Forum Discussion
mathurin68
Dec 15, 2021, Brass Contributor
KQL for Public Facing CVE-2021-44228 Hosts
We came up with the following KQL but are still learning. Could someone double-check our work?
DeviceTvmSoftwareVulnerabilities
| where CveId == 'CVE-2021-44228'
| project DeviceId, DeviceNam...
AnuragSrivastava
Dec 15, 2021, Iron Contributor
mathurin68
Try using this:
DeviceTvmSoftwareVulnerabilities
| where CveId == 'CVE-2021-44228'
| join kind=inner (DeviceEvents
| distinct LocalIP, DeviceName)
on $left.DeviceId == $right.DeviceId
| distinct DeviceName, LocalIP
mathurin68
Dec 16, 2021, Brass Contributor
For whatever reason this doesn't seem to work in ours... BUT many, many thanks for the effort!
AnuragSrivastava
Dec 17, 2021, Iron Contributor
Missed one parameter, please try the below
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2021-44228")
| join kind = inner(DeviceEvents
| distinct LocalIP, DeviceName, DeviceId)
on $left.DeviceId == $right.DeviceId
| distinct DeviceName, LocalIP
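
Added example, not part of any post in this thread: one way to narrow the CVE-2021-44228 device list to hosts that recently accepted inbound connections from public addresses, which is the "public facing" part of the thread title. The 7-day lookback and the use of `RemoteIPType == "Public"` on `DeviceNetworkEvents` as the exposure signal are assumptions of this example.

```kql
// Added example (not from the thread). Assumptions: 7-day lookback; "public facing"
// is approximated as "accepted an inbound connection from a public remote address".
let lookback = 7d;
// Devices that TVM reports as affected by the Log4j CVE, with the affected software.
let vulnerable =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2021-44228"
    | summarize VulnerableSoftware = make_set(strcat(SoftwareName, " ", SoftwareVersion))
        by DeviceId, DeviceName;
// Inbound connections accepted from public addresses, rolled up per device.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "InboundConnectionAccepted"
| where RemoteIPType == "Public"
| summarize InboundConnections = count(),
            LocalIPs = make_set(LocalIP),
            LocalPorts = make_set(LocalPort),
            LastSeen = max(Timestamp)
    by DeviceId
// Join on DeviceId, the key present in both tables.
| join kind=inner vulnerable on DeviceId
| project DeviceName, DeviceId, LocalIPs, LocalPorts, InboundConnections, LastSeen, VulnerableSoftware
| order by InboundConnections desc
```

Hosts published through a reverse proxy, load balancer or NAT see a private remote address and will not appear in this result, so an empty row set does not show that a device is unreachable from the internet.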