Query Details

Top 10 devices with the most exploitable vulnerabilities

Top Devices Most Exploitable Vulnerabilities

Query

let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
     | where IsExploitAvailable == 1
     | project CveId;
DeviceTvmSoftwareVulnerabilities
| where CveId in (ExploitableVulnerabilities)
| summarize TotalExploitableVulns = dcount(CveId), ExploitableCVE = make_set(CveId) by DeviceId
| top 10 by TotalExploitableVulns

About this query

Top 10 devices with the most exploitable vulnerabilities

Query Information

Description

This query lists the 10 devices in your tenant with the most exploitable vulnerabilities.

Defender XDR

Explanation

This query is designed to identify the top 10 devices within your network that have the highest number of exploitable vulnerabilities. Here's a simple breakdown of what the query does:

  1. Identify Exploitable Vulnerabilities:

    • It first creates a list of vulnerabilities (CVE IDs) for which an exploit is available. This is done by filtering the DeviceTvmSoftwareVulnerabilitiesKB table to include only those entries where an exploit is available (IsExploitAvailable == 1).
  2. Count Vulnerabilities per Device:

    • The query then checks the DeviceTvmSoftwareVulnerabilities table to find which devices have these exploitable vulnerabilities.
    • For each device, it counts the total number of unique exploitable vulnerabilities (TotalExploitableVulns) and also compiles a list of these vulnerabilities (ExploitableCVE).
  3. Select Top 10 Devices:

    • Finally, it sorts the devices based on the number of exploitable vulnerabilities they have and selects the top 10 devices with the most vulnerabilities.

In summary, this query helps you quickly identify which devices in your network are most at risk due to exploitable vulnerabilities, allowing you to prioritize them for security updates or further investigation.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilities

Keywords

DevicesVulnerabilities

Operators

let|where==projectinsummarizedcountmake_setbytop

Actions

GitHub