CVE Check With Software Evidence
Query
let CVEsToCheck = dynamic(["CVE-2023-21779","CVE-2021-44228","CVE-2024-21404"]);
DeviceTvmSoftwareVulnerabilities
| where CveId has_any(CVEsToCheck)
| join kind=leftouter DeviceTvmSoftwareEvidenceBeta on DeviceId,SoftwareName
| summarize count() by DeviceName, CveId, VulnerabilitySeverityLevel, SoftwareName, tostring(DiskPaths)Explanation
This query is designed to analyze software vulnerabilities on devices by checking for specific Common Vulnerabilities and Exposures (CVEs). Here's a simplified breakdown:
-
Define CVEs to Check: It starts by listing specific CVEs that need to be checked, namely "CVE-2023-21779", "CVE-2021-44228", and "CVE-2024-21404".
-
Filter Vulnerabilities: It looks into a dataset called
DeviceTvmSoftwareVulnerabilitiesto find records where any of the specified CVEs are present. -
Join with Evidence Data: It performs a left outer join with another dataset,
DeviceTvmSoftwareEvidenceBeta, to gather additional information about the software on the devices. This join is based on matchingDeviceIdandSoftwareName. -
Summarize Results: Finally, it summarizes the data by counting the number of occurrences for each combination of
DeviceName,CveId,VulnerabilitySeverityLevel,SoftwareName, andDiskPaths. This provides a concise view of how many times each CVE appears on each device, along with the severity level and software details.
In essence, the query is used to identify and summarize the presence and details of specific software vulnerabilities across devices.
Details

Jay Kerai
Released: November 11, 2024
Tables
Keywords
Operators