Query Details

Device VulnerabilitySeverityLevel overview

MDE TVM Exposure Vulnerability Severity Level

Query

DeviceInfo
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(Timestamp, *) by DeviceId
//| where OSPlatform == 'Linux'
| join kind=leftouter DeviceTvmSoftwareVulnerabilities
    on $left.DeviceId == $right.DeviceId
| summarize
    Low = dcountif(CveId, VulnerabilitySeverityLevel == 'Low'),
    Medium = dcountif(CveId, VulnerabilitySeverityLevel == 'Medium'), 
    High = dcountif(CveId, VulnerabilitySeverityLevel == 'High'),
    Critical = dcountif(CveId, VulnerabilitySeverityLevel == 'Critical')
    by DeviceName, ExposureLevel

About this query

Device VulnerabilitySeverityLevel overview

Query Information

Description

Use the below queries to list devices and their VulnerabilitySeverityLevels

Microsoft 365 Defender

List Devices with Exposure Level and total CVEs

Explanation

This query lists devices and their VulnerabilitySeverityLevels. It filters devices that are onboarded and then joins them with DeviceTvmSoftwareVulnerabilities. It then summarizes the count of vulnerabilities for each severity level (Low, Medium, High, Critical) by DeviceName and ExposureLevel.

Details

Alex Verboon profile picture

Alex Verboon

Released: June 10, 2023

Tables

DeviceInfoDeviceTvmSoftwareVulnerabilities

Keywords

DeviceVulnerabilitySeverityLevelDeviceInfoOnboardingStatusTimestampDeviceIdDeviceTvmSoftwareVulnerabilitiesCveIdLowMediumHighCriticalDeviceNameExposureLevel

Operators

wheresummarizearg_maxbyjoindcountif

Actions

GitHub