Devices with the most known exploited vulnerabilities
Detection Query
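// Devices with the most known exploited vulnerabilities (CISA KEV catalog).
// Fetches the public CISA Known Exploited Vulnerabilities CSV at query time
// (the query engine needs outbound access to cisa.gov) and joins it against
// Defender Vulnerability Management findings, so only CVEs with confirmed
// in-the-wild exploitation are counted per device.
// NOTE(review): externaldata maps CSV columns by position, and CISA has
// appended columns to the catalog since this schema was written (e.g.
// knownRansomwareCampaignUse). Only cveID and shortDescription are used
// below and both precede any later-added column, so the join key is safe;
// re-check the file header before relying on the trailing fields.
let KnownExploitedVulnsCISA = externaldata(
    cveID: string, vendorProject: string, product: string, vulnerabilityName: string,
    dateAdded: datetime, shortDescription: string, requiredAction: string,
    dueDate: datetime, notes: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
    with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// kind=inner is required. The default join kind (innerunique) keeps only ONE
// left-side row per CveId across the whole table, so a KEV CVE present on
// many devices would be attributed to a single device and silently dropped
// from all the others, understating exposure.
| join kind=inner KnownExploitedVulnsCISA on $left.CveId == $right.cveID
// Group by DeviceId as well as DeviceName so two devices that share a name
// are not merged into one row.
| summarize
    Vulnerabilities = make_set(CveId),
    Description = make_set(shortDescription)
    by DeviceId, DeviceName
// Count distinct CVEs from the set rather than count() rows: the same CVE
// can appear once per affected software product on a device, which would
// otherwise inflate the total.
| extend TotalVulnerabilities = array_length(Vulnerabilities)
| project DeviceId, DeviceName, TotalVulnerabilities, Vulnerabilities, Description
// "Most" first; desc is the KQL default for sort but is stated explicitly.
| sort by TotalVulnerabilities desc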
defender
Raw Content
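// Devices with the most known exploited vulnerabilities (CISA KEV catalog).
// Fetches the public CISA Known Exploited Vulnerabilities CSV at query time
// (the query engine needs outbound access to cisa.gov) and joins it against
// Defender Vulnerability Management findings, so only CVEs with confirmed
// in-the-wild exploitation are counted per device.
// NOTE(review): externaldata maps CSV columns by position, and CISA has
// appended columns to the catalog since this schema was written (e.g.
// knownRansomwareCampaignUse). Only cveID and shortDescription are used
// below and both precede any later-added column, so the join key is safe;
// re-check the file header before relying on the trailing fields.
let KnownExploitedVulnsCISA = externaldata(
    cveID: string, vendorProject: string, product: string, vulnerabilityName: string,
    dateAdded: datetime, shortDescription: string, requiredAction: string,
    dueDate: datetime, notes: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
    with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// kind=inner is required. The default join kind (innerunique) keeps only ONE
// left-side row per CveId across the whole table, so a KEV CVE present on
// many devices would be attributed to a single device and silently dropped
// from all the others, understating exposure.
| join kind=inner KnownExploitedVulnsCISA on $left.CveId == $right.cveID
// Group by DeviceId as well as DeviceName so two devices that share a name
// are not merged into one row.
| summarize
    Vulnerabilities = make_set(CveId),
    Description = make_set(shortDescription)
    by DeviceId, DeviceName
// Count distinct CVEs from the set rather than count() rows: the same CVE
// can appear once per affected software product on a device, which would
// otherwise inflate the total.
| extend TotalVulnerabilities = array_length(Vulnerabilities)
| project DeviceId, DeviceName, TotalVulnerabilities, Vulnerabilities, Description
// "Most" first; desc is the KQL default for sort but is stated explicitly.
| sort by TotalVulnerabilities desc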