Kusto Insights - June Update
Welcome to a new Monthly Update. We will go through some news and the latest queries. The goal is to provide you, the reader, with a quick summary of what is going on in the world of KQL, including news and blog posts from the community as well as from Microsoft.
Query of the Month
Windows Server & Client Missing Updates
By: Alex Verboon [GitHub, LinkedIn]
// Vulnerability findings from Defender Vulnerability Management
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'microsoft'
// Limit to Windows client and server operating systems
| where SoftwareName has_any ('windows_11','windows_10','Windows_Server')
// Keep only findings that come with a recommended security update (KB)
| where isnotempty(RecommendedSecurityUpdate)
| distinct DeviceId, RecommendedSecurityUpdate, RecommendedSecurityUpdateId, SoftwareName
// Enrich with the most recent DeviceInfo record for each onboarded device to get its DeviceName
| join kind=leftouter (
DeviceInfo
| where isnotempty(OSPlatform)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSVersionInfo)
| summarize arg_max(Timestamp, *) by DeviceId)
on $left.DeviceId == $right.DeviceId
// Collect the set of devices missing at least one update per OS and count them
| summarize MissingDevices = make_set(DeviceName) by SoftwareName
| extend TotalMissingKBDevice = array_length(MissingDevices)
| project ['Total Exposed devices'] = TotalMissingKBDevice, SoftwareName
Source: GitHub
News from the Community
We've handpicked a few blog posts for their insightful content and relevance, yet we acknowledge the wealth of quality submissions from the KQL community. While we can't feature every post, each contribution is valued and vital to our collective knowledge. Stay inspired and keep sharing your perspectives!
Mastering Azure Resource Graph: Query & Analyse Tags with KQL - Learn how to query Azure Resource Tags using Azure Resource Graph and KQL. Extract, analyse, and report on metadata efficiently.
Hunting Through APIs - In today’s blog, we’re diving into the world of hunting through APIs. In the blog, the advantages, limitations, and scopes of the Graph API, Azure Monitor API, and Defender ATP API are discussed. For all of these solutions, a ready-to-use PowerShell script is shared.
Querying Azure Resource Graph Without Limits Using KQL - One of the cool features of Microsoft Sentinel and Defender XDR is that they allow us to query Azure resources using KQL. However, this capability has limitations that make it unusable in large environments. In this post, I’ll explain how to query Azure resources using KQL by bypassing the limits.
Updates and Blog posts from Microsoft
Microsoft Intune data-driven management | Device Query & Copilot - If you're into KQL and working with Intune, this update is worth your attention. You can now run real-time KQL queries directly in the Intune portal to troubleshoot devices on the fly, with no need to switch tools. Even better, Copilot can turn plain English into working queries, so you get results fast even if you forget the exact syntax. It's like having a helpful teammate who actually understands your data and gets you what you need without the usual digging.
Performing Advanced Risk Hunting in Defender for Cloud - Defender for Cloud now lets you run advanced risk hunting queries on the same exposure graph used in the UI, so you can follow attack paths, privilege issues, and asset relationships with full control. You get to slice through nested JSON, apply your own logic, and build hunts that go way deeper than the defaults. And once you’ve got something solid, you can turn it into workbooks, detections, or automated playbooks to level up your response.
Latest Queries from the Community
Check out some of the latest queries added to KQLSearch.com:
Michalis Michalos - X & GitHub:
Identify Microsoft Sentinel Changes From Users Not Defined Within Approved User Groups
Identify Log Analytics Contributor And Data Purger Role Assignment
Sergio Albea - LinkedIn & GitHub:
Steven Lim - LinkedIn & GitHub:
Robbe Van den Daele - LinkedIn & GitHub:
Jose Sebastián Canós - X & GitHub:
Important resources
Learn KQL with the Must Learn KQL series and book
KQLQuery.com - Blog posts about KQL and different use cases
KQLSearch.com - Search Engine for KQL Queries
Log Analytics Demo Lab: aka.ms/LADemo
Socials
Bert-Jan Pals | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub
Ugur Koc | Microsoft Security MVP
Blog | Twitter | LinkedIn | GitHub