How to Vulnerability reports to notify users

Tommy Pool 1 Reputation point


I was hoping to find a little help with something.

In our 365 Defender portal - under Endpoints - Vulnerability Management - Recommendations, we get recommendations to update certain software and applications that are vulnerable to CVEs. If you go to one of the software update recommendations, it'll list the devices that are in need of the update. Those devices will also detail which user commonly logs on to that device. (Typically in our business, it'll be whoever that device is assigned to.)

When certain stuff is out of date, we (admins) get prompted to manage that. I look at the list of exposed devices, see which user logs into each one, and then message that user via Teams to notify them that said software is in need of an update.

This can sometimes leave a huge admin task when you work in a business of 100+ users. Is there a way we can get 365 to notify the users, much like it notifies the admin, when they're in need of updating something? This would vastly improve our quality of life and give so much time back.

Whilst we do make use of package managers, sometimes it's not advised to go ahead and just update whatever, as we have developers working on tasks and software updates can be detrimental to their work (therefore we have a policy of a two-week window to update). With this in mind, we ask the users to maintain the software they have installed on their device.

Microsoft Defender for Cloud

2 answers

  1. Crystal-MSFT 44,851 Reputation points Microsoft Vendor

    @Tommy Pool , From your description, it seems you want to know if it can notify users in the Microsoft Defender for Endpoint report. As we are not familiar with it, we are not sure. But you can contact Microsoft Defender for Endpoint support to help on it.

    Thanks for the understanding.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. Andrew Blumhardt 9,676 Reputation points Microsoft Employee

    Technically this may be possible. Logic Apps have a connector for MDE that includes running an advanced hunting query. There is also a connector for log analytics if you are streaming AH logs to Sentinel. Assuming you could create the necessary KQL query, the rest could be fairly simple.

    Here is a sample query as an example/starting point. Keep in mind that this includes all recent logged on users.

    // Source table inferred from the projected columns (the original post omitted it).
    DeviceTvmSoftwareVulnerabilities
    // kind=inner keeps every vulnerability row per device; the default (innerunique)
    // would keep only one left-side row per DeviceId.
    | join kind=inner DeviceInfo on DeviceId
    | where Timestamp >= ago(7d)
    | where LoggedOnUsers != "[]"
    // Latest DeviceInfo snapshot per device *and* per finding, so findings are not collapsed to one row per device.
    | summarize arg_max(Timestamp, *) by DeviceId, CveId, SoftwareName, SoftwareVersion
    | project Timestamp, DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, LoggedOnUsers

    1 person found this answer helpful.
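Building on that starting point, here is an added example (not from the original answer) that turns the device-level result into one row per user, which is the shape a Logic App loop would need to send each person their own Teams message. It assumes the MDE advanced hunting schema (DeviceTvmSoftwareVulnerabilities, DeviceInfo) and that LoggedOnUsers is a JSON array of objects with UserName and DomainName fields; the 7-day lookback and the High/Critical filter are choices, not requirements.

```kql
// Added example, not the original answer's query.
// Goal: one row per logged-on user listing the vulnerable software on their devices.
let lookback = 7d;
// Latest device snapshot, then one row per user found in LoggedOnUsers.
// Assumption: LoggedOnUsers elements look like {"UserName": "...", "DomainName": "..."}.
let DeviceUsers = DeviceInfo
    | where Timestamp >= ago(lookback)
    | where isnotempty(LoggedOnUsers) and LoggedOnUsers != "[]"
    | summarize arg_max(Timestamp, LoggedOnUsers) by DeviceId
    | mv-expand User = todynamic(LoggedOnUsers)
    | extend UserName = tostring(User.UserName), DomainName = tostring(User.DomainName)
    | where isnotempty(UserName)
    // DeviceName is taken from the vulnerability table below, so it is not projected here
    // (keeping it would produce a DeviceName1 column after the join).
    | project DeviceId, UserName, DomainName;
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("High", "Critical")
| where isnotempty(RecommendedSecurityUpdate)
// kind=inner keeps every finding; the default innerunique would drop rows per DeviceId.
| join kind=inner DeviceUsers on DeviceId
| summarize
    CveCount = dcount(CveId),
    Devices = make_set(DeviceName),
    Software = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion)),
    Updates = make_set(RecommendedSecurityUpdate)
    by UserName, DomainName
| order by CveCount desc
```

Each output row carries the user identity plus the Software and Updates sets, which is enough for a Logic App "For each" over the query results to compose the per-user message that is currently written by hand.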