Using Advanced Hunting Query to identify Devices missing patch

Using the following scenario as an example: Microsoft recategorised CVE-2022-37958 in December 2022; it was initially patched in September 2022.

I want to query my environment to determine the level of exposure and turned to Advanced Hunting to generate a query. It looks like the table "DeviceTvmSoftwareVulnerabilities" contains relevant information regarding missing patches. I'm not experienced with generating KQL queries but came up with:

// Source table: DeviceTvmSoftwareVulnerabilities is the table named in the question;
// the query as posted started at the first pipe, so the table line is restored here.
DeviceTvmSoftwareVulnerabilities
// Match any unpatched finding whose fix shipped in the September 2022 update
| where RecommendedSecurityUpdate contains "September 2022 Security Updates"
// One row per device and recommended update
| summarize by DeviceId, DeviceName, RecommendedSecurityUpdate



Is there a better, more optimised way to meet the original requirement?


1 Reply

@Paul Bendall

Your approach is fine, but if you want to be specific about the CVE, the following will do the trick:

// Amend CVE list in first line to suit
let CVEcheck = dynamic(["CVE-2022-37958","CVE-XXXX-XXXXX"]);
// Source table (same table the question names; the line was dropped in the posted reply)
DeviceTvmSoftwareVulnerabilities
// Keep only findings for the CVEs of interest
| where CveId in (CVEcheck)
// Count findings per device, list the matching CVEs, and surface the recommended KB
| summarize Securitypatches = count(), make_set(CveId) by DeviceName, OSPlatform, KBID = RecommendedSecurityUpdateId
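Two things worth knowing when reading either query above. DeviceTvmSoftwareVulnerabilities only lists vulnerabilities that are still detected on a device, so a device that took the September update will simply not appear, and the count you get back is the exposed set, not the whole fleet. Filtering on RecommendedSecurityUpdate, as in the question, returns every unpatched CVE fixed by that update; filtering on CveId, as in the reply, narrows it to the CVEs you care about. The query below is an added example, not part of either post: it keeps the reply's CveId filter and joins the per-CVE table DeviceTvmSoftwareVulnerabilitiesKB so the output carries the current CVSS score, the exploit-availability flag and the published date, which is what you want when a CVE has been re-rated after its patch shipped. The CVE list and the column aliases (MaxCvss, ExploitAvailable, AffectedSoftware) are the only assumptions; the table and column names are the documented Defender schema.

```kusto
// Added example: per-device exposure for a CVE list, enriched with the KB table.
// Not from the original post. Amend the CVE list to suit your case.
let CVEcheck = dynamic(["CVE-2022-37958"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (CVEcheck)
// Pull the current rating for each CVE; VulnerabilitySeverityLevel is dropped from
// the right side because the left table already has a column of that name.
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
| summarize
    Findings = count(),
    CVEs = make_set(CveId),
    MaxCvss = max(CvssScore),
    // 1 if any matched CVE has a known public exploit, else 0
    ExploitAvailable = max(toint(IsExploitAvailable)),
    FirstPublished = min(PublishedDate),
    AffectedSoftware = make_set(strcat(SoftwareName, " ", SoftwareVersion))
  by DeviceId, DeviceName, OSPlatform, OSVersion, KBID = RecommendedSecurityUpdateId
// Worst-rated and exploitable devices first
| order by ExploitAvailable desc, MaxCvss desc, DeviceName asc
```

If you only need a headline number rather than a device list, replace the summarize with `| summarize ExposedDevices = dcount(DeviceId) by CveId` before the join; the join is what costs time on large tenants, so add it only when you want the per-CVE rating in the same result.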