Query Details

CVE-2024-7971 Patch Prioritization

Query

// CVE-2024-7971 Patch Prioritization

// Google has addressed a high-severity Chrome vulnerability (CVE-2024-7971) that is being actively exploited.
// Identify which of your Global Administrators work from an endpoint that runs a vulnerable Chrome build,
// especially where that endpoint holds their browser session cookies. Because the flaw is exploited in the
// wild, patch those Global Administrator endpoints first to shrink the attack surface.

// Step 1: Global Administrator identities that carry a criticality level (lower number = more critical).
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
    | where NodeProperties has "Global Administrator"
    | distinct NodeName;
// Step 2: devices that hold browser cookies ("has credentials of" edge) for those identities.
let VulnerableEndPointwithBCookie =
    ExposureGraphEdges
    | where EdgeLabel == @"has credentials of"
    | where EdgeProperties has "BrowserCookies"
    | where TargetNodeName has_any (CriticalIdentities)
    | distinct SourceNodeName;
// Step 3: of those devices, the ones still running a Chrome build vulnerable to CVE-2024-7971.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-7971"
| where DeviceName has_any (VulnerableEndPointwithBCookie)

Explanation

This query helps prioritize patching for a high-severity, actively exploited Chrome vulnerability (CVE-2024-7971). It works in three steps:

  1. Identify critical Global Administrators:

    • From the exposure graph, select identity nodes that hold the Global Administrator role and have been assigned a criticality level (a value below 4; lower numbers denote higher criticality).

  2. Find endpoints holding their browser cookies:

    • Follow the "has credentials of" edges whose properties mention BrowserCookies and collect the source devices that store cookies for those administrators. Cookies on a compromised endpoint let an attacker replay the admin's session without the password or MFA.

  3. Check those endpoints for vulnerable Chrome builds:

    • Look up the collected devices in DeviceTvmSoftwareVulnerabilities for CVE-2024-7971. The result is the set of devices used by critical Global Administrators that still need the Chrome update, so they can be patched first.
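A variant of the three steps above, added here as an illustration and not part of the original query: it joins on node IDs instead of matching names with has_any, so each result row names the exposed administrator(s), their criticality, the installed Chrome version and the recommended update. It assumes that exposure-graph device node names equal the Defender DeviceName (apply tolower() to both sides if your tenant differs in case) and that a lower criticalityLevel number means a more critical asset, as the threshold in the original query implies.

```kql
// Added example, not the page's query. Same three steps, joined on identifiers
// so the output keeps the admin name, criticality and Chrome version per device.
// Assumption: lower criticalityLevel = more critical; device NodeName == DeviceName.
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and toint(NodeProperties.rawData.criticalityLevel.criticalityLevel) < 4
    | where NodeProperties has "Global Administrator"
    | project AdminNodeId = NodeId,
              AdminName = NodeName,
              CriticalityLevel = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel);
// Step 2: join the edge's target (the identity) to the critical admins by NodeId,
// which avoids term-matching pitfalls of has_any on display names.
let CookieExposure =
    ExposureGraphEdges
    | where EdgeLabel == @"has credentials of"
    | where EdgeProperties has "BrowserCookies"
    | join kind=inner CriticalIdentities on $left.TargetNodeId == $right.AdminNodeId
    | project DeviceNodeName = SourceNodeName, AdminName, CriticalityLevel;
// Step 3: keep only devices still vulnerable, one row per device with the admins it exposes.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-7971"
| join kind=inner CookieExposure on $left.DeviceName == $right.DeviceNodeName
| summarize ExposedAdmins = make_set(AdminName),
            HighestCriticality = min(CriticalityLevel),
            ChromeVersions = make_set(SoftwareVersion),
            RecommendedUpdate = take_any(RecommendedSecurityUpdate)
    by DeviceId, DeviceName, OSPlatform
// Most critical admins first, then devices that expose the most admins.
| order by HighestCriticality asc, array_length(ExposedAdmins) desc
```

The ordering puts the devices to patch first at the top; HighestCriticality uses min() because, under the page's convention, the smallest level number is the most critical asset. If the Chrome build is listed more than once for a device (for example per-user installs), make_set collapses the versions into one row.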

Details


Steven Lim

Released: August 22, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges, DeviceTvmSoftwareVulnerabilities

Keywords

Devices, Intune, User, Vulnerability, BrowserCookies, GlobalAdministrator, Endpoints, Credential, ExposureGraph, Nodes, Edges

Operators

let, |, where, set_has_element, isnotnull, and, <, has, distinct, ==, has_any
