Aug 21 2023 01:13 AM
Hi,
I'm using Defender as my main vulnerability assessment platform and now I want to automate part of the process of opening tickets based on vulnerabilities, so those vulnerabilities can be solved.
To start I would like to get a Hunting query to get all vulnerabilities which have unique CVEs and only 1 exposed, so then I can list them and open tickets on our helpdesk platform based on some criteria.
But I'm kind of new to KQL and struggling a bit to be able to build such a query. Can someone help me with this?
Thanks
Aug 22 2023 04:25 PM
@dmarquesgn I was able to get that query running.
Here it is for reference.
// Count the vulnerable rows per CVE and collect the device names seen for it
DeviceTvmSoftwareVulnerabilities
| summarize count(), make_set(DeviceName) by CveId
// count() is emitted as the column count_; keep only CVEs seen exactly once
| where count_ == 1
// Enrich with the knowledge-base details (CVSS, severity, exploit availability)
| join kind=leftouter DeviceTvmSoftwareVulnerabilitiesKB on CveId
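An added example building on the answer above (not the original poster's query): it keeps the same shape but counts distinct DeviceId values rather than rows, so a single device with several vulnerable versions of the same software is still counted once, and it projects only the fields a helpdesk ticket would carry. The column names are those of the standard Defender Vulnerability Management advanced hunting schema; the MinCvss threshold is a placeholder for whatever criteria the ticketing rule uses.

```kql
// Added example, not from the original post. Assumes the standard
// DeviceTvmSoftwareVulnerabilities / DeviceTvmSoftwareVulnerabilitiesKB schema.
// MinCvss is a placeholder ticketing threshold; adjust to local policy.
let MinCvss = 7.0;
DeviceTvmSoftwareVulnerabilities
| summarize
    ExposedDevices = dcount(DeviceId),          // distinct devices, not rows
    DeviceName = take_any(DeviceName),          // the one device (ExposedDevices == 1)
    AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion)),
    RecommendedSecurityUpdate = take_any(RecommendedSecurityUpdate)
    by CveId
| where ExposedDevices == 1
// Inner join: a CVE with no KB entry has no CVSS score and cannot pass the threshold anyway
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, VulnerabilitySeverityLevel, PublishedDate
  ) on CveId
| where CvssScore >= MinCvss
| project CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate,
          DeviceName, AffectedSoftware, RecommendedSecurityUpdate
| sort by IsExploitAvailable desc, CvssScore desc
```

The result is one row per CVE, ordered so that publicly exploitable, high-CVSS findings come first, which is the order tickets would sensibly be raised in. The join is an inner join rather than the leftouter join in the answer above because the CvssScore filter would drop unmatched rows anyway; switch it back to leftouter and remove the threshold if CVEs missing from the KB should still produce a ticket.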