Query Details

Visualization Exposure Levels

Query

# PieChart - Exposure Level Onboarded Devices

## Query Information

#### Description
This query visualizes the onboarded devices and their exposure level in a PieChart. The higher the exposure level of a device, the more likely it is to be exploited.

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide

## Defender For Endpoint
```KQL
DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId
| summarize Total = count() by ExposureLevel
| render piechart with(title="Overview Exposure Level")
```
## Sentinel
```KQL
DeviceInfo
| where TimeGenerated > ago(30d)
| where OnboardingStatus == "Onboarded"
| summarize arg_max(TimeGenerated, *) by DeviceId
| summarize Total = count() by ExposureLevel
| render piechart with(title="Overview Exposure Level")
```

Explanation

This query reports the exposure level of onboarded devices as a pie chart. It takes the DeviceInfo records from the last 30 days, keeps those whose OnboardingStatus is "Onboarded", and selects the most recent record for each DeviceId. It then counts the devices per ExposureLevel and renders the totals as a pie chart. The higher the exposure level, the more vulnerable the device is to exploitation.

Details

Bert-Jan Pals

Released: December 24, 2023

Tables

DeviceInfo

Keywords

Devices, Intune, User

Operators

where, ago, ==, summarize, arg_max, by, count, render
