In this project, a script automatically retrieves all relevant and important information about vulnerabilities detected by Microsoft Defender, as well as the affected servers (with data from your own Asset Management). Only servers that are onboarded will be displayed. Once the data is collected, it undergoes processing and organization to ensure that it is presented in a clear and comprehensible manner.
The goal of this script is to create a Planner task for each affected server owner. These tasks will include all relevant details about the vulnerabilities, ensuring that the server owner has all the necessary information. This approach optimizes the workflow, ensuring that no vulnerabilities are overlooked and that every server owner is informed.
There is a second (& better) script that groups the vulnerabilities on the same server.
Additionally, another script is being developed to delete the old, closed tasks to prevent surpassing the 9k tasks per plan limit by Microsoft)!
Change Log
Version Date
Information
2.5 17/6/26
Reworks for SVN, additional features and working up to SVN 3.0 🚧 Changes for "svn.ps1":
Migrated the tables from Azure SQL Server to Azure Log Analytics Custom Tables. This is major improvement to the query due to the removal of the datatable() function and removal of batched requests to the Advanced Hunting API and a pre-cautionary change due to SQL Data Sync going end-of-life.
Improved the CVE-Grouping per Server. Now instead of 14 CVEs (with each CVE linked as attachment) there is one link to the vulnerability database (NIST). Additionally the vulnerabilities are grouped by Software, which up tp 5 of them are grouped in a Task. So per task there are 5 softwares with their version and then 30 CVEs listed. This change reduces the count of total tasks created.
We created a PowerBI-Dashboard for a better overall overview following the change above (We'll share a How-To soon).
Another improvement following the changes on grouping is that we added each software as an item in the checklist to improve trackability among teams & teammembers.
Added the possibility to add static excludes for special use cases such as lab servers. Initially the excludes were by SoftwareVendor, SoftwareName and SoftwareVendor. Now added the option to create exludes based on CVE and DiskPaths (Folders such as C:/Temp/MySoftware ) - documentation for that is coming soon
Added a check on last full scan. This to improve the wrong notifications due to old data in MDE tables.
Reworked the PowerShell module (docu is coming too):
2.0 19/7/25
Major reworks for SVN and additional features 🚧 Changes for "svn.ps1":
Vulnerabilities are now retrieved in batches of 50 (or more servers). Because while we were going into the production stage with the initial script, we quickly noticed that the "datatable" method for imports in KQL only could handle 10k excludes (or just entries). Now the excludes & vulnerabilities can be retrieved in batches of 200 servers
Now the oldest vulnerability decides in which Bucket the Planner Task lands.
Now the Task receives a tag based on which team owns / runs the server.
More information is now being logged to the Azure SQL Table: dateAdded
1.0 4/4/25
First public release of SVN 🎉 Uploaded the "svn.ps1" script with these features:
Retrieving Server Vulnerabilities from Defender based on these conditions:
Server exists in the imported asset management
The serverowner hasn't received a notification for the vulnerability
Vulnerability Grouping (for vulns. on the same server)
Serverowner "calculation" with the asset management (+ additional fallback)
Planner Task Creation:
Format Planner Task Description
Set Priority based on CVSS Score
Add Links to internal knowledge databse & NIST CVE Pages
Add processed vulnerabilities to the Azure SQL Table for the future exludes
Additionally, there was a second script which does basically the same but uses a Storage Account Blob (only note that there are no "excludes")!!:
Released the first version of the SVN PowerShell Module with the following functions:
Invoke-DefenderATPQuery : Makes an API Request to the Defender Advanced Threat Protection Portal with the given KQL query
Convert-TableToKQLString : Converts the entries from the SQL Table to KQL-importable format (datatable)
New-VulnerabilityNotification : Handles the given vulnerabilities and creates a Planner Task with the function New-MgPlannerTaskWithDescription and adds the links with the function Add-PlannerTaskLink