kql Hunting
Devices with High severity CVEs with exploits available
Joining DeviceTvmSoftwareVulnerabilities with DeviceTvmSoftwareVulnerabilitiesKB on CveId adds the IsExploitAvailable column.
Detection Query
DeviceTvmSoftwareVulnerabilities
| join DeviceTvmSoftwareVulnerabilitiesKB on CveId //join gives us isexploitavailable column
| where VulnerabilitySeverityLevel == "High" and IsExploitAvailable == true //IsExploitAvailable is a boolean column; we want to know where there is a high vulnerability CVE with an exploit available
| summarize make_set(CveId) by DeviceName //create set of CVEs by device
Tags
defender