Device VulnerabilitySeverityLevel overview
MDE TVM Exposure Vulnerability Severity Level
Query
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(Timestamp, *) by DeviceId
//| where OSPlatform == 'Linux'
| join kind=leftouter DeviceTvmSoftwareVulnerabilities
on $left.DeviceId == $right.DeviceId
| summarize
Low = dcountif(CveId, VulnerabilitySeverityLevel == 'Low'),
Medium = dcountif(CveId, VulnerabilitySeverityLevel == 'Medium'),
High = dcountif(CveId, VulnerabilitySeverityLevel == 'High'),
Critical = dcountif(CveId, VulnerabilitySeverityLevel == 'Critical')
by DeviceName, ExposureLevelAbout this query
Device VulnerabilitySeverityLevel overview
Query Information
Description
Use the below queries to list devices and their VulnerabilitySeverityLevels
Microsoft 365 Defender
List Devices with Exposure Level and total CVEs
Explanation
This query lists devices and their VulnerabilitySeverityLevels. It filters devices that are onboarded and then joins them with DeviceTvmSoftwareVulnerabilities. It then summarizes the count of vulnerabilities for each severity level (Low, Medium, High, Critical) by DeviceName and ExposureLevel.
Details

Alex Verboon
Released: June 10, 2023
Tables
DeviceInfoDeviceTvmSoftwareVulnerabilities
Keywords
DeviceVulnerabilitySeverityLevelDeviceInfoOnboardingStatusTimestampDeviceIdDeviceTvmSoftwareVulnerabilitiesCveIdLowMediumHighCriticalDeviceNameExposureLevel
Operators
wheresummarizearg_maxbyjoindcountif