Query Details

MDE TVM Exposure Vulnerability Severity Level

Query

# Device VulnerabilitySeverityLevel overview

## Query Information

### Description

Use the query below to list onboarded devices together with their exposure level and the number of distinct CVEs at each VulnerabilitySeverityLevel (Low, Medium, High, Critical).

### Microsoft 365 Defender

List devices with their exposure level and distinct CVE counts per severity level

```kql
DeviceInfo
| where OnboardingStatus == 'Onboarded'
// keep only the most recent DeviceInfo record per device
| summarize arg_max(Timestamp, *) by DeviceId
// optional OS filter, e.g. restrict the result to Linux devices
//| where OSPlatform == 'Linux'
// leftouter keeps devices that have no known vulnerabilities (all counts are 0)
| join kind=leftouter DeviceTvmSoftwareVulnerabilities
    on $left.DeviceId == $right.DeviceId
// count distinct CVEs per severity level for each device
| summarize
    Low = dcountif(CveId, VulnerabilitySeverityLevel == 'Low'),
    Medium = dcountif(CveId, VulnerabilitySeverityLevel == 'Medium'),
    High = dcountif(CveId, VulnerabilitySeverityLevel == 'High'),
    Critical = dcountif(CveId, VulnerabilitySeverityLevel == 'Critical')
    by DeviceName, ExposureLevel
```

Explanation

This query lists onboarded devices and the number of distinct CVEs affecting them at each VulnerabilitySeverityLevel. It first keeps only onboarded devices and reduces DeviceInfo to the latest record per DeviceId with arg_max, so that each device carries its current ExposureLevel. It then joins those devices to DeviceTvmSoftwareVulnerabilities with kind=leftouter, which keeps devices that have no recorded vulnerabilities (they appear with all counts at 0). Finally, dcountif counts distinct CveId values per severity level (Low, Medium, High, Critical) grouped by DeviceName and ExposureLevel. Two things to keep in mind when reading the output: grouping by DeviceName rather than DeviceId merges devices that share a name (for example a reimaged host that received a new DeviceId), and a CVE that affects several software packages on the same device is counted once because dcountif counts distinct CVE IDs.
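The query above gives a count per severity level, but in practice the first devices to look at are those with a High exposure level or with CVEs that have a public exploit. The query below is an added example, not part of the original page or the author's repository, that extends the same join pattern for that purpose. It assumes the same DeviceInfo and DeviceTvmSoftwareVulnerabilities schema as above, plus the IsExploitAvailable column of DeviceTvmSoftwareVulnerabilitiesKB; the list size of 20 for ExploitableCves is an arbitrary choice for readability.

```kql
// Added example (not from the original page): rank devices by exposure level
// and by the number of critical / publicly exploitable CVEs on them.
// Assumption: DeviceTvmSoftwareVulnerabilitiesKB exposes IsExploitAvailable (bool).
let ExploitableCves = toscalar(
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | summarize make_set(CveId, 100000));
DeviceInfo
| where OnboardingStatus == 'Onboarded'
// latest record per device, so ExposureLevel reflects the current assessment
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, DeviceName, OSPlatform, ExposureLevel
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilities
    | project DeviceId, CveId, VulnerabilitySeverityLevel
    // flag each vulnerability row whose CVE has a known public exploit
    | extend ExploitAvailable = CveId in (ExploitableCves)
  ) on DeviceId
// group by DeviceId as well as DeviceName so renamed or reimaged hosts stay separate
| summarize
    Critical = dcountif(CveId, VulnerabilitySeverityLevel == 'Critical'),
    High = dcountif(CveId, VulnerabilitySeverityLevel == 'High'),
    Exploitable = dcountif(CveId, ExploitAvailable == true),
    ExploitableCves = make_set_if(CveId, ExploitAvailable == true, 20)
    by DeviceId, DeviceName, OSPlatform, ExposureLevel
// keep only the devices worth triaging first
| where ExposureLevel == 'High' or Exploitable > 0
| order by Exploitable desc, Critical desc, High desc
```

Devices with no vulnerabilities still survive the leftouter join but are dropped by the final where clause unless their exposure level is High, which is usually what you want for a triage list; remove that clause to get the full population back.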

Details


Alex Verboon

Released: June 10, 2023

Tables

DeviceInfo, DeviceTvmSoftwareVulnerabilities

Keywords

Device, VulnerabilitySeverityLevel, DeviceInfo, OnboardingStatus, Timestamp, DeviceId, DeviceTvmSoftwareVulnerabilities, CveId, Low, Medium, High, Critical, DeviceName, ExposureLevel

Operators

where, summarize, arg_max, by, join, dcountif
