Query Details

Vulnerability Statistics Sentinel Workbook

Vulnerability Statistics Logic App Sentinel Workbook

Query

{
  "version": "Notebook/1.0",
  "items": [
    {
      "type": 9,
      "content": {
        "version": "KqlParameterItem/1.0",
        "parameters": [
          {
            "id": "timerange-param",
            "version": "KqlParameterItem/1.0",
            "name": "TimeRange",
            "label": "Time Range",
            "type": 4,
            "isRequired": true,
            "value": {
              "durationMs": 15552000000
            },
            "typeSettings": {
              "selectableValues": [
                {
                  "durationMs": 7776000000
                },
                {
                  "durationMs": 15552000000
                },
                {
                  "durationMs": 31536000000
                },
                {
                  "durationMs": 63072000000
                }
              ],
              "allowCustom": false
            }
          }
        ],
        "style": "pills",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces"
      },
      "name": "parameters"
    },
    {
      "type": 1,
      "content": {
        "json": "# TVM Vulnerability Stats — Aktuelle Übersicht\n---"
      },
      "name": "title"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "Vulnerabilitystatistics_CL\n| where TimeGenerated > ago(30d)\n| where DeviceCategory in (\"Windows Clients\", \"macOS\", \"Windows Server\", \"Linux Server\", \"Network Components\", \"Others / Unknown\")\n| project TimeGenerated, DeviceCategory, Vulnerability_Count, Unique_CVEs, Unique_CVEs_With_Exploit, Affected_Devices, Avg_CVSS_Score, Avg_Vulnerabilities_Per_Device\n| sort by DeviceCategory asc, TimeGenerated desc\n| summarize arg_max(TimeGenerated, *) by DeviceCategory\n| project DeviceCategory, Vulnerability_Count, Unique_CVEs, Unique_CVEs_With_Exploit, Affected_Devices, Avg_CVSS_Score, Avg_Vulnerabilities_Per_Device\n| sort by Vulnerability_Count desc",
        "size": 3,
        "title": "Current Values by Device Category",
        "timeContext": {
          "durationMs": 2592000000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "visualization": "tiles",
        "tileSettings": {
          "titleContent": {
            "columnMatch": "DeviceCategory",
            "formatter": 1
          },
          "leftContent": {
            "columnMatch": "Vulnerability_Count",
            "formatter": 12,
            "formatOptions": {
              "palette": "redGreen",
              "aggregation": "Sum"
            },
            "numberFormat": {
              "unit": 17,
              "options": {
                "style": "decimal",
                "maximumFractionDigits": 0
              }
            }
          },
          "secondaryContent": {
            "columnMatch": "Avg_CVSS_Score",
            "formatter": 1,
            "formatOptions": {
              "aggregation": "Avg"
            },
            "numberFormat": {
              "unit": 17,
              "options": {
                "style": "decimal",
                "maximumFractionDigits": 2
              }
            }
          },
          "showBorder": true,
          "size": "auto"
        }
      },
      "name": "tiles-overview"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "Vulnerabilitystatistics_CL\n| where TimeGenerated > ago(30d)\n| where DeviceCategory in (\"Windows Clients\", \"macOS\", \"Windows Server\", \"Linux Server\", \"Network Components\", \"Others / Unknown\")\n| project TimeGenerated, DeviceCategory, Vulnerability_Count, Unique_CVEs, Unique_CVEs_With_Exploit, Affected_Devices, Avg_CVSS_Score, Avg_Vulnerabilities_Per_Device\n| summarize arg_max(TimeGenerated, *) by DeviceCategory\n| project ['Category'] = DeviceCategory, ['Vulnerabilities'] = Vulnerability_Count, ['Unique CVEs'] = Unique_CVEs, ['CVEs with Exploit'] = Unique_CVEs_With_Exploit, ['Affected Devices'] = Affected_Devices, ['Avg CVSS Score'] = Avg_CVSS_Score, ['Avg Vulns / Device'] = Avg_Vulnerabilities_Per_Device\n| sort by Vulnerabilities desc",
        "size": 1,
        "title": "Detail Table — Current Snapshot",
        "timeContext": {
          "durationMs": 604800000
        },
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "visualization": "table",
        "gridSettings": {
          "formatters": [
            {
              "columnMatch": "Vulnerabilities",
              "formatter": 18,
              "formatOptions": {
                "thresholdsOptions": "colors",
                "thresholdsGrid": [
                  {
                    "operator": ">=",
                    "thresholdValue": "100000",
                    "representation": "red",
                    "text": "{0}"
                  },
                  {
                    "operator": ">=",
                    "thresholdValue": "10000",
                    "representation": "orange",
                    "text": "{0}"
                  },
                  {
                    "operator": "Default",
                    "thresholdValue": null,
                    "representation": "yellow",
                    "text": "{0}"
                  }
                ]
              }
            },
            {
              "columnMatch": "CVEs with Exploit",
              "formatter": 8,
              "formatOptions": {
                "palette": "orange",
                "aggregation": "Sum"
              }
            },
            {
              "columnMatch": "Affected Devices",
              "formatter": 8,
              "formatOptions": {
                "palette": "blue",
                "aggregation": "Sum"
              }
            },
            {
              "columnMatch": "Avg CVSS Score",
              "formatter": 18,
              "formatOptions": {
                "thresholdsOptions": "colors",
                "thresholdsGrid": [
                  {
                    "operator": ">=",
                    "thresholdValue": "9",
                    "representation": "red",
                    "text": "{0}"
                  },
                  {
                    "operator": ">=",
                    "thresholdValue": "5",
                    "representation": "orange",
                    "text": "{0}"
                  },
                  {
                    "operator": "Default",
                    "thresholdValue": null,
                    "representation": "yellow",
                    "text": "{0}"
                  }
                ]
              }
            }
          ]
        },
        "sortBy": []
      },
      "name": "table-detail"
    },
    {
      "type": 1,
      "content": {
        "json": "---\n## Vulnerability Trend by Device Category"
      },
      "name": "section-trend"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "Vulnerabilitystatistics_CL\n| where TimeGenerated {TimeRange}\n| extend DeviceCategory = trim(@\" \", tostring(DeviceCategory))\n| where DeviceCategory in (\"Windows Clients\", \"macOS\", \"Windows Server\", \"Linux Server\", \"Network Components\", \"Others / Unknown\")\n| summarize Vulnerability_Count=max(toint(Vulnerability_Count)) by TimeGenerated, DeviceCategory\n| render timechart with (xcolumn=TimeGenerated, ycolumns=Vulnerability_Count, series=DeviceCategory)",
        "size": 0,
        "title": "Vulnerability Count — Trend Over Time",
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "visualization": "timechart"
      },
      "name": "linechart-vulns"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "Vulnerabilitystatistics_CL\n| where TimeGenerated {TimeRange}\n| extend DeviceCategory = trim(@\" \", tostring(DeviceCategory))\n| where DeviceCategory in (\"Windows Clients\", \"macOS\", \"Windows Server\", \"Linux Server\", \"Network Components\", \"Others / Unknown\")\n| summarize Avg_CVSS_Score=avg(todouble(Avg_CVSS_Score)) by TimeGenerated, DeviceCategory\n| render timechart with (xcolumn=TimeGenerated, ycolumns=Avg_CVSS_Score, series=DeviceCategory)",
        "size": 0,
        "aggregation": 3,
        "title": "Average CVSS Score — Trend Over Time",
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "visualization": "timechart"
      },
      "name": "linechart-cvss"
    },
    {
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
        "query": "Vulnerabilitystatistics_CL\n| where TimeGenerated {TimeRange}\n| extend DeviceCategory = trim(@\" \", tostring(DeviceCategory))\n| where DeviceCategory in (\"Windows Clients\", \"macOS\", \"Windows Server\", \"Linux Server\", \"Network Components\", \"Others / Unknown\")\n| summarize Unique_CVEs_With_Exploit=max(toint(Unique_CVEs_With_Exploit)) by TimeGenerated, DeviceCategory\n| render timechart with (xcolumn=TimeGenerated, ycolumns=Unique_CVEs_With_Exploit, series=DeviceCategory)",
        "size": 0,
        "title": "CVEs with Available Exploit — Trend Over Time",
        "timeContextFromParameter": "TimeRange",
        "queryType": 0,
        "resourceType": "microsoft.operationalinsights/workspaces",
        "visualization": "timechart"
      },
      "name": "linechart-exploits"
    }
  ],
  "fallbackResourceIds": [
    "/subscriptions/378670e9-7fc1-464c-ad69-22d320c5417a/resourcegroups/p-rgr-mgmtsecurity-01/providers/microsoft.operationalinsights/workspaces/p-loa-securityhuntingenrichments-02"
  ],
  "fromTemplateId": "sentinel-UserWorkbook",
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}

About this query

Explanation

This query and its associated components are part of a system designed to provide a weekly overview of vulnerabilities across various device categories using Microsoft Defender data. Here's a simplified breakdown:

  1. Logic App:

    • Schedule: Runs every week.
    • Data Collection: Executes an advanced query using Microsoft Graph to gather vulnerability data from devices categorized as Windows servers, Windows clients, Linux, macOS, and network components.
    • Metrics: Collects data on total vulnerabilities, unique CVEs (Common Vulnerabilities and Exposures), exploitable CVEs, affected devices, and average CVSS (Common Vulnerability Scoring System) scores.
    • Data Ingestion: Sends the gathered data to Azure Monitor using the Log Ingestion API.
    • Success Check: Confirms successful data ingestion by checking for a 2xx HTTP response status. If successful, it logs the success; otherwise, it logs the error and marks the run as failed.
    • Authentication: Uses Managed Identity for secure access without embedded credentials.
  2. Sentinel Workbook:

    • Overview: Provides a consolidated view of vulnerability exposure across device categories.
    • KPI Tiles and Detail Table: Displays the latest snapshot of key metrics for each category, such as total vulnerabilities, unique CVEs, exploitable CVEs, affected devices, average CVSS score, and average vulnerabilities per device.
    • Trend Analysis: Visualizes trends over time for vulnerability volume, average severity, and exploitable CVEs, helping to identify risk areas and prioritize remediation efforts.

Overall, this system automates the collection, analysis, and visualization of vulnerability data to help organizations monitor and manage their security posture effectively.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: July 13, 2026

Tables

DeviceInfoDeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilitiesVulnerabilitystatistics_CL

Keywords

Vulnerability Statistics Sentinel WorkbookLogic AppSentinel WorkbookMicrosoft DefenderAdvanced HuntingMicrosoft GraphDevicesWindows ServersWindows ClientsLinuxmacOSNetwork ComponentsSecurity MetricsVulnerabilitiesCVEsCVSSAzure MonitorLog Ingestion APIManaged IdentityTVMKPITrendRiskRemediationDevice CategoriesVulnerability ExposureSnapshotTrend SectionComparisonPrioritization

Operators

letsummarizearg_maxextendcasehas_anystartswithprojectjoinkindondcountdcountifroundtorealnowsortdescwhereinagoascbymaxtointrendertimecharttrimtostringavgtodouble

Actions

GitHub