
Automating Vulnerability Data Extraction from MS Defender for Endpoint using Azure DevOps

Simplifying Vulnerability Data Extraction with Azure DevOps

Managing vulnerabilities is a core part of any security program, and Microsoft Defender for Endpoint gives you solid tooling for discovering and analysing them across your estate. Reporting is still a weak spot, though. If you want to see only the vulnerabilities published in your environment over a specific period, say the last 24 hours, the portal has no view for it. To get that data you need to query the Defender API programmatically.

In this blog post, we’ll take you through the process of using Azure DevOps Pipelines to automate the extraction of vulnerability data from Defender using PowerShell. This automation simplifies the process and allows you to focus on what’s most important: securing your environment.

Step 1: Register an Azure AD Application

First things first, you need to register an application in Azure AD and, under API permissions, grant it access to the Defender for Endpoint API (listed as WindowsDefenderATP). The relevant permissions are:

  • Vulnerability.Read (delegated; only needed when a signed-in user runs the query)
  • Vulnerability.Read.All (application; this is the one an unattended pipeline uses, because it authenticates as the app itself with a client secret)

Grant admin consent after adding them, or token requests will succeed while the API calls return 403.

Make sure to obtain the following information from the application:

  • Tenant ID
  • Application (client) ID
  • Secret Value (shown only once at creation; copy it straight into the Key Vault the pipeline will read from, and give it an expiry you will actually rotate before)

Step 2: Prepare Your PowerShell Script

We’ll be using PowerShell to call the Defender API and fetch data for our specific use case – new vulnerabilities published in the previous 24 hours. The script takes the application secret as a -defenderkey parameter, which is how the pipeline hands it in later. You can obtain the PowerShell script here.
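The script linked above is not reproduced on this page, so the following is an added example written for this post, not the author’s script. It authenticates with client credentials against the Defender for Endpoint API, asks the vulnerabilities endpoint for CVEs published in the last N hours, and writes Outputs.csv. The -TenantId and -ClientId parameters are an assumption (the original may embed those values); the OData filter on publishedOn and the @odata.nextLink paging loop follow the documented API, while the column list is just the set a triage team usually wants.

```powershell
<#
Added example, not the script linked from the original post.
Assumes: the client secret arrives in -defenderkey (matching the pipeline argument),
and tenant/client IDs are passed in as parameters rather than hard-coded.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$defenderkey,  # app secret, from Key Vault via the pipeline
    [Parameter(Mandatory = $true)][string]$TenantId,     # assumption: supplied by the pipeline
    [Parameter(Mandatory = $true)][string]$ClientId,     # assumption: supplied by the pipeline
    [int]$HoursBack = 24,
    [string]$OutputPath = 'Outputs.csv'
)

$ErrorActionPreference = 'Stop'   # any HTTP or parse error fails the pipeline step instead of producing an empty CSV

# 1. App-only token (client credentials) scoped to the Defender for Endpoint API.
$tokenUri  = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$tokenBody = @{
    client_id     = $ClientId
    client_secret = $defenderkey
    scope         = 'https://api.securitycenter.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
$token   = (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $tokenBody `
               -ContentType 'application/x-www-form-urlencoded').access_token
$headers = @{ Authorization = "Bearer $token" }

# 2. OData filter for the publication window. The query string is single-quoted so
#    PowerShell does not try to expand "$filter" as a variable.
$since  = (Get-Date).ToUniversalTime().AddHours(-$HoursBack).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = [System.Uri]::EscapeDataString("publishedOn ge $since")
$uri    = 'https://api.securitycenter.microsoft.com/api/vulnerabilities?$filter=' + $filter

# 3. Follow @odata.nextLink until the API stops returning one (a single page for a 24h window).
$rows = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    if ($page.value) { $rows += $page.value }
    $uri = $page.'@odata.nextLink'
}

# 4. Keep the columns that matter for triage; exploit availability comes straight from the API.
$selected = @($rows | Select-Object id, name, severity, cvssV3, exposedMachines, publicExploit, publishedOn, updatedOn)

if ($selected.Count -eq 0) {
    # Export-Csv writes no file for empty input, which would make the Publish Artifact
    # task fail. A header-only CSV makes "nothing new today" an explicit, downloadable result.
    Set-Content -Path $OutputPath -Value 'id,name,severity,cvssV3,exposedMachines,publicExploit,publishedOn,updatedOn'
} else {
    $selected | Sort-Object cvssV3 -Descending | Export-Csv -Path $OutputPath -NoTypeInformation
}
Write-Host "Wrote $($selected.Count) vulnerabilities published since $since to $OutputPath"
```

Two things worth keeping when you adapt this: leave $ErrorActionPreference at Stop so an expired secret or revoked consent shows up as a red pipeline run rather than a silent empty report, and resist the temptation to hard-code the secret as a default parameter value, since the script lives in a repo that more people can read than can read the Key Vault.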

Step 3: Configure Your Azure DevOps Pipeline

While you can run the PowerShell script from any machine, for the sake of automation and resource efficiency, it’s better to avoid dedicating a machine for this task. Instead, we’ll leverage an Azure DevOps pipeline to run the script regularly.

  1. Begin by creating an Azure Repo under your Azure DevOps Project.
  2. Commit the PowerShell script to the repository.
  3. Navigate to Pipelines and create a new pipeline.
    • Use the classic editor.
    • Select the Project, Repository, and Branch where the script is stored.
  4. Choose ‘Empty Job’ as your pipeline template.
  5. Under ‘Agent job 1’, click the ‘+’ sign to add tasks.
  6. In the ‘Add tasks’ pane, search for ‘Azure Key Vault’:
    • Enter a display name.
    • Select your Azure Subscription (the service connection behind it needs a Key Vault access policy or RBAC role that allows it to read secrets).
    • Choose the Key Vault where the application secret is stored.
    • For the secret filter, name only the secret this job needs (for example “defenderkey”). A “*” filter works, but it maps every secret in the vault into the job as a variable, which is more than this pipeline should be able to see.
  7. Again, under ‘Agent job 1’, add another task. Search for ‘PowerShell’:
    • Enter a display name of your choice.
    • Choose ‘File Path’ as the script type.
    • In the ‘Script Path’ field, enter the script filename (e.g., “pullVulnerabilityDataDefender.ps1”).
    • Set the ‘Arguments’ field to -defenderkey "$(defenderkey)". The variable name is the Key Vault secret name, and because the task registers it as a secret variable its value is masked in the build logs.
  8. Once more, under ‘Agent job 1’, add a task to ‘Publish Pipeline Artifact’:
    • Enter a display name.
    • Set ‘File or directory path to publish’ to the CSV the script writes.
    • In ‘Artifact Name’, input “Outputs.csv”.
    • Choose ‘Azure Pipelines’ as the ‘Artifact Publish Location’.
  9. Finally, open the ‘Triggers’ tab and add a scheduled trigger (for example once a day). Without one the pipeline only runs when someone queues it by hand, and the script’s 24-hour window assumes a daily cadence.
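The same pipeline expressed as an azure-pipelines.yml, added here as an example rather than taken from the post (the post uses the classic editor). The service connection name, Key Vault name and the tenantId/clientId pipeline variables are placeholders; the -TenantId and -ClientId arguments assume the script accepts them, so drop them if yours embeds those values.

```yaml
# Added example: YAML equivalent of the classic pipeline described above.
# Placeholders: my-defender-sc (service connection), my-secops-kv (Key Vault),
# tenantId / clientId (non-secret pipeline variables). Not from the original post.
trigger: none               # never run on commit; this is a scheduled report

schedules:
- cron: "0 6 * * *"         # 06:00 UTC daily, matching the script's 24-hour window
  displayName: Daily Defender vulnerability pull
  branches:
    include:
    - main
  always: true              # run even if the repo has not changed

pool:
  vmImage: windows-latest

steps:
- task: AzureKeyVault@2
  displayName: Fetch Defender app secret
  inputs:
    azureSubscription: 'my-defender-sc'
    KeyVaultName: 'my-secops-kv'
    SecretsFilter: 'defenderkey'   # only this secret, not '*'
    RunAsPreJob: false

- task: PowerShell@2
  displayName: Query Defender for new vulnerabilities
  inputs:
    targetType: filePath
    filePath: 'pullVulnerabilityDataDefender.ps1'
    arguments: '-defenderkey "$(defenderkey)" -TenantId "$(tenantId)" -ClientId "$(clientId)"'

- task: PublishPipelineArtifact@1
  displayName: Publish Outputs.csv
  inputs:
    targetPath: '$(System.DefaultWorkingDirectory)/Outputs.csv'
    artifact: 'Outputs.csv'
    publishLocation: 'pipeline'
```

Keeping the pipeline definition in the same repo as the script puts both under code review, so a change that widens the SecretsFilter or points the Key Vault task at a different vault is visible in a diff rather than buried in the classic editor’s history.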

With these steps, you’ve set up an Azure DevOps pipeline that extracts vulnerability data from Defender on a schedule, so the list of newly published vulnerabilities in your environment lands in an artifact every day without anyone running a script by hand.

Collecting the Artifact

Once your pipeline runs, it will generate an artifact named “Outputs.csv.” To collect the artifact, follow these steps:

  1. Navigate to your Azure DevOps project.
  2. Go to Pipelines and select the specific pipeline that you set up.
  3. Under the ‘Summary’ section, click on the pipeline run that you’re interested in.
  4. In the pipeline run details, you’ll find published artifacts under the ‘Related’ section.
  5. Click on ‘Outputs.csv’ to download the artifact to your local machine.


Happy automating! 🚀

This post is licensed under CC BY 4.0 by the author.