Edit

Share via


Review the software inventory

The Defender for Servers plan in Microsoft Defender for Cloud provides vulnerability scanning using Microsoft Defender Vulnerability Management. Microsoft Defender for Endpoint and Defender Vulnerability Management are integrated natively into Defender for Cloud.

The software inventory feature, provided by Defender Vulnerability Management, shows a list of known software in your organization, with security information about discovered applications.

  • Defender for Cloud shows the integrated software inventory on the Inventory page, summarizing software running on resources connected to Defender for Cloud.
  • You can query the Defender for Cloud inventory using Azure Resource Graph (ARG) to query and retrieve data at scale. For deep custom insights, you can use also use KQL to query the inventory.

This article explains how to review the software inventory.

Prerequisites

To see the software inventory, one of these paid plans must be enabled.

If software that isn't supported appears in the inventory, only limited data will be available.

Review the software inventory

  1. In Defender for Cloud, select Inventory.

  2. If prerequisites are in place, the Installed applications filter shows you a list of software deployed in the environment.

  3. In Value, filter for a specific app.

    Resources connected to Defender for Cloud and running those apps are displayed. Blank options show machines where Defender for Servers/Defender for Endpoint isn't available.

Query the software inventory

In addition to the predefined filters, you can explore the software inventory data from Azure Resource Graph Explorer.

  1. Select Azure Resource Graph Explorer.

    Screenshot showing launch of Azure Resource Graph Explorer** recommendation page.

  2. Select the following subscription scope: securityresources/softwareinventories

  3. Use one of the following query examples, or customize/write your own.

  4. Select Run query.

Query examples

To generate a basic list of installed software:

securityresources
| where type == "microsoft.security/softwareinventories"
| project id, Vendor=properties.vendor, Software=properties.softwareName, Version=properties.version

To filter by version numbers:

securityresources
| where type == "microsoft.security/softwareinventories"
| project id, Vendor=properties.vendor, Software=properties.softwareName, Version=tostring(properties.    version)
| where Software=="windows_server_2019" and parse_version(Version)<=parse_version("10.0.17763.1999")

To find machines with a combination of software products:

securityresources
| where type == "microsoft.security/softwareinventories"
| extend vmId = properties.azureVmId
| where properties.softwareName == "apache_http_server" or properties.softwareName == "mysql"
| summarize count() by tostring(vmId)
| where count_ > 1

To combine a software product with another security recommendation:

(In this example – machines having MySQL installed and exposed management ports)

securityresources
| where type == "microsoft.security/softwareinventories"
| extend vmId = tolower(properties.azureVmId)
| where properties.softwareName == "mysql"
| join (
    securityresources
| where type == "microsoft.security/assessments"
| where properties.displayName == "Management ports should be closed on your virtual machines" and properties.status.code == "Unhealthy"
| extend vmId = tolower(properties.resourceDetails.Id)
) on vmId

Export the inventory

  1. To save filtered inventory in CSV form, select Download CSV report.
  2. To save a query in Resource Graph Explorer, select Open a query. When you're ready to save a query, select Save as and in Save query, specific a query name and description, and whether the query is private or shared.