Hunt for exposed devices

Use advanced hunting to find devices with vulnerabilities

Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. to Learn more about advanced hunting, see Advanced hunting overview.


Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to sign up for a free trial.

Schema tables

  • DeviceTvmSoftwareInventory - Inventory of software installed on devices, including their version information and end-of-support status.

  • DeviceTvmSoftwareVulnerabilities - Software vulnerabilities found on devices and the list of available security updates that address each vulnerability.

  • DeviceTvmSoftwareVulnerabilitiesKB - Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available.

  • DeviceTvmSecureConfigurationAssessment - Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices.

  • DeviceTvmSecureConfigurationAssessmentKB - Knowledge base of various security configurations used by Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks

  • DeviceTvmInfoGathering - Assessment events including the status of various configurations and attack surface area states of devices

  • DeviceTvmInfoGatheringKB - List of various configuration and attack surface area assessments used by Defender Vulnerability Management information gathering to assess devices

Check which devices are involved in high severity alerts

  1. Go to Hunting > Advanced hunting from the left-hand navigation pane of the Microsoft 365 Defender portal.

  2. Scroll through advanced hunting schemas to familiarize yourself with the column names.

  3. Enter the following queries:

    // Search for devices with High active alerts or Critical CVE public exploit
    let DeviceWithHighAlerts = AlertInfo
    | where Severity == "High"
    | project Timestamp, AlertId, Title, ServiceSource, Severity
    | join kind=inner (AlertEvidence | where EntityType == "Machine" | project AlertId, DeviceId, DeviceName) on AlertId
    | summarize HighSevAlerts = dcount(AlertId) by DeviceId;
    let DeviceWithCriticalCve = DeviceTvmSoftwareVulnerabilities
    | join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
    | where IsExploitAvailable == 1 and CvssScore >= 7
    | summarize NumOfVulnerabilities=dcount(CveId),
    DeviceName=any(DeviceName) by DeviceId;
    | join kind=inner DeviceWithHighAlerts on DeviceId
    | project DeviceId, DeviceName, NumOfVulnerabilities, HighSevAlerts