# Vulnerabilities Year To Date CISA KEV Products
## Query Information
#### Description
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by vendor and their products. This can be used to analyze how many vulnerabilities have been added for each vendor and their products.
#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
## Defender XDR
```KQL
```KQL
// Pull the CISA KEV catalog directly from the published CSV; columns are mapped by position
let KnownExploitedVulnsCISA = externaldata(CVEId: string, Vendor:
string, Product: string, VulnerabilityName: string, DateAdded: datetime,
Description: string, RequiredAction: string, DueDate: datetime,
Notes: string)
[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
with (format="csv", ignoreFirstRecord=true);
KnownExploitedVulnsCISA
// Entries added from the start of the current year up to the start of its last week
| where DateAdded between (startofyear(now()) .. startofweek(endofyear(now())))
// Distinct CVEs per vendor/product pair
| summarize Total = dcount(CVEId) by Product, Vendor
| top 10 by Total
```
## Sentinel
```KQL
// Pull the CISA KEV catalog directly from the published CSV; columns are mapped by position
let KnownExploitedVulnsCISA = externaldata(CVEId: string, Vendor:
string, Product: string, VulnerabilityName: string, DateAdded: datetime,
Description: string, RequiredAction: string, DueDate: datetime,
Notes: string)
[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
with (format="csv", ignoreFirstRecord=true);
KnownExploitedVulnsCISA
// Entries added from the start of the current year up to the start of its last week
| where DateAdded between (startofyear(now()) .. startofweek(endofyear(now())))
// Distinct CVEs per vendor/product pair
| summarize Total = dcount(CVEId) by Product, Vendor
| top 10 by Total
```
This query analyzes vulnerabilities from the CISA Known Exploited Vulnerabilities Catalog for the current year. It reads the CSV file hosted by CISA with `externaldata`; that file lists known exploited vulnerabilities with details such as the CVE ID, vendor, product, and the date each entry was added to the catalog.
Here's a simple breakdown of what the query does:
- Data Source: It pulls the CSV file provided by CISA, which lists known exploited vulnerabilities. Columns are mapped by position, so the declared schema must follow the column order of the file.
- Filter by Date: It keeps only the entries whose `DateAdded` falls between the start of the current year and the start of the last week of the current year.
- Summarize Data: It counts the distinct CVE IDs for each product and vendor combination.
- Top 10 Results: It returns the ten product and vendor combinations with the highest number of entries added this year.
This query helps identify which vendors and products have had the most actively exploited vulnerabilities catalogued in the current year, allowing for a focused analysis of security risk.
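As an added example that is not part of the original query, the same KEV feed can be joined to the Defender XDR `DeviceTvmSoftwareVulnerabilities` table to show which of this year's KEV entries are actually present on managed devices, ordered by CISA due date. The table and its columns (`CveId`, `DeviceName`, `SoftwareVendor`, `SoftwareName`, `SoftwareVersion`) are Defender XDR's; the output column names are my own choice.

```kql
// Added example: year-to-date CISA KEV entries that match vulnerabilities
// reported by Defender Vulnerability Management on managed devices.
let KnownExploitedVulnsCISA = externaldata(CVEId: string, Vendor:
string, Product: string, VulnerabilityName: string, DateAdded: datetime,
Description: string, RequiredAction: string, DueDate: datetime,
Notes: string)
[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
with (format="csv", ignoreFirstRecord=true);
KnownExploitedVulnsCISA
// Year to date: from the start of the current year up to the time the query runs
| where DateAdded between (startofyear(now()) .. now())
| project CVEId, Vendor, Product, VulnerabilityName, DateAdded, DueDate
// KEV uses CVEId, the TVM table uses CveId; both hold the CVE-YYYY-NNNN string
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities
    | project DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, CveId
  ) on $left.CVEId == $right.CveId
// One row per KEV entry: how many devices expose it and a sample of their names
| summarize ExposedDevices = dcount(DeviceName), Devices = make_set(DeviceName, 20)
    by CVEId, Vendor, Product, VulnerabilityName, DateAdded, DueDate
// Earliest CISA due dates first, then the most widely exposed CVEs
| order by DueDate asc, ExposedDevices desc
```

Rows with an already-passed `DueDate` and a high `ExposedDevices` count are the ones to remediate first.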

Bert-Jan Pals
Released: December 30, 2025