Query Details

CISA Known Exploited Vulnerabilities Total Vulnerable Devices

Query

# Total vulnerable devices for known exploited vulnerabilities from CISA
----
### Defender For Endpoint
```
// Total vulnerable devices for known exploited vulnerabilities from CISA.
// Columns are declared positionally against the KEV CSV (the header row is skipped).
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string,
    product: string, vulnerabilityName: string, dateAdded: datetime,
    shortDescription: string, requiredAction: string, dueDate: datetime,
    notes: string)
[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// kind=inner keeps every matching device row; the default flavour (innerunique)
// keeps only one left-side row per CveId and would report one device per CVE.
| join kind=inner KnownExploitedVulnsCISA on $left.CveId == $right.cveID
| summarize
    // one row per affected software version, so count distinct devices, not rows
    TotalVulnerableDevices = dcount(DeviceId),
    DeviceList = make_set(DeviceName),
    Description = take_any(shortDescription)
    by cveID
| sort by TotalVulnerableDevices desc
```

Explanation

This query downloads the CISA Known Exploited Vulnerabilities (KEV) catalog with `externaldata` and joins it to DeviceTvmSoftwareVulnerabilities on the CVE ID, so only vulnerabilities that CISA has confirmed as exploited in the wild remain. It then summarizes per CVE: the number of distinct vulnerable devices, the set of device names, and the catalog's short description. Results are sorted with the most widely exposed CVE first.

Two points to check before relying on the numbers. Use `join kind=inner`: the default Kusto join flavour, innerunique, keeps only one left-side row per CveId, which collapses every CVE to a single device. Count devices with `dcount(DeviceId)` rather than `count()`, because DeviceTvmSoftwareVulnerabilities emits one row per affected software version, so a device with two vulnerable installs would otherwise be counted twice. Finally, the declared `externaldata` columns are matched to the CSV by position. The catalog has gained columns since this query was published (knownRansomwareCampaignUse before `notes`, and `cwes` after it), so the `notes` column now receives the ransomware flag; the query does not use it, but update the schema if you do.
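The join pitfall described above, as an added example that is not part of the original query or the author's repository. It runs against two constructed datatables (a slice of DeviceTvmSoftwareVulnerabilities-shaped rows and a two-row KEV stand-in) rather than the live tables; the device IDs, host names and CVE-TEST-* keys are placeholders chosen so they do not resemble real identifiers. Paste it into any Kusto endpoint, including Advanced Hunting, to see both join flavours side by side.

```kusto
// Added example, not from the original page: constructed data only.
// SampleTvm mimics DeviceTvmSoftwareVulnerabilities. dev-2 appears twice (two
// vulnerable installs of the same software), and dev-4 has a CVE that is not in
// the KEV sample, so it must drop out of both joins.
let SampleTvm = datatable(DeviceId: string, DeviceName: string, SoftwareName: string, SoftwareVersion: string, CveId: string) [
    "dev-1", "host-a", "browser", "109.0", "CVE-TEST-1",
    "dev-2", "host-b", "browser", "109.0", "CVE-TEST-1",
    "dev-2", "host-b", "browser", "108.0", "CVE-TEST-1",
    "dev-3", "host-c", "office",  "16.0",  "CVE-TEST-2",
    "dev-4", "host-d", "other",   "1.0",   "CVE-TEST-9",
];
// SampleKEV stands in for the externaldata() call against the CISA CSV.
let SampleKEV = datatable(cveID: string, shortDescription: string) [
    "CVE-TEST-1", "Constructed description one",
    "CVE-TEST-2", "Constructed description two",
];
// Default flavour (innerunique): only one left-side row per CveId survives the join.
let UniqueFlavour = SampleTvm
    | join SampleKEV on $left.CveId == $right.cveID
    | summarize Rows = count(), Devices = dcount(DeviceId), DeviceList = make_set(DeviceName) by cveID
    | extend Flavour = "innerunique";
// kind=inner: every matching left-side row survives, so dcount sees every device.
let InnerFlavour = SampleTvm
    | join kind=inner SampleKEV on $left.CveId == $right.cveID
    | summarize Rows = count(), Devices = dcount(DeviceId), DeviceList = make_set(DeviceName) by cveID
    | extend Flavour = "inner";
union UniqueFlavour, InnerFlavour
| project Flavour, cveID, Rows, Devices, DeviceList
| order by cveID asc, Flavour asc
```

For CVE-TEST-1 the innerunique rows report Rows = 1 and Devices = 1, while the inner rows report Rows = 3 and Devices = 2 with both host names in DeviceList; the gap between Rows and Devices on the inner side is why `dcount(DeviceId)` rather than `count()` is the right device metric. CVE-TEST-9 is absent from both result sets.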

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

Devices, Intune, User

Operators

join, summarize, count, make_set, sort by
