# *Discovered Network Devices CVE / CVSS*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
#### Description
This KQL query identifies known software vulnerabilities (CVEs) affecting network infrastructure devices (such as routers, switches, and firewalls) within the environment.
#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/
#### References
## Defender XDR
```KQL
DeviceInfo
// Keep only devices that Defender classifies as network infrastructure
| where DeviceType has_any ("NetworkDevice", "Router", "Switch", "Firewall")
// DeviceInfo holds one row per report; keep the latest inventory record per device
| summarize arg_max(Timestamp, *) by DeviceId
// Attach the vulnerabilities (CVEs) Defender Vulnerability Management found on each device
| join DeviceTvmSoftwareVulnerabilities on DeviceId
| where isnotempty(CveId)
// Timestamp is the Defender XDR column name; use TimeGenerated when running this query in Microsoft Sentinel
| project Timestamp, DeviceName, OSVersion, Model, OSDistribution, OSVersionInfo, ExposureLevel, CveId, VulnerabilitySeverityLevel
// Enrich each CVE with knowledge base details (for example CvssScore and IsExploitAvailable); leftouter keeps CVEs without a KB entry
| join kind=leftouter DeviceTvmSoftwareVulnerabilitiesKB on CveId
```
This KQL query identifies and lists known software vulnerabilities (CVEs) affecting network infrastructure devices such as routers, switches, and firewalls within the environment. Step by step, the query does the following:
- **Filter devices:** It starts by selecting devices whose `DeviceType` marks them as network devices, specifically routers, switches, or firewalls.
- **Join vulnerability data:** It joins these devices with `DeviceTvmSoftwareVulnerabilities`, the table that lists the software vulnerabilities (CVEs) found on each device.
- **Filter for CVEs:** It drops any rows without a CVE ID, so only devices with known vulnerabilities remain.
- **Select relevant information:** It projects the columns of interest, such as the time the record was generated, device name, operating system version, model, exposure level, CVE ID, and the severity level of the vulnerability.
- **Additional information:** Finally, a left outer join with `DeviceTvmSoftwareVulnerabilitiesKB` enriches each CVE with knowledge base details (such as the CVSS score) where they exist; the left outer join keeps the rows for CVEs that have no knowledge base entry.
Overall, the query helps identify and assess the risk posed by known vulnerabilities in network devices within an organization's infrastructure.
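As an added example, not part of the original query or the author's repository, the following variant folds the knowledge base fields the page title alludes to (CVSS score, exploit availability) into a per-device ranking. Table and column names are those of the Defender XDR schema; the choice of ranking criteria is my own assumption of what a triage view needs.

```kql
// Added example: rank discovered network devices by exploitable and critical CVE exposure
DeviceInfo
| where DeviceType has_any ("NetworkDevice", "Router", "Switch", "Firewall")
// One row per device: the latest inventory record
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, DeviceName, Model, OSDistribution, OSVersionInfo, ExposureLevel, IsInternetFacing
// Vulnerabilities found on each device
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities
    | where isnotempty(CveId)
    | project DeviceId, CveId, VulnerabilitySeverityLevel
  ) on DeviceId
// Knowledge base enrichment; leftouter keeps CVEs that have no KB entry yet
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
// Collapse to one row per device with the counts a triage view needs
| summarize
    CveCount        = dcount(CveId),
    CriticalCves    = dcountif(CveId, VulnerabilitySeverityLevel == "Critical"),
    ExploitableCves = dcountif(CveId, IsExploitAvailable == true),
    MaxCvss         = max(CvssScore),
    ExploitableList = make_set_if(CveId, IsExploitAvailable == true, 10)
    by DeviceId, DeviceName, Model, OSDistribution, OSVersionInfo, ExposureLevel, IsInternetFacing
// Internet-facing devices with exploitable, high-CVSS CVEs surface first
| order by IsInternetFacing desc, ExploitableCves desc, MaxCvss desc, CveCount desc
```

Devices with no knowledge base match show `MaxCvss` as empty and `ExploitableCves` as 0, so sort them into the backlog rather than reading them as clean.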

Benjamin Zulliger
Released: June 9, 2026