Custom critical filter for EDR/XDR
If you're looking for a specific CVE, you could try this:
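// Devices exposed to a single CVE, together with the users currently logged on to them.
// Sources: DeviceTvmSoftwareVulnerabilities (per-device exposure), DeviceTvmSoftwareVulnerabilitiesKB
// (per-CVE metadata: exploit availability, description) and DeviceInfo (logged-on users).
let cve = "CVE-2024-21338"; // Enter relevant CVE number here
let user = "UserName";      // Logged-on user to look for (substring match against LoggedOnUsers)
let CVE_Details =
DeviceTvmSoftwareVulnerabilities
| where CveId == cve // Filter before joining so only this CVE's rows take part in the join
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where CveId == cve
    | project CveId, IsExploitAvailable, VulnerabilityDescription
  ) on CveId // leftouter keeps the device row even if the KB has no entry for this CVE
| project CveId, Exploitable=IsExploitAvailable, Severity=VulnerabilitySeverityLevel, DeviceName, OSVersion, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, CVE_Description=VulnerabilityDescription, DeviceId;
// DeviceInfo carries one row per device report over the lookback window, so reduce it to the
// latest row per device before joining; join on DeviceId (the stable identifier) rather than
// DeviceName, which is not guaranteed to be unique and may be renamed.
let LatestDeviceInfo =
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, LoggedOnUsers;
CVE_Details
| join kind=inner LatestDeviceInfo on DeviceId
| where LoggedOnUsers contains user // 'contains' is a substring match; use 'has' if a whole-token match is wanted
| distinct DeviceName, CveId, Exploitable, Severity, LoggedOnUsers, OSVersion, SoftwareName, SoftwareVersion, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, CVE_Description
| sort by DeviceName asc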