Query Details

Enriching CVE Tables With CVE Mitre Data

Query

**Enriching CVE Tables with CVE Mitre Data**

**Description**: This query takes the information from the CVE Mitre site (https://cve.mitre.org) and enriches the Defender vulnerability tables with the URLs related to the vulnerability itself, how to remediate it, and additional information.

```
let CVE = externaldata(CVEData:string)
[@"https://cve.mitre.org/data/downloads/allitems.csv"] with (format="txt");
CVE
// Drop the quoted preamble lines and comma-led lines that precede the CSV records
| where CVEData !startswith '"' and CVEData !startswith ","
// Columns are split on ',' so a description is cut at its first comma;
// the references field is the text between the 3rd and 4th double quote
| extend Name = tostring(split(CVEData, ',')[0]),
    Status = tostring(split(CVEData, ',')[1]),
    Description = tostring(split(CVEData, ',')[2]),
    AdditionalInfo0 = tostring(split(CVEData, '"')[3])
// Individual references are separated by '|'
| extend AdditionalInfo1 = split(AdditionalInfo0, '|')[0],
    AdditionalInfo2 = split(AdditionalInfo0, '|')[1],
    AdditionalInfo3 = split(AdditionalInfo0, '|')[2]
// Strip the leading double quote from the description
| extend Description = substring(Description, 1)
// To search for a specific CVE ID, uncomment the next line and fill in the ID
// | where Name has ""
| join kind=inner (DeviceTvmSoftwareVulnerabilities) on $left.Name == $right.CveId
| join kind=inner (DeviceTvmSoftwareVulnerabilitiesKB) on $left.Name == $right.CveId
| project Name, DeviceName, CvssScore, IsExploitAvailable, SoftwareName, Status, Description, AdditionalInfo0, AdditionalInfo1, AdditionalInfo2, AdditionalInfo3
```

Explanation

This query enriches the Defender vulnerability tables with detailed information from the CVE Mitre site. Here's a simplified breakdown:

  1. Fetch CVE Data: It retrieves CVE data from the Mitre website in CSV format.
  2. Filter and Parse Data: It filters out unwanted rows and splits the data into meaningful columns like Name, Status, Description, and Additional Information.
  3. Join with Defender Tables: It joins this enriched CVE data with two Defender tables (DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB) based on the CVE ID.
  4. Select Relevant Columns: Finally, it selects and displays relevant columns such as CVE Name, Device Name, CVSS Score, Exploit Availability, Software Name, Status, Description, and additional information.

In essence, this query combines CVE details from the Mitre site with Defender vulnerability data to provide a comprehensive view of vulnerabilities, their status, and additional context.
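The parsing step (2) is the part of this query worth checking before trusting its output, because splitting a CSV row on `,` does not respect quoted fields. The Python below is an added example, not code from the query page or its author: it replays the query's split logic (`naive_parse`) next to a real CSV reader (`csv_parse`) over a constructed sample in the column layout the query assumes for `allitems.csv` (Name, Status, Description, References, then three further columns). The rows, URLs and CVE IDs are made up for the example. The Defender join itself is not reproduced; `index_by_cve` only shows the keyed-by-CVE shape the join consumes.

```python
import csv
import io

# Constructed sample in the column layout the query assumes for allitems.csv
# (Name,Status,Description,References,Phase,Votes,Comments). The first line
# stands in for the quoted preamble lines that the query's !startswith '"'
# filter removes. None of these rows are real CVE records.
SAMPLE_CSV = '''"Constructed preamble line, standing in for the comment lines before the header"
Name,Status,Description,References,Phase,Votes,Comments
CVE-2099-0001,Candidate,"Example parser flaw, triggered via crafted input, allows denial of service.","MISC:https://example.invalid/advisory   |   CONFIRM:https://example.invalid/fix",Assigned (20240101),,
CVE-2099-0002,Entry,"Example flaw with no commas in its description.","MISC:https://example.invalid/note",,,
'''


def naive_parse(line):
    """Mirror the query: split on ',' for Name/Status/Description, drop the
    description's leading quote, take the text between the 3rd and 4th
    double quote as the references field and split it on '|'."""
    parts = line.split(',')
    name, status = parts[0], parts[1]
    description = parts[2][1:]            # substring(Description, 1)
    refs_field = line.split('"')[3]       # split(CVEData, '"')[3]
    references = [r.strip() for r in refs_field.split('|')]
    return {"Name": name, "Status": status,
            "Description": description, "References": references}


def csv_parse(text):
    """Parse the same rows with a real CSV reader so quoted commas survive."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        # Skip preamble lines and the header row: keep only CVE records
        if len(row) < 4 or not row[0].startswith("CVE-"):
            continue
        references = [r.strip() for r in row[3].split('|') if r.strip()]
        rows.append({"Name": row[0], "Status": row[1],
                     "Description": row[2], "References": references})
    return rows


def index_by_cve(rows):
    """Key the parsed records by CVE ID, the shape a join on CveId needs."""
    return {row["Name"]: row for row in rows}


def description_mismatches(text):
    """Map each CVE ID whose split-based description differs from the CSV
    reader's result to the pair (naive, correct)."""
    correct = index_by_cve(csv_parse(text))
    mismatches = {}
    for line in text.splitlines():
        if not line.startswith("CVE-"):
            continue
        naive = naive_parse(line)
        good = correct[naive["Name"]]["Description"]
        if naive["Description"] != good:
            mismatches[naive["Name"]] = (naive["Description"], good)
    return mismatches


if __name__ == "__main__":
    for cve_id, (naive, good) in description_mismatches(SAMPLE_CSV).items():
        print(f"{cve_id}: split gives {naive!r}, CSV reader gives {good!r}")
```

Running it shows both failure modes of the split approach: a description containing a comma is cut at that comma, and a description without one keeps its closing quote. The Name, Status and References columns come out the same either way, so the join key and the URLs the query is built for are unaffected; only the Description column needs care if it is used for anything beyond display.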

Details


Sergio Albea

Released: August 25, 2024

Tables

CVE, DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB

Keywords

CVE, Mitre, Defender, Vulnerability, DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB, DeviceName, CvssScore, IsExploitAvailable, SoftwareName, Status, Description, AdditionalInfo

Operators

externaldata, with, where, !startswith, extend, split, substring, tostring, join, on, project
