Query Details

Domain Controllers With The Most Vulnerabilities

Query

# Domain Controllers with the most vulnerabilities
----
### Defender For Endpoint
```
// Identify domain controllers: only Kerberos KDCs (i.e. domain controllers)
// serve TCP/UDP port 88, so any device seen with a local port of 88 is treated as a DC
let AllDomainControllers =
     DeviceNetworkEvents
     | where LocalPort == 88
     | where LocalIPType == "FourToSixMapping"
     | summarize make_set(DeviceId);
// Pull every known software vulnerability for those devices
DeviceTvmSoftwareVulnerabilities
| where DeviceId has_any (AllDomainControllers)
// One row per device/software/CVE pair, so TotalVulnerabilities counts affected
// software instances while VulnerableCVE lists the distinct CVE IDs
| summarize TotalVulnerabilities = count(), VulnerableCVE = make_set(CveId) by DeviceName
// sort by defaults to descending, so the most exposed DC comes first
| sort by TotalVulnerabilities
```


Explanation

This query uses Defender For Endpoint data to find the domain controllers that carry the most vulnerabilities. It first identifies domain controllers by filtering DeviceNetworkEvents for a local port of 88 (the Kerberos KDC port, which only domain controllers serve in an Active Directory environment) and a local IP type of "FourToSixMapping", and collects the matching DeviceId values into a set. It then retrieves the software vulnerabilities recorded for those devices in DeviceTvmSoftwareVulnerabilities and summarizes, per device, the total number of vulnerability rows and the set of unique CVEs (Common Vulnerabilities and Exposures). Finally, the results are sorted by the total number of vulnerabilities, descending. Note that the port-88 heuristic depends on Kerberos traffic having been observed within the table's retention window: a domain controller with no such events is missed, and any non-DC host answering on port 88 is included.
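For remediation prioritisation the same set of domain controllers can be ranked by severity and exploit availability instead of raw count. The query below is an added example, not part of the original query, and assumes the tenant exposes the CveId, IsExploitAvailable and CvssScore columns of DeviceTvmSoftwareVulnerabilitiesKB.

```kusto
// Added example: same DC selection as the original query (port-88 heuristic),
// enriched with the vulnerability knowledge base to rank DCs by exploitable
// and critical CVEs rather than by row count alone.
let AllDomainControllers =
    DeviceNetworkEvents
    | where LocalPort == 88
    | where LocalIPType == "FourToSixMapping"
    | summarize make_set(DeviceId);
DeviceTvmSoftwareVulnerabilities
| where DeviceId has_any (AllDomainControllers)
// Enrich each CVE with exploit availability and CVSS score from the KB table;
// leftouter keeps CVEs that have no KB entry yet
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, IsExploitAvailable, CvssScore
) on CveId
| summarize
    // dcount counts distinct CVEs, so a CVE affecting several software
    // packages on the same DC is counted once
    TotalVulnerabilities = dcount(CveId),
    Critical = dcountif(CveId, VulnerabilitySeverityLevel == "Critical"),
    High = dcountif(CveId, VulnerabilitySeverityLevel == "High"),
    ExploitAvailable = dcountif(CveId, IsExploitAvailable == true),
    ExploitableCVEs = make_set_if(CveId, IsExploitAvailable == true),
    MaxCvss = max(CvssScore)
    by DeviceName
// DCs with publicly exploitable CVEs first, then by critical count, then total
| sort by ExploitAvailable desc, Critical desc, TotalVulnerabilities desc
```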

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceNetworkEvents, DeviceTvmSoftwareVulnerabilities

Keywords

DomainControllers, Vulnerabilities, DefenderForEndpoint

Operators

let, where, summarize, has_any, count, make_set, by, sort