Query Details
// This query identifies onboarded Linux devices with missing MDE vulnerability data
// by looking for devices with fewer software inventory entries than expected.
DeviceInfo
| where OSPlatform contains "linux"
| where OnboardingStatus == "Onboarded"
// Keep only the most recent DeviceInfo record per device
| summarize arg_max(Timestamp, *) by DeviceId
// Carry OSPlatform through from DeviceInfo; otherwise the OSPlatform used below
// comes from the inventory side of the join and is empty for exactly the
// devices that have no inventory rows
| distinct DeviceId, OSPlatform, OSDistribution, OnboardingStatus
// leftouter keeps devices that have no inventory rows at all
| join kind=leftouter DeviceTvmSoftwareInventory on DeviceId
| summarize count() by DeviceId, OSPlatform, OSDistribution, OnboardingStatus
| where count_ < 3
This query is designed to find Linux devices that are missing vulnerability data from Microsoft Defender for Endpoint (MDE). Here's a simplified breakdown of what the query does:
Filter for Linux Devices: It starts by selecting devices that are running a Linux operating system and are onboarded to MDE.
Get Latest Device Information: It retrieves the most recent information for each device based on the timestamp.
Identify Unique Devices: It ensures that each device is listed only once by its unique identifier, along with its operating system distribution and onboarding status.
Join with Software Inventory: It attempts to match each device with its software inventory data, which includes information about the software installed on the device.
Count Software Entries: It counts the number of software inventory entries for each device.
Identify Devices with Missing Data: Finally, it keeps only the devices that have fewer than three software inventory entries, indicating that these devices might be missing some vulnerability data.
In summary, the query is looking for Linux devices that have been onboarded to MDE but have fewer software inventory entries than expected, which could suggest missing vulnerability information.
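As an added example (not part of the original query or the author's page), the same pipeline run on constructed datatable rows that stand in for DeviceInfo and DeviceTvmSoftwareInventory, so the join and count behaviour can be checked without tenant data. It also adds a countif() column that separates a device with zero inventory rows from one with only a few, because a leftouter join still emits one row for an unmatched device; the device ids and software names are made up for this example.

```kql
// Constructed stand-ins for DeviceInfo and DeviceTvmSoftwareInventory (added
// example, not the original page's tables). Column names mirror the real ones.
let SampleDeviceInfo = datatable(Timestamp:datetime, DeviceId:string, OSPlatform:string, OSDistribution:string, OnboardingStatus:string)
[
    datetime(2024-11-01 08:00), "dev-a", "Linux",     "Ubuntu", "Onboarded",        // older record, dropped by arg_max
    datetime(2024-11-02 08:00), "dev-a", "Linux",     "Ubuntu", "Onboarded",        // onboarded, only one inventory row
    datetime(2024-11-02 08:00), "dev-b", "Linux",     "RHEL",   "Onboarded",        // onboarded, no inventory rows at all
    datetime(2024-11-02 08:00), "dev-c", "Linux",     "Debian", "Onboarded",        // onboarded, full inventory
    datetime(2024-11-02 08:00), "dev-d", "Windows10", "",       "Onboarded",        // excluded by the OS filter
    datetime(2024-11-02 08:00), "dev-e", "Linux",     "SLES",   "Can be onboarded"  // excluded by the onboarding filter
];
let SampleInventory = datatable(DeviceId:string, OSPlatform:string, SoftwareName:string)
[
    "dev-a", "Linux", "openssl",
    "dev-c", "Linux", "openssl",
    "dev-c", "Linux", "bash",
    "dev-c", "Linux", "curl",
    "dev-c", "Linux", "sudo"
];
SampleDeviceInfo
| where OSPlatform contains "linux"          // contains is case-insensitive in KQL
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId // newest record per device
| distinct DeviceId, OSPlatform, OSDistribution, OnboardingStatus
// leftouter: a device with no inventory rows still yields one joined row whose
// right-side columns (DeviceId1, OSPlatform1, SoftwareName) are empty.
| join kind=leftouter SampleInventory on DeviceId
// count() counts that placeholder row too, so an unmatched device is reported
// as 1 rather than 0; countif() on a right-side column gives the true number
// of inventory entries and lets zero be told apart from "a few".
| summarize count(), InventoryEntries = countif(isnotempty(SoftwareName))
    by DeviceId, OSPlatform, OSDistribution, OnboardingStatus
| where InventoryEntries < 3
| order by InventoryEntries asc
```

Paste it into an Advanced Hunting or Azure Data Explorer query window; to use it against real data, drop the two let statements and replace the sample table names with DeviceInfo and DeviceTvmSoftwareInventory.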

Edmond Nader
Released: November 10, 2024