CISAKEV Year To Date Vulnerabilities Release Year

# Vulnerabilities Year To Date CISA KEV Release Year

## Query Information

#### Description
This query uses the CISA Known Exploited Vulnerabilities Catalog to list the vulnerabilities year to date by year when the vulnerability was released.

#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog

## Defender XDR
```KQL
// Pull the CISA KEV catalog CSV straight from cisa.gov; the column names are local aliases
let KnowExploitesVulnsCISA = externaldata(CVEId: string, Vendor: 
    string, Product: string, VulnerabilityName: string, DateAdded: datetime, 
    Description: string, RequiredAction: string, DueDate: datetime, 
    Notes: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] 
    with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
// Keep entries added from 1 January up to the start of the final week of the current year
| where DateAdded between (startofyear(now()) .. startofweek(endofyear(now())))
// CVE IDs follow CVE-<year>-<number>; the second segment is the release year
| extend Year = toint((split(CVEId, "-")[1]))
```

## Sentinel
```KQL
// Pull the CISA KEV catalog CSV straight from cisa.gov; the column names are local aliases
let KnowExploitesVulnsCISA = externaldata(CVEId: string, Vendor: 
    string, Product: string, VulnerabilityName: string, DateAdded: datetime, 
    Description: string, RequiredAction: string, DueDate: datetime, 
    Notes: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] 
    with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
// Keep entries added from 1 January up to the start of the final week of the current year
| where DateAdded between (startofyear(now()) .. startofweek(endofyear(now())))
// CVE IDs follow CVE-<year>-<number>; the second segment is the release year
| extend Year = toint((split(CVEId, "-")[1]))
```

Explanation

This query is designed to extract and list vulnerabilities from the CISA Known Exploited Vulnerabilities Catalog that have been added in the current year. It does this by:

  1. Accessing an external CSV file from the CISA website, which contains information about known exploited vulnerabilities.
  2. Filtering the data to include only those vulnerabilities that were added to the catalog from the beginning of the current year up to the start of the last week of the year.
  3. Extracting the year when each vulnerability was originally released by parsing the CVE ID, which typically follows the format "CVE-Year-Number".
  4. Returning the list of vulnerabilities added this year, each annotated with the year it was initially released.

This query is useful for security analysts who want to track and analyze vulnerabilities that have been recognized as exploited within the current year.
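The same logic the query applies (window on the date added, then read the release year out of the CVE ID), written in Python as an added example so it can be run offline; it is not part of the original page or of the author's query. The rows are constructed in the column layout the query declares (CVEId, Vendor, ..., DateAdded, ..., Notes), not real catalog data, and the reference date is passed in explicitly instead of using now(). It goes slightly beyond the query in two ways: it aggregates the entries by release year, and it sets aside IDs that do not match the CVE-<year>-<number> pattern instead of silently producing a null year.

```python
import csv
import io
import re
from collections import Counter
from datetime import date, datetime

# Constructed sample rows using the column names the query declares (not real KEV data).
SAMPLE_KEV_CSV = """CVEId,Vendor,Product,VulnerabilityName,DateAdded,Description,RequiredAction,DueDate,Notes
CVE-2021-00001,ExampleVendor,ExampleProduct,Example flaw A,2025-01-15,constructed,Apply updates,2025-02-05,
CVE-2023-00002,ExampleVendor,ExampleProduct,Example flaw B,2025-03-02,constructed,Apply updates,2025-03-23,
CVE-2023-00003,OtherVendor,OtherProduct,Example flaw C,2025-06-10,constructed,Apply updates,2025-07-01,
CVE-2025-00004,OtherVendor,OtherProduct,Example flaw D,2025-09-30,constructed,Apply updates,2025-10-21,
CVE-2019-00005,OldVendor,OldProduct,Example flaw E,2024-11-20,constructed,Apply updates,2024-12-11,
not-a-cve,BadVendor,BadProduct,Malformed row,2025-04-01,constructed,Apply updates,2025-04-22,
"""

# CVE IDs are CVE-<four-digit year>-<at least four digits>.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def cve_year(cve_id: str):
    """Return the year embedded in a CVE ID, or None when the ID is malformed."""
    match = CVE_ID_RE.match(cve_id.strip())
    return int(match.group(1)) if match else None


def year_to_date_by_release_year(csv_text: str, today: date):
    """Count catalog entries added from 1 January of today's year up to today,
    grouped by the release year in the CVE ID (mirrors the query's startofyear
    window and split(CVEId, "-")[1] step). Malformed IDs are returned separately."""
    window_start = date(today.year, 1, 1)
    counts = Counter()
    malformed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        added = datetime.strptime(row["DateAdded"], "%Y-%m-%d").date()
        if not (window_start <= added <= today):
            continue  # outside the year-to-date window, same as the query's where clause
        year = cve_year(row["CVEId"])
        if year is None:
            malformed.append(row["CVEId"])
            continue
        counts[year] += 1
    return dict(sorted(counts.items())), malformed


if __name__ == "__main__":
    by_year, bad_ids = year_to_date_by_release_year(SAMPLE_KEV_CSV, date(2025, 10, 15))
    for year, count in by_year.items():
        print(f"{year}: {count} entries added year to date")
    print("malformed IDs:", bad_ids)
```

Keeping the malformed IDs visible rather than dropping them is the useful difference from the query: in KQL, toint() on a segment that is not numeric yields null, so a broken row disappears from a per-year count without any signal.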

Details

Bert-Jan Pals

Released: December 30, 2025

Tables

KnowExploitesVulnsCISA

Keywords

Vulnerabilities, CISA, Year, Date, Vendor, Product, Description, Action, Notes

Operators

externaldata, with, where, between, startofyear, now, startofweek, endofyear, extend, toint, split