No access to DeviceTvmSoftwareVulnerabilities table in Sentinel?

David Broggy 6,101 Reputation points MVP
2025-02-07T20:06:08.39+00:00

There is an XDR analytic rule in Sentinel named "Execution of software vulnerable to webp buffer overflow of CVE-2023-4863".

However, the KQL query used by this rule requires access to the DeviceTvmSoftwareVulnerabilities table.

But according to what I'm reading, that table is not accessible from Sentinel and the XDR data connector doesn't provide an option to make it available.

So am I correct in assuming this rule will never work in Sentinel?

(I'm not trying to criticize Sentinel, I was just looking for a way to correlate using the XDR vulnerability data).

Thanks.

Microsoft Sentinel

Accepted answer
  1. Akhilesh Vallamkonda 12,100 Reputation points Microsoft Vendor
    2025-02-07T21:45:20.6933333+00:00

    Hi @David Broggy
    Thank you for reaching out to the Microsoft Q&A Forum!

    Your understanding is correct. The DeviceTvmSoftwareVulnerabilities table applies to Microsoft Defender XDR, which is not currently accessible from Sentinel.
    The list of available Log Analytics tables for Sentinel is here.
    We would appreciate it if you could share the feedback on our feedback forum, which is closely monitored by our product team.

    1 person found this answer helpful.

1 additional answer

  1. Jonathan James 0 Reputation points
    2025-02-12T12:23:17.3333333+00:00