Query Details

Multiple Vulnerabilities By CVE

Query

DeviceTvmSoftwareVulnerabilities
//| where SoftwareName has_any ("chrome", "edge", "cortex", "windows")
//| where CveId has_any ("CVE-2021-29358", "CVE-2021-29359")
//| where VulnerabilitySeverityLevel has_any ("Low", "Medium", "High", "Critical")
| summarize DeviceNameList = make_list(DeviceName), DetailedDeviceList = make_list(bag_pack("DeviceName", DeviceName, "DeviceId", DeviceId)), take_any(SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate) by CveId
| lookup DeviceTvmSoftwareVulnerabilitiesKB on CveId, VulnerabilitySeverityLevel
| project SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, DeviceNameList, DetailedDeviceList, PublishedDate, LastModifiedTime, VulnerabilityDescription, AffectedSoftware
//| mv-expand DeviceNameList to typeof(string)
//| limit 100

Explanation

This query retrieves software vulnerability findings per device from DeviceTvmSoftwareVulnerabilities. The commented-out where lines can be enabled to filter the results by software name, CVE ID, or severity level. The query then summarizes the data by CVE ID, collecting the affected device names and a list of device name/ID pairs for each CVE, and performs a lookup against the DeviceTvmSoftwareVulnerabilitiesKB knowledge base table to add the CVSS score, exploit availability, publication dates, description, and affected software. Finally, it projects the desired fields; the commented-out mv-expand flattens the device list to one row per device, and the commented-out limit caps the output at 100 rows when enabled.
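As an added example (not the original query from this page), the variant below turns the same two tables into a remediation priority list. It groups by CveId and SoftwareName rather than CveId alone, because the original take_any keeps only one arbitrary software name and version per CVE; it then counts distinct affected devices and ranks by exploit availability and CVSS score. The Priority labels are constructed for illustration, and the lookup key follows the page's query.

```kql
// Added example: prioritize CVEs by exploitability and number of affected devices.
// Same Defender advanced hunting tables as the page; the lookup key mirrors the page's query.
DeviceTvmSoftwareVulnerabilities
| summarize
    DeviceCount = dcount(DeviceId),                 // blast radius per CVE and product
    DeviceNameList = make_set(DeviceName, 100),     // capped so wide-impact CVEs stay readable
    SoftwareVersions = make_set(SoftwareVersion, 20)
    by CveId, SoftwareName, VulnerabilitySeverityLevel
| lookup DeviceTvmSoftwareVulnerabilitiesKB on CveId, VulnerabilitySeverityLevel
// Constructed priority buckets: known exploit first, then CVSS as a tie-breaker.
| extend Priority = case(
    IsExploitAvailable == true and CvssScore >= 9.0, "P1 - exploit available, critical CVSS",
    IsExploitAvailable == true,                      "P2 - exploit available",
    CvssScore >= 9.0,                                "P3 - critical CVSS, no known exploit",
                                                     "P4 - review")
| project Priority, CveId, SoftwareName, DeviceCount, CvssScore, IsExploitAvailable,
          SoftwareVersions, DeviceNameList, PublishedDate, VulnerabilityDescription
| sort by Priority asc, DeviceCount desc, CvssScore desc
```

Because the lookup also matches on VulnerabilitySeverityLevel, a CVE whose severity was re-rated in the knowledge base after the device finding was recorded will not be enriched; drop that key from the lookup if you see rows with empty CvssScore.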

Details


Jose Sebastián Canós

Released: November 10, 2022

Tables

DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB

Keywords

DeviceTvmSoftwareVulnerabilities,SoftwareName,edge,cortex,windows,CveId,CVE-2021-29358,CVE-2021-29359,VulnerabilitySeverityLevel,Low,Medium,High,Critical,DeviceName,DeviceId,SoftwareVersion,RecommendedSecurityUpdate,CvssScore,IsExploitAvailable,DeviceNameList,DetailedDeviceList,PublishedDate,LastModifiedTime,VulnerabilityDescription,AffectedSoftware

Operators

where, has_any, summarize, make_list, bag_pack, take_any, lookup, on, project, mv-expand, limit
