Query Details

Top 10 devices with the most Critical and High vulnerabilities

Top Devices Most Vulnerabilities

Query

DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel has_any ('critical', 'High')
| summarize count(), VulnerableCVE = make_set(CveId) by DeviceName
| top 10 by count_

About this query

Top 10 devices with the most Critical and High vulnerabilities


Defender XDR

Explanation

This query is designed to identify the top 10 devices that have the most critical and high-severity vulnerabilities. Here's a simple breakdown of what it does:

  1. Data Source: It starts by looking at the DeviceTvmSoftwareVulnerabilities table, which contains information about software vulnerabilities on devices.

  2. Filter: It filters the data to only include vulnerabilities that are either 'critical' or 'high' in severity.

  3. Summarize: For each device, it counts the total number of these vulnerabilities and also creates a list of unique vulnerability IDs (CVE IDs) associated with each device.

  4. Top 10: Finally, it sorts the devices by the number of vulnerabilities in descending order and selects the top 10 devices with the most vulnerabilities.

In summary, this query helps you quickly identify which devices in your network are most at risk due to critical and high-severity vulnerabilities.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

DeviceTvmSoftwareVulnerabilitiesVulnerabilitySeverityLevelCveIdName

Operators

has_anysummarizemake_setbytopwhere

Actions

GitHub