Use advanced hunting to find devices with vulnerabilities
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. Learn more about advanced hunting. The vulnerability management data is exposed through the following advanced hunting tables:
- DeviceTvmSoftwareInventory – Inventory of software installed on devices, including their version information and end-of-support status.
- DeviceTvmSoftwareVulnerabilities – Software vulnerabilities found on devices and the list of available security updates that address each vulnerability.
- DeviceTvmSoftwareVulnerabilitiesKB – Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available.
- DeviceTvmSecureConfigurationAssessment – Threat and vulnerability management assessment events, indicating the status of various security configurations on devices.
- DeviceTvmSecureConfigurationAssessmentKB – Knowledge base of the various security configurations used by threat and vulnerability management to assess devices; includes mappings to various standards and benchmarks.
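The tables above can be combined in the same way as the alert and CVE tables are combined in the query further down. The following query is an added example and is not part of the original page or of Microsoft's documentation: it lists devices that run end-of-support software and also fail at least one high-impact secure-configuration check, joining the assessment table with its knowledge base to get a human-readable configuration name. Column names follow the published schema for these tables; the exact EndOfSupportStatus value strings (matched here with `startswith "EOS"`) and the ConfigurationImpact threshold of 8 are assumptions to adjust for your tenant.

```kusto
// Added example: devices that run end-of-support (EOS) software and also fail
// high-impact secure-configuration checks. Not from the original page.
// Assumption: EOS status values begin with "EOS" (e.g. "EOS Software", "EOS Version");
// "Upcoming EOS ..." values are deliberately excluded.
let EosSoftware = DeviceTvmSoftwareInventory
    | where EndOfSupportStatus startswith "EOS"
    | summarize EosCount = dcount(strcat(SoftwareVendor, "/", SoftwareName, "/", SoftwareVersion)),
                EosSoftware = make_set(SoftwareName, 10) by DeviceId, DeviceName;
// Assumption: ConfigurationImpact >= 8 is treated as "high impact" (scale is 1-10).
let FailingConfigs = DeviceTvmSecureConfigurationAssessment
    | where IsApplicable == 1 and IsCompliant == 0
    | where ConfigurationImpact >= 8
    | join kind=inner (DeviceTvmSecureConfigurationAssessmentKB
        | project ConfigurationId, ConfigurationName, ConfigurationBenchmarks) on ConfigurationId
    | summarize FailingConfigs = dcount(ConfigurationId),
                ConfigExamples = make_set(ConfigurationName, 5) by DeviceId;
EosSoftware
| join kind=inner FailingConfigs on DeviceId
| project DeviceId, DeviceName, EosCount, EosSoftware, FailingConfigs, ConfigExamples
| order by FailingConfigs desc, EosCount desc
```

Filtering on IsApplicable first avoids counting checks that do not apply to a device (for example, a Windows-only configuration on a Linux host) as failures; the KB is projected to the three columns needed before the join so that ConfigurationImpact and ConfigurationCategory, which exist in both tables, do not collide as duplicate columns.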
Check which devices are involved in high-severity alerts
- Go to Hunting > Advanced hunting from the left-hand navigation pane of the Microsoft 365 Defender portal.
- Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
- Enter the following queries:
```kusto
// Search for devices that have both High-severity active alerts and
// publicly exploitable CVEs with a CVSS score of 7 or higher.
// Note: CvssScore >= 7 matches both High (7.0-8.9) and Critical (9.0+) CVEs;
// raise the threshold to 9 to restrict the result to Critical CVEs only.
let DeviceWithHighAlerts = AlertInfo
    | where Severity == "High"
    | project Timestamp, AlertId, Title, ServiceSource, Severity
    | join kind=inner (AlertEvidence
        | where EntityType == "Machine"
        | project AlertId, DeviceId, DeviceName) on AlertId
    | summarize HighSevAlerts = dcount(AlertId) by DeviceId;
let DeviceWithCriticalCve = DeviceTvmSoftwareVulnerabilities
    | join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB) on CveId
    | where IsExploitAvailable == 1 and CvssScore >= 7
    | summarize NumOfVulnerabilities = dcount(CveId), DeviceName = any(DeviceName) by DeviceId;
DeviceWithCriticalCve
| join kind=inner DeviceWithHighAlerts on DeviceId
| project DeviceId, DeviceName, NumOfVulnerabilities, HighSevAlerts
```