EXPLORE
Sign In
← Back to Explore
crowdstrike_cql

Exploitable Critical Vulnerabilities

Shows Critical CVEs that are considered exploitable (based on ExploitStatusEnum > 30). Results are aggregated by CVE and exploitability state, including the number of affected hosts.

MITRE ATT&CK

TA0001

Detection Query

#event_simpleName=FEMVulnerabilityMutation
| FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity = Critical
| FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatusEnum > 30
| groupBy([FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Id, FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity,FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatus],function=count(FEMVulnerabilityMutation.VulnerabilityInstance.HostInfo.Hostname))
| sort(_count)
| rename(field=[[FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Id, CVE_ID], [FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatus, Ausnutzbarkeit], [FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity, Severity],[_count,"Host(s)"]])

Author

ByteRay GmbH

Data Sources

Endpoint

Platforms

windowslinux

Tags

Monitoring
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Exploitable Critical Vulnerabilities

# MITRE ATT&CK technique IDs
mitre_ids:
  - TA0001

# Description of what the query does and its purpose.
# Using the YAML block scalar `|` allows for multi-line strings.
description: |
  Shows Critical CVEs that are considered exploitable (based on ExploitStatusEnum > 30). Results are aggregated by CVE and exploitability state, including the number of affected hosts.

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Monitoring

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #event_simpleName=FEMVulnerabilityMutation
  | FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity = Critical
  | FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatusEnum > 30
  | groupBy([FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Id, FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity,FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatus],function=count(FEMVulnerabilityMutation.VulnerabilityInstance.HostInfo.Hostname))
  | sort(_count)
  | rename(field=[[FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Id, CVE_ID], [FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatus, Ausnutzbarkeit], [FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity, Severity],[_count,"Host(s)"]])