kqlHunting

Known exploited vulnerabilities by CISA still active on devices

CISA maintains an actively updated catalog of vulnerabilities that are known to be exploited in the wild. This query uses that list to enrich your vulnerability management process by matching the CISA CVE IDs against the CVE IDs currently active on your devices, which helps prioritize the vulnerabilities that need patching first.

Detection Query

// Pull the CISA Known Exploited Vulnerabilities catalog (CSV) at query time
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, 
notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
// Keep only device vulnerability rows whose CVE appears in the CISA catalog
DeviceTvmSoftwareVulnerabilities
| join kind=inner KnowExploitesVulnsCISA on $left.CveId == $right.cveID
// One row per device: matched row count (a CVE present in several installed products
// on the same device is counted once per product), the distinct CVE set and descriptions
| summarize
     TotalVulnerabilities = count(),
     Vulnerabilities = make_set(cveID),
     Description = make_set(shortDescription)
     by DeviceName
// sort defaults to descending, so the most-affected devices come first
| sort by TotalVulnerabilities
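As an added example that is not part of the original kqlHunting query, the same join can be extended with the catalog's dueDate column so overdue CISA remediation deadlines drive the ordering, using distinct CVE counts and listing the installed software that carries each match. It assumes the DeviceTvmSoftwareVulnerabilities schema columns DeviceId, SoftwareVendor, SoftwareName and SoftwareVersion.

```kql
// Added example (not from the original page): prioritize by CISA due date
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
| join kind=inner KnowExploitesVulnsCISA on $left.CveId == $right.cveID
// Positive when CISA's remediation due date is already in the past
| extend DaysPastDue = datetime_diff('day', now(), dueDate)
| summarize
    // distinct CVEs rather than rows, since one CVE can hit several installed products
    DistinctKEVs = dcount(CveId),
    OverdueKEVs = dcountif(CveId, DaysPastDue > 0),
    MostOverdueDays = max(DaysPastDue),
    OverdueCVEs = make_set_if(CveId, DaysPastDue > 0),
    // assumed columns: SoftwareVendor, SoftwareName, SoftwareVersion
    AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion))
    by DeviceId, DeviceName
| sort by OverdueKEVs desc, MostOverdueDays desc, DistinctKEVs desc
```

Devices with the most overdue catalog entries appear first; a device that matches the catalog but has no past-due entries still shows up with OverdueKEVs = 0.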

Platforms

microsoft-defender

Tags

vulnerability-management
Risk

The vulnerabilities are known to be exploited by threat actors, so depending on your configuration the same exploits could be used to gain access to your environment.

References

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog