Query Details

Devices with a recent vulnerability that is exploitable

Devices With Recent Exploitable Vulnerability

Query

let timeframe = 30d; //Customizable h = hours, d = days
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
     | where IsExploitAvailable == 1
     | where PublishedDate > (now() - timeframe)
     | project CveId;
DeviceTvmSoftwareVulnerabilities
| join kind=inner ExploitableVulnerabilities on CveId
| summarize TotalVulnerabilities = count(), ExploitableCVE = make_set(CveId) by DeviceName, DeviceId
| top 10 by TotalVulnerabilities

About this query

Devices with a recent vulnerability that is exploitable


Defender XDR

Explanation

This query is designed to identify devices that have recently become vulnerable to exploits. Here's a simplified breakdown of what it does:

  1. Timeframe Definition: It sets a timeframe of 30 days, which can be adjusted to hours or days as needed.

  2. Identify Exploitable Vulnerabilities: It filters for software vulnerabilities that have an available exploit and were published within the last 30 days.

  3. Join Data: It combines this list of exploitable vulnerabilities with the broader dataset of device vulnerabilities.

  4. Summarize Results: For each device, it counts the total number of vulnerabilities and compiles a list of the specific vulnerabilities (CVE IDs) that are exploitable.

  5. Top Devices: It then selects the top 10 devices with the highest number of vulnerabilities.

In essence, this query helps you quickly identify the devices most at risk due to recent vulnerabilities that can be exploited, allowing for prioritized security measures.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 18, 2026

Tables

DeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilities

Keywords

DevicesVulnerabilityExploitableDefenderXDR

Operators

letwhereprojectjoinsummarizecountmake_setbytopnow->=|

Actions

GitHub