
CISAKEV Year To Date Vulnerabilities Edge Devices

Query

# Vulnerabilities Year To Date CISA KEV Edge Devices

## Query Information

#### Description
This query uses the CISA Known Exploited Vulnerabilities (KEV) Catalog to list the vulnerabilities added year to date, counted per vendor. It can be used to analyze how many vulnerabilities have been added for each vendor and their products. This specific query filters on a list of Edge Device product names as they appear in the catalog, because Edge Devices are a common initial access vector for adversaries.

NOTE: The list of Edge Device products reflects the KEV catalog as of 2025. The filter only matches product names that are in the list, so for other years newer product names and models should be added.

#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog

## Defender XDR
```KQL
// Product names as CISA writes them in the KEV "product" column. has_any matches on
// whole terms, so "Routers" also matches "Multiple Routers" and "NetScaler" also
// matches "NetScaler ADC" and "NetScaler Gateway".
let EdgeDevices = dynamic([
  "Firebox",
  "SMA100 Appliances",
  "SMA1000 Appliances",
  "SMA1000 appliance",
  "SonicOS",
  "FortiOS",
  "FortiProxy",
  "FortiWeb",
  "DIR-859 Router",
  "Routers",
  "Multiple Routers",
  "RT-AX55 Routers",
  "Small Business RV Series Routers",
  "Vigor Routers",
  "NetScaler",
  "NetScaler ADC",
  "NetScaler Gateway",
  "PAN-OS",
  "ScreenOS",
  "Junos OS",
  "XG Firewall",
  "Connect Secure",
  "Policy Secure",
  "ZTA Gateways",
  "Secure Firewall Adaptive Security Appliance",
  "Secure Firewall Threat Defense"
]);
// externaldata maps CSV columns by position, so the schema must follow the file's
// current column order: cveID, vendorProject, product, vulnerabilityName, dateAdded,
// shortDescription, requiredAction, dueDate, knownRansomwareCampaignUse, notes, cwes.
let KnowExploitesVulnsCISA = externaldata(CVEId: string, Vendor: string, Product: string,
    VulnerabilityName: string, DateAdded: datetime, Description: string,
    RequiredAction: string, DueDate: datetime, KnownRansomwareCampaignUse: string,
    Notes: string, CWEs: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
    with (format="csv", ignoreFirstRecord=true);
KnowExploitesVulnsCISA
// Year to date. Using startofweek(endofyear(now())) as the upper bound would silently
// drop entries added in the final partial week of December.
| where DateAdded between (startofyear(now()) .. now())
| where Product has_any (EdgeDevices)
| summarize Total = dcount(CVEId) by Vendor
| sort by Total desc
```

## Sentinel
```KQL
// Product names as CISA writes them in the KEV "product" column. has_any matches on
// whole terms, so "Routers" also matches "Multiple Routers" and "NetScaler" also
// matches "NetScaler ADC" and "NetScaler Gateway".
let EdgeDevices = dynamic([
  "Firebox",
  "SMA100 Appliances",
  "SMA1000 Appliances",
  "SMA1000 appliance",
  "SonicOS",
  "FortiOS",
  "FortiProxy",
  "FortiWeb",
  "DIR-859 Router",
  "Routers",
  "Multiple Routers",
  "RT-AX55 Routers",
  "Small Business RV Series Routers",
  "Vigor Routers",
  "NetScaler",
  "NetScaler ADC",
  "NetScaler Gateway",
  "PAN-OS",
  "ScreenOS",
  "Junos OS",
  "XG Firewall",
  "Connect Secure",
  "Policy Secure",
  "ZTA Gateways",
  "Secure Firewall Adaptive Security Appliance",
  "Secure Firewall Threat Defense"
]);
// externaldata maps CSV columns by position, so the schema must follow the file's
// current column order: cveID, vendorProject, product, vulnerabilityName, dateAdded,
// shortDescription, requiredAction, dueDate, knownRansomwareCampaignUse, notes, cwes.
let KnowExploitesVulnsCISA = externaldata(CVEId: string, Vendor: string, Product: string,
    VulnerabilityName: string, DateAdded: datetime, Description: string,
    RequiredAction: string, DueDate: datetime, KnownRansomwareCampaignUse: string,
    Notes: string, CWEs: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
    with (format="csv", ignoreFirstRecord=true);
KnowExploitesVulnsCISA
// Year to date. Using startofweek(endofyear(now())) as the upper bound would silently
// drop entries added in the final partial week of December.
| where DateAdded between (startofyear(now()) .. now())
| where Product has_any (EdgeDevices)
| summarize Total = dcount(CVEId) by Vendor
| sort by Total desc
```

Explanation

This query is designed to analyze vulnerabilities in edge devices that CISA has catalogued as exploited in the wild in its Known Exploited Vulnerabilities Catalog. Here's a simple breakdown of what the query does:

  1. Edge Devices List: It defines a list of edge device product names, written the way they appear in the KEV catalog, covering routers, firewalls, VPN and remote access gateways and similar network security appliances. These are common targets for initial access by attackers.

  2. Data Source: The query pulls the CSV export of the CISA Known Exploited Vulnerabilities Catalog with externaldata. The catalog is a publicly available list of vulnerabilities that have been actively exploited.

  3. Time Frame: It keeps entries whose DateAdded falls within the current calendar year, giving a year-to-date view. DateAdded is the date CISA added the entry to the catalog, not the date the CVE was published.

  4. Filtering: The query keeps only those entries whose product name contains one of the listed edge device names (has_any matches whole terms, so "Routers" also matches "Vigor Routers" and "Multiple Routers").

  5. Summarization: It counts the number of distinct CVE IDs for each vendor of these edge devices.

  6. Sorting: Finally, it sorts the results by Total in descending order, so the vendors with the most KEV additions for their edge devices this year come first.

This query helps security analysts see which vendors' edge devices accumulated the most KEV entries this year, enabling them to prioritize patching and exposure reviews accordingly. Because the filter is name-based, a product whose KEV name is not in the EdgeDevices list is not counted, so the list needs to be checked against the catalog periodically.
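The following query is added here as an example; it is not part of the original page or the author's query set. It extends the breakdown to Vendor and Product and flags, per product, whether the product name matched the EdgeDevices list, which is the check the NOTE above calls for when maintaining the list. It reuses the EdgeDevices list and the KEV externaldata definition from the query above, with now() as the upper bound. The EdgeVendors list is an assumption: it holds vendor names as this editor expects CISA to spell them in the vendorProject column, so verify against the CSV if a vendor returns no rows.

```kql
// Added example (not the original query): per-product breakdown of this year's KEV
// entries, plus a check for edge-vendor products that the EdgeDevices list does not match.
let EdgeDevices = dynamic([
  "Firebox", "SMA100 Appliances", "SMA1000 Appliances", "SMA1000 appliance",
  "SonicOS", "FortiOS", "FortiProxy", "FortiWeb",
  "DIR-859 Router", "Routers", "Multiple Routers", "RT-AX55 Routers",
  "Small Business RV Series Routers", "Vigor Routers",
  "NetScaler", "NetScaler ADC", "NetScaler Gateway",
  "PAN-OS", "ScreenOS", "Junos OS", "XG Firewall",
  "Connect Secure", "Policy Secure", "ZTA Gateways",
  "Secure Firewall Adaptive Security Appliance", "Secure Firewall Threat Defense"
]);
// Assumption: vendor names as CISA writes them in the vendorProject column.
let EdgeVendors = dynamic([
  "Fortinet", "Palo Alto Networks", "Cisco", "Citrix", "Ivanti", "SonicWall",
  "Juniper Networks", "Sophos", "WatchGuard", "D-Link", "ASUS", "DrayTek"
]);
// Same positional schema as the main query (11 columns in the current CSV).
let KnowExploitesVulnsCISA = externaldata(CVEId: string, Vendor: string, Product: string,
    VulnerabilityName: string, DateAdded: datetime, Description: string,
    RequiredAction: string, DueDate: datetime, KnownRansomwareCampaignUse: string,
    Notes: string, CWEs: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
    with (format="csv", ignoreFirstRecord=true);
KnowExploitesVulnsCISA
| where DateAdded between (startofyear(now()) .. now())
// InEdgeList is true when the product name matched the list; keep everything that
// matched, plus everything from an edge vendor, so products the list misses still appear.
| extend InEdgeList = Product has_any (EdgeDevices)
| where InEdgeList or Vendor in~ (EdgeVendors)
| summarize Total = dcount(CVEId),
            CVEs = make_set(CVEId),
            LastAdded = max(DateAdded)
    by Vendor, Product, InEdgeList
// Unmatched products first: these are the candidates for updating the EdgeDevices list.
| sort by InEdgeList asc, Total desc, Vendor asc
```

Rows with InEdgeList set to false need a judgement call: a newly named appliance or gateway from one of these vendors belongs in the EdgeDevices list, while endpoint or management software from the same vendor does not, and leaving it out keeps the main query's counts limited to devices that actually sit on the network edge.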

Details


Bert-Jan Pals

Released: December 30, 2025

Tables

KnowExploitesVulnsCISA

Keywords

Vulnerabilities, CISA KEV, Edge Devices, Vendor, Products

Operators

let, dynamic, externaldata, with, format, ignoreFirstRecord, between, startofyear, now, startofweek, endofyear, has_any, summarize, dcount, by, sort
