# Known exploited vulnerabilities by CISA still active on devices
## Query Information
#### Description
CISA maintains a catalog of vulnerabilities that are currently being exploited in the wild. This query uses that catalog to enrich your vulnerability management process by matching the CISA CVE IDs against the CVE IDs currently active on your devices, which helps prioritize the vulnerabilities that need patching first.
#### Risk
These vulnerabilities are known to be exploited by threat actors, so depending on your configuration the same exploits could be used to gain access to your environment.
#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
### Defender For Endpoint
```
// Devices with the most known exploited vulnerabilities
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
    with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
// kind=inner keeps every device/CVE row; the default innerunique would keep only one left-side row per CVE,
// so devices sharing the same CVE would silently drop out of the result
| join kind=inner KnownExploitedVulnsCISA on $left.CveId == $right.cveID
| summarize
    TotalVulnerabilities = count(),
    Vulnerabilities = make_set(cveID),
    Description = make_set(shortDescription)
    by DeviceName
| sort by TotalVulnerabilities desc
```
This query retrieves the devices that have the most known exploited vulnerabilities. It uses the CISA (Cybersecurity and Infrastructure Security Agency) Known Exploited Vulnerabilities Catalog to match the CVE IDs (Common Vulnerabilities and Exposures) of the vulnerabilities that are currently active on the devices, which helps prioritize what needs to be patched. Because these vulnerabilities are known to be exploited by threat actors, addressing them quickly reduces the chance of unauthorized access to your environment. Note that `count()` counts joined rows, so a device with the same CVE reported for several installed versions contributes more than one to `TotalVulnerabilities`, while `make_set(cveID)` gives the distinct CVEs.
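To make the join and summarize logic testable offline, here is an added Python example (not part of the original query page or the author's code) that replays the same steps: it parses a constructed CSV in the column layout of the CISA KEV file, inner-joins it with constructed `DeviceTvmSoftwareVulnerabilities`-style rows on the CVE ID, and aggregates per device exactly as the KQL `summarize` does. The CVE IDs, device names and descriptions below are made-up sample values, not real catalog entries.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of the CISA KEV CSV.
# Values are made up for the example; they are not real catalog entries.
KEV_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,notes
CVE-0000-0001,ExampleVendor,ExampleProduct,Example RCE,2023-01-10,Constructed remote code execution entry,Apply updates per vendor instructions,2023-01-31,
CVE-0000-0002,ExampleVendor,ExampleAgent,Example privilege escalation,2023-02-01,Constructed privilege escalation entry,Apply updates per vendor instructions,2023-02-22,
CVE-0000-0003,ExampleVendor,ExampleBrowser,Example sandbox escape,2023-02-05,Constructed sandbox escape entry,Apply updates per vendor instructions,2023-02-26,
"""

# Constructed rows standing in for DeviceTvmSoftwareVulnerabilities (DeviceName, CveId).
DEVICE_VULNS = [
    {"DeviceName": "ws-001", "CveId": "CVE-0000-0001"},
    {"DeviceName": "ws-001", "CveId": "CVE-0000-0002"},
    {"DeviceName": "ws-001", "CveId": "CVE-0000-0003"},
    {"DeviceName": "ws-001", "CveId": "CVE-0000-9999"},   # not in KEV, dropped by the join
    {"DeviceName": "srv-db", "CveId": "CVE-0000-0002"},
    {"DeviceName": "srv-db", "CveId": "CVE-0000-0002"},   # same CVE, second installed version
    {"DeviceName": "ws-002", "CveId": "CVE-0000-9999"},   # no KEV hit at all, device absent from result
]


def load_kev(csv_text):
    """Parse the KEV CSV into {cveID: row}, mirroring externaldata(...) with ignoreFirstRecord."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kev = {}
    for row in reader:
        cve = row["cveID"].strip().upper()
        if cve:
            kev[cve] = row
    return kev


def rank_devices(device_vulns, kev):
    """Inner-join device findings with the KEV catalog and summarize per device.

    Mirrors the KQL: count() counts every joined row (duplicates included),
    make_set() collects distinct values, and the result is sorted descending.
    """
    per_device = defaultdict(lambda: {"TotalVulnerabilities": 0,
                                      "Vulnerabilities": set(),
                                      "Description": set()})
    for finding in device_vulns:
        cve = finding["CveId"].strip().upper()
        entry = kev.get(cve)
        if entry is None:
            continue  # inner join: rows without a KEV match are dropped
        agg = per_device[finding["DeviceName"]]
        agg["TotalVulnerabilities"] += 1
        agg["Vulnerabilities"].add(cve)
        agg["Description"].add(entry["shortDescription"])

    result = [
        {
            "DeviceName": name,
            "TotalVulnerabilities": agg["TotalVulnerabilities"],
            # KQL make_set() is unordered; sorted here so the output is deterministic
            "Vulnerabilities": sorted(agg["Vulnerabilities"]),
            "Description": sorted(agg["Description"]),
        }
        for name, agg in per_device.items()
    ]
    result.sort(key=lambda r: r["TotalVulnerabilities"], reverse=True)
    return result


if __name__ == "__main__":
    for row in rank_devices(DEVICE_VULNS, load_kev(KEV_CSV)):
        print(row["DeviceName"], row["TotalVulnerabilities"], row["Vulnerabilities"])
```

Running it shows `srv-db` with `TotalVulnerabilities` of 2 but only one distinct CVE, the same count-versus-set difference you will see in the real query output when a CVE is reported for several installed versions on one device.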

Bert-Jan Pals
Released: February 14, 2023