Forum Discussion
Custom critical filter for EDR/XDR
It depends on what you consider to be 'critical'. If it's for a vulnerability with an exploit available, you could use KQL to detect these and a custom detection rule to generate an alert:
DeviceTvmSoftwareVulnerabilities
| join kind=inner DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where IsExploitAvailable == (1) // 1 is Yes, 0 is No
//| where OSPlatform contains "server" // Filters for CVEs impacting servers
//| where OSPlatform == "Windows10" or OSPlatform == "Windows11" // Filters for CVEs impacting workstations
| project DeviceName, OSPlatform, OSVersion, SoftwareName, SoftwareVendor, SoftwareVersion, CVE=CveId, CvssScore, Severity=VulnerabilitySeverityLevel, MissingKB=RecommendedSecurityUpdateId, UpdateName=RecommendedSecurityUpdate, Description=VulnerabilityDescription
| sort by DeviceName asc, CvssScore desc
You could also amend this to search for severity = critical, or above a certain CVSS score too.
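As an added example (not the original poster's query), the variant below applies both of the suggested amendments at once, exploit availability plus a severity or CVSS floor, and then rolls the results up per device so a custom detection rule raises one alert per host rather than one per CVE. Column names follow the Defender advanced hunting schema used above; the CVSS threshold of 7.0 and the 50-item cap on the sets are assumed tuning values.

```kql
// Added example: exploitable vulnerabilities that are also Critical or score
// at or above an assumed CVSS floor, summarised per device.
let MinCvss = 7.0;                         // assumed threshold, tune to taste
DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == 1        // only CVEs with a known exploit
    | project CveId, CvssScore, VulnerabilityDescription
  ) on CveId
| where VulnerabilitySeverityLevel == "Critical" or CvssScore >= MinCvss
| summarize
    ExploitableCves  = dcount(CveId),
    MaxCvss          = max(CvssScore),
    Cves             = make_set(CveId, 50),
    AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion), 50)
  by DeviceId, DeviceName, OSPlatform
| sort by MaxCvss desc, ExploitableCves desc
```

Keeping DeviceId in the output is what lets the alert be attached to the device entity when the query is saved as a custom detection rule; check the rule editor for any further columns it requires in your tenant before saving.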