Forum Discussion
marktait19
Feb 08, 2023 Copper Contributor
Security Recommendation - is it available in any table in KQL query editor
Hi. When in Security Recommendations, I can enter a CVE reference, and there is a column in the display for "Security Recommendation" (please see attached screenshot). So for example, for: CV...
- Mar 01, 2023 fixed it.
try this:
DeviceTvmSecureConfigurationAssessment
| project DeviceName, ConfigurationId
| join kind=inner ( DeviceTvmSecureConfigurationAssessmentKB
| project ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions, ConfigurationId
)
on ConfigurationId
| project ConfigurationId, DeviceName, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| distinct DeviceName, ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationCategory, ConfigurationImpact, ConfigurationSubcategory, RemediationOptions
| sort by DeviceName asc
marktait19
Mar 01, 2023 Copper Contributor
Thank you for your suggestion.
When I run this, I'm only getting 1 device returned (with 118 results - I'm looking over the last 30 days), but I can't see anything in the query which would limit the results.
I'll keep working with the query you've provided though - it must be a restriction on my end that's limiting it.
Cheers, Mark
BaruchAbitbol
Mar 01, 2023 Copper Contributor
You can add the following filter in line 2 in order to limit it to 7 days:
| where Timestamp > ago (7d)