Azure-Sentinel/DataConnectors/M365Defender-VulnerabilityManagement

Microsoft Defender Vulnerability Management Sentinel Data Connector

Author: Alex Anders

This custom data connector uses a Function App to pull Microsoft Defender Vulnerability Management (MDVM) data from the M365 Defender API and ingests into the selected Log Analytics workspace via the Azure Monitor DCR API. Public NIST CVE information is also ingested to enrich the MDVM data. A custom workbook is also included to visualize the data. Six custom tables are created in the workspace:

• MDVMCVEKB_CL - MDVM CVE knowledge base.
• MDVMNISTCVEKB_CL - NIST CVE knowledge base
• MDVMNISTConfigurations_CL - NIST CVE knowledge base: known vulnerable software configurations.
• MDVMRecommendations_CL - MDVM recommendations.
• MDVMSecureConfigurationsByDevice_CL - Secure configuration assessment details for each device.
• MDVMVulnerabilitiesByDevice_CL - Vulnerability assessment details for each device.

• Release Notes
• Pre-requisites
• Deployment Process
• Workbook Screenshots

Pre-requisites

1. An Azure Subscription
2. An Azure Sentinel/Log Analytics workspace
3. Permissions required to deploy resources:
   • Owner permissions on the target resource group.
   • Log Analytics Contributor or higher permissions on the destination Log Analytics workspace.
4. Permissions required for assigning the needed permissions post deployment:
   • Global Admin or Application Administrator privileges on Defender Azure AD tenant. This is to give the solution access to the Defender API.
   • Owner or User Access Administrator access to subscriptions containing Virtual Machines or Arc Server resources. This is to provide the solution reader access.

Deployment Process

1. Deploy Azure Resources

1. Click the Deploy to Azure button above.
2. Once in the Azure Portal, select the Subscription and Resource Group to deploy the resources into.
3. Populate the required Log Analytics Workspace ID and Location parameters. Modify the default parameters as needed but most users can leave these alone.
4. Click Review and Create.
5. Click Create.
6. When the deployment has completed, grab the UserAssignedManagedIdentityPrincipalId and UserAssignedManagedIdentityPrincipalName values from the deployment Outputs section. These will be used in the next step.

2. Assign Needed Permissions

After the resources have been deployed, we need to assign the appropriate M365 Defender API and Azure permissions to the newly created User Assigned Managed Identity by doing the following:

1. From a PowerShell prompt, connect to Azure via Connect-AzAccount -TenantId [The Tenant ID your Defender instance resides in.] with an account that has the Global Admin or Application Administrator role assigned. Then, run the following PowerShell commands:

#UserAssignedManagedIdentityPrincipalId value Copied from step 1.6 above. INSERT THE VALUE BETWEEN THE SINGLE QUOTES BELOW.
$managedIdentityPrincipalId = '' 
$permissions = "SecurityRecommendation.Read.All", "Vulnerability.Read.All"

#Lookup Resource and App Roles (permissions).
$resource =  Get-AzADServicePrincipal -Filter "DisplayName eq 'WindowsDefenderATP'"
$appRoles = $resource.AppRole | Where-Object Value -in $permissions

#Assign App Roles to Managed Identity.
foreach ($appRole in $appRoles) {
    $body = @{
        principalId = $ManagedIdentityPrincipalId
        resourceId = $resource.Id
        appRoleId = $appRole.id
    }
    (Invoke-AzRestMethod -Method POST -Uri ("https://graph.microsoft.com/v1.0/servicePrincipals/" + $resource.Id + "/appRoleAssignedTo") -Payload (ConvertTo-Json $body)).Content | ConvertFrom-Json
}

2. Create a custom role to limit the level of access to only read VM's and Arc Servers. Do this by:

   1. Navigate to the appropriate management group/subscription in the Azure portal.
   2. Select the Access Control (IAM) menu.
   3. Select Add => Custom role
   4. Give the custom role a unique name within the tenant.
   5. Select the JSON tab, and replace the Actions section with the below:

      "actions": [
                 "Microsoft.Compute/*/read",
                 "Microsoft.HybridCompute/*/read"
             ],
      

   6. Complete the custom role creation by selecting the Review + Create tab, and then clicking Create.

3. Assign the User Assigned Managed Identity access to all management groups/subscriptions that contain Virtual Machine or Arc Server resources. Do this by:

   1. Navigate to the appropriate management group/subscription in the Azure portal.
   2. Select Add => Add Role Assignment.
   3. Select the Custom Role that was created in the previous step and click Next.
   4. Select Managed Identity, Select Members, and search for the User Assigned Managed Identity created during the deployment. The name was capture in step 6 above.
   5. Click Next, then Review and Assign.

3. Run Function App

The Function App is configured to run daily at 12:00 AM UTC. You can either wait for the next scheduled run or you can force a run by performing the following:

1. Open the newly deployed Function App in the Azure Portal.
2. Select the GetMDVMData Function in the Overview section.
3. Select Code and Test.
4. Select Test/Run. Note: You will have to add https://portal.azure.com as an allowed CORS origin via the main Function App menu option (Under the API section). Also, if you deployed using private networking, you will either need to have connectivity to the private endpoint (and add the additional CORS origins as mentioned here), or temporarily remove network access restrictions.
5. Select Run.

After a successful run, you should see data populated in the MDVM* custom tables.

Workbook Screenshots