# Due Date Passed CISA Known Exploited Vulnerabilities
## Query Information
#### Description
CISA provides a comprehensive list of known exploited vulnerabilities with CVE numbers, vendor names, product names, vulnerability names, dates, short descriptions, action due dates, and notes. This dynamic list is ingested into a KQL query via `externaldata` to detect newly added known exploited vulnerabilities that are present in your environment.
This query calculates how many days the due date has been exceeded and returns this in a new column named *DueDateExceededByDays*. Based on this column you can track which vulnerabilities still need to be patched, by when they must be patched, and where this has not been done within the set time.
#### Risk
Known exploited vulnerabilities are actively exploited by adversaries and need to be patched as soon as possible.
#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
## Defender For Endpoint
```KQL
// Pull the CISA KEV catalog straight from the published CSV; the schema mirrors the CSV header.
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// Inner join keeps only device findings whose CVE is in the catalog and already past its due date.
| join kind=inner (KnownExploitedVulnsCISA
| where dueDate < now()) on $left.CveId == $right.cveID
// One row per CVE with the distinct set of affected devices.
| summarize VulnerableDevices = make_set(DeviceName) by CveId, vendorProject, vulnerabilityName, dateAdded, dueDate, shortDescription
// Days past the CISA due date and the size of the device set.
| extend DueDateExceededByDays = datetime_diff('day', now(), dueDate), TotalVulnerableDevices = array_length(VulnerableDevices)
| project-reorder CveId, vendorProject, DueDateExceededByDays, TotalVulnerableDevices
// sort by defaults to descending: longest overdue and most widespread first.
| sort by DueDateExceededByDays, TotalVulnerableDevices
```
## Sentinel
```KQL
// Pull the CISA KEV catalog straight from the published CSV; the schema mirrors the CSV header.
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// Inner join keeps only device findings whose CVE is in the catalog and already past its due date.
| join kind=inner (KnownExploitedVulnsCISA
| where dueDate < now()) on $left.CveId == $right.cveID
// One row per CVE with the distinct set of affected devices.
| summarize VulnerableDevices = make_set(DeviceName) by CveId, vendorProject, vulnerabilityName, dateAdded, dueDate, shortDescription
// Days past the CISA due date and the size of the device set.
| extend DueDateExceededByDays = datetime_diff('day', now(), dueDate), TotalVulnerableDevices = array_length(VulnerableDevices)
| project-reorder CveId, vendorProject, DueDateExceededByDays, TotalVulnerableDevices
// sort by defaults to descending: longest overdue and most widespread first.
| sort by DueDateExceededByDays, TotalVulnerableDevices
```

This query is used to detect known exploited vulnerabilities that have exceeded their due date for patching. It retrieves the list of known exploited vulnerabilities from CISA, joins it with the DeviceTvmSoftwareVulnerabilities table, and calculates the number of days by which the due date has been exceeded. It also provides the total number of vulnerable devices for each vulnerability. The results are sorted by the number of days the due date has been exceeded and then by the total number of vulnerable devices.
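To check the join and aggregation logic of the query offline, here is an added Python re-implementation (not part of the original page or the query author's code) that runs the same steps over a constructed KEV CSV excerpt and constructed device findings; the CVE ids, device names and dates are placeholders, and `REFERENCE_DATE` stands in for `now()`.

```python
import csv
import io
from datetime import datetime, date

# Constructed excerpt in the CISA KEV CSV layout (same columns as the externaldata schema).
# CVE ids, vendors and dates are placeholders, not real catalog rows.
KEV_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,notes
CVE-0000-0001,ExampleVendor,ExampleProduct,Example RCE,2023-10-01,Placeholder description,Apply updates per vendor instructions.,2023-10-22,
CVE-0000-0002,ExampleVendor,ExampleAgent,Example privilege escalation,2023-11-15,Placeholder description,Apply updates per vendor instructions.,2023-12-06,
CVE-0000-0003,OtherVendor,OtherProduct,Example auth bypass,2023-11-20,Placeholder description,Apply updates per vendor instructions.,2023-12-11,
"""

# Constructed stand-in for DeviceTvmSoftwareVulnerabilities rows: (DeviceName, CveId).
DEVICE_VULNS = [
    ("srv-web-01", "CVE-0000-0001"),
    ("srv-web-02", "CVE-0000-0001"),
    ("srv-web-01", "CVE-0000-0001"),  # duplicate finding; make_set collapses it
    ("wks-042", "CVE-0000-0002"),
    ("wks-043", "CVE-0000-0002"),
    ("wks-044", "CVE-0000-0002"),
    ("srv-db-01", "CVE-0000-0003"),   # due date not yet passed at the reference date
    ("wks-099", "CVE-9999-9999"),     # not in the catalog: dropped by the inner join
]

REFERENCE_DATE = date(2023, 12, 8)    # stands in for now()


def overdue_kev(kev_csv, device_vulns, now):
    """Re-implement the KQL join, make_set, datetime_diff and sort on in-memory rows."""
    catalog = {}
    for row in csv.DictReader(io.StringIO(kev_csv)):
        due = datetime.strptime(row["dueDate"], "%Y-%m-%d").date()
        if due < now:                       # the `where dueDate < now()` filter
            catalog[row["cveID"]] = (row, due)
    devices = {}
    for device, cve in device_vulns:
        if cve in catalog:                  # kind=inner: unmatched CVEs vanish
            devices.setdefault(cve, set()).add(device)   # make_set semantics
    results = []
    for cve, names in devices.items():
        row, due = catalog[cve]
        results.append({
            "CveId": cve,
            "vendorProject": row["vendorProject"],
            "DueDateExceededByDays": (now - due).days,   # datetime_diff('day', now(), dueDate)
            "TotalVulnerableDevices": len(names),
            "VulnerableDevices": sorted(names),
        })
    # KQL `sort by` defaults to descending on each key
    results.sort(key=lambda r: (r["DueDateExceededByDays"], r["TotalVulnerableDevices"]), reverse=True)
    return results
```

Running `overdue_kev(KEV_CSV, DEVICE_VULNS, REFERENCE_DATE)` returns two rows: the placeholder CVE-0000-0001 at 47 days overdue on 2 devices, then CVE-0000-0002 at 2 days overdue on 3 devices.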

Bert-Jan Pals
Released: December 4, 2023