Need report query for Vulnerable devices

the graph shown in the built-in Vulnerable Devices report under Microsoft Defender for Endpoint Reports > Endpoints > Vulnerable devices is generated from data in the DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB, and DeviceInfo tables combined. The built-in report uses internal aggregation logic that is not fully exposed, but you can closely recreate it using a KQL query that leverages the PublishedDate field from the KB table as a timestamp reference.

Here is a practical version of the query that produces a very similar trend line by severity level:

DeviceTvmSoftwareVulnerabilities
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB 
    | project CveId, PublishedDate, Severity = tolower(Severity)) on CveId
| summarize DeviceCount = dcount(DeviceId) by bin(PublishedDate, 1d), Severity
| extend SeverityLevel = case(
    Severity == "critical", "Critical",
    Severity == "high", "High",
    Severity == "medium", "Medium",
    "Low")
| project PublishedDate, SeverityLevel, DeviceCount
| render timechart

This query uses the PublishedDate field as a proxy for when a vulnerability became visible in your data and groups device counts by severity over time. If you want to make it reflect the current active vulnerabilities rather than publication dates, you can replace PublishedDate with the device record ingestion time using ingestion_time().

The built-in report also applies extra filters such as IsExploitAvailable == true or ExposureScore > 0 to refine results depending on your view, so you can easily add those conditions to the query.

In short, while the default table does not include a timestamp, joining it with the KB table gives you the time dimension you need to rebuild the Vulnerable Devices trend report in custom dashboards or workbooks. Please hit like if you like the solution.