Query Details

Failed AV Scan On Devices With Vulnerabilities And Related Incidents

Query

# *Devices with unsuccessful AV Scan, Vulnerabilities (CVE) and related Incidents*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1562 | Impair Defenses | https://attack.mitre.org/techniques/T1562/ |


#### Description
This KQL query finds devices with failed AV scans, vulnerabilities and related incidents. I recommend running an automated AV scan through a Custom Detection Rule action.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References

## Defender XDR

### Query Combination Devices with no AV Scans, Vulnerabilities and related Incidents
```KQL
let AlertTimeframe = 30d;
// Onboarded, non-iOS devices that have NO AntivirusScanCompleted event in the last day.
// The rightanti join keeps the DeviceInfo rows whose DeviceName is absent from the scan set,
// so every column that survives (Timestamp, DeviceId, OSPlatform, ...) comes from DeviceInfo.
let UnscannedDevices = DeviceEvents
| where TimeGenerated > ago(1d)   // TimeGenerated is the Sentinel column; native Defender XDR hunting uses Timestamp
| where ActionType == "AntivirusScanCompleted"
| extend ParsedAdditionalFields = parse_json(AdditionalFields)
| extend ScanTypeIndex = tostring(ParsedAdditionalFields.ScanTypeIndex)
| project Timestamp, DeviceId, DeviceName, ScanTypeIndex
| summarize count() by DeviceName, ScanTypeIndex
| join kind=rightanti DeviceInfo on DeviceName
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceName   // latest DeviceInfo record per device
| where OSPlatform != "iOS";
// Alert evidence per unscanned device within the alert timeframe
let AlertCount = AlertEvidence
| where TimeGenerated > ago(AlertTimeframe)
| summarize NumAlerts = count() by DeviceId
| join kind=inner UnscannedDevices on DeviceId;
// Open CVEs per device, restricted to unscanned devices that also have alerts
DeviceTvmSoftwareVulnerabilities
| summarize NumCVE = count() by DeviceId
| join AlertCount on DeviceId
| join kind=inner UnscannedDevices on DeviceId   // AlertCount already carries the UnscannedDevices columns; this re-join repeats them under suffixed names
```

### Query Combination Devices with no AV Scans and Vulnerabilities
```KQL
let AlertTimeframe = 30d;
// Same device set as above: onboarded, non-iOS devices with no completed AV scan in the last day
let UnscannedDevices = DeviceEvents
| where TimeGenerated > ago(1d)   // TimeGenerated is the Sentinel column; native Defender XDR hunting uses Timestamp
| where ActionType == "AntivirusScanCompleted"
| extend ParsedAdditionalFields = parse_json(AdditionalFields)
| extend ScanTypeIndex = tostring(ParsedAdditionalFields.ScanTypeIndex)
| project Timestamp, DeviceId, DeviceName, ScanTypeIndex
| summarize count() by DeviceName, ScanTypeIndex
| join kind=rightanti DeviceInfo on DeviceName
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceName   // latest DeviceInfo record per device
| where OSPlatform != "iOS";
// Open CVEs per device, restricted to the unscanned devices (no alert condition here)
DeviceTvmSoftwareVulnerabilities
| summarize NumCVE = count() by DeviceId
| join kind=inner UnscannedDevices on DeviceId
```

Explanation

This KQL query is designed to identify devices within a network that have not successfully completed antivirus (AV) scans, have known vulnerabilities (CVE), and are associated with security incidents. Here's a simplified breakdown of what the query does:

  1. Timeframe Definition: The query looks at data from the past 30 days for alerts and the past day for AV scan events.

  2. Identify Unscanned Devices:
    • It collects the devices that have completed an AV scan in the last day.
    • It extracts relevant information such as the scan type and device details.
    • It then keeps only the onboarded, non-iOS devices that are absent from that set, i.e. those without a successful scan in the last day.

  3. Count Alerts:
    • It counts the number of security alerts associated with each device over the past 30 days.

  4. Identify Vulnerabilities:
    • It counts the number of known vulnerabilities (CVEs) for each device.

  5. Combine Data:
    • The query combines the list of unscanned devices with their alert counts and vulnerabilities.
    • It identifies devices that have both vulnerabilities and associated security incidents.

  6. Output:
    • The result is a list of devices that have not been scanned successfully, have vulnerabilities, and are linked to security incidents. This information can be used to prioritize security actions, such as running automated AV scans using custom detection rules.

The query is useful for security teams to quickly identify and address potential security risks in their network by focusing on devices that are both vulnerable and have not been adequately scanned for threats.
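The following query is an added example and not part of the original page or the author's repository. It generalises the approach above from a binary "no scan in the last day" to a stale-scan age per device, attaches CVE and alert counts as prioritisation context, and returns the Timestamp, DeviceId and ReportId columns that a Custom Detection Rule needs before its "Run antivirus scan" device action can be attached. It assumes the standard Defender XDR column names (Timestamp, ReportId, AlertId, VulnerabilitySeverityLevel).

```kql
// Added example, not from the original page. Assumes the standard Defender XDR column
// names (Timestamp, ReportId, AlertId, VulnerabilitySeverityLevel); in Microsoft Sentinel
// the same tables also expose TimeGenerated.
let ScanLookback   = 30d;   // how far back to look for completed scans
let StaleAfter     = 7d;    // a device is "stale" when its last completed scan is older than this
let AlertTimeframe = 30d;
// Last completed AV scan per device (time and scan type) within the lookback window.
let LastScan = DeviceEvents
    | where Timestamp > ago(ScanLookback)
    | where ActionType == "AntivirusScanCompleted"
    | extend ScanTypeIndex = tostring(parse_json(AdditionalFields).ScanTypeIndex)
    | summarize arg_max(Timestamp, ScanTypeIndex) by DeviceId
    | project DeviceId, LastScanTime = Timestamp, LastScanType = ScanTypeIndex;
// Latest inventory record for every onboarded, non-iOS device.
let Devices = DeviceInfo
    | where Timestamp > ago(ScanLookback)
    | where OnboardingStatus == "Onboarded" and OSPlatform != "iOS"
    | summarize arg_max(Timestamp, DeviceName, OSPlatform, ReportId) by DeviceId;
// Exposure: total and critical CVEs per device.
let Cves = DeviceTvmSoftwareVulnerabilities
    | summarize NumCVE = count(),
                NumCriticalCVE = countif(VulnerabilitySeverityLevel == "Critical") by DeviceId;
// Distinct alerts per device in the alert timeframe.
let Alerts = AlertEvidence
    | where Timestamp > ago(AlertTimeframe)
    | summarize NumAlerts = dcount(AlertId) by DeviceId;
Devices
| join kind=leftouter LastScan on DeviceId      // leftouter: never-scanned devices stay in
| project-away DeviceId1
| extend DaysSinceScan = iff(isnull(LastScanTime),
                             toint(ScanLookback / 1d),          // no scan in the whole window
                             toint((now() - LastScanTime) / 1d))
| where isnull(LastScanTime) or LastScanTime < ago(StaleAfter)
| join kind=inner Cves on DeviceId               // only devices with at least one CVE
| project-away DeviceId1
| join kind=leftouter Alerts on DeviceId         // alert count is context, not a filter
| project-away DeviceId1
| extend NumAlerts = coalesce(NumAlerts, 0)
// Timestamp, DeviceId and ReportId are the columns a Custom Detection Rule requires
// before the "Run antivirus scan" device action can be attached to the rule.
| project Timestamp, DeviceId, ReportId, DeviceName, OSPlatform,
          LastScanTime, LastScanType, DaysSinceScan, NumCVE, NumCriticalCVE, NumAlerts
| order by NumCriticalCVE desc, NumAlerts desc, DaysSinceScan desc
```

Devices that have never reported a completed scan in the lookback window get DaysSinceScan equal to the window length rather than being dropped, which is the case the inner joins in the original queries do not surface.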

Details


Benjamin Zulliger

Released: December 15, 2025

Tables

DeviceEvents, DeviceInfo, AlertEvidence, DeviceTvmSoftwareVulnerabilities

Keywords

Devices

Operators

let, where, ago, extend, parse_json, tostring, project, summarize, count, join, kind, rightanti, on, arg_max, by, !=, ==, >
