From 0368e24c701675d4df2045995025a944736f5124 Mon Sep 17 00:00:00 2001 From: Dulce Montemayor Date: Sun, 27 Oct 2019 23:27:36 -0700 Subject: [PATCH] Added TVM hunting scenario --- .../threat-and-vuln-mgt-scenarios.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index b60fa10848..fd56a9b315 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
@@ -150,6 +150,29 @@ When an exception is created for a recommendation, the recommendation is no long 6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). +## Use Advanced hunting query to search for machines with High active alerts or Critical CVE public exploit + +1. Go to **Advanced hunting** from the left-hand navigation pane. + +2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names. + +3. Enter the following queries: + +``` +// Search for machines with High active alerts or Critical CVE public exploit +DeviceTvmSoftwareInventoryVulnerabilities +| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId +| where IsExploitAvailable == 1 and CvssScore >= 7 +| summarize NumOfVulnerabilities=dcount(CveId), +ComputerName=any(ComputerName) by MachineId +| join kind =inner(AlertEvents) on MachineId +| summarize NumOfVulnerabilities=any(NumOfVulnerabilities), +ComputerName=any(ComputerName) by MachineId, AlertId +| project ComputerName, NumOfVulnerabilities, AlertId +| order by NumOfVulnerabilities desc + +``` + ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
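Review bot: The query in this hunk does not match the heading it sits under. The heading promises machines "with High active alerts or Critical CVE public exploit", but the `| join kind =inner(AlertEvents) on MachineId` step joins every alert for the machine with no filter on alert severity or on whether the alert is still active, and the `| where IsExploitAvailable == 1 and CvssScore >= 7` line admits CVSS 7.0 to 8.9 vulnerabilities, which are High, not Critical. Either add a severity/status filter after the AlertEvents join and raise the CVSS threshold (9 or above for Critical), or reword the heading and the `// Search for machines with High active alerts or Critical CVE public exploit` comment to describe what the query actually returns (exploitable vulnerabilities of CVSS 7 or higher on machines that have any alert). Note also that the two `summarize` steps are combined with `and`-style logic through the inner join, so the result is machines with both conditions, not "or" as the heading says. Minor points: step 3 says "Enter the following queries" but only one query follows; the fenced block should be tagged with the language (```kusto) as other advanced hunting pages in this repo do, so it renders with highlighting; and the stray blank line before the closing fence can be dropped.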