Evaluate vulnerability scans from Microsoft Defender for Server


When your vulnerability assessment tool reports vulnerabilities to Defender for Cloud, Defender for Cloud presents the findings as recommendations. Each finding also carries supporting information such as remediation steps, relevant CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific VM.

View findings from the scans of your virtual machines

To view vulnerability assessment findings (from all of your configured scanners) and remediate identified vulnerabilities:

  1. From Defender for Cloud's menu, open the Recommendations page.

  2. Select the recommendation Machines should have vulnerability findings resolved.

    • Defender for Cloud shows you all the findings for all VMs in the currently selected subscriptions. The findings are ordered by severity.
  3. To filter the findings by a specific VM, open the "Affected resources" section and select the VM that interests you. Alternatively, select a VM from the resource health view to see all relevant recommendations for that resource.

    • Defender for Cloud shows the findings for that VM, ordered by severity.
  4. To learn more about a specific vulnerability, select it.

    • The details pane that appears contains extensive information about the vulnerability, including:

      • Links to all relevant CVEs (where available)
      • Remediation steps
      • Any additional reference pages
  5. To remediate a finding, follow the remediation steps from this details pane.

Disable specific findings

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.

When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios include:

  • Disable findings with severity below medium
  • Disable findings that are non-patchable
  • Disable findings with CVSS score below 6.5
  • Disable findings with specific text in the security check or category (for example, “RedHat”, “CentOS Security Update for sudo”)

Important

To create a rule, you need permissions to edit a policy in Azure Policy.

To create a rule

  1. From the recommendations detail page for Machines should have vulnerability findings resolved, select Disable rule.

  2. Select the relevant scope.

  3. Define your criteria. You can use any of the following criteria:

    • Finding ID
    • Category
    • Security check
    • CVSS scores (v2, v3)
    • Severity
    • Patchable status
  4. Select Apply rule.

    Important

    Changes might take up to 24 hours to take effect.

  5. To view, override, or delete a rule:

    • Select Disable rule.
    • From the scope list, subscriptions with active rules show as Rule applied.
    • To view or delete the rule, select the ellipsis menu ("...").
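As an added example (not code from the Defender for Cloud documentation), the following Python models how the disable-rule criteria above (severity, CVSS v2/v3, patchable status, and text in the security check or category) would be evaluated against a set of constructed findings. The field names, the AND semantics within a single rule, and the choice to keep unscored findings visible are assumptions, not the service's actual behaviour.

```python
# Added example, not from the Defender for Cloud docs: evaluating disable-rule
# criteria (finding ID, category, security check, CVSS v2/v3, severity, patchable)
# against constructed findings. Field names and rule semantics are assumptions.
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    {"id": "openssl-2023", "category": "RedHat", "check": "RedHat Security Update for openssl",
     "severity": "high", "patchable": True, "cvss_v3": 7.5, "cvss_v2": 6.8},
    {"id": "sudo-2021", "category": "CentOS", "check": "CentOS Security Update for sudo",
     "severity": "critical", "patchable": True, "cvss_v3": 9.8, "cvss_v2": None},
    {"id": "kernel-info", "category": "Ubuntu", "check": "Ubuntu kernel information leak",
     "severity": "low", "patchable": True, "cvss_v3": 3.1, "cvss_v2": None},
    {"id": "eol-os", "category": "Ubuntu", "check": "End of life operating system",
     "severity": "medium", "patchable": False, "cvss_v3": None, "cvss_v2": None},
]

@dataclass
class DisableRule:
    below_severity: Optional[str] = None  # hide findings rated below this severity
    below_cvss: Optional[float] = None    # hide findings whose CVSS is below this
    non_patchable: bool = False           # hide findings that cannot be patched
    text: tuple = ()                      # hide if a phrase appears in check/category

    def matches(self, f: dict) -> bool:
        # Every criterion set on the rule must hold (AND); one rule expresses one scenario.
        if self.below_severity and SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[self.below_severity]:
            return False
        score = f["cvss_v3"] if f["cvss_v3"] is not None else f["cvss_v2"]  # prefer v3
        if self.below_cvss is not None and (score is None or score >= self.below_cvss):
            return False  # an unscored finding stays visible: never hide unknown risk
        if self.non_patchable and f["patchable"]:
            return False
        if self.text and not any(t.lower() in f"{f['category']} {f['check']}".lower() for t in self.text):
            return False
        return True

def disabled_ids(findings, rules) -> set:
    """IDs hidden by at least one rule; everything else stays in the findings list."""
    return {f["id"] for f in findings if any(r.matches(f) for r in rules)}

TYPICAL_RULES = [  # the four scenarios from the text, one rule each
    DisableRule(below_severity="medium"), DisableRule(non_patchable=True),
    DisableRule(below_cvss=6.5), DisableRule(text=("CentOS Security Update for sudo",)),
]
```

Running the four typical rules over the sample set hides the low-severity, non-patchable and sudo findings and leaves the high-severity openssl finding in the list; the finding with no CVSS score is not hidden by the score threshold alone.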

Export the results

To export vulnerability assessment results, you'll need to use Azure Resource Graph (ARG). This tool provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.