When investigating an endpoint during threat hunting or incident response, a snapshot of the vulnerabilities known to affect that endpoint can help inform next steps. For example, if observed behavior indicates that one of those vulnerabilities is being actively exploited, the endpoint can be quarantined immediately.
Endpoints Vulnerable to each CVE
eventtype="vmware_cbc_vulnerability_os_list"
| rename affected_assets{} as device_name
| mvexpand device_name
| where device_name = "your-device-name-here"
| stats max(vuln_info.risk_meter_score) as risk_meter_score,
        values(category) as category,
        max(vuln_info.easily_exploitable) as easily_exploitable,
        max(eval(strftime(_time, "%Y-%m-%d"))) as last_seen,
        values(vuln_info.cve_description) as description,
        values(eval(mvappend(vuln_info.solution, vuln_info.fixed_by))) as solution,
        values(vuln_info.nvd_link) as link
  by cve
| sort -risk_meter_score
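The same per-CVE summary for one device, re-implemented offline in Python as an added example (not code from the page or from the Carbon Black Cloud app). The event records are constructed to mirror the field names the search uses (affected_assets, cve, category, vuln_info.*); the nested layout and the placeholder CVE ids and links are assumptions, not real data.

```python
from collections import defaultdict

# Constructed sample findings. Each finding lists the devices it affects,
# which the SPL search flattens with rename + mvexpand before filtering.
# CVE ids and links are placeholders, not real identifiers.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01", "cve": "CVE-0000-0001", "category": "OS",
     "affected_assets": ["host-a", "host-b"],
     "vuln_info": {"risk_meter_score": 8.5, "easily_exploitable": 1,
                   "cve_description": "placeholder description 1",
                   "solution": "apply vendor patch", "fixed_by": "KB-PLACEHOLDER",
                   "nvd_link": "https://nvd.example/CVE-0000-0001"}},
    {"_time": "2024-03-05", "cve": "CVE-0000-0001", "category": "OS",
     "affected_assets": ["host-a"],
     "vuln_info": {"risk_meter_score": 9.1, "easily_exploitable": 0,
                   "cve_description": "placeholder description 1",
                   "solution": "apply vendor patch", "fixed_by": "",
                   "nvd_link": "https://nvd.example/CVE-0000-0001"}},
    {"_time": "2024-03-02", "cve": "CVE-0000-0002", "category": "APP",
     "affected_assets": ["host-b"],
     "vuln_info": {"risk_meter_score": 4.0, "easily_exploitable": 0,
                   "cve_description": "placeholder description 2",
                   "solution": "upgrade package", "fixed_by": "1.2.3",
                   "nvd_link": "https://nvd.example/CVE-0000-0002"}},
]


def summarize_device(events, device_name):
    """Return one row per CVE affecting device_name, highest risk score first."""
    rows = {}
    for ev in events:
        # Equivalent of mvexpand device_name | where device_name = "..."
        if device_name not in ev.get("affected_assets", []):
            continue
        vi = ev["vuln_info"]
        row = rows.setdefault(ev["cve"], {
            "cve": ev["cve"], "risk_meter_score": 0.0, "category": set(),
            "easily_exploitable": 0, "last_seen": "", "description": set(),
            "solution": set(), "link": set()})
        # stats max(...) / values(...) semantics, field by field
        row["risk_meter_score"] = max(row["risk_meter_score"], vi["risk_meter_score"])
        row["category"].add(ev["category"])
        row["easily_exploitable"] = max(row["easily_exploitable"], vi["easily_exploitable"])
        row["last_seen"] = max(row["last_seen"], ev["_time"])  # %Y-%m-%d sorts lexically
        row["description"].add(vi["cve_description"])
        # values(mvappend(solution, fixed_by)): keep both, drop empty values
        row["solution"].update(v for v in (vi["solution"], vi["fixed_by"]) if v)
        row["link"].add(vi["nvd_link"])
    return sorted(rows.values(), key=lambda r: -r["risk_meter_score"])
```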