Query Details
```kql
// CVE-2025-4664 Chrome flaw with public exploit
// https://www.bleepingcomputer.com/news/security/cisa-tags-recently-patched-chrome-bug-as-actively-exploited-zero-day/
// https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoProductName == "Google Chrome"
| where ProcessVersionInfoProductVersion != "136.0.7103.114"
// Newest Chrome process event per device. Timestamp is used consistently here;
// in Microsoft Sentinel the table also exposes TimeGenerated with the same meaning.
| summarize arg_max(Timestamp, *) by DeviceId
| summarize VulnerableVersionCount=count() by ProcessVersionInfoProductVersion
| sort by VulnerableVersionCount desc
```
This KQL (Kusto Query Language) query is designed to identify devices running a vulnerable version of Google Chrome that is susceptible to a specific security flaw (CVE-2025-4664). Here's a simplified explanation of what the query does:
Data Source: It looks at DeviceProcessEvents, which contains information about processes running on devices.
Time Filter: It filters the data to include only events from the last 30 days.
Product Filter: It focuses specifically on processes related to "Google Chrome".
Version Filter: It excludes the Chrome version "136.0.7103.114", which is presumably the patched version that is not vulnerable to the flaw.
Latest Event per Device: For each device, it selects the most recent event (using arg_max) to ensure it captures the latest version of Chrome running on that device.
Count Vulnerable Versions: It counts how many devices are running each vulnerable version of Chrome.
Sort Results: Finally, it sorts the results in descending order based on the number of devices running each vulnerable version, highlighting which versions are most prevalent among the devices.
In summary, this query identifies and counts devices running outdated and vulnerable versions of Google Chrome, excluding the latest patched version, and sorts them to show which versions are most commonly found.
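The same hunt reworked as an added example (it is not the query above or the author's code) to address two points a defender would want covered: the newest event per device is taken before the version is judged, so a device that already updated inside the 30-day window is not reported from its older event, and the version is compared numerically with parse_version instead of excluding one exact string, so builds newer than 136.0.7103.114 are not counted as vulnerable. It assumes the Defender XDR / Microsoft Sentinel DeviceProcessEvents schema; FixedBuild, VulnerableDeviceCount, Devices and LastSeen are names chosen for this example.

```kql
// Added example, not the page's original query.
// Assumption: 136.0.7103.114 (taken from the query above) is the first fixed build.
let FixedBuild = "136.0.7103.114";
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessVersionInfoProductName == "Google Chrome"
| where isnotempty(ProcessVersionInfoProductVersion)
// 1. Keep only the most recent Chrome execution per device BEFORE filtering on
//    version, so a device that has since updated drops out of the results.
| summarize arg_max(Timestamp, *) by DeviceId
// 2. Numeric version comparison: anything older than the fixed build is flagged,
//    anything equal or newer is not.
| where parse_version(ProcessVersionInfoProductVersion) < parse_version(FixedBuild)
| summarize VulnerableDeviceCount = count(),
            Devices = make_set(DeviceName, 50),
            LastSeen = max(Timestamp)
    by ProcessVersionInfoProductVersion
| sort by VulnerableDeviceCount desc
```

Devices lists up to 50 affected hosts per version so the result can be handed straight to patching without a second query.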

Steven Lim
Released: May 16, 2025