Query Details
Devices With The Most Known Exploited Vulnerabilities
Query
//Devices with the most known exploited vulnerabilities
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime,
notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
| join KnowExploitesVulnsCISA on $left.CveId == $right.cveID
| summarize
TotalVulnerabilities = count(),
Vulnerabilities = make_set(cveID),
Description = make_set(shortDescription)
by DeviceName
| sort by TotalVulnerabilities
Explanation
This query is designed to identify devices with the most known exploited vulnerabilities. Here's a simple breakdown of what it does:
-
Data Import: It starts by importing a list of known exploited vulnerabilities from a CSV file provided by CISA (Cybersecurity and Infrastructure Security Agency). This list includes details like the CVE ID, vendor, product, vulnerability name, and a short description.
-
Data Joining: It then joins this imported data with another dataset (
DeviceTvmSoftwareVulnerabilities) that contains information about vulnerabilities on various devices. The join is based on matching CVE IDs from both datasets. -
Data Aggregation: After joining, the query summarizes the data for each device by:
- Counting the total number of known exploited vulnerabilities.
- Creating a set of unique CVE IDs associated with each device.
- Creating a set of unique short descriptions of these vulnerabilities.
-
Sorting: Finally, it sorts the devices by the total number of vulnerabilities in ascending order.
In essence, the query identifies which devices have the most vulnerabilities that are known to be exploited, providing a list of these vulnerabilities and their descriptions for each device.
Details
Jay Kerai
Released: November 11, 2024
Tables
Keywords
Operators