High Risk Software Vulnerabilities Detected Via EPSS Scoring
Query
// Lists all vulnerabilities with an EPSS score above the defined threshold,
// enriched with installation paths and registry keys from the evidence table.
let EpssThreshold = 0.20;
// Load CVE metadata from the knowledge base
let KbData = DeviceTvmSoftwareVulnerabilitiesKB
| where isnotempty(CveId)
| project
CveId,
CvssScore,
EpssScore,
IsExploitAvailable,
PublishedDate,
VulnerabilitySeverityLevel;
// Filter affected devices to those with EPSS above the threshold
let FilteredVulns = DeviceTvmSoftwareVulnerabilities
| where isnotempty(CveId)
| join kind=inner KbData on CveId
| where EpssScore >= EpssThreshold
| project
DeviceId,
DeviceName,
CveId,
EpssScore = round(EpssScore * 100, 2),
CvssScore,
VulnerabilitySeverityLevel,
IsExploitAvailable,
SoftwareName,
SoftwareVersion,
SoftwareVendor,
RecommendedSecurityUpdate,
RecommendedSecurityUpdateId,
PublishedDate,
OSPlatform,
OSVersion;
// Restrict evidence lookup to affected devices only for better performance
let AffectedDeviceIds = FilteredVulns | distinct DeviceId;
let EvidenceData = DeviceTvmSoftwareEvidenceBeta
| where DeviceId in (AffectedDeviceIds)
| project
DeviceId,
SoftwareName,
SoftwareVersion,
SoftwareVendor,
DiskPaths,
RegistryPaths;
FilteredVulns
| join kind=leftouter EvidenceData on DeviceId, SoftwareName, SoftwareVersion, SoftwareVendor
| project-away
DeviceId,
DeviceId1,
SoftwareName1,
SoftwareVersion1,
SoftwareVendor1
| sort by EpssScore desc, CvssScore descAbout this query
Explanation
This query is designed to identify high-risk software vulnerabilities on devices by using the Exploit Prediction Scoring System (EPSS). Here's a simplified breakdown:
-
Purpose: The query aims to find software installed on devices that have known vulnerabilities with an EPSS score of 0.20 or higher. This score indicates a higher likelihood of the vulnerability being exploited.
-
Data Sources:
- It uses data from a knowledge base that contains information about vulnerabilities (like CVE IDs, scores, and severity levels).
- It also looks at evidence data from devices to find where the vulnerable software is installed (disk paths and registry keys).
-
Process:
- First, it filters the vulnerabilities to only include those with an EPSS score above 0.20. - It then matches these vulnerabilities with the devices they affect.
- Finally, it gathers additional information about the software's installation paths and registry keys on those devices.
-
Output: The result is a list of devices with high-risk vulnerabilities, enriched with details about the software and its installation, sorted by the highest EPSS and CVSS scores. This helps prioritize which vulnerabilities to address first.
-
Use Case: This query is useful for security teams to quickly identify and prioritize patching efforts for software vulnerabilities that are most likely to be exploited, thereby reducing the risk of security breaches.
