Query Details

Identify MDEASM Hosts With High Or Critical Vulnerabilities And A CVSS Score Over 8

Query

# Identify hosts with High or Critical vulnerabilities and a CVSS score over 8

## Description

The following query uncovers hosts discovered by Microsoft Defender External Attack Surface Management (MDEASM) that carry High or Critical vulnerabilities with a maximum CVSS score above 8, using the Advanced Hunting tables that Microsoft Security Exposure Management exposes in Defender XDR.

### References
- https://www.michalos.net/2025/07/31/breaking-down-the-microsoft-defender-external-attack-surface-management-opportunities-for-queries-in-advanced-hunting-log-analytics-workspace/

### Microsoft Defender XDR
```
ExposureGraphNodes
| where NodeLabel == @"dns-host"
| extend GraphNodeProperties = parse_json(NodeProperties)
// tobool() matches the flag whether it is stored as a JSON boolean or as the string "true";
// a bare == "true" comparison silently misses rows where the value is a real boolean
| where tobool(GraphNodeProperties["rawData"]["highRiskVulnerabilityInsights"]["hasHighOrCritical"])
// maxCvssScore is the highest score across all of the host's findings;
// the nested vulnerableToRemoteCodeExecution.maxCvssScore covers only the RCE-class findings
| extend MaxCvssScore = toreal(GraphNodeProperties["rawData"]["highRiskVulnerabilityInsights"]["maxCvssScore"]),
         RceMaxCvssScore = toreal(GraphNodeProperties["rawData"]["highRiskVulnerabilityInsights"]["vulnerableToRemoteCodeExecution"]["maxCvssScore"])
| where MaxCvssScore > 8
| project NodeId, Host=NodeName, MaxCvssScore, RceMaxCvssScore
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 31/07/2025    | Initial publish                        |

Explanation

This query identifies internet-facing hosts with significant security vulnerabilities. It looks at the nodes that Microsoft Defender External Attack Surface Management (MDEASM) contributes to the Exposure Management graph under the "dns-host" label, keeps those whose vulnerability insights are flagged as High or Critical, and then narrows the result to hosts whose highest Common Vulnerability Scoring System (CVSS) score is greater than 8, which places them in the upper part of the High band or in the Critical band under CVSS v3.

Here's a breakdown of what the query does:

  1. Data Source: It starts from the ExposureGraphNodes table, which holds the nodes of the Exposure Management attack surface graph (hosts, identities, cloud resources and so on) together with their properties.

  2. Filter by Node Type: It keeps only nodes labelled "dns-host", the node type under which MDEASM-discovered hostnames appear in the graph.

  3. Extract and Parse Properties: It parses the NodeProperties JSON column so that the nested rawData.highRiskVulnerabilityInsights object can be addressed field by field.

  4. Filter by Vulnerability Severity: It checks the hasHighOrCritical flag, which indicates that at least one vulnerability on the host is rated High or Critical.

  5. Filter by CVSS Score: It converts maxCvssScore to a number and keeps only hosts where it is greater than 8. Because this is the maximum across all of the host's findings, a single qualifying finding is enough for the host to be returned.

  6. Output: Finally, it projects the relevant columns: the node ID, the host name and the maximum CVSS score.

The purpose of this query is to help security teams quickly identify and prioritize hosts that require immediate attention due to their high-risk vulnerabilities.
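As an added example, not part of the original query or of the referenced post: a self-contained datatable that stands in for ExposureGraphNodes, so the filter logic can be exercised in any Kusto or Advanced Hunting editor without Exposure Management data in the tenant. The rows are constructed; the rawData layout is assumed only from the property paths the query above uses, and the host names are placeholders. The second row stores the flag and the scores as strings rather than JSON numbers and booleans, which is why the example converts with tobool() and toreal() instead of comparing against the literal "true".

```kql
// Added example: constructed stand-in for ExposureGraphNodes (not real tenant data).
// The nested rawData shape is an assumption taken from the property paths used above.
let SampleNodes = datatable(NodeId:string, NodeLabel:string, NodeName:string, NodeProperties:string)
[
    // Boolean flag and numeric scores: the common case
    "n1", "dns-host", "web01.contoso.example",
        '{"rawData":{"highRiskVulnerabilityInsights":{"hasHighOrCritical":true,"maxCvssScore":9.8,"vulnerableToRemoteCodeExecution":{"maxCvssScore":9.8}}}}',
    // Same fields serialised as strings: a plain == "true" / > 8 comparison would misbehave here
    "n2", "dns-host", "mail01.contoso.example",
        '{"rawData":{"highRiskVulnerabilityInsights":{"hasHighOrCritical":"true","maxCvssScore":"8.1","vulnerableToRemoteCodeExecution":{"maxCvssScore":"7.5"}}}}',
    // Flagged High, but the top score is below the threshold and there is no RCE sub-object
    "n3", "dns-host", "legacy.contoso.example",
        '{"rawData":{"highRiskVulnerabilityInsights":{"hasHighOrCritical":true,"maxCvssScore":7.4}}}'
];
SampleNodes
| where NodeLabel == "dns-host"
| extend Insights = parse_json(NodeProperties)["rawData"]["highRiskVulnerabilityInsights"]
// tobool() accepts both the JSON boolean true and the string "true"
| where tobool(Insights["hasHighOrCritical"])
// toreal() accepts both JSON numbers and numeric strings; a missing RCE object yields null
| extend MaxCvssScore = toreal(Insights["maxCvssScore"]),
         RceMaxCvssScore = toreal(Insights["vulnerableToRemoteCodeExecution"]["maxCvssScore"])
| where MaxCvssScore > 8
| project NodeId, Host = NodeName, MaxCvssScore, RceMaxCvssScore
```

Running this returns n1 and n2 only: n3 is flagged High but its maximum score of 7.4 does not clear the threshold. Swapping the tobool() line for the original `== "true"` comparison drops n1 as well, because a JSON boolean is not equal to a string, which is the kind of silent gap a hunting query should not have.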

Details


Michalis Michalos

Released: July 31, 2025

Tables

ExposureGraphNodes

Keywords

ExposureManagement

Operators

where, extend, parse_json, toreal, project
