Devices with a recent vulnerability that is exploitable

----

Detection Query

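```KQL
let timeframe = 30d; // Customizable: h = hours, d = days
// CVEs published within the timeframe that have an exploit available
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
     | where IsExploitAvailable == 1
     | where PublishedDate > (now() - timeframe)
     | project CveId;
// Match those CVEs against the per-device vulnerability inventory
DeviceTvmSoftwareVulnerabilities
| join kind=inner ExploitableVulnerabilities on CveId
// Count matching findings per device and collect the distinct CVE IDs
| summarize TotalVulnerabilities = count(), ExploitableCVE = make_set(CveId) by DeviceName, DeviceId
// Keep the 10 devices with the most matching findings
| top 10 by TotalVulnerabilities
```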

Platforms

microsoft-defender

Tags

vulnerability-management