Hamish Burke | 2025-06-29


Reporting Desktop Vulnerabilities

Data source: DeviceTvmSoftwareVulnerabilities

Key columns

To find all high-severity vulnerabilities by device

// Count high-severity CVEs per device, most affected device first.
// The severity column in the documented table schema is VulnerabilitySeverityLevel.
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == 'High'
| summarize HighSeverityCount = count() by DeviceName
| order by HighSeverityCount desc

Trend analysis of high-severity vulnerabilities over the last month

// Daily trend of high-severity vulns over the last month.
// Note: FirstObserved is assumed here; the documented DeviceTvmSoftwareVulnerabilities
// schema is a current-state snapshot without a timestamp column, so a trend needs the
// daily counts to be stored (e.g. by the Logic App below) and bucketed by that store's timestamp.
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "High" and FirstObserved > ago(30d)
| summarize CountPerDay = count() by bin(FirstObserved, 1d)
| order by FirstObserved asc

Automate the report

flowchart TD
  A[Recurrence Trigger] --> B[Azure Monitor Logs: Run KQL]
  B --> C[Parse JSON]
  C --> D{Any Results?}
  D -- Yes --> E[Teams – Post Adaptive Card]
  D -- Yes --> F[Office 365 – Send Email]
  D -- No  --> G[Terminate (Succeeded)]

Add an Adaptive Card to Microsoft Teams

{
  "type": "AdaptiveCard",
  "version": "1.2",
  "body": [
    { "type": "TextBlock", "size": "Large", "weight": "Bolder", "text": "🚨 High-Severity Vulnerabilities" },
    {
      "type": "FactSet",
      "facts": [
        // one fact per device for the top 5 devices (emitted by the Logic App For each loop;
        // this comment is not valid JSON and must not be left in the posted card):
        {
          "title": "@{items('Parse_JSON')?['DeviceName']}",
          "value": "@{items('Parse_JSON')?['HighSeverityCount']} vulns"
        }
      ]
    }
  ]
}

Send email

Body:

<h2>High-Severity Vulnerabilities by Device</h2>
<table>
  <tr><th>Device</th><th>Count</th></tr>
  @{
    foreach(item in body('Parse_JSON').tables[0].rows) {
      <tr>
        <td>@{item[0]}</td>
        <td>@{item[1]}</td>
      </tr>
    }
  }
</table>
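An added, offline worked example (not part of the original notes) that mirrors the per-device KQL summarise and renders both the Teams Adaptive Card and the e-mail table from sample query rows. The rows, device names and CVE ids are constructed; the severity column is named VulnerabilitySeverityLevel as in the documented table schema. Device names are escaped because they originate on the endpoints and are rendered into HTML mail.

```python
import html
import json
from collections import Counter

# Constructed sample rows in the shape of DeviceTvmSoftwareVulnerabilities
# (only the columns the page's queries use; CVE ids are placeholders).
SAMPLE_ROWS = [
    {"DeviceName": "lt-finance-01", "CveId": "CVE-0000-0001", "VulnerabilitySeverityLevel": "High"},
    {"DeviceName": "srv-web-02",    "CveId": "CVE-0000-0002", "VulnerabilitySeverityLevel": "Low"},
    {"DeviceName": "lab-&-dev-03",  "CveId": "CVE-0000-0003", "VulnerabilitySeverityLevel": "High"},
    {"DeviceName": "lt-finance-01", "CveId": "CVE-0000-0004", "VulnerabilitySeverityLevel": "High"},
    {"DeviceName": "lab-&-dev-03",  "CveId": "CVE-0000-0005", "VulnerabilitySeverityLevel": "Medium"},
    {"DeviceName": "srv-web-02",    "CveId": "CVE-0000-0006", "VulnerabilitySeverityLevel": "High"},
]


def high_severity_by_device(rows, top=5):
    """Same result as: where == 'High' | summarize count() by DeviceName | order desc.
    Ties are broken by device name so the output is deterministic."""
    counts = Counter(r["DeviceName"] for r in rows
                     if r["VulnerabilitySeverityLevel"] == "High")
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top]  # list of (DeviceName, HighSeverityCount)


def adaptive_card(results):
    """Fully expanded card (no comments, one fact per device), valid JSON for Teams."""
    card = {
        "type": "AdaptiveCard",
        "version": "1.2",
        "body": [
            {"type": "TextBlock", "size": "Large", "weight": "Bolder",
             "text": "High-Severity Vulnerabilities"},
            {"type": "FactSet",
             "facts": [{"title": name, "value": f"{n} vulns"} for name, n in results]},
        ],
    }
    return json.dumps(card)


def email_table(results):
    """HTML body for the mail step; device names are HTML-escaped before interpolation."""
    rows = "".join(f"<tr><td>{html.escape(name)}</td><td>{n}</td></tr>"
                   for name, n in results)
    return ("<h2>High-Severity Vulnerabilities by Device</h2>"
            "<table><tr><th>Device</th><th>Count</th></tr>" + rows + "</table>")


if __name__ == "__main__":
    ranked = high_severity_by_device(SAMPLE_ROWS)
    print(adaptive_card(ranked))
    print(email_table(ranked))
```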

Visualise in Power BI

Automate Remediation

  1. Create an HTTP request action (POST)
  2. URL something like https://graph.microsoft.com/beta/deviceManagement/managedDevices/{deviceId}/remoteLock
  3. Bearer token in the Authorization header
  4. JSON payload in the body with the tag or action