Query Details

Exposure Management Slims Metric Max CVSS DAW

Query

//Exposure Management - Slim's Metric (MaxCVSS-DAW)
//https://www.linkedin.com/posts/activity-7178429122094772224-aK3e/

//Maximum CVSS for Domain Admin Workstations. A favorite KQL wish list for all CISO 😜 Secure your "keys" to your kingdom before it gets breached!

//KQL Code:

ExposureGraphNodes
| where NodeProperties.rawData.criticalityLevel contains "Domain Admin Workstations"
| where isnotnull(NodeProperties.rawData.highRiskVulnerabilityInsights)
| extend MaxCvssScore = toreal(NodeProperties.rawData.highRiskVulnerabilityInsights.maxCvssScore)
| sort by MaxCvssScore desc

Explanation

This KQL query identifies and prioritizes high-risk vulnerabilities on Domain Admin Workstations by looking at their maximum CVSS (Common Vulnerability Scoring System) scores. Here's a simplified breakdown:

  1. Data Source: The query starts from the ExposureGraphNodes table, which holds the nodes of the exposure graph.
  2. Filter for Domain Admin Workstations: It keeps only the nodes whose criticality level marks them as "Domain Admin Workstations".
  3. Check for High-Risk Vulnerabilities: It further filters to nodes that actually carry high-risk vulnerability insights (the highRiskVulnerabilityInsights property is not null).
  4. Extract Max CVSS Score: It reads the maxCvssScore value from those insights and converts it to a real number so it can be sorted numerically.
  5. Sort by CVSS Score: Finally, it sorts the workstations in descending order of their maximum CVSS score, so the most exposed hosts appear first.

In essence, this query helps security teams quickly see which Domain Admin Workstations carry the highest-scoring vulnerabilities, so they can prioritize remediation on the hosts that matter most.
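As an added example (not part of Steven Lim's original query), the same filter can be extended to bucket the workstations into CVSS severity bands and list the affected hosts per band, which is often more useful for reporting than a flat sorted list. It assumes ExposureGraphNodes exposes a NodeName column for the device name.

```kql
// Added example, not from the original post. Buckets Domain Admin Workstations
// by CVSS severity band and lists the affected hosts in each band.
// Assumption: ExposureGraphNodes provides a NodeName column for the device name.
ExposureGraphNodes
| where NodeProperties.rawData.criticalityLevel contains "Domain Admin Workstations"
| where isnotnull(NodeProperties.rawData.highRiskVulnerabilityInsights)
| extend MaxCvssScore = toreal(NodeProperties.rawData.highRiskVulnerabilityInsights.maxCvssScore)
// CVSS v3 qualitative bands: Critical 9.0+, High 7.0-8.9, Medium 4.0-6.9, Low below 4.0
| extend SeverityBand = case(
    MaxCvssScore >= 9.0, "Critical",
    MaxCvssScore >= 7.0, "High",
    MaxCvssScore >= 4.0, "Medium",
    "Low")
| summarize Workstations = dcount(NodeName),
            Hosts = make_set(NodeName, 50),
            WorstScore = max(MaxCvssScore)
    by SeverityBand
| sort by WorstScore desc
```

Run it in the same advanced hunting workspace as the original; the Critical and High rows are the hosts to remediate first.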

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes

Keywords

Exposure Management, Domain Admin Workstations, Vulnerability Insights

Operators

contains, isnotnull, extend, toreal, sort by, desc
