Query Details

CVE-2025-22224 (CVSS 9.3 CRITICAL) Internet Facing VMware Server Discovery

Query

// CVE-2025-22224 (CVSS 9.3 CRITICAL) Internet facing VMware server discovery
// https://www.bleepingcomputer.com/news/security/over-37-000-vmware-esxi-servers-vulnerable-to-ongoing-attacks/
// Step 1: devices that Defender for Endpoint has marked as internet facing and
// that report a public IP address
let InternetFacing =
    DeviceInfo
    | where IsInternetFacing == true and isnotempty(PublicIP)
    | distinct DeviceId;
// Step 2: devices that ran the VMware Tools daemon (vmtoolsd.exe on Windows,
// vmtoolsd on Linux) in the last 30 days, i.e. guest VMs on a VMware hypervisor.
// Step 3: keep only the internet-facing ones. "in" is an exact match against the
// DeviceId list; it is applied before the summarize so the aggregation only runs
// over the rows of interest.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName has "vmtoolsd"
| where DeviceId in (InternetFacing)
| summarize arg_max(Timestamp, *) by DeviceId
| project Timestamp, DeviceId, DeviceName, FileName, FolderPath, ProcessCommandLine

Explanation

This query finds internet-facing devices that are VMware guest virtual machines, which is the population to triage for CVE-2025-22224. That CVE is a TOCTOU flaw in the VMCI component of ESXi and Workstation that leads to an out-of-bounds write; an attacker with local administrative privileges inside a guest can use it to execute code as the guest's VMX process on the hypervisor. The query runs against the Microsoft Defender for Endpoint advanced hunting tables DeviceInfo and DeviceProcessEvents. Here's a breakdown of what it does:

  1. Identify Internet-Facing Devices:

    • It first looks at the DeviceInfo table for devices that Defender has flagged as reachable from the internet (IsInternetFacing == true) and that report a public IP address (isnotempty(PublicIP)).
    • It then reduces that set to a list of unique device identifiers (DeviceId), stored in the InternetFacing variable.
  2. Check for the VMware Tools Process:

    • The query then examines DeviceProcessEvents for events from the last 30 days (Timestamp > ago(30d)) whose file name contains the term "vmtoolsd" (FileName has "vmtoolsd"). This is the VMware Tools daemon: vmtoolsd.exe on Windows guests, vmtoolsd on Linux guests running VMware Tools or open-vm-tools. It only runs inside a guest VM, so a hit tells you the device is hosted on a VMware hypervisor; it says nothing about that hypervisor's patch level.
    • It summarizes these events to the most recent one per device (arg_max(Timestamp, *)), so each guest appears once with its latest "vmtoolsd" execution.
  3. Filter for Internet-Facing Devices:

    • The results are restricted to DeviceIds that appear in the InternetFacing list from step 1. The exact-match operator for this membership test is in; has_any does term matching and only happens to work here because a DeviceId is a single term.

In summary, the query lists internet-facing devices that have run "vmtoolsd" in the last 30 days, i.e. internet-exposed VMware guests. Those are the machines an attacker would first have to compromise to reach the hypervisor through CVE-2025-22224, so treat the output as a triage list: for each hit, identify the ESXi or Workstation host it runs on and confirm that host carries the fixed build from Broadcom advisory VMSA-2025-0004. The query cannot by itself tell whether a hypervisor is vulnerable or already patched, and it will miss guests on which VMware Tools is not installed.
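As an added example that is not part of the original query or its explanation, the following KQL carries the same three steps through to a triage view: it joins each vmtoolsd hit back to DeviceInfo so every row shows the device name, public IP, OS and the VMware Tools version recorded in the process's version info. DeviceInfo, DeviceProcessEvents and the columns OSPlatform, OSVersion, FolderPath and ProcessVersionInfoProductVersion are standard Defender for Endpoint advanced hunting schema; the LookBack variable and the renamed output columns (LastSeen, ToolsVersion, ToolsPath, Executions) are this example's own.

```kql
// Added example (not the original page's query): triage view of internet-facing
// VMware guests for CVE-2025-22224. LookBack and the output column names are
// assumptions of this example; the table and column names are standard schema.
let LookBack = 30d;
// Latest DeviceInfo row per internet-facing device, keeping the fields an
// analyst needs to locate the guest and its hypervisor.
let InternetFacing =
    DeviceInfo
    | where Timestamp > ago(LookBack)
    | where IsInternetFacing == true and isnotempty(PublicIP)
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, DeviceName, OSPlatform, OSVersion, PublicIP;
// Single-column list for the membership test below.
let InternetFacingIds =
    InternetFacing
    | distinct DeviceId;
DeviceProcessEvents
| where Timestamp > ago(LookBack)
| where FileName has "vmtoolsd"
| where DeviceId in (InternetFacingIds)
// Latest vmtoolsd execution per guest plus how often it ran in the window.
// ProcessVersionInfoProductVersion is filled from the PE version resource on
// Windows guests and is usually empty for Linux binaries.
| summarize arg_max(Timestamp, FolderPath, ProcessVersionInfoProductVersion),
            Executions = count()
            by DeviceId
| project-rename LastSeen = Timestamp,
                 ToolsPath = FolderPath,
                 ToolsVersion = ProcessVersionInfoProductVersion
// Enrich with the DeviceInfo fields; the right-hand DeviceId becomes DeviceId1
// after the join and is dropped by the final project.
| join kind=inner InternetFacing on DeviceId
| project LastSeen, DeviceId, DeviceName, PublicIP, OSPlatform, OSVersion,
          ToolsVersion, ToolsPath, Executions
| sort by LastSeen desc
```

Each output row is one internet-exposed guest; the public IP and OS tell you what an attacker would see, and the Tools version and path help confirm the guest really is a VMware VM rather than a machine with a stray vmtoolsd binary. The hypervisor build still has to be checked separately.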

Details

Steven Lim

Released: March 7, 2025

Tables

DeviceInfo, DeviceProcessEvents

Keywords

DeviceInfo, DeviceProcessEvents, Timestamp, FileName, DeviceId, PublicIP

Operators

let, |, where, ==, and, isnotempty, distinct, >, ago, has, summarize, arg_max, by, has_any