Has anyone tried to create a dashboard based on a Defender XDR advanced hunting query?
I have this query that I want to create some kind of view of on a dashboard. I know I need to do some tweaking on the query in SquaredUp:
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
| summarize
    DeviceCount = dcount(DeviceName),
    Devices = make_set(DeviceName)
    by CveId
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore = todouble(CvssScore),
        CvssVector = VulnerabilityDescription, // or specific field for vector if available
        ExploitAvailable = IsExploitAvailable,
        PublishedDate
) on CveId
| order by CvssScore desc, DeviceCount desc
But I can't seem to get any result at all, not even by just running
DeviceTvmSoftwareVulnerabilities
I have tried to run the KQL both in Log Analytics and Resource Graph, but I still don't get any result; in advanced hunting in the security portal I do.
I am pretty sure the data I am querying is Sentinel data stored in Log Analytics.
Ok, I got a little bit wiser.
Apparently some tables are only available in advanced hunting.
So I guess what I am actually looking for is some kind of connector to the Defender XDR platform, with the possibility to run advanced hunting queries.
@JanLDam have you tried using the recent ‘Data Explorer KQL Query’ data stream in the Azure plugin? It runs a KQL query against an ADX cluster’s database, which I believe is used by XDR. This may be a long shot but worth trying. Either way, let me know how it goes.
I needed to give the app registration some extended rights to Graph Explorer, in permissions.
And after fiddling around with the Data Source setup and the query method, I got what I needed.
If anyone else runs into the same, just let me know, and I will share a more detailed version of my setup, how I got it to work and what I am using it for.
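As an added example, not code from the thread or from SquaredUp: the DeviceTvm* tables live in the Defender XDR advanced hunting store, not in the Log Analytics workspace, so the route to them from an app registration is the Microsoft Graph security API endpoint POST /security/runHuntingQuery, which needs the admin-consented application permission ThreatHunting.Read.All. The script below obtains a client-credentials token, submits the thread's query (straight quotes, since KQL rejects typographic ones), and flattens the response into rows a dashboard can render. The environment variable names, the hypothetical CVE ids and the sample response are constructed for the example; the Graph endpoint, request body fields and response shape (schema plus results) are the documented API.

```python
"""Run a Defender XDR advanced hunting query via the Microsoft Graph
security API and flatten the result rows for a dashboard tile."""
import json
import os
import urllib.parse
import urllib.request

# The query from the thread, with straight quotes.
CRITICAL_VULNS_QUERY = """
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
| summarize DeviceCount = dcount(DeviceName), Devices = make_set(DeviceName) by CveId
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore = todouble(CvssScore), IsExploitAvailable, PublishedDate
) on CveId
| order by CvssScore desc, DeviceCount desc
"""

GRAPH_HUNT_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials flow. The app registration needs the *application*
    permission ThreatHunting.Read.All (admin consent) for runHuntingQuery."""
    data = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(TOKEN_URL.format(tenant=tenant_id), data=data) as resp:
        return json.load(resp)["access_token"]


def build_request(query, timespan="P7D"):
    """Body for POST /security/runHuntingQuery; Timespan is an ISO 8601 duration."""
    return {"Query": query.strip(), "Timespan": timespan}


def run_hunting_query(token, query, timespan="P7D"):
    """Submit the query and return the parsed JSON response."""
    req = urllib.request.Request(
        GRAPH_HUNT_URL,
        data=json.dumps(build_request(query, timespan)).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def flatten_results(payload):
    """Turn the Graph response ({"schema": [...], "results": [...]}) into flat
    rows: make_set() arrays become comma-joined strings, columns missing on
    the leftouter side stay None, numeric columns keep their type."""
    columns = [c["name"] for c in payload.get("schema", [])]
    rows = []
    for record in payload.get("results", []):
        row = {}
        for col in columns:
            value = record.get(col)
            if isinstance(value, list):
                value = ", ".join(str(x) for x in value)
            row[col] = value
        rows.append(row)
    return rows


# Constructed sample response (placeholder CVE ids, no real tenant data),
# in the shape Graph returns.
SAMPLE_RESPONSE = {
    "schema": [
        {"name": "CveId", "type": "String"},
        {"name": "DeviceCount", "type": "Int64"},
        {"name": "Devices", "type": "Object"},
        {"name": "CvssScore", "type": "Double"},
        {"name": "IsExploitAvailable", "type": "Boolean"},
    ],
    "results": [
        {"CveId": "CVE-0000-00001", "DeviceCount": 2,
         "Devices": ["host-a", "host-b"], "CvssScore": 9.8, "IsExploitAvailable": True},
        {"CveId": "CVE-0000-00002", "DeviceCount": 1,
         "Devices": ["host-c"], "CvssScore": None, "IsExploitAvailable": None},
    ],
}

if __name__ == "__main__":
    # Assumed variable names; without a secret, fall back to the sample response.
    if os.environ.get("AZURE_CLIENT_SECRET"):
        token = get_token(os.environ["AZURE_TENANT_ID"],
                          os.environ["AZURE_CLIENT_ID"],
                          os.environ["AZURE_CLIENT_SECRET"])
        payload = run_hunting_query(token, CRITICAL_VULNS_QUERY)
    else:
        payload = SAMPLE_RESPONSE
    for row in flatten_results(payload):
        print(row)
```

The second sample row shows why the join is leftouter: a CVE with no KB entry still appears, with CvssScore and IsExploitAvailable as None, and the flattening keeps that rather than dropping the row.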