[Solved] Hunt for exposed devices - threat and vulnerability management (Microsoft) - BEST Antivirus KBS : Largest Anti-Malware Knowlegde Base and Support

Use advanced hunting to find devices with vulnerabilities

Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. Learn more about advanced hunting

Schema tables

DeviceTvmSoftwareInventory – Inventory of software installed on devices, including their version information and end-of-support status.
DeviceTvmSoftwareVulnerabilities – Software vulnerabilities found on devices and the list of available security updates that address each vulnerability.
DeviceTvmSoftwareVulnerabilitiesKB – Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available.
DeviceTvmSecureConfigurationAssessment – Threat and vulnerability management assessment events, indicating the status of various security configurations on devices.
DeviceTvmSecureConfigurationAssessmentKB – Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks

Check which devices are involved in high severity alerts

Go to Hunting > Advanced hunting from the left-hand navigation pane of the Microsoft 365 Defender portal.
Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.

Enter the following queries:

Kusto

// Search for devices with High active alerts or Critical CVE public exploit
let DeviceWithHighAlerts = AlertInfo
| where Severity == "High"
| project Timestamp, AlertId, Title, ServiceSource, Severity
| join kind=inner (AlertEvidence | where EntityType == "Machine" | project AlertId, DeviceId, DeviceName) on AlertId
| summarize HighSevAlerts = dcount(AlertId) by DeviceId;
let DeviceWithCriticalCve = DeviceTvmSoftwareVulnerabilities
| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
| where IsExploitAvailable == 1 and CvssScore >= 7
| summarize NumOfVulnerabilities=dcount(CveId),
DeviceName=any(DeviceName) by DeviceId;
DeviceWithCriticalCve
| join kind=inner DeviceWithHighAlerts on DeviceId
| project DeviceId, DeviceName, NumOfVulnerabilities, HighSevAlerts

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

(Visited 186 times, 1 visits today)

Hunt for exposed devices – threat and vulnerability management (Microsoft)

Use advanced hunting to find devices with vulnerabilities

Schema tables

Check which devices are involved in high severity alerts

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

About

Partners

Resources

Use advanced hunting to find devices with vulnerabilities

Schema tables

Check which devices are involved in high severity alerts

Source : Official Microsoft Brand Editor by : BEST Antivirus KBS Team

Related Articles

All about Microsoft

Overview of Microsoft 365 Lighthouse

Microsoft Defender for Business (preview) – Frequently asked questions and answers

Get help and support for Microsoft Defender for Business (preview)

Manage your custom rules for firewall policies in Microsoft Defender for Business (preview)

Firewall in Microsoft Defender for Business (preview)

About

Partners

Resources

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team