Query Details

Devices With Recent Exploitable Vulnerability

Query

# Devices with a recent vulnerability that is exploitable
----
### Defender For Endpoint
```kusto
let timeframe = 30d; // Customizable: h = hours, d = days
// CVEs with a public exploit that were published within the timeframe
let ExploitableVulnerabilities = materialize
(DeviceTvmSoftwareVulnerabilitiesKB
     | where IsExploitAvailable == 1
     | where PublishedDate > (now() - timeframe)
     | project CveId);
DeviceTvmSoftwareVulnerabilities
// kind=inner keeps every device row per CVE; the default join flavour
// (innerunique) keeps only one left-side row per CveId and undercounts devices
| join kind=inner ExploitableVulnerabilities on CveId
| summarize count(), ExploitableCVE = make_set(CveId) by DeviceName
| top 10 by count_
```

Explanation

This query looks for devices that have a recent vulnerability for which an exploit is available. It uses the Defender for Endpoint data source. It first defines a timeframe variable (in this case, 30 days) and then filters the DeviceTvmSoftwareVulnerabilitiesKB table to only the vulnerabilities where IsExploitAvailable equals 1 and PublishedDate falls within that timeframe, keeping only the CveId column as the materialized ExploitableVulnerabilities set.

Next, it joins the DeviceTvmSoftwareVulnerabilities table with the ExploitableVulnerabilities set on the CveId column, so that only device findings for exploitable, recently published CVEs remain. It then summarizes the results per DeviceName, counting the matching rows and building a set of the unique CveIds. Finally, it returns the 10 devices with the highest count.
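As an added illustration (not part of the original query page), the following Python code reproduces the query's filter, join and summarize steps over a few constructed rows that stand in for the two TVM tables, and lets you compare a full inner join with KQL's default innerunique flavour, which keeps only one left-side row per CveId; the row data and the hypothetical host names are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample rows standing in for the two Defender for Endpoint TVM tables
# (not real data; column names follow the page's query). NOW is fixed for reproducibility.
NOW = datetime(2023, 2, 14)
KB = [  # DeviceTvmSoftwareVulnerabilitiesKB: one row per CVE
    {"CveId": "CVE-0000-0001", "IsExploitAvailable": 1, "PublishedDate": NOW - timedelta(days=5)},
    {"CveId": "CVE-0000-0002", "IsExploitAvailable": 0, "PublishedDate": NOW - timedelta(days=5)},
    {"CveId": "CVE-0000-0003", "IsExploitAvailable": 1, "PublishedDate": NOW - timedelta(days=90)},
    {"CveId": "CVE-0000-0004", "IsExploitAvailable": 1, "PublishedDate": NOW - timedelta(days=1)},
]
VULNS = [  # DeviceTvmSoftwareVulnerabilities: one row per device / software / CVE
    {"DeviceName": "host-a", "CveId": "CVE-0000-0001"},
    {"DeviceName": "host-b", "CveId": "CVE-0000-0001"},
    {"DeviceName": "host-b", "CveId": "CVE-0000-0002"},
    {"DeviceName": "host-b", "CveId": "CVE-0000-0004"},
    {"DeviceName": "host-c", "CveId": "CVE-0000-0003"},
]


def exploitable_cves(kb, now=NOW, timeframe=timedelta(days=30)):
    """The materialized ExploitableVulnerabilities set: exploit available and recently published."""
    return {r["CveId"] for r in kb
            if r["IsExploitAvailable"] == 1 and r["PublishedDate"] > now - timeframe}


def devices_with_exploitable(vulns, cves, join_kind="inner", top=10):
    """Join device findings to the CVE set, then count() and make_set() per device, top N by count."""
    counts, cve_sets, seen_keys = {}, {}, set()
    for r in vulns:
        if r["CveId"] not in cves:
            continue  # no match on the join key
        # innerunique: only one left-side row per key survives (which one is not
        # deterministic in Kusto; the first seen row is used here for illustration).
        if join_kind == "innerunique":
            if r["CveId"] in seen_keys:
                continue
            seen_keys.add(r["CveId"])
        counts[r["DeviceName"]] = counts.get(r["DeviceName"], 0) + 1
        cve_sets.setdefault(r["DeviceName"], set()).add(r["CveId"])
    rows = [{"DeviceName": d, "count_": counts[d], "ExploitableCVE": sorted(cve_sets[d])}
            for d in counts]
    rows.sort(key=lambda x: x["count_"], reverse=True)  # top N by count_
    return rows[:top]


if __name__ == "__main__":
    cves = exploitable_cves(KB)
    for kind in ("inner", "innerunique"):
        print(kind, devices_with_exploitable(VULNS, cves, join_kind=kind))
```

With the sample rows, the inner join reports host-b with two exploitable CVEs, while the innerunique simulation credits CVE-0000-0001 to only one host and so undercounts host-b.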

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceTvmSoftwareVulnerabilitiesKB, DeviceTvmSoftwareVulnerabilities

Keywords

Devices,Vulnerability,Exploitable,DefenderForEndpoint

Operators

let, where, project, join, summarize, count(), make_set(), by, top