Query Details

Exploitable CVE All Devices

Query

DeviceTvmSoftwareVulnerabilities
| summarize VulnerableDevices = make_set(DeviceName) by CveId
| join DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where CvssScore > 7
| where IsExploitAvailable == 1
| extend TotalDevices = array_length(VulnerableDevices)
| project TotalDevices, CveId, VulnerabilitySeverityLevel, CvssScore, VulnerabilityDescription, VulnerableDevices

Explanation

This query is designed to identify and summarize information about software vulnerabilities on devices within a network. Here's a breakdown of what it does:

  1. Identify Vulnerable Devices: It starts by listing all devices that are vulnerable to each specific CVE (Common Vulnerabilities and Exposures) ID. This is done by creating a set of device names for each CVE.

  2. Join with Additional Information: It then joins this list with another dataset that contains more detailed information about each CVE, such as its severity level and description.

  3. Filter for Critical Vulnerabilities: The query filters the results to only include vulnerabilities that have a CVSS (Common Vulnerability Scoring System) score greater than 7, indicating they are high-severity, and where an exploit is available, meaning there is a known method to take advantage of the vulnerability.

  4. Calculate Total Affected Devices: For each vulnerability, it calculates the total number of affected devices by taking the length of the device set built in step 1.

  5. Select Relevant Information: Finally, it projects (selects) the relevant columns to display: the total number of vulnerable devices, the CVE ID, the severity level of the vulnerability, the CVSS score, a description of the vulnerability, and the list of vulnerable devices.

In simple terms, this query identifies high-severity vulnerabilities with known exploits and shows which devices in the network each one affects.

Details

Jay Kerai

Released: November 11, 2024

Tables

DeviceTvmSoftwareVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB

Keywords

DeviceTvmSoftwareVulnerabilities
CveId
CvssScore
ExploitAvailable
VulnerabilitySeverityLevel
VulnerabilityDescription
VulnerableDevices

Operators

summarize
make_set
by
join
on
where
extend
array_length
project