Forum Discussion
SergioVargas
Feb 13, 2024 (Copper Contributor)
KQL Script to count the total of vulnerabilities over a time period.
Hi everyone,
I'm having some trouble crafting a KQL script to count vulnerabilities over a specific time period. I've been using the DeviceTvmSoftwareVulnerabilities table, but unfortunately, I couldn't find a Timestamp column in that table. I've also tried looking into other tables that might have a Timestamp field, but so far, I haven't had any success.
Here's the script I've been trying to work with:
DeviceTvmSoftwareVulnerabilities
| where Timestamp >= datetime(2024-01-01) and Timestamp < datetime(2024-02-01)
| summarize VulnerabilityCount = count() by DeviceId, VulnerabilityTitle
If anyone has any suggestions or guidance on how to proceed, I would greatly appreciate it. I've been reading documentation and searching forums online, but I'm currently running short on options.
Thank you in advance for any help you can provide!
Best regards,
Sergio
- cyb3rmik3 (Iron Contributor)
Hi SergioVargas,
Not sure if you can do anything more about this. If the tables had Timestamp information it would be feasible, but as TVM continuously assesses your endpoints, the query you are looking for is probably impossible to materialize.
If you have access to DeviceBaselineComplianceAssessment, though Timestamp is not available there either, you might be able to derive information from baseline assessments and hence have an overview of what your status is in a period of time.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
- SergioVargas (Copper Contributor)
Thanks for your answer cyb3rmik3
I will further investigate these options and explore how they can be utilized to gain insights into vulnerability trends and endpoint status over time. Additionally, I am aware that Microsoft Defender offers built-in reporting features that provide detailed vulnerability reports over specific periods, so I guess that, in some way, it could be possible to build those reports; anyway, I will explore other ways to have those reports.
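As an added example that is not part of the thread above: since DeviceTvmSoftwareVulnerabilities is a point-in-time snapshot without a Timestamp column (the point cyb3rmik3 makes), one thing that can be bounded by a date window is the CVE publication date, which lives in the companion table DeviceTvmSoftwareVulnerabilitiesKB. The query below joins the two on CveId and counts, per device and severity, the currently reported vulnerabilities whose CVE was published in the window. It assumes the Advanced Hunting schema columns CveId, PublishedDate, CvssScore, SoftwareName, DeviceName and VulnerabilitySeverityLevel; the window dates are constructed sample values.

```kql
// Added example, not code from the original thread.
// Assumed tables/columns (Microsoft Defender Advanced Hunting schema):
//   DeviceTvmSoftwareVulnerabilities   - per-device snapshot, no Timestamp column
//   DeviceTvmSoftwareVulnerabilitiesKB - CVE metadata, including PublishedDate
let windowStart = datetime(2024-01-01);   // constructed sample window
let windowEnd   = datetime(2024-02-01);
DeviceTvmSoftwareVulnerabilities
// Restrict to CVEs published inside the window. Only three right-hand
// columns are projected so that the join does not produce duplicate
// VulnerabilitySeverityLevel1 / CveId1 style columns we would not use.
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where PublishedDate >= windowStart and PublishedDate < windowEnd
    | project CveId, PublishedDate, CvssScore
  ) on CveId
// dcount(CveId) counts a CVE once per device even if several installed
// software versions expose the same CVE.
| summarize
    VulnerabilityCount = dcount(CveId),
    MaxCvss            = max(CvssScore),
    AffectedSoftware   = make_set(SoftwareName, 50)
  by DeviceId, DeviceName, VulnerabilitySeverityLevel
// Stamp the snapshot time so scheduled runs can be stored and compared later.
| extend SnapshotTime = now()
| order by VulnerabilityCount desc, MaxCvss desc
```

This does not give a historical count: it counts what is exposed at query time, filtered by when the CVE was published. For a real trend over time, the snapshot has to be captured repeatedly (for example on a schedule, keeping SnapshotTime) and the stored results compared, which is the same limitation the reply above describes.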