Query Details

CVE Check With Software Evidence

Query

let CVEsToCheck = dynamic(["CVE-2023-21779","CVE-2021-44228","CVE-2024-21404"]);
DeviceTvmSoftwareVulnerabilities
| where CveId has_any(CVEsToCheck)
| join kind=leftouter DeviceTvmSoftwareEvidenceBeta on DeviceId,SoftwareName
| summarize count() by DeviceName, CveId, VulnerabilitySeverityLevel, SoftwareName, tostring(DiskPaths)

Explanation

This query is designed to analyze software vulnerabilities on devices by checking for specific Common Vulnerabilities and Exposures (CVEs). Here's a simplified breakdown:

  1. Define CVEs to Check: It starts by listing specific CVEs that need to be checked, namely "CVE-2023-21779", "CVE-2021-44228", and "CVE-2024-21404".

  2. Filter Vulnerabilities: It looks into the DeviceTvmSoftwareVulnerabilities table to find records whose CveId matches any of the specified CVEs.

  3. Join with Evidence Data: It performs a left outer join with another table, DeviceTvmSoftwareEvidenceBeta, to gather additional information about where the software was observed on the devices (its DiskPaths). The join matches on DeviceId and SoftwareName; because it is a left outer join, vulnerability records with no matching evidence row are kept, with the evidence columns left empty.

  4. Summarize Results: Finally, it summarizes the data by counting the joined rows for each combination of DeviceName, CveId, VulnerabilitySeverityLevel, SoftwareName, and DiskPaths. DiskPaths is a dynamic array, so it is converted with tostring() to make it usable as a grouping key. This provides a concise view of how many times each CVE appears on each device, along with the severity level and software details.

In essence, the query is used to identify and summarize the presence and details of specific software vulnerabilities across devices.
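As an added example (not part of the original query or its author's work), the same join with the left-outer gaps made explicit: vulnerability rows that matched no evidence row come back with empty right-side columns, so this variant labels them instead of counting them as evidence. It assumes only the two tables and the columns the original query already uses.

```kql
// Added example: same tables and columns as the original query above.
let CVEsToCheck = dynamic(["CVE-2023-21779","CVE-2021-44228","CVE-2024-21404"]);
DeviceTvmSoftwareVulnerabilities
| where CveId has_any (CVEsToCheck)
| join kind=leftouter (
    DeviceTvmSoftwareEvidenceBeta
    | project DeviceId, SoftwareName, DiskPaths
  ) on DeviceId, SoftwareName
// After a leftouter join the right-side key columns are returned as DeviceId1 / SoftwareName1.
// They are empty when no evidence row matched, i.e. the row is vulnerability-only.
| extend EvidenceFound = isnotempty(DeviceId1)
| summarize
    EvidenceRows = countif(EvidenceFound),
    DiskPathSets = make_set_if(tostring(DiskPaths), EvidenceFound)
  by DeviceName, CveId, VulnerabilitySeverityLevel, SoftwareName
// Triage label so that "no evidence" is visible rather than hidden in a count of 1.
| extend Triage = case(
    EvidenceRows == 0, "Vulnerable per TVM, no evidence row - verify install manually",
    EvidenceRows > 1,  "Multiple evidence rows - several installs or paths",
    "Single evidence row")
| order by DeviceName asc, CveId asc
```

In the original query, a device with no evidence row still produces one summarized row with an empty DiskPaths value and count 1, so the count reflects joined evidence rows, not independent detections.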

Details


Jay Kerai

Released: November 11, 2024

Tables

DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareEvidenceBeta

Keywords

DeviceTvmSoftwareVulnerabilities, EvidenceBeta, DeviceId, SoftwareName, DeviceName, CveId, VulnerabilitySeverityLevel, DiskPaths

Operators

let, dynamic, has_any, join, kind=leftouter, on, summarize, count(), by, tostring
