Query Details

Devices With High Severity CVEs With Exploits Available

Query

DeviceTvmSoftwareVulnerabilities
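// kind=inner: the default join (innerunique) matches only one left-side row per CveId, dropping other devices that share the CVE
| join kind=inner DeviceTvmSoftwareVulnerabilitiesKB on CveId //join gives us IsExploitAvailable column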
| where VulnerabilitySeverityLevel == "High" and IsExploitAvailable == "1" //we want to know where there is a high vulnerability CVE with an exploit available
| summarize make_set(CveId) by DeviceName //create set of cves by device

Explanation

This query is designed to identify devices with high-severity software vulnerabilities that have known exploits available. Here's a simple breakdown of what it does:

  1. Data Source: It starts by looking at two tables: DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB.

  2. Joining Tables: It combines these tables based on a common column, CveId, to access additional information, specifically the IsExploitAvailable column.

  3. Filtering: It filters the results to only include vulnerabilities that are classified as "High" severity and have an exploit available (IsExploitAvailable is "1").

  4. Summarizing: Finally, it groups the results by DeviceName and creates a set of unique CveIds (vulnerability identifiers) for each device.

In summary, the query identifies devices that have high-severity vulnerabilities with known exploits and lists the specific vulnerabilities for each device.
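
How the join kind changes the per-device result, as an added example that is not part of the original query. The two datatable literals are constructed stand-ins for the Defender tables (placeholder device names and CVE ids), and IsExploitAvailable is typed bool here, so the filter is written == true.

```kql
// Constructed sample rows standing in for DeviceTvmSoftwareVulnerabilities.
// Device names and CVE ids are placeholders, not real identifiers.
// CVE-0000-0001 is present on two devices (host-a and host-b).
let Vulns = datatable(DeviceName:string, CveId:string, VulnerabilitySeverityLevel:string)
[
    "host-a", "CVE-0000-0001", "High",
    "host-b", "CVE-0000-0001", "High",
    "host-b", "CVE-0000-0002", "High",
    "host-c", "CVE-0000-0003", "Medium"
];
// Constructed sample rows standing in for DeviceTvmSoftwareVulnerabilitiesKB.
let KB = datatable(CveId:string, IsExploitAvailable:bool)
[
    "CVE-0000-0001", true,
    "CVE-0000-0002", false,
    "CVE-0000-0003", true
];
// Default join kind (innerunique): left-side rows are de-duplicated on CveId
// before matching, so a CVE shared by several devices is matched for one of them only.
let DefaultJoin = Vulns
    | join KB on CveId
    | where VulnerabilitySeverityLevel == "High" and IsExploitAvailable == true
    | summarize Cves = make_set(CveId) by DeviceName
    | extend JoinKind = "innerunique (default)";
// kind=inner keeps every left-side row, so each affected device is reported.
let InnerJoin = Vulns
    | join kind=inner KB on CveId
    | where VulnerabilitySeverityLevel == "High" and IsExploitAvailable == true
    | summarize Cves = make_set(CveId) by DeviceName
    | extend JoinKind = "inner";
// Show both results side by side for comparison.
union DefaultJoin, InnerJoin
| project JoinKind, DeviceName, Cves
| sort by JoinKind asc, DeviceName asc
```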

Details

Jay Kerai

Released: May 19, 2025

Tables

DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB

Keywords

DeviceTvmSoftwareVulnerabilities, CveId, VulnerabilitySeverityLevel, IsExploitAvailable, DeviceName

Operators

join, on, where, and, summarize, make_set, by