Query Details

MDE Linux Red Hat Missing Security Updates

Query

# Red Hat Linux - Missing Security Updates

## Query Information

### Description

The queries below give an overview of missing security updates for Red Hat Enterprise Linux devices, as reported by Defender Vulnerability Management.

#### References

### Microsoft 365 Defender

Overview Missing KBs Red Hat Linux

```kql
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == @"red_hat"
| where OSVersion == @"enterprise_linux_7.6"
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingDevices = make_set(DeviceName) by SoftwareName, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, OSVersionInfo
| extend TotalMissingKBDevice = array_length(MissingDevices)
| project ['Bulletin'] = RecommendedSecurityUpdate, ['ID'] = RecommendedSecurityUpdateId, ['Total Exposed devices'] = TotalMissingKBDevice, ['Exposed devices'] = MissingDevices, OSVersionInfo
```

---

Details missing KBs Red Hat Linux

```kql
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == @"red_hat"
| where OSVersion == @"enterprise_linux_7.6"
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
    DeviceInfo
    | where isnotempty(OSPlatform)
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId)
    on $left.DeviceId == $right.DeviceId
| summarize MissingKBs = make_set(RecommendedSecurityUpdate) by DeviceName
| extend TotalMissingKB = array_length(MissingKBs)
```

Explanation

The queries provide information about missing security updates for Red Hat Enterprise Linux devices. The first summarizes, per missing update, which onboarded devices lack it and how many devices are exposed, together with the operating system version of those devices; the second lists, per device, the set of missing updates and their count.
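As an added example that is not part of the original query set: the same data ranked by the CVEs each missing update fixes, so patching can start with the exploitable, high-CVSS gaps rather than with an alphabetical bulletin list. It assumes the CveId and VulnerabilitySeverityLevel columns of DeviceTvmSoftwareVulnerabilities and the DeviceTvmSoftwareVulnerabilitiesKB table (CveId, CvssScore, IsExploitAvailable) as documented for advanced hunting, and widens the OS filter to any RHEL release instead of only 7.6.

```kql
// Added example (not the original query): prioritise missing Red Hat security
// updates by exploit availability, worst CVSS score and number of exposed devices.
// Assumption: column names follow the advanced hunting schema for
// DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB.
let rhelVulns =
    DeviceTvmSoftwareVulnerabilities
    | where SoftwareVendor == @"red_hat"
    | where OSVersion startswith "enterprise_linux"   // any RHEL release, not only 7.6
    | where isnotempty(RecommendedSecurityUpdate);
// Latest DeviceInfo record per onboarded device, for the human-readable OS version
let onboarded =
    DeviceInfo
    | where OnboardingStatus == 'Onboarded'
    | where isnotempty(OSVersionInfo)
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, OSVersionInfo;
rhelVulns
// Enrich each device/CVE row with the CVE's score and exploit status
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable)
    on CveId
| join kind=inner (onboarded) on DeviceId
// make_set() collapses the multiple CVE rows per device and update into one row
| summarize
    MissingDevices = make_set(DeviceName),
    CveIds = make_set(CveId),
    Severities = make_set(VulnerabilitySeverityLevel),
    MaxCvss = max(CvssScore),
    ExploitableCves = countif(IsExploitAvailable)
    by RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName, OSVersionInfo
| extend TotalMissingDevices = array_length(MissingDevices)
| order by ExploitableCves desc, MaxCvss desc, TotalMissingDevices desc
| project ['Bulletin'] = RecommendedSecurityUpdate, ['ID'] = RecommendedSecurityUpdateId,
    SoftwareName, OSVersionInfo, ExploitableCves, MaxCvss, Severities, CveIds,
    ['Total Exposed devices'] = TotalMissingDevices, ['Exposed devices'] = MissingDevices
```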

Details


Alex Verboon

Released: June 10, 2023

Tables

DeviceTvmSoftwareVulnerabilities, DeviceInfo

Keywords

DeviceTvmSoftwareVulnerabilities,SoftwareVendor,OSVersion,RecommendedSecurityUpdate,SoftwareName,DeviceId,RecommendedSecurityUpdateId,DeviceInfo,OSPlatform,OnboardingStatus,OSVersionInfo,Timestamp,DeviceName,MissingDevices,TotalMissingKBDevice,Bulletin,ID,TotalExposeddevices,Exposeddevices

Operators

where, isnotempty, distinct, join kind=leftouter, summarize, arg_max, by, on, extend, array_length, project
