Hunting query to extract unique CVEs with only 1 device

Hi,

I'm using Defender as my main vulnerability assessment platform and now I want to automate part of the process of opening tickets based on vulnerabilities, so those vulnerabilities can be solved.

To start I would like to get a Hunting query to get all vulnerabilities which have unique CVEs and only 1 exposed, so then I can list them and open tickets on our helpdesk platform based on some criteria.

But I'm kind of new to KQL and struggling a bit to be able to build such a query. Can someone help me with this?
Thanks

@dmarquesgn I was able to get that query running.

Here it is for reference.

```kusto
DeviceTvmSoftwareVulnerabilities
// one row per device/software/CVE, so count distinct devices rather than rows
| summarize DeviceCount = dcount(DeviceId), Devices = make_set(DeviceName) by CveId
// keep only CVEs that are exposed on exactly one device
| where DeviceCount == 1
// enrich with CVSS score, severity and exploit availability from the KB table
| join kind=leftouter DeviceTvmSoftwareVulnerabilitiesKB on CveId
```
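To carry the query's output into the ticketing step the question asks about, here is an added Python example (not code from this thread) that runs it through the Microsoft Graph advanced hunting endpoint and turns each single-device CVE into a ticket record. The bearer token, the ticket criteria (CVSS threshold or public exploit) and the sample rows are assumptions; the rows are constructed, not tenant data.

```python
import json
import urllib.request

# Same logic as the thread's query, with a project so rows stay small.
HUNTING_QUERY = """
DeviceTvmSoftwareVulnerabilities
| summarize DeviceCount = dcount(DeviceId), Devices = make_set(DeviceName) by CveId
| where DeviceCount == 1
| join kind=leftouter DeviceTvmSoftwareVulnerabilitiesKB on CveId
| project CveId, Devices, CvssScore, VulnerabilitySeverityLevel, IsExploitAvailable
"""
GRAPH_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"


def run_hunting_query(token, query=HUNTING_QUERY):
    """POST the query to Graph advanced hunting (token with ThreatHunting.Read.All
    assumed) and return the 'results' rows, one dict per CVE."""
    body = json.dumps({"Query": query}).encode()
    req = urllib.request.Request(
        GRAPH_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)["results"]


def select_tickets(rows, min_cvss=7.0):
    """Assumed ticket criteria: CVSS >= min_cvss, or a public exploit is known.
    Returns ticket dicts sorted by descending CVSS."""
    tickets = []
    for r in rows:
        score = float(r["CvssScore"]) if r.get("CvssScore") is not None else 0.0
        if score < min_cvss and not r.get("IsExploitAvailable"):
            continue
        tickets.append({
            "title": f"{r['CveId']} on {r['Devices'][0]}",  # exactly one device
            "cvss": score,
            "severity": r.get("VulnerabilitySeverityLevel"),
            "exploit_available": bool(r.get("IsExploitAvailable")),
        })
    return sorted(tickets, key=lambda t: -t["cvss"])


# Constructed sample rows in the shape Graph returns; CVE ids are placeholders.
SAMPLE_ROWS = [
    {"CveId": "CVE-0000-0001", "Devices": ["host-a"], "CvssScore": 9.8,
     "VulnerabilitySeverityLevel": "Critical", "IsExploitAvailable": True},
    {"CveId": "CVE-0000-0002", "Devices": ["host-b"], "CvssScore": 4.3,
     "VulnerabilitySeverityLevel": "Medium", "IsExploitAvailable": False},
    {"CveId": "CVE-0000-0003", "Devices": ["host-c"], "CvssScore": 5.0,
     "VulnerabilitySeverityLevel": "Medium", "IsExploitAvailable": True},
]
```

Replace `SAMPLE_ROWS` with `run_hunting_query(token)` to work from live results; only the ticket creation call to your helpdesk is left to add.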