Query Details
Internet Facing Devices Vulnerablility Report
Query
// https://www.greynoise.io/resources/how-resurgent-vulnerabilities-jeopardize-organizational-security // Internet facing devices vulnerablility report let InternetFacing = DeviceInfo | where IsInternetFacing == true and isnotempty(PublicIP) | distinct DeviceId; DeviceTvmSoftwareVulnerabilities | where DeviceId has_any(InternetFacing) | summarize VulnerabilityCount=count() by DeviceName, VulnerabilitySeverityLevel | sort by VulnerabilityCount desc
Explanation
This KQL (Kusto Query Language) query is designed to generate a report on vulnerabilities found in internet-facing devices within an organization. Here's a simple breakdown of what the query does:
-
Identify Internet-Facing Devices:
- It first filters the
DeviceInfotable to find devices that are internet-facing (i.e., devices with a public IP address). - It creates a list of unique
DeviceIds for these internet-facing devices.
- It first filters the
-
Find Vulnerabilities:
- It then looks into the
DeviceTvmSoftwareVulnerabilitiestable to find any vulnerabilities associated with these internet-facing devices. - It counts the number of vulnerabilities for each device and groups them by the device name and the severity level of the vulnerabilities.
- It then looks into the
-
Sort the Results:
- Finally, it sorts the results in descending order based on the number of vulnerabilities, so that devices with the most vulnerabilities appear first.
In summary, this query helps identify which internet-facing devices have vulnerabilities, how many vulnerabilities each device has, and the severity of those vulnerabilities, prioritizing the devices with the highest number of vulnerabilities.
Details
Steven Lim
Released: May 12, 2025
Tables
DeviceInfoDeviceTvmSoftwareVulnerabilities
Keywords
DeviceInfoDeviceTvmSoftwareVulnerabilitiesDeviceIdPublicIPDeviceNameVulnerabilitySeverityLevelVulnerabilityCount
Operators
let|where==andisnotemptydistincthas_anysummarizecount()bysortdesc