Forum Discussion

SergioVargas
Copper Contributor
Feb 13, 2024

KQL Script to count the total of vulnerabilities over a time period.

Hi everyone,

I'm having some trouble crafting a KQL script to count vulnerabilities over a specific time period. I've been using the DeviceTvmSoftwareVulnerabilities table, but unfortunately, I couldn't find a Timestamp column in that table. I've also tried looking into other tables that might have a Timestamp field, but so far, I haven't had any success.

Here's the script I've been trying to work with:

// Does not run as written: DeviceTvmSoftwareVulnerabilities has no Timestamp column
// (the table is a point-in-time snapshot of the latest assessment, not an event log).
DeviceTvmSoftwareVulnerabilities
| where Timestamp >= datetime(2024-01-01) and Timestamp < datetime(2024-02-01)
| summarize VulnerabilityCount = count() by DeviceId, VulnerabilityTitle

If anyone has any suggestions or guidance on how to proceed, I would greatly appreciate it. I've been reading documentation and searching forums online, but I'm currently running short on options.


Thank you in advance for any help you can provide!

Best regards,

Sergio

  • cyb3rmik3
    Iron Contributor

    Hi SergioVargas,

    Not sure if you can do anything more about this. If the tables had Timestamp information, it would be feasible, but as TVM continuously assesses your endpoints, the query you are looking for is probably impossible to materialize.

    If you have access to DeviceBaselineComplianceAssessment, though Timestamp is not available there either, you might be able to derive information from baseline assessments, hence having an overview of what your status is over a period of time.

    If I have answered your question, please mark your post as Solved

    If you like my response, please consider giving it a like

    • SergioVargas
      Copper Contributor
      Thanks for your answer cyb3rmik3

      I will further investigate these options and explore how they can be utilized to gain insights into vulnerability trends and endpoint status over time. Additionally, I am aware that Microsoft Defender offers built-in reporting features that provide detailed vulnerability reports over specific periods, so I guess that, in some way, it could be possible to build those reports; anyway, I will explore other ways to have those reports.
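
As an added example that is not part of this thread: the two queries below assume the documented advanced hunting schemas of DeviceTvmSoftwareVulnerabilities (a point-in-time snapshot of the latest assessment, with no Timestamp column, as cyb3rmik3 notes) and DeviceTvmSoftwareVulnerabilitiesKB (one row per CVE, with a PublishedDate column). The first counts what is open right now, which is the only thing the snapshot table can answer. The second uses the CVE publication date as the one time axis these tables offer; it answers "how much of our current exposure comes from CVEs published in January 2024", which is a different question from "how many vulnerabilities did we have in January". The date bounds are placeholders taken from the original post. Trending the count itself over time still requires saving snapshots outside the table (for example via the built-in reports Sergio mentions, or a scheduled export), because nothing in the table records when a row first appeared.

```kql
// Added example, not code from the original thread. Assumes the documented
// schemas of DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB.

// 1) Current exposure per device and severity.
//    The table is a snapshot, so this is "as of the latest assessment".
//    dcount(CveId) matters: a device gets one row per affected
//    software/version, so count() would overstate the number of CVEs.
DeviceTvmSoftwareVulnerabilities
| summarize OpenCves = dcount(CveId) by DeviceId, DeviceName, VulnerabilitySeverityLevel
| order by OpenCves desc

// 2) Current exposure bucketed by when the CVE was published.
//    PublishedDate lives in the KB table, so join on CveId. The right side is
//    projected to avoid duplicate column names (e.g. VulnerabilitySeverityLevel1).
let periodStart = datetime(2024-01-01);   // placeholder bounds from the original post
let periodEnd   = datetime(2024-02-01);
DeviceTvmSoftwareVulnerabilities
| distinct DeviceId, CveId, VulnerabilitySeverityLevel   // collapse per-software rows to device/CVE pairs
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where PublishedDate >= periodStart and PublishedDate < periodEnd
    | project CveId, PublishedDate, CvssScore, IsExploitAvailable
  ) on CveId
| summarize
    ExposedDevices = dcount(DeviceId),      // devices with at least one CVE from this bucket
    DistinctCves   = dcount(CveId),         // distinct CVEs from this bucket still open somewhere
    DeviceCvePairs = count(),               // total open (device, CVE) pairs
    WithPublicExploit = countif(IsExploitAvailable == true)
  by PublishedMonth = startofmonth(PublishedDate), VulnerabilitySeverityLevel
| order by PublishedMonth asc, VulnerabilitySeverityLevel asc
```

Both queries run in the Microsoft Defender advanced hunting editor as separate statements. To turn query 2 into a real trend, run it on a schedule and store each result with the run date; the stored series, not the live table, is what the original post was asking for.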
