# Vulnerabilities Year To Date CISA KEV
## Query Information
#### Description
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor. This can be used to analyze how many vulnerabilities have been added for each vendor and their products.
#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
## Defender XDR
```KQL
// externaldata maps the CSV columns to this schema by position, not by header name.
let KnowExploitesVulnsCISA = externaldata(CVEId: string, Vendor: string, Product: string,
    VulnerabilityName: string, DateAdded: datetime, Description: string,
    RequiredAction: string, DueDate: datetime, Notes: string)
[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
// Keep entries added from the start of the current year up to the start of the year's last week.
| where DateAdded between (startofyear(now()) .. startofweek(endofyear(now())))
// Count distinct CVE IDs per vendor.
| summarize Total = dcount(CVEId) by Vendor
```
## Sentinel
```KQL
// externaldata maps the CSV columns to this schema by position, not by header name.
let KnowExploitesVulnsCISA = externaldata(CVEId: string, Vendor: string, Product: string,
    VulnerabilityName: string, DateAdded: datetime, Description: string,
    RequiredAction: string, DueDate: datetime, Notes: string)
[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
// Keep entries added from the start of the current year up to the start of the year's last week.
| where DateAdded between (startofyear(now()) .. startofweek(endofyear(now())))
// Count distinct CVE IDs per vendor.
| summarize Total = dcount(CVEId) by Vendor
```
This query is designed to analyze vulnerabilities from the CISA Known Exploited Vulnerabilities Catalog for the current year. It retrieves data from an external CSV file provided by CISA, which includes details about various vulnerabilities such as their ID, vendor, product, and the date they were added to the catalog.
The query keeps only the vulnerabilities that were added between the beginning of the current year and the start of the last week of the year, so catalog entries dated after that upper bound are not counted. It then counts the number of distinct vulnerabilities (by CVE ID) for each vendor, which shows how many vulnerabilities have been added to the catalog for each vendor's products so far this year. This helps in understanding which vendors have had more vulnerabilities reported and may require more attention or action.
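
The same filter and count, broken down by product as well as vendor, run against a small inline table so the effect of the date window and of `dcount` can be checked without fetching the catalog. This is an added example, not part of the original query: the `SampleKEV` table, its vendor and product names, the CVE IDs and the fixed `ReferenceTime` (standing in for `now()`) are all constructed for illustration.

```KQL
// Added example: every row below is constructed, none is a real catalog entry.
// ReferenceTime is an assumption that replaces now() so the window is reproducible.
let ReferenceTime = datetime(2025-06-15);
// Rows of interest:
//   CVE-0000-0002 appears twice (duplicate row), dcount counts it once.
//   CVE-0000-0005 was added in the previous year, below the lower bound.
//   CVE-0000-0006 was added on 2025-12-30, above startofweek(endofyear(ReferenceTime)).
let SampleKEV = datatable(CVEId: string, Vendor: string, Product: string, DateAdded: datetime)
[
    "CVE-0000-0001", "ExampleVendorA", "Gateway",     datetime(2025-01-14),
    "CVE-0000-0002", "ExampleVendorA", "Gateway",     datetime(2025-03-02),
    "CVE-0000-0002", "ExampleVendorA", "Gateway",     datetime(2025-03-02),
    "CVE-0000-0003", "ExampleVendorA", "Mail Server", datetime(2025-05-20),
    "CVE-0000-0004", "ExampleVendorB", "Browser",     datetime(2025-02-11),
    "CVE-0000-0005", "ExampleVendorB", "Browser",     datetime(2024-12-19),
    "CVE-0000-0006", "ExampleVendorB", "Browser",     datetime(2025-12-30)
];
SampleKEV
// Same window as the query above, evaluated against ReferenceTime instead of now().
| where DateAdded between (startofyear(ReferenceTime) .. startofweek(endofyear(ReferenceTime)))
// Distinct CVE IDs per vendor and product, plus the first and last date added in the window.
| summarize Total = dcount(CVEId), FirstAdded = min(DateAdded), LastAdded = max(DateAdded)
    by Vendor, Product
| sort by Vendor asc, Total desc
```

To run it against the live catalog, replace `SampleKEV` with the `externaldata` definition from the query above and `ReferenceTime` with `now()`.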

Bert-Jan Pals
Released: December 30, 2025