# Vulnerabilities Year To Date CISA KEV Edge Devices
## Query Information
#### Description
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities added year to date, grouped by vendor. It can be used to analyze how many vulnerabilities have been added for each vendor and their products. This specific query leverages a list of Edge Device products to filter specifically on Edge Devices, which are a common initial access vector for adversaries.
NOTE: The list of Edge Device products is from 2025; for other years, newer models should be added.
#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
## Defender XDR
```KQL
// Product-name terms that identify edge devices in the KEV "Product" column.
// NOTE: this list is from 2025; add newer models when reusing the query in later years.
let EdgeDevices = dynamic([
"Firebox",
"SMA100 Appliances",
"SMA1000 Appliances",
"SMA1000 appliance",
"SonicOS",
"FortiOS",
"FortiProxy",
"FortiWeb",
"DIR-859 Router",
"Routers",
"Multiple Routers",
"RT-AX55 Routers",
"Small Business RV Series Routers",
"Vigor Routers",
"NetScaler",
"NetScaler ADC",
"NetScaler Gateway",
"PAN-OS",
"ScreenOS",
"Junos OS",
"XG Firewall",
"Connect Secure",
"Policy Secure",
"ZTA Gateways",
"Secure Firewall Adaptive Security Appliance",
"Secure Firewall Threat Defense"
]);
// Read the CISA KEV catalog straight from the published CSV; the header row is skipped.
let KnownExploitedVulnsCISA = externaldata(CVEId: string, Vendor:
string, Product: string, VulnerabilityName: string, DateAdded: datetime,
Description: string, RequiredAction: string, DueDate: datetime,
Notes: string)
[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
with (format="csv", ignoreFirstRecord=true);
KnownExploitedVulnsCISA
// Entries added in the current year. No KEV entry carries a future DateAdded,
// so this window is effectively year to date.
| where DateAdded between (startofyear(now()) .. startofweek(endofyear(now())))
// Keep products whose name contains any of the edge-device terms (has_any is case-insensitive and term-based).
| where Product has_any (EdgeDevices)
// Distinct CVE count per vendor, highest first (sort defaults to descending).
| summarize Total = dcount(CVEId) by Vendor
| sort by Total
```
## Sentinel
```KQL
// Product-name terms that identify edge devices in the KEV "Product" column.
// NOTE: this list is from 2025; add newer models when reusing the query in later years.
let EdgeDevices = dynamic([
"Firebox",
"SMA100 Appliances",
"SMA1000 Appliances",
"SMA1000 appliance",
"SonicOS",
"FortiOS",
"FortiProxy",
"FortiWeb",
"DIR-859 Router",
"Routers",
"Multiple Routers",
"RT-AX55 Routers",
"Small Business RV Series Routers",
"Vigor Routers",
"NetScaler",
"NetScaler ADC",
"NetScaler Gateway",
"PAN-OS",
"ScreenOS",
"Junos OS",
"XG Firewall",
"Connect Secure",
"Policy Secure",
"ZTA Gateways",
"Secure Firewall Adaptive Security Appliance",
"Secure Firewall Threat Defense"
]);
// Read the CISA KEV catalog straight from the published CSV; the header row is skipped.
let KnownExploitedVulnsCISA = externaldata(CVEId: string, Vendor:
string, Product: string, VulnerabilityName: string, DateAdded: datetime,
Description: string, RequiredAction: string, DueDate: datetime,
Notes: string)
[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
with (format="csv", ignoreFirstRecord=true);
KnownExploitedVulnsCISA
// Entries added in the current year. No KEV entry carries a future DateAdded,
// so this window is effectively year to date.
| where DateAdded between (startofyear(now()) .. startofweek(endofyear(now())))
// Keep products whose name contains any of the edge-device terms (has_any is case-insensitive and term-based).
| where Product has_any (EdgeDevices)
// Distinct CVE count per vendor, highest first (sort defaults to descending).
| summarize Total = dcount(CVEId) by Vendor
| sort by Total
```
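The same logic, as an added Python example (not part of the kqlHunting query or the CISA catalog) so the term matching and year filter can be checked offline before the query runs in Defender XDR or Sentinel. It works on constructed CSV rows laid out like the query's externaldata schema, uses a subset of the EdgeDevices list, approximates KQL `has_any` with a case-insensitive whole-term match, and adds an `unmatched_products` helper that surfaces in-year products the term list misses, which is the maintenance task the NOTE above calls out.

```python
import csv
import io
import re
from datetime import date

# Edge-device terms taken from the page's EdgeDevices list (a subset, for brevity).
EDGE_DEVICES = ["Firebox", "SonicOS", "FortiOS", "PAN-OS", "NetScaler ADC",
                "Connect Secure", "Routers"]

# Constructed rows using the column names of the query's externaldata schema.
# These are NOT real KEV entries; the CVE ids are placeholders.
SAMPLE_KEV_CSV = """CVEId,Vendor,Product,VulnerabilityName,DateAdded,Description,RequiredAction,DueDate,Notes
CVE-0000-0001,Fortinet,FortiOS,Constructed,2025-01-15,n/a,Apply updates,2025-02-05,
CVE-0000-0001,Fortinet,FortiOS,Constructed duplicate row,2025-01-15,n/a,Apply updates,2025-02-05,
CVE-0000-0002,Fortinet,FortiOS and FortiProxy,Constructed,2025-03-02,n/a,Apply updates,2025-03-23,
CVE-0000-0003,Palo Alto Networks,PAN-OS,Constructed,2025-02-10,n/a,Apply updates,2025-03-03,
CVE-0000-0004,Citrix,NetScaler ADC and NetScaler Gateway,Constructed,2025-04-01,n/a,Apply updates,2025-04-22,
CVE-0000-0005,Fortinet,FortiOS,Constructed (previous year),2024-12-20,n/a,Apply updates,2025-01-10,
CVE-0000-0006,Microsoft,Windows,Constructed (not an edge device),2025-05-05,n/a,Apply updates,2025-05-26,
CVE-0000-0007,Cisco,Small Business RV Series Routers,Constructed,2025-06-06,n/a,Apply updates,2025-06-27,
"""


def has_any(text, terms):
    """Approximation of KQL has_any: case-insensitive match on whole terms/phrases."""
    return any(re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", text, re.IGNORECASE)
               for t in terms)


def in_year_window(date_added, year):
    """Mirror the query's DateAdded window, which covers the whole given year."""
    return date.fromisoformat(date_added).year == year


def edge_kev_by_vendor(csv_text, year, terms=EDGE_DEVICES):
    """Equivalent of: summarize Total = dcount(CVEId) by Vendor | sort by Total."""
    distinct = {}  # vendor -> set of CVE ids, i.e. dcount semantics
    for row in csv.DictReader(io.StringIO(csv_text)):
        if in_year_window(row["DateAdded"], year) and has_any(row["Product"], terms):
            distinct.setdefault(row["Vendor"], set()).add(row["CVEId"])
    return sorted(((v, len(ids)) for v, ids in distinct.items()),
                  key=lambda kv: (-kv[1], kv[0]))


def unmatched_products(csv_text, year, terms=EDGE_DEVICES):
    """In-year products the term list misses; review these to keep EdgeDevices current."""
    return sorted({row["Product"] for row in csv.DictReader(io.StringIO(csv_text))
                   if in_year_window(row["DateAdded"], year)
                   and not has_any(row["Product"], terms)})
```

Point `SAMPLE_KEV_CSV` at the downloaded catalog text to run the same check against real data; the whole-term regex is an approximation of Kusto's tokenizer, so verify borderline product names in KQL itself.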