// Purpose: list the CVEs recorded by Defender vulnerability management for
// each domain controller, most affected devices first.
//
// Domain controllers are inferred rather than read from an asset inventory:
// any device with a network event on local port 88 (Kerberos) whose local IP
// type is "FourToSixMapping" is treated as one. Review the resulting device
// list before acting on it: other hosts that serve port 88 would match too,
// and a domain controller with no such event in the queried time range is
// not included.
let AllDomainControllers =
    DeviceNetworkEvents
    | where LocalPort == 88 and LocalIPType == "FourToSixMapping"
    | summarize make_set(DeviceId);
DeviceTvmSoftwareVulnerabilities
| where DeviceId has_any (AllDomainControllers)
// count() counts table rows, so TotalVulnerabilities can be higher than the
// number of distinct CVEs in the set when a CVE is listed for more than one
// software entry on a device. NOTE(review): confirm which figure is wanted.
// The column name "VulnerabeCVE" (sic) is kept unchanged because consumers of
// the output may reference it.
| summarize TotalVulnerabilities = count(), VulnerabeCVE = make_set(CveId) by DeviceName
| order by TotalVulnerabilities desc
// Optional, for use as a detection rule: join with an arbitrary event to get
// Timestamp and ReportId, which DeviceTvmSoftwareVulnerabilities does not
// provide. The joined event is only a carrier for those fields, so ignore the
// process tree and look at the raw events only.
// The join key is DeviceId, which the summarize above does not keep; add
// DeviceId to its `by` clause before enabling the lines below.
//| join kind=inner (DeviceEvents
//    | where Timestamp > ago(30d)
//    | summarize arg_max(Timestamp, *) by DeviceId
//    | project DeviceId, Timestamp, ReportId) on DeviceId