Using Advanced Hunting Query to identify Devices missing patch


Morning,

Using the following scenario as an example. Microsoft recategorised CVE-2022-37958 in December 2022; it was initially patched in September 2022.

I want to query my environment to determine the level of exposure and turned to Advanced Hunting to generate a query. It looks like the table "DeviceTvmSoftwareVulnerabilities" contains relevant information regarding missing patches. I'm not experienced with generating KQL queries but came up with:

// Devices that still have a vulnerability whose fix shipped in the September 2022 update
DeviceTvmSoftwareVulnerabilities
| where RecommendedSecurityUpdate contains "September 2022 Security Updates"
| summarize by DeviceId, DeviceName, RecommendedSecurityUpdate

Is there a better, more optimised way to meet the original requirement?

Paul


@Paul Bendall

Your approach is fine but if you want to be specific about the CVE, the following will do the trick:

// Amend the CVE list in the first line to suit
let CVEcheck = dynamic(["CVE-2022-37958", "CVE-XXXX-XXXXX"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (CVEcheck)
// One row per device/platform/KB: how many of the listed CVEs are open, and which ones
| summarize Securitypatches = count(), CVEs = make_set(CveId) by DeviceName, OSPlatform, KBID = RecommendedSecurityUpdateId
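As an added example (not part of the original thread), the same CVE filter can be extended with a join to DeviceTvmSoftwareVulnerabilitiesKB so the exposure picture is ranked by exploitability and CVSS rather than just listing devices; the CVE list and the 100-device cap on the set are assumed values to adjust.

```kql
// Constructed CVE list; replace with the CVEs being tracked
let CVEcheck = dynamic(["CVE-2022-37958"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (CVEcheck)
// Enrich each finding with CVSS score, exploit availability and publish date from the KB table
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
// One row per CVE, platform and missing KB, with the count of exposed devices
| summarize
    ExposedDevices = dcount(DeviceId),
    Devices = make_set(DeviceName, 100),   // cap assumed; raise if the estate is larger
    MaxCvss = max(CvssScore),
    Published = min(PublishedDate)
  by CveId, IsExploitAvailable, OSPlatform, KBID = RecommendedSecurityUpdateId
// Exploited-in-the-wild and highest-CVSS rows first, so patching can be prioritised
| order by IsExploitAvailable desc, MaxCvss desc, ExposedDevices desc
```

Rows with an empty KBID indicate findings for which Defender has no recommended update recorded, which is worth checking separately rather than treating as patched.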