adityakumar70
Copper Contributor
Sep 26, 2024

KQL Queries

Hi team,

Please help me write a KQL query which shows the devices that are missing Windows security patches. The condition I want to apply here is that the device's sensor health="Active" and Onboarding status="Onboarded".
Right now I am using:

    DeviceTvmSoftwareVulnerabilities
    | where RecommendedSecurityUpdate endswith "August 2024 security updates"
    | where DeviceName contains "xyz"
    | summarize by DeviceId, DeviceName, RecommendedSecurityUpdate, OSPlatform

Please help me out!
Thanks in advance! 🙂

  • I cheated by asking Copilot for Security for the KQL query, but try the following:

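    // Take the latest DeviceInfo record per device so the filter reflects current state
    DeviceInfo
    | summarize arg_max(Timestamp, *) by DeviceId
    | where SensorHealthState == 'Active' and OnboardingStatus == 'Onboarded'
    // Keep only devices that have rows in the vulnerability table
    | join kind=inner (DeviceTvmSoftwareVulnerabilities) on DeviceId
    | summarize by DeviceId, DeviceName, OSPlatform, RecommendedSecurityUpdate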
    • JEANE80
      Copper Contributor
      Can you also help with a query to pull the top links for the last 30 days?
      • Clive_Watson
        Bronze Contributor
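        You didn't mention the Table or Column, but the syntax would be along these lines:

        EmailUrlInfo
        // Restrict to the last 30 days
        | where Timestamp > ago(30d)
        // Count occurrences of each URL and keep the ten most frequent
        | summarize count() by Url
        | top 10 by count_
        | order by count_ desc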
