kqlHunting

PieChart - Exposure Level Onboarded Devices

This query visualizes the onboarded devices and their exposure level in a PieChart. The higher the exposure level of a device, the more likely it is to be exploited.

Detection Query

DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId
| summarize Total = count() by ExposureLevel
| render piechart with(title="Overview Exposure Level")

Data Sources

DeviceInfo

Platforms

windowsazure-sentinelmicrosoft-defender

References

https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide

Tags

vulnerability-management

Raw Content

# PieChart - Exposure Level Onboarded Devices

## Query Information

#### Description
This query visualizes the onboarded devices and their exposure level in a PieChart. The higher the exposure level of a device, the more likely it is to be exploited.

#### References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide

## Defender XDR
```KQL
DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus == "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId
| summarize Total = count() by ExposureLevel
| render piechart with(title="Overview Exposure Level")
```
## Sentinel
```KQL
DeviceInfo
| where TimeGenerated > ago(30d)
| where OnboardingStatus == "Onboarded"
| summarize arg_max(TimeGenerated, *) by DeviceId
| summarize Total = count() by ExposureLevel
| render piechart with(title="Overview Exposure Level")
```