Internet Facing Devices Vulnerablility Report
Query
// https://www.greynoise.io/resources/how-resurgent-vulnerabilities-jeopardize-organizational-security
// Internet facing devices vulnerablility report
let InternetFacing =
DeviceInfo
| where IsInternetFacing == true and isnotempty(PublicIP)
| distinct DeviceId;
DeviceTvmSoftwareVulnerabilities
| where DeviceId has_any(InternetFacing)
| summarize VulnerabilityCount=count() by DeviceName, VulnerabilitySeverityLevel
| sort by VulnerabilityCount descExplanation
This KQL (Kusto Query Language) query is designed to generate a report on vulnerabilities found in internet-facing devices within an organization. Here's a simple breakdown of what the query does:
-
Identify Internet-Facing Devices:
- It first filters the
DeviceInfotable to find devices that are internet-facing (i.e., devices with a public IP address). - It creates a list of unique
DeviceIds for these internet-facing devices.
- It first filters the
-
Find Vulnerabilities:
- It then looks into the
DeviceTvmSoftwareVulnerabilitiestable to find any vulnerabilities associated with these internet-facing devices. - It counts the number of vulnerabilities for each device and groups them by the device name and the severity level of the vulnerabilities.
- It then looks into the
-
Sort the Results:
- Finally, it sorts the results in descending order based on the number of vulnerabilities, so that devices with the most vulnerabilities appear first.
In summary, this query helps identify which internet-facing devices have vulnerabilities, how many vulnerabilities each device has, and the severity of those vulnerabilities, prioritizing the devices with the highest number of vulnerabilities.
Details

Steven Lim
Released: May 12, 2025
Tables
DeviceInfoDeviceTvmSoftwareVulnerabilities
Keywords
DeviceInfoDeviceTvmSoftwareVulnerabilitiesDeviceIdPublicIPDeviceNameVulnerabilitySeverityLevelVulnerabilityCount
Operators
let|where==andisnotemptydistincthas_anysummarizecount()bysortdesc