Forum Discussion

dmarquesgn
Iron Contributor
Aug 21, 2023

Hunting query to extract unique CVEs with only 1 device

Hi,

I'm using Defender as my main vulnerability assessment platform and now I want to automate part of the process of opening tickets based on vulnerabilities, so those vulnerabilities can be solved.

To start I would like to get a Hunting query to get all vulnerabilities which have unique CVEs and only 1 exposed, so then I can list them and open tickets on our helpdesk platform based on some criteria.

But I'm kind of new to KQL and struggling a bit to be able to build such a query. Can someone help me on this?
Thanks

    dmarquesgn
    Iron Contributor

    dmarquesgn I was able to get that query running.

    Here it is for reference.

    DeviceTvmSoftwareVulnerabilities
        // One row per CVE: how many distinct devices expose it, and which ones.
        // dcount() rather than count(): a device with the same CVE in two
        // software entries produces two rows, which would otherwise hide it.
        | summarize dcount(DeviceName), make_set(DeviceName) by CveId
        // Keep only CVEs present on exactly one device.
        | where dcount_DeviceName == 1
        // Enrich with severity, CVSS score and exploit availability from the KB table.
        | join kind=leftouter DeviceTvmSoftwareVulnerabilitiesKB on CveId
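
    The same idea carried through to the ticketing step, as an added example that is not the poster's query: it pulls the fields a helpdesk ticket needs (severity, CVSS, exploit availability, affected software, recommended update) and applies a sample triage criterion. Column names are assumed from the Defender advanced-hunting schema for the two tables; the severity/exploit filter and the ticket title format are illustrative assumptions.

```kql
// Added example, not from the original post. Assumes the standard
// DeviceTvmSoftwareVulnerabilities / DeviceTvmSoftwareVulnerabilitiesKB columns.
DeviceTvmSoftwareVulnerabilities
| summarize
    ExposedDevices   = dcount(DeviceName),
    Devices          = make_set(DeviceName),
    AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion)),
    Updates          = make_set(RecommendedSecurityUpdate)
    by CveId
// CVEs that exist on exactly one device
| where ExposedDevices == 1
// Enrich from the KB table; project first so only the fields a ticket needs come across
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, VulnerabilitySeverityLevel, IsExploitAvailable, PublishedDate
  ) on CveId
| project-away CveId1
// Sample ticketing criterion (assumption): High/Critical, or anything with a public exploit
| where VulnerabilitySeverityLevel in ("High", "Critical") or IsExploitAvailable == true
// One device per row here, so flatten the set into a plain column for the ticket
| extend Device = tostring(Devices[0])
| extend TicketTitle = strcat("[", VulnerabilitySeverityLevel, "] ", CveId, " on ", Device)
| project TicketTitle, CveId, Device, VulnerabilitySeverityLevel, CvssScore,
          IsExploitAvailable, PublishedDate, AffectedSoftware, Updates
| order by IsExploitAvailable desc, CvssScore desc
```

    Each output row maps to one ticket; the `where` line is the place to encode whatever criteria the helpdesk integration should use.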
