Red Hat Linux - Missing Security Updates
MDE Linux Red Hat Missing Security Updates
Query
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == @"red_hat"
| where OSVersion == @"enterprise_linux_7.6"
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
DeviceInfo
| where isnotempty(OSPlatform)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSVersionInfo)
| summarize arg_max(Timestamp, *) by DeviceId)
on $left.DeviceId == $right.DeviceId
| summarize MissingDevices = make_set(DeviceName) by SoftwareName, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, OSVersionInfo
| extend TotalMissingKBDevice = array_length(MissingDevices)
| project ['Bulletin'] = RecommendedSecurityUpdate, ['ID'] = RecommendedSecurityUpdateId, ['Total Exposed devices'] = TotalMissingKBDevice, ['Exposed devices'] = MissingDevices, OSVersionInfoAbout this query
Red Hat Linux - Missing Security Updates
Query Information
Description
The below query provides an overview of missing security updates for Linux Red Hat Enterprise devices
References
Microsoft 365 Defender
Overview Missing KBs Red Hat Linux
Details missing KBs Red Hat Linux
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == @"red_hat"
| where OSVersion == @"enterprise_linux_7.6"
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
| join kind=leftouter (
DeviceInfo
| where isnotempty(OSPlatform)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSVersionInfo)
| summarize arg_max(Timestamp, *) by DeviceId)
on $left.DeviceId == $right.DeviceId
| summarize MissingKBs = make_set(RecommendedSecurityUpdate) by DeviceName
| extend TotalMissingKB = array_length(MissingKBs)
Explanation
This KQL query is designed to identify and summarize missing security updates for devices running Red Hat Enterprise Linux version 7.6. Here's a simple breakdown of what each part of the query does:
-
Filter for Red Hat Linux Vulnerabilities: The query starts by filtering the
DeviceTvmSoftwareVulnerabilitiestable to find entries where the software vendor is "red_hat" and the operating system version is "enterprise_linux_7.6". It also ensures that there is a recommended security update available. -
Identify Unique Vulnerabilities: It selects distinct combinations of device IDs, recommended security updates, update IDs, and software names.
-
Join with Device Information: The query performs a left outer join with the
DeviceInfotable to gather additional information about each device, such as its platform and onboarding status. It ensures that only onboarded devices with available OS version information are considered. -
Summarize Missing Updates: It summarizes the data to list devices missing specific security updates. For each software name and update, it creates a set of device names that are missing the update and counts the total number of such devices.
-
Project Results: The final output includes the bulletin (recommended security update), update ID, total number of exposed devices, list of exposed devices, and OS version information.
-
Details of Missing Updates: The second part of the query provides details on missing updates for each device by summarizing the missing updates into a set and counting the total number of missing updates per device.
In essence, this query helps administrators quickly identify which Red Hat Enterprise Linux 7.6 devices are missing critical security updates, allowing them to prioritize patching efforts to enhance security.
Details

Alex Verboon
Released: April 16, 2026
Tables
Keywords
Operators