Query Details

Device Or VM With Critical CVSS And Exploit Is Verified

Query

// Device or VM with critical CVSS and ExploitIsVerified
// https://www.linkedin.com/posts/activity-7193835506164469761-_1ty/

// The MDE table DeviceTvmSoftwareVulnerabilitiesKB includes the IsExploitAvailable column,
// which only indicates that an exploit is publicly available. In contrast, the Exposure
// Management table ExposureGraphNodes carries an exploitabilityLevel property under
// NodeProperties.rawData that is more specific; one of its values is "ExploitIsVerified".
// With that in mind, this KQL query isolates Critical CVEs whose exploit is verified and then
// joins them to ExposureGraphEdges to find all devices and virtual machines affected by them.
// The goal is to prioritize remediation of these machines urgently and so reduce the
// attack surface.

ExposureGraphNodes
| where NodeLabel == "Cve"
// Cast the score to a number: as a string, "9.8" would sort above "10.0"
| extend CVSSScore = toreal(NodeProperties.rawData.cvssScore)
| extend Severity = tostring(NodeProperties.rawData.severity)
| extend HasExploit = tostring(NodeProperties.rawData.hasExploit)   // informational, not used in the filter
| extend ExploitabilityLevel = tostring(NodeProperties.rawData.exploitabilityLevel)
| where ExploitabilityLevel == "ExploitIsVerified" and Severity == "Critical"
// Follow every edge that leaves a CVE node; the target node is the affected asset
| join kind=inner ExposureGraphEdges on $left.NodeId == $right.SourceNodeId
| project TargetNodeName, TargetNodeLabel, SourceNodeName, CVSSScore, Severity, ExploitabilityLevel, NodeProperties
| sort by CVSSScore desc

Explanation

This KQL (Kusto Query Language) query identifies devices or virtual machines (VMs) that are exposed to Critical Common Vulnerabilities and Exposures (CVEs) for which an exploit has been verified. A simplified breakdown of what the query does:

  1. Filter for CVEs: It starts from the ExposureGraphNodes table and keeps only the nodes labeled "Cve" (Common Vulnerabilities and Exposures).

  2. Extract and Filter Data: It reads several properties out of each CVE node's NodeProperties.rawData: the CVSS (Common Vulnerability Scoring System) score, the severity, whether an exploit exists (hasExploit), and the exploitability level. It then keeps only the CVEs whose severity is "Critical" and whose exploitability level is "ExploitIsVerified". This is a stricter condition than the IsExploitAvailable flag in DeviceTvmSoftwareVulnerabilitiesKB, which only says that some exploit exists publicly.

  3. Join with ExposureGraphEdges: The filtered CVE nodes are joined to ExposureGraphEdges on NodeId = SourceNodeId, which follows every edge leaving a CVE node and returns the asset at the other end. The query does not itself restrict the target to devices and VMs, so check TargetNodeLabel in the output (or add a filter on it) if other asset types appear. Without an explicit kind, KQL's join defaults to innerunique, which deduplicates left-side keys; because each CVE node has a unique NodeId that changes nothing here, but kind=inner states the intent explicitly.

  4. Project and Sort Results: Finally, it selects the relevant columns (the target node's name and label, the CVE name, the CVSS score and the raw node properties) and sorts the results by CVSS score in descending order. For that sort to be numeric rather than alphabetical, the score must be cast with toreal() rather than tostring(); as a string, "9.8" sorts above "10.0".

The ultimate goal of this query is to help prioritize the remediation of the devices and VMs most at risk, those carrying critical vulnerabilities with verified exploits, thereby reducing the potential attack surface.
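The query above returns one row per CVE/asset pair, so a machine hit by five verified-exploitable CVEs appears five times. The following variant, an added example that is not part of the original query, collapses the result to one row per affected asset with a CVE count, the highest CVSS score and the list of CVE names, which is usually the shape a remediation queue wants. Column names that appear on this page are used as-is; TargetNodeId is assumed to exist on ExposureGraphEdges and is used only to keep two assets that share a display name apart.

```kql
// Added example: one row per affected asset, ranked by how many verified-exploitable
// Critical CVEs reach it and by the highest CVSS score among them.
// Assumption: ExposureGraphEdges exposes a TargetNodeId column alongside TargetNodeName.
let VerifiedCriticalCves =
    ExposureGraphNodes
    | where NodeLabel == "Cve"
    // toreal() so that max() and sort treat the score as a number, not a string
    | extend CVSSScore = toreal(NodeProperties.rawData.cvssScore)
    | extend Severity = tostring(NodeProperties.rawData.severity)
    | extend ExploitabilityLevel = tostring(NodeProperties.rawData.exploitabilityLevel)
    | where Severity == "Critical" and ExploitabilityLevel == "ExploitIsVerified"
    | project CveNodeId = NodeId, CVSSScore;
VerifiedCriticalCves
// Each edge leaving a CVE node points at an affected asset; SourceNodeName is the CVE name
| join kind=inner ExposureGraphEdges on $left.CveNodeId == $right.SourceNodeId
| summarize
    VerifiedCriticalCveCount = dcount(SourceNodeName),
    MaxCVSS = max(CVSSScore),
    Cves = make_set(SourceNodeName, 50)          // cap the list so one row stays readable
  by TargetNodeId, TargetNodeName, TargetNodeLabel
| sort by VerifiedCriticalCveCount desc, MaxCVSS desc
```

If only devices and VMs should be in the queue, add a filter on TargetNodeLabel after the join using the label values observed in your own tenant; the page does not list them, so they are not hard-coded here.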

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes, ExposureGraphEdges

Keywords

Devices, Virtual Machines, Vulnerabilities, Exploits, CVEs, Remediation

Operators

|, ==, extend, tostring, join, on, project, sort by, desc
