Forum Discussion
dmarquesgn
Aug 21, 2023 | Iron Contributor
Hunting query to extract unique CVEs with only 1 device
Hi,
I'm using Defender as my main vulnerability assessment platform and now I want to automate part of the process of opening tickets based on vulnerabilities, so those vulnerabilities can be solved.
To start I would like to get a Hunting query to get all vulnerabilities which have unique CVEs and only 1 exposed device, so then I can list them and open tickets on our helpdesk platform based on some criteria.
But I'm kind of new to KQL and struggling a bit to be able to build such a query. Can someone help me on this?
Thanks
dmarquesgn | Iron Contributor
dmarquesgn I was able to get that query running.
Here it is for reference.
DeviceTvmSoftwareVulnerabilities
| summarize count(), make_set(DeviceName) by CveId   // one row per CVE, with the set of device names
| where count_ == 1                                   // keep CVEs that appear on a single row
| join kind=leftouter DeviceTvmSoftwareVulnerabilitiesKB on CveId   // enrich with the CVE knowledge base
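The following is an added example, not from the thread, that builds on the query above. It counts distinct devices instead of rows (a device with the same CVE in two software versions otherwise counts twice and slips past `count_ == 1`), and it pulls severity, CVSS score and exploit availability from the KB table so the ticketing criteria can be applied directly. Column names assume the standard Defender advanced hunting schema for the two TVM tables.

```kql
// Added example: CVEs that currently expose exactly one device, enriched for ticketing.
// Assumes the standard advanced hunting schema for the two TVM tables.
DeviceTvmSoftwareVulnerabilities
| summarize
    ExposedDevices   = dcount(DeviceId),          // distinct devices, not rows
    DeviceNames      = make_set(DeviceName),
    AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion)),
    Fixes            = make_set(RecommendedSecurityUpdate)
    by CveId
| where ExposedDevices == 1                       // only CVEs with a single exposed device
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
| project CveId, DeviceNames, AffectedSoftware, Fixes,
          VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate
| sort by IsExploitAvailable desc, CvssScore desc  // exploitable, high-score CVEs first
```

Add a filter such as `| where IsExploitAvailable == true or CvssScore >= 7.0` before the `project` to encode the ticket-opening criteria in the query itself.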