Edit

Review the software inventory

The Defender for Servers plan in Microsoft Defender for Cloud provides vulnerability scanning using Microsoft Defender Vulnerability Management. Microsoft Defender for Endpoint and Defender Vulnerability Management are integrated natively into Defender for Cloud.

The software inventory feature, provided by Defender Vulnerability Management, shows a list of known software in your organization, with security information about discovered applications.

  • Defender for Cloud shows the integrated software inventory on the Inventory page, summarizing software running on resources connected to Defender for Cloud.
  • To query and retrieve inventory data at scale, use Azure Resource Graph (ARG). For deep custom insights, use Kusto Query Language (KQL).

This article explains how to review the software inventory.

Prerequisites

To see the software inventory, enable one of these paid plans.

Note

If software that isn't supported appears in the inventory, only limited data is available.

Review the software inventory

  1. In Defender for Cloud, select Inventory.

  2. If prerequisites are in place, the Installed applications filter shows you a list of software deployed in the environment.

  3. In Value, filter for a specific app.

    Resources connected to Defender for Cloud and running those apps are displayed. Blank options show machines where Defender for Servers/Defender for Endpoint isn't available.

Query the software inventory

In addition to the predefined filters, you can explore the software inventory data from Azure Resource Graph Explorer.

  1. Select Azure Resource Graph Explorer.

    Screenshot showing Azure Resource Graph Explorer opened in the Azure portal.

  2. Select the following subscription scope: securityresources/softwareinventories

  3. Use one of the following query examples, customize one, or write your own.

  4. Select Run query.

Query examples

To generate a basic list of installed software:

securityresources
| where type == "microsoft.security/softwareinventories"
| project id, Vendor=properties.vendor, Software=properties.softwareName, Version=properties.version

To filter by version numbers:

securityresources
| where type == "microsoft.security/softwareinventories"
| project id, Vendor=properties.vendor, Software=properties.softwareName, Version=tostring(properties.version)
| where Software=="windows_server_2019" and parse_version(Version)<=parse_version("10.0.17763.1999")

To find machines with a combination of software products:

securityresources
| where type == "microsoft.security/softwareinventories"
| extend vmId = properties.azureVmId
| where properties.softwareName == "apache_http_server" or properties.softwareName == "mysql"
| summarize count() by tostring(vmId)
| where count_ > 1

To combine a software product with another security recommendation:

(For example, machines that have MySQL installed and exposed management ports)

securityresources
| where type == "microsoft.security/softwareinventories"
| extend vmId = tolower(properties.azureVmId)
| where properties.softwareName == "mysql"
| join (
    securityresources
| where type == "microsoft.security/assessments"
| where properties.displayName == "Management ports should be closed on your virtual machines" and properties.status.code == "Unhealthy"
| extend vmId = tolower(properties.resourceDetails.Id)
) on vmId

Export the inventory

  1. To save filtered inventory in CSV form, select Download CSV report.
  2. To save a query in Resource Graph Explorer, select Open a query. When you're ready to save a query, select Save as and in Save query, specify a query name and description, and whether the query is private or shared.

Next step