Devices with a recent vulnerability that is exploitable
Devices With Recent Exploitable Vulnerability
Query
let timeframe = 30d; //Customizable h = hours, d = days
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == 1
| where PublishedDate > (now() - timeframe)
| project CveId;
DeviceTvmSoftwareVulnerabilities
| join kind=inner ExploitableVulnerabilities on CveId
| summarize TotalVulnerabilities = count(), ExploitableCVE = make_set(CveId) by DeviceName, DeviceId
| top 10 by TotalVulnerabilitiesAbout this query
Devices with a recent vulnerability that is exploitable
Defender XDR
Explanation
This query is designed to identify devices that have recently become vulnerable to exploits. Here's a simplified breakdown of what it does:
-
Timeframe Definition: It sets a timeframe of 30 days, which can be adjusted to hours or days as needed.
-
Identify Exploitable Vulnerabilities: It filters for software vulnerabilities that have an available exploit and were published within the last 30 days.
-
Join Data: It combines this list of exploitable vulnerabilities with the broader dataset of device vulnerabilities.
-
Summarize Results: For each device, it counts the total number of vulnerabilities and compiles a list of the specific vulnerabilities (CVE IDs) that are exploitable.
-
Top Devices: It then selects the top 10 devices with the highest number of vulnerabilities.
In essence, this query helps you quickly identify the devices most at risk due to recent vulnerabilities that can be exploited, allowing for prioritized security measures.
Details

Bert-Jan Pals
Released: January 18, 2026
Tables
Keywords
Operators