Query Details

Red Hat Linux - Missing Security Updates

MDE Linux Red Hat Missing Security Updates

Query

DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == @"red_hat"
| where OSVersion == @"enterprise_linux_7.6"
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingDevices = make_set(DeviceName) by SoftwareName, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, OSVersionInfo
| extend TotalMissingKBDevice = array_length(MissingDevices)
| project ['Bulletin'] = RecommendedSecurityUpdate, ['ID'] = RecommendedSecurityUpdateId, ['Total Exposed devices'] = TotalMissingKBDevice, ['Exposed devices'] = MissingDevices, OSVersionInfo

About this query

Red Hat Linux - Missing Security Updates

Query Information

Description

The below query provides an overview of missing security updates for Linux Red Hat Enterprise devices

References

Microsoft 365 Defender

Overview Missing KBs Red Hat Linux

Details missing KBs Red Hat Linux

DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == @"red_hat"
| where OSVersion == @"enterprise_linux_7.6"
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingKBs = make_set(RecommendedSecurityUpdate) by DeviceName
| extend TotalMissingKB = array_length(MissingKBs)

Explanation

This KQL query is designed to identify and summarize missing security updates for devices running Red Hat Enterprise Linux version 7.6. Here's a simple breakdown of what each part of the query does:

  1. Filter for Red Hat Linux Vulnerabilities: The query starts by filtering the DeviceTvmSoftwareVulnerabilities table to find entries where the software vendor is "red_hat" and the operating system version is "enterprise_linux_7.6". It also ensures that there is a recommended security update available.

  2. Identify Unique Vulnerabilities: It selects distinct combinations of device IDs, recommended security updates, update IDs, and software names.

  3. Join with Device Information: The query performs a left outer join with the DeviceInfo table to gather additional information about each device, such as its platform and onboarding status. It ensures that only onboarded devices with available OS version information are considered.

  4. Summarize Missing Updates: It summarizes the data to list devices missing specific security updates. For each software name and update, it creates a set of device names that are missing the update and counts the total number of such devices.

  5. Project Results: The final output includes the bulletin (recommended security update), update ID, total number of exposed devices, list of exposed devices, and OS version information.

  6. Details of Missing Updates: The second part of the query provides details on missing updates for each device by summarizing the missing updates into a set and counting the total number of missing updates per device.

In essence, this query helps administrators quickly identify which Red Hat Enterprise Linux 7.6 devices are missing critical security updates, allowing them to prioritize patching efforts to enhance security.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

DeviceTvmSoftwareVulnerabilitiesDeviceInfo

Keywords

DevicesLinuxSecurityUpdatesRedHatEnterpriseMissing

Operators

whereisnotemptydistinctjoinkind=leftoutersummarizearg_maxonmake_setextendarray_lengthproject

Actions

GitHub