Top 10 devices with the most exploitable vulnerabilities
Top Devices Most Exploitable Vulnerabilities
Query
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == 1
| project CveId;
DeviceTvmSoftwareVulnerabilities
| where CveId in (ExploitableVulnerabilities)
| summarize TotalExploitableVulns = dcount(CveId), ExploitableCVE = make_set(CveId) by DeviceId
| top 10 by TotalExploitableVulnsAbout this query
Top 10 devices with the most exploitable vulnerabilities
Query Information
Description
This query lists the 10 devices in your tenant with the most exploitable vulnerabilities.
Defender XDR
Explanation
This query is designed to identify the top 10 devices within your network that have the highest number of exploitable vulnerabilities. Here's a simple breakdown of what the query does:
-
Identify Exploitable Vulnerabilities:
- It first creates a list of vulnerabilities (CVE IDs) for which an exploit is available. This is done by filtering the
DeviceTvmSoftwareVulnerabilitiesKBtable to include only those entries where an exploit is available (IsExploitAvailable == 1).
- It first creates a list of vulnerabilities (CVE IDs) for which an exploit is available. This is done by filtering the
-
Count Vulnerabilities per Device:
- The query then checks the
DeviceTvmSoftwareVulnerabilitiestable to find which devices have these exploitable vulnerabilities. - For each device, it counts the total number of unique exploitable vulnerabilities (
TotalExploitableVulns) and also compiles a list of these vulnerabilities (ExploitableCVE).
- The query then checks the
-
Select Top 10 Devices:
- Finally, it sorts the devices based on the number of exploitable vulnerabilities they have and selects the top 10 devices with the most vulnerabilities.
In summary, this query helps you quickly identify which devices in your network are most at risk due to exploitable vulnerabilities, allowing you to prioritize them for security updates or further investigation.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilities
Keywords
DevicesVulnerabilities
Operators
let|where==projectinsummarizedcountmake_setbytop