Query Details

Missing Recommended Security Updates Detection

Query

//This query identifies workstations missing specific KB patches for known vulnerabilities
//Shows device names and their missing KB patches that need to be applied
DeviceTvmSoftwareVulnerabilities
//Keep only findings that map to a concrete KB; entries with no update ID yet would otherwise
//land in the set as empty strings and defeat the final array_length filter
| where isnotempty(RecommendedSecurityUpdateId)
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | distinct CveId    //one row per CVE so the join does not multiply device rows
) on CveId
| project DeviceName, CveId, RecommendedSecurityUpdateId
| summarize MissingKBs = make_set(RecommendedSecurityUpdateId) by DeviceName
| where array_length(MissingKBs) > 0

Explanation

This query is designed to find workstations that are missing certain security updates (KB patches) needed to fix known vulnerabilities. Here's a breakdown of what it does:

  1. It starts with a list of software vulnerabilities on devices.
  2. It joins this list with another dataset that links vulnerabilities to specific KB patches.
  3. It extracts the device names, vulnerability IDs, and the recommended KB patch IDs.
  4. It groups the data by device name, creating a list of missing KB patches for each device.
  5. Finally, it filters the results to show only those devices that have one or more missing KB patches.

In simple terms, the query identifies which workstations need specific security updates and lists the updates that are missing for each device.
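The query above treats every device the same and only records which KBs are missing. The following variant is an added example, not the author's query: it narrows the result to workstations by joining DeviceInfo and brings in the CVE metadata from the KB table so that devices whose missing patches cover exploitable or high-CVSS vulnerabilities sort to the top. It assumes DeviceInfo.DeviceType holds the value "Workstation" for client machines and that DeviceTvmSoftwareVulnerabilitiesKB exposes CvssScore and IsExploitAvailable; adjust those names to your tenant's schema if they differ.

```kql
// Added example (not the page's own query): workstations only, ranked by exploitability.
// Assumptions: DeviceInfo.DeviceType == "Workstation" identifies client machines;
// DeviceTvmSoftwareVulnerabilitiesKB has CvssScore (real) and IsExploitAvailable (bool).
let Workstations =
    DeviceInfo
    | where Timestamp > ago(7d)               // devices seen in the last week
    | where DeviceType == "Workstation"
    | distinct DeviceId;                      // DeviceId only, so DeviceName is not duplicated by the join
DeviceTvmSoftwareVulnerabilities
| where isnotempty(RecommendedSecurityUpdateId)   // drop findings that have no KB yet
| join kind=inner Workstations on DeviceId        // keep workstation rows only
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable
) on CveId
| summarize
    MissingKBs      = make_set(RecommendedSecurityUpdateId),
    CveCount        = dcount(CveId),
    ExploitableCves = countif(IsExploitAvailable == true),
    MaxCvss         = max(CvssScore)
    by DeviceId, DeviceName
| where array_length(MissingKBs) > 0
| order by ExploitableCves desc, MaxCvss desc, CveCount desc
```

Run it in Advanced Hunting as-is; the ordering puts the workstations with exploitable, high-severity gaps first so that patch deployment can be prioritised from the top of the list rather than by device name.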

Details


Subash Ghimire

Released: November 10, 2024

Tables

DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB

Keywords

DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB, CveId, DeviceName, RecommendedSecurityUpdateId, MissingKBs

Operators

join, project, summarize, make_set, by, where, array_length
