Query Details

Vuln Highest Exposed Devices

Query

//Summarize your devices by which Microsoft CVEs they are vulnerable to. The data is summarized into severity and ordered by the most exposed devices (most critical CVEs first).

//Data connector required for this query - Advanced Hunting license

//This query only works in Advanced Hunting as the DeviceTvm* tables aren't sent to Sentinel yet
//One row per device/software/CVE; make_set_if collapses each device's CVEs into one distinct list per severity.
//Note that == is a case-sensitive string comparison; SoftwareVendor values in this table are lowercase.
DeviceTvmSoftwareVulnerabilities
| summarize ['Critical Severity Vulnerabilities']=make_set_if(CveId, SoftwareVendor == "microsoft" and VulnerabilitySeverityLevel == "Critical"),
    ['High Severity Vulnerabilities']=make_set_if(CveId, SoftwareVendor == "microsoft" and VulnerabilitySeverityLevel == "High"),
    ['Medium Severity Vulnerabilities']=make_set_if(CveId, SoftwareVendor == "microsoft" and VulnerabilitySeverityLevel == "Medium"), 
    ['Low Severity Vulnerabilities']=make_set_if(CveId, SoftwareVendor == "microsoft" and VulnerabilitySeverityLevel == "Low")
    by DeviceName
//Rank devices by the number of distinct critical CVEs (array_length counts the set built above)
| sort by array_length(['Critical Severity Vulnerabilities']) desc 

Explanation

This query summarizes devices by the Microsoft CVEs they are vulnerable to. Each row of DeviceTvmSoftwareVulnerabilities is one device/software/CVE combination, so make_set_if collapses a device's CVEs into one distinct list per severity level (Critical, High, Medium, Low), and the devices are then ordered by how many critical CVEs they carry. Note that the query summarizes by DeviceName only, so two devices sharing a name would be merged into one row. This query requires an Advanced Hunting license and can only be executed in Advanced Hunting, as the DeviceTvm* tables are not sent to Sentinel yet.
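The query above ranks devices purely on the count of critical CVEs. The following is an added example, not part of the original page or Matt Zorich's query, that extends the same idea into an exposure ranking: it joins DeviceTvmSoftwareVulnerabilitiesKB to pull in CVSS scores and whether a public exploit is known, summarizes by DeviceId as well as DeviceName so that devices with the same name are not merged, and sorts exploitable CVEs ahead of merely critical ones. It assumes the Advanced Hunting schema for both tables (CveId, CvssScore and IsExploitAvailable in the KB table, one KB row per CVE); the column names and the take limit are assumptions for illustration.

```kql
// Added example (not from the original page): rank devices by exposure to
// Microsoft CVEs, weighting CVEs that have a known public exploit.
// Assumes the Advanced Hunting tables DeviceTvmSoftwareVulnerabilities and
// DeviceTvmSoftwareVulnerabilitiesKB (one row per CVE, with CvssScore and
// IsExploitAvailable). Runs in Advanced Hunting only.
DeviceTvmSoftwareVulnerabilities
// =~ is case-insensitive, so this also matches "Microsoft" if vendor casing ever changes
| where SoftwareVendor =~ "microsoft"
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable
  ) on CveId
// Summarize by DeviceId too, so two devices that share a DeviceName stay separate
| summarize
    CriticalCves    = make_set_if(CveId, VulnerabilitySeverityLevel == "Critical"),
    HighCves        = make_set_if(CveId, VulnerabilitySeverityLevel == "High"),
    ExploitableCves = make_set_if(CveId, IsExploitAvailable == true),
    MaxCvss         = max(CvssScore),
    DistinctCves    = dcount(CveId)
    by DeviceId, DeviceName
| extend
    CriticalCount    = array_length(CriticalCves),
    HighCount        = array_length(HighCves),
    ExploitableCount = array_length(ExploitableCves)
// Exploitable CVEs first, then critical count, then high count, then worst CVSS
| sort by ExploitableCount desc, CriticalCount desc, HighCount desc, MaxCvss desc
| project DeviceName, DeviceId, ExploitableCount, CriticalCount, HighCount, MaxCvss, DistinctCves, ExploitableCves, CriticalCves
| take 50
```

The inner join drops CVEs that have no entry in the KB table, which is rare but means the counts here can be slightly lower than in the original query; use a leftouter join if every CVE must be counted regardless of KB coverage.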

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

DeviceTvmSoftwareVulnerabilities,CveId,SoftwareVendor,VulnerabilitySeverityLevel,CriticalSeverityVulnerabilities,HighSeverityVulnerabilities,MediumSeverityVulnerabilities,LowSeverityVulnerabilities,DeviceName

Operators

summarize,make_set_if,by,sort by,array_length,desc
