kqlHunting

Vulnerabilities Year To Date CISA KEV Products

This query reads the CISA Known Exploited Vulnerabilities (KEV) Catalog directly from CISA's published CSV (via `externaldata`) and counts how many distinct CVEs were added year to date for each vendor and product, returning the ten vendor/product pairs with the most additions. It is useful for seeing which vendors and products have accumulated the most actively exploited vulnerabilities this year. Vendor and Product are the free-text values from the catalog, so the grouping reflects CISA's naming rather than a normalized product inventory, and the query engine needs outbound access to www.cisa.gov for `externaldata` to fetch the file.

Detection Query

let KnownExploitedVulnsCISA = externaldata(CVEId: string, Vendor: string, 
    Product: string, VulnerabilityName: string, DateAdded: datetime, 
    Description: string, RequiredAction: string, DueDate: datetime, 
    KnownRansomwareCampaignUse: string, Notes: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] 
    with (format="csv", ignoreFirstRecord=True);
// CSV columns are mapped to the schema by position. The query only relies on
// the leading columns (CVEId, Vendor, Product, DateAdded), so columns CISA
// appends to the catalog after those listed here do not affect the result.
KnownExploitedVulnsCISA
// Year to date: 1 January of the current year through now (between is inclusive).
| where DateAdded between (startofyear(now()) .. now())
| summarize Total = dcount(CVEId) by Vendor, Product
| top 10 by Total
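The same aggregation implemented offline in Python, as an added example that is not part of the kqlHunting repository. It parses the KEV CSV layout (the header names match CISA's published file), filters on the date an entry was added, distinct-counts CVEs per vendor/product like `dcount()`, and keeps the top N like `top`. The CSV embedded below is constructed sample data, not real KEV entries; pass the text of the downloaded `known_exploited_vulnerabilities.csv` to `parse_kev` to run it against the live catalog. It also includes a helper that reproduces Kusto's `startofweek()` (weeks begin on Sunday) to show why `startofweek(endofyear(now()))` is not a year-to-date upper bound: entries added after the last Sunday of December fall outside that window.

```python
"""Offline equivalent of the KEV year-to-date aggregation (added example)."""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample rows laid out with the real catalog's header names.
# These are not real KEV entries. The duplicated CVE-2024-0004 row exists only
# to show that counting is by distinct CVE ID, as dcount() does.
SAMPLE_KEV_CSV = """\
cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,knownRansomwareCampaignUse,notes
CVE-2024-0001,ExampleVendor,Gateway,Gateway RCE,2024-01-15,desc,Apply updates,2024-02-05,Known,
CVE-2024-0002,ExampleVendor,Gateway,Gateway auth bypass,2024-03-02,desc,Apply updates,2024-03-23,Unknown,
CVE-2024-0003,ExampleVendor,Mailer,Mailer SSRF,2024-04-10,desc,Apply updates,2024-05-01,Unknown,
CVE-2023-9999,ExampleVendor,Gateway,Older Gateway bug,2023-11-20,desc,Apply updates,2023-12-11,Unknown,
CVE-2024-0004,OtherCorp,Firewall,Firewall RCE,2024-06-30,desc,Apply updates,2024-07-21,Known,
CVE-2024-0004,OtherCorp,Firewall,Firewall RCE,2024-06-30,desc,Apply updates,2024-07-21,Known,
CVE-2024-0005,OtherCorp,Firewall,Firewall path traversal,2024-12-30,desc,Apply updates,2025-01-20,Unknown,
"""


def _to_date(value):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def parse_kev(csv_text):
    """Parse KEV CSV text into dicts; dateAdded becomes a datetime.date."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row.get("dateAdded"):
            continue  # skip blank or truncated lines instead of crashing
        row["dateAdded"] = date.fromisoformat(row["dateAdded"].strip())
        rows.append(row)
    return rows


def kusto_start_of_week(d):
    """Kusto's startofweek(): the week containing d starts on Sunday."""
    d = _to_date(d)
    return d - timedelta(days=(d.weekday() + 1) % 7)


def kev_added_by_product(rows, window_start, window_end, limit=10):
    """Distinct CVEs added per (vendor, product) with
    window_start <= dateAdded <= window_end, inclusive like KQL's between.
    Sorted by count descending, then vendor and product for stable output."""
    window_start, window_end = _to_date(window_start), _to_date(window_end)
    cves = defaultdict(set)
    for row in rows:
        if window_start <= row["dateAdded"] <= window_end:
            cves[(row["vendorProject"], row["product"])].add(row["cveID"])
    ranked = sorted(
        ((vendor, product, len(ids)) for (vendor, product), ids in cves.items()),
        key=lambda t: (-t[2], t[0], t[1]),
    )
    return ranked[:limit]


def kev_year_to_date(rows, as_of, limit=10):
    """Year to date: 1 January of as_of's year through as_of, inclusive."""
    as_of = _to_date(as_of)
    return kev_added_by_product(rows, date(as_of.year, 1, 1), as_of, limit)


def kev_year_to_last_sunday(rows, as_of, limit=10):
    """Window ending at startofweek(endofyear(as_of)), the Sunday on or before
    31 December. Entries added after that Sunday are dropped even though they
    were added within the year, which is the edge case to avoid."""
    as_of = _to_date(as_of)
    end = kusto_start_of_week(date(as_of.year, 12, 31))
    return kev_added_by_product(rows, date(as_of.year, 1, 1), end, limit)


if __name__ == "__main__":
    kev = parse_kev(SAMPLE_KEV_CSV)
    for vendor, product, total in kev_year_to_date(kev, "2024-12-31"):
        print(f"{total:3d}  {vendor} / {product}")
```

With the sample data and an as-of date of 2024-12-31, `kev_year_to_date` counts two Firewall CVEs for OtherCorp, while `kev_year_to_last_sunday` counts only one because CVE-2024-0005 (added 30 December) lies after Sunday 29 December.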

Platforms

azure-sentinel, microsoft-defender

Tags

vulnerability-management
References

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog