Dec 22 2022 04:16 AM
Morning,
Using the following scenario as an example: Microsoft recategorised CVE-2022-37958 in December 2022; it was initially patched in September 2022.
I want to query my environment to determine the level of exposure and turned to Advanced Hunting to generate a query. It looks like the table "DeviceTvmSoftwareVulnerabilities" contains relevant information regarding missing patches. I'm not experienced with generating KQL queries but came up with:
// Devices whose recommended fix is part of the September 2022 update cycle
DeviceTvmSoftwareVulnerabilities
| where RecommendedSecurityUpdate contains "September 2022 Security Updates"
// One row per device and recommended update
| summarize by DeviceId, DeviceName, RecommendedSecurityUpdate
Is there a better, more optimised way to meet the original requirement?
Paul
Jan 04 2023 07:31 AM
Your approach is fine, but if you want to be specific about the CVE, the following will do the trick:
// Amend CVE list in first line to suit
let CVEcheck = dynamic(["CVE-2022-37958", "CVE-XXXX-XXXXX"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (CVEcheck)
// Per device: how many of the listed CVEs are open, which ones, and the KB that fixes them
| summarize Securitypatches = count(), make_set(CveId) by DeviceName, OSPlatform, KBID = RecommendedSecurityUpdateId
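An added example, not posted by either participant above: the same CVE-scoped query, joined to DeviceTvmSoftwareVulnerabilitiesKB so each exposed device also carries the CVSS score and whether a public exploit is known, which is what "level of exposure" usually needs for prioritisation. It assumes the Advanced Hunting schema columns named below (CvssScore, IsExploitAvailable, PublishedDate on the KB table; RecommendedSecurityUpdateId, OSVersion on the device table); the CVE list is a placeholder to replace with the CVEs you are tracking.

```kql
// Added example (not from the thread). Assumes the Advanced Hunting schema for
// DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB.
// Replace the placeholder CVE list with the CVEs you are tracking.
let CVEcheck = dynamic(["CVE-2022-37958"]);
// One row per CVE: severity metadata from the knowledge-base table
let kb = DeviceTvmSoftwareVulnerabilitiesKB
    | where CveId in (CVEcheck)
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate;
// One row per device that still reports any of the listed CVEs
DeviceTvmSoftwareVulnerabilities
| where CveId in (CVEcheck)
// leftouter keeps a device even if the KB table has no metadata for its CVE
| join kind=leftouter kb on CveId
| summarize
    OpenCVEs    = make_set(CveId),
    MissingKBs  = make_set(RecommendedSecurityUpdateId),
    MaxCvss     = max(CvssScore),
    ExploitRows = countif(IsExploitAvailable)
    by DeviceId, DeviceName, OSPlatform, OSVersion
// True when at least one open CVE on the device has a known exploit
| extend ExploitAvailable = ExploitRows > 0
| project-away ExploitRows
// Worst exposure first
| order by ExploitAvailable desc, MaxCvss desc, DeviceName asc
```

For a management roll-up rather than a device list, replace the final `order by` with `| summarize ExposedDevices = dcount(DeviceId), WithExploit = countif(ExploitAvailable) by OSPlatform`. Keep the `join` before the `summarize`: the TVM tables are point-in-time snapshots, so a device drops out of the result once the recommended update is applied, which makes re-running the query a cheap way to track remediation progress.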