule for Vulnerability Notification
The query essentially functions as part of a monitoring process, designed to identify and summarize a list of vulnerable applications within a set time frame—particularly, events recorded in the current month. When I try to convert this rule to run as a detection rule, I get the error “Can’t save detection rule”. Can someone help me understand how I can fix the issue?
// Date - 05-05-2024 - Helps to automate daily vulnerability notification alerts to be logged to servicedesk via emails (until Defender Product gets native feature)
let Timestamp = now();
let ReportId = toint(rand() * 100000000);
DeviceTvmSoftwareVulnerabilities
| extend OSFamily = case(
    OSPlatform in ("Windows10", "Windows11", "Windows10wVD"), "Desktop",
    OSPlatform in ("WindowsServer2012R2", "WindowsServer2016", "WindowsServer2019", "WindowsServer2022"), "Server",
    "Other")
| where OSFamily != "Other" // Only processing Desktops and Servers
| where DeviceName != "" and DeviceName != " " // Exclude blank and space-only DeviceNames
| summarize
    DesktopDeviceNameList = make_list(iif(OSFamily == "Desktop", DeviceName, "")),
    ServerDeviceNameList = make_list(iif(OSFamily == "Server", DeviceName, "")),
    DetailedDeviceList = make_list(bag_pack("DeviceName", DeviceName, "DeviceId", DeviceId, "OSPlatform", OSPlatform)),
    take_any(SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate) by CveId
| lookup DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where startofmonth(PublishedDate) == startofmonth(now())
| project Timestamp, ReportId, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, DesktopDeviceNameList, ServerDeviceNameList, DetailedDeviceList, PublishedDate, LastModifiedTime, VulnerabilityDescription, AffectedSoftware
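The following is an added example, not the poster's query and not a Microsoft-supplied rule. A Defender XDR custom detection requires its result set to carry a Timestamp and a ReportId column plus an entity identifier such as DeviceId, and the DeviceTvm* tables have neither Timestamp nor ReportId of their own. The example below keeps the same "CVEs published this month on Desktop or Server devices" scope but borrows Timestamp and ReportId from each device's latest DeviceInfo record (the 7-day lookback and the one-row-per-device-per-CVE shape are assumptions for illustration) instead of synthesizing them with `let`.

```kql
// Added example (not the original poster's query). Gives a DeviceTvm-based
// report the Timestamp / ReportId / DeviceId columns a custom detection expects,
// by joining each device's most recent DeviceInfo record (assumed 7d lookback).
let LatestDeviceInfo = DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, ReportId) by DeviceId;
// CVEs published in the current month, with the KB metadata the report needs.
let ThisMonthCves = DeviceTvmSoftwareVulnerabilitiesKB
    | where startofmonth(PublishedDate) == startofmonth(now())
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate, LastModifiedTime,
              VulnerabilityDescription, AffectedSoftware;
DeviceTvmSoftwareVulnerabilities
| extend OSFamily = case(
    OSPlatform in ("Windows10", "Windows11", "Windows10wVD"), "Desktop",
    OSPlatform in ("WindowsServer2012R2", "WindowsServer2016", "WindowsServer2019", "WindowsServer2022"), "Server",
    "Other")
| where OSFamily != "Other"                                   // Desktops and Servers only
| where isnotempty(DeviceName) and DeviceName != " "          // drop blank / space-only names
| join kind=inner ThisMonthCves on CveId                      // keep only this month's CVEs
| join kind=inner LatestDeviceInfo on DeviceId                // supply Timestamp and ReportId
| project Timestamp, ReportId, DeviceId, DeviceName, OSFamily, CveId,
          VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable,
          SoftwareName, SoftwareVersion, RecommendedSecurityUpdate,
          PublishedDate, LastModifiedTime, VulnerabilityDescription, AffectedSoftware
```

Each output row is one device affected by one CVE, which is the granularity at which the rule can attach a device entity and run response actions; the per-CVE device lists from the original query are better produced by the downstream email or ticketing step than inside the detection itself. Devices with no DeviceInfo record in the lookback window are dropped by the inner join, so widen `ago(7d)` if the report must also cover machines that have been offline longer.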