question

TommyPool-7800 asked Crystal-MSFT edited

How to Vulnerability reports to notify users

Hello,

I was hoping to find a little help with something.

In our 365 Defender portal - under Endpoints - Vulnerability Management - Recommendations, we get recommendations to update certain software and applications that are vulnerable to CVEs. If you go to one of the software update recommendations, it'll list the devices that are in need of the update. Those devices will also detail which user commonly logs on to that device. (Typically in our business, it'll be whoever that device is assigned to.)

When certain stuff is out of date, we (admins) get prompted to manage that. I look at the list of exposed devices and see who is the user that logs into it; I then message that user via Teams to notify them that said software is in need of an update.

This can sometimes leave a huge admin task when you work in a business of 100+ users. Is there a way we can get 365 to notify the users, much like it notifies the admin, when they're in need of updating something? This will vastly improve our quality of life and give so much time back.

Whilst we do make use of package managers, sometimes it's not advised to go ahead and just update whatever as we have developers working on tasks and software updates can be detrimental towards their work (therefore we have a policy of a two-week window to update). With this in mind - we ask the users to maintain the software they have installed on their device.


azure-security-center

@TommyPool-7800
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


Hello all,

Apologies for my long-winded description and for my long-awaited response. I've been away for the bank holiday weekend and I have not yet picked this back up.

Thank you all for your advice. I will continue to seek if this configuration is possible!

Many thanks,
Tommy.

Crystal-MSFT answered

@TommyPool-7800, from your description, it seems you want to know if it can notify users in the Microsoft Defender for Endpoint report. As we are not familiar with it, we are not sure. But you can contact Microsoft Defender for Endpoint support for help with it.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/contact-support?view=o365-worldwide

Thanks for the understanding.


AndrewBlumhardt-1137 answered

Technically this may be possible. Logic Apps have a connector for MDE that includes running an advanced hunting query. There is also a connector for Log Analytics if you are streaming AH logs to Sentinel. Assuming you could create the necessary KQL query, the rest could be fairly simple.

Here is a sample query as an example/starting point. Keep in mind that this includes all recent logged on users.

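DeviceTvmSoftwareVulnerabilities
// kind=inner keeps every vulnerability row; the default join kind (innerunique) keeps only one row per DeviceId
| join kind=inner (
    // most recent DeviceInfo record per device in the last 7 days that lists logged-on users
    DeviceInfo
    | where Timestamp >= ago(7d)
    | where LoggedOnUsers != "[]"
    | summarize arg_max(Timestamp, LoggedOnUsers) by DeviceId
) on DeviceId
| project Timestamp, DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, LoggedOnUsers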
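
An added example, not part of the original answers: a variant of the query above that expands LoggedOnUsers and returns one row per user, so a Logic App can loop over the rows and send one message each. It assumes LoggedOnUsers is a JSON array of objects with a UserName property; the column names User, UserName, CveCount, Item, Devices and UpdatesNeeded are introduced here, and resolving the account name to a Teams or mail address is left to the workflow.

```kusto
// Added example: one row per user, listing the software to update on each of their devices.
// Assumption: LoggedOnUsers is a JSON array of objects that carry a UserName property.
DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    // most recent DeviceInfo record per device in the last 7 days that lists logged-on users
    DeviceInfo
    | where Timestamp >= ago(7d)
    | where LoggedOnUsers != "[]"
    | summarize arg_max(Timestamp, LoggedOnUsers) by DeviceId
) on DeviceId
// one row per (vulnerability, logged-on user) pair
| mv-expand User = parse_json(LoggedOnUsers)
| extend UserName = tostring(User.UserName)
| where isnotempty(UserName)
// collapse the per-CVE rows into one line per software package on a device
| summarize CveCount = dcount(CveId)
    by UserName, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion
| extend Item = strcat(DeviceName, ": ", SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion,
    " (", CveCount, " CVEs)")
// final shape: one row per user with everything they are asked to update
| summarize Devices = make_set(DeviceName), UpdatesNeeded = make_list(Item) by UserName
| order by UserName asc
```

Shared or service accounts that appear in LoggedOnUsers will get a row too, so filter them out before the notification step.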
