Domain Controllers With The Most Vulnerabilities
Query
let AllDomainControllers =
DeviceNetworkEvents
| where LocalPort == 88
| where LocalIPType == "FourToSixMapping"
| summarize make_set(DeviceId);
DeviceTvmSoftwareVulnerabilities
| where DeviceId has_any (AllDomainControllers)
| summarize TotalVulnerabilities = count(), VulnerabeCVE = make_set(CveId) by DeviceName
| sort by TotalVulnerabilities
// Join with random event to get the required fields if you want to detect on this behaviour, the DeviceTvmSoftwareVulnerabilities does not contain the needed events. Ignore the process tree and only look at the raw events.
// join kind=inner (DeviceEvents
//| where Timestamp > ago(30d)
//| summarize arg_max(Timestamp, *) by DeviceId
//| project DeviceId, Timestamp, ReportId) on DeviceIdAbout this query
Domain Controllers with the most vulnerabilities
Defender XDR
Explanation
This query is designed to identify domain controllers with the most software vulnerabilities using Microsoft Defender XDR data. Here's a simplified breakdown of what the query does:
-
Identify Domain Controllers:
- The query first identifies domain controllers by looking for network events where the local port is 88 (commonly used for Kerberos authentication) and the IP type indicates a "FourToSixMapping."
- It collects the unique device IDs of these domain controllers into a set called
AllDomainControllers.
-
Find Vulnerabilities:
- It then checks the
DeviceTvmSoftwareVulnerabilitiestable for any vulnerabilities associated with the domain controllers identified in the first step. - For each domain controller, it counts the total number of vulnerabilities and compiles a list of unique CVE (Common Vulnerabilities and Exposures) IDs.
- It then checks the
-
Sort Results:
- The results are sorted by the total number of vulnerabilities, allowing you to see which domain controllers have the most vulnerabilities.
-
Additional Context (Commented Out):
- There's a commented-out section suggesting a potential enhancement: joining this data with recent device events to get additional context, such as timestamps and report IDs. This part is not executed in the current query but is suggested for further analysis if needed.
Overall, this query helps security analysts quickly identify which domain controllers in their network are most at risk due to software vulnerabilities.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceNetworkEventsDeviceTvmSoftwareVulnerabilities
Keywords
DeviceNetworkEventsLocalPortIPTypeTvmSoftwareVulnerabilitiesNameCveIdTimestampReport
Operators
let==summarizemake_sethas_anycountbysort