KQL for search CVE in Sentinel

[fpsilva-source]

What tip can you pass to create a query to validate if a particular CVE has generated an incident in the environment?

For example, CVE XXXX, in my environment I have incident related to it.

[SQLtattoo]

Hi,
well, there is no easy integration currently for this, meaning bringing the M365D TVM information in the Sentinel workspace, at least to my knowledge. I see that it is coming, though:

(partial image from the Microsoft 365 Defender connector that is currently in preview)

You can read more here.

Now, if you want to have this info from the Sentinel there are solutions with 3rd party solutions that you can deploy on Sentinel workspace i.e. Tenable TVM you can read a related blog post here.

In case you want to do it with M365D you can go to https://security.microsoft.com and then go to "Advanced Hunting" and run the following type of query:

DeviceTvmSoftwareVulnerabilities 
| where CveId =~ "CVE-2022-33631"

and you will get something like that back:

Don't forget that this is coming soon to Sentinel, so as always patience will be rewarding :)

HTH
Vassilis

[SQLtattoo]

I see that the Tenable TVM solution is also available at the "Content Hub" inside the Sentinel's environment.
So you can take it for test drive from there directly :)

[fpsilva-source]

Thanks for the information, it will help a lot. I also need to associate the CVE with a certain incident. For example, in my entire incident history, I have someone associated with CVE-2022-33631. I need to find out if I have and if so how many incidents associated with a given CVE.

[CliveWatsonQC]

You can sometimes find other CVE info, but as above it depends what Tables you have and if there is any CVE to be found, a quick check would be:

search "CVE-2022"
| where TimeGenerated > ago(7d)
| summarize count() by Type