Need report query for Vulnerable devices

Thanks for the reply and explanation, hopefully Microsoft see this and let us know how/when/if we can access that internal data.

Thanks for the search, it need to be tolower(VulnerabilitySeverityLevel) for anyone that gets an error.

My goal is to try determining a trend to see if the critical vulnerabilities are getting patched accordingly.

This is a search I came up with:

First I need to know the devices that actually was used, to make the graph smoother I use 3 days instead of 1d which makes it dump on weekends.
Then I make sure that a device has at least one critical cve.
Then basically graph it.

DeviceEvents
| summarize count() by bin(Timestamp, 3d), DeviceId
| lookup (DeviceTvmSoftwareVulnerabilities| project CveId,VulnerabilitySeverityLevel,DeviceId) on DeviceId
| lookup DeviceInfo on DeviceId
| where VulnerabilitySeverityLevel == "Critical"
| distinct Timestamp,DeviceId,CveId
| summarize devices=dcount(DeviceId) by Timestamp
| render timechart 

I would like to add(but dont know how) somehow a check that "max(bin) is less then PublishedDate for each "bin". 
For example, lets say all patches was applied up until yesterday (0 critical) then today 10 new was released and found on multiple devices today. My search then would think that there many unpatched devices but they were actually unknown up until today.

the graph shown in the built-in Vulnerable Devices report under Microsoft Defender for Endpoint Reports > Endpoints > Vulnerable devices is generated from data in the DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB, and DeviceInfo tables combined. The built-in report uses internal aggregation logic that is not fully exposed, but you can closely recreate it using a KQL query that leverages the PublishedDate field from the KB table as a timestamp reference.

Here is a practical version of the query that produces a very similar trend line by severity level:

DeviceTvmSoftwareVulnerabilities
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB 
    | project CveId, PublishedDate, Severity = tolower(Severity)) on CveId
| summarize DeviceCount = dcount(DeviceId) by bin(PublishedDate, 1d), Severity
| extend SeverityLevel = case(
    Severity == "critical", "Critical",
    Severity == "high", "High",
    Severity == "medium", "Medium",
    "Low")
| project PublishedDate, SeverityLevel, DeviceCount
| render timechart

This query uses the PublishedDate field as a proxy for when a vulnerability became visible in your data and groups device counts by severity over time. If you want to make it reflect the current active vulnerabilities rather than publication dates, you can replace PublishedDate with the device record ingestion time using ingestion_time().

The built-in report also applies extra filters such as IsExploitAvailable == true or ExposureScore > 0 to refine results depending on your view, so you can easily add those conditions to the query.

In short, while the default table does not include a timestamp, joining it with the KB table gives you the time dimension you need to rebuild the Vulnerable Devices trend report in custom dashboards or workbooks. Please hit like if you like the solution.