Lookup vulnerability information based on a CveID
Cve Lookup
Query
let CVE = "CVE-2022-3602"; // Add your CVEid here
DeviceTvmSoftwareVulnerabilities
| where CveId == CVE
| summarize VulnerableDevices = make_set(DeviceName) by CveId
| join kind=innerunique DeviceTvmSoftwareVulnerabilitiesKB on CveId
| extend TotalDevices = array_length(VulnerableDevices)
| project TotalDevices, CveId, VulnerabilitySeverityLevel, CvssScore, VulnerabilityDescription, VulnerableDevicesAbout this query
Lookup vulnerability information based on a CveID
Defender XDR
Explanation
This query is designed to find information about a specific software vulnerability identified by a CVE ID (Common Vulnerabilities and Exposures ID) using Microsoft Defender XDR data. Here's a simple breakdown of what the query does:
-
Define the CVE ID: It starts by setting a specific CVE ID (in this case, "CVE-2022-3602") to search for.
-
Filter Vulnerabilities: It looks through the
DeviceTvmSoftwareVulnerabilitiestable to find entries that match the specified CVE ID. -
Identify Vulnerable Devices: It collects a list of device names that are vulnerable to this CVE and groups them by the CVE ID.
-
Join with Knowledge Base: It combines this information with additional details from the
DeviceTvmSoftwareVulnerabilitiesKBtable, which contains more comprehensive information about each vulnerability. -
Calculate Total Devices: It calculates the total number of unique devices that are vulnerable to this CVE.
-
Select Relevant Information: Finally, it selects and displays the total number of vulnerable devices, the CVE ID, the severity level of the vulnerability, its CVSS score (a standard for assessing the severity of vulnerabilities), a description of the vulnerability, and the list of vulnerable devices.
In summary, this query helps you understand how many devices are affected by a specific vulnerability, along with detailed information about the vulnerability itself.
Details

Bert-Jan Pals
Released: January 18, 2026
Tables
Keywords
Operators