Hunt for exposed devices
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Servers Plan 1 & 2
Use advanced hunting to find devices with vulnerabilities
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. To learn more about advanced hunting, see Advanced hunting overview.
Tip
Did you know you can try all the features in Microsoft Defender Vulnerability Management for free? Find out how to sign up for a free trial.
Schema tables
DeviceTvmSoftwareInventory - Inventory of software installed on devices, including their version information and end-of-support status.
DeviceTvmSoftwareVulnerabilities - Software vulnerabilities found on devices and the list of available security updates that address each vulnerability.
DeviceTvmSoftwareVulnerabilitiesKB - Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available.
DeviceTvmSecureConfigurationAssessment - Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices.
DeviceTvmSecureConfigurationAssessmentKB - Knowledge base of various security configurations used by Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks.
DeviceTvmInfoGathering - Assessment events including the status of various configurations and attack surface area states of devices.
DeviceTvmInfoGatheringKB - List of various configuration and attack surface area assessments used by Defender Vulnerability Management information gathering to assess devices.
Check which devices are involved in high severity alerts
Go to Hunting > Advanced hunting from the left-hand navigation pane of the Microsoft Defender portal.
Scroll through advanced hunting schemas to familiarize yourself with the column names.
Enter the following query (the leading comment must stay on its own line, otherwise the whole query is commented out):
// Search for devices with High active alerts or Critical CVE public exploit
let DeviceWithHighAlerts = AlertInfo
| where Severity == "High"
| project Timestamp, AlertId, Title, ServiceSource, Severity
| join kind=inner (AlertEvidence
    | where EntityType == "Machine"
    | project AlertId, DeviceId, DeviceName) on AlertId
| summarize HighSevAlerts = dcount(AlertId) by DeviceId;
let DeviceWithCriticalCve = DeviceTvmSoftwareVulnerabilities
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB) on CveId
| where IsExploitAvailable == 1 and CvssScore >= 7
| summarize NumOfVulnerabilities = dcount(CveId), DeviceName = any(DeviceName) by DeviceId;
DeviceWithCriticalCve
| join kind=inner DeviceWithHighAlerts on DeviceId
| project DeviceId, DeviceName, NumOfVulnerabilities, HighSevAlerts
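The query above tells you which devices are exposed, but not what is driving the exposure. The following refinement is an added example, not a query from the article or from Microsoft: it keeps the same two-step structure (high-severity alerts joined with exploitable, high-CVSS vulnerabilities), limits alerts to the 30-day window advanced hunting retains, and carries the actual CVE list, highest CVSS score and affected software names into the result so a responder can prioritise patching. The column SoftwareName is assumed to exist in DeviceTvmSoftwareVulnerabilities (it is not shown on this page); every other column is one the page already uses.

```kql
// Added example (not from the original article): which exposed devices to fix first.
// Assumption: DeviceTvmSoftwareVulnerabilities exposes a SoftwareName column.
let lookback = 30d;
// Step 1: devices that were evidence in a High-severity alert within the retention window
let DeviceWithHighAlerts = AlertInfo
| where Timestamp > ago(lookback) and Severity == "High"
| join kind=inner (AlertEvidence
    | where EntityType == "Machine"
    | project AlertId, DeviceId) on AlertId
| summarize HighSevAlerts = dcount(AlertId), LatestAlert = max(Timestamp) by DeviceId;
// Step 2: devices carrying vulnerabilities that have public exploit code and CVSS >= 7,
// filtering the knowledge base before the join so only exploitable CVEs are matched
let DeviceWithCriticalCve = DeviceTvmSoftwareVulnerabilities
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == 1 and CvssScore >= 7
    | project CveId, CvssScore) on CveId
| summarize NumOfVulnerabilities = dcount(CveId),
            MaxCvss = max(CvssScore),
            ExploitableCves = make_set(CveId, 20),     // cap the array at 20 entries
            AffectedSoftware = make_set(SoftwareName, 20),
            DeviceName = any(DeviceName) by DeviceId;
// Step 3: intersect both sets and rank by alert count, then by worst CVSS score
DeviceWithCriticalCve
| join kind=inner DeviceWithHighAlerts on DeviceId
| project DeviceId, DeviceName, HighSevAlerts, LatestAlert,
          NumOfVulnerabilities, MaxCvss, ExploitableCves, AffectedSoftware
| sort by HighSevAlerts desc, MaxCvss desc
```

Filtering DeviceTvmSoftwareVulnerabilitiesKB before the join rather than after it reduces the join input to the exploitable CVEs only, which matters on large tenants where the per-device vulnerability table is the biggest table in the query. The ExploitableCves column can be fed straight into a remediation request, and the LatestAlert column shows whether the device is actively being targeted or only historically exposed.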
Related topics