Query Details

List CISA Exploited Vulnerabilities

Query

# Function: ListCISAExploitedVulnerabilites()

## Query Information

#### Description
This function lists all Known Exploited Vulnerabilities as classified by CISA. The parameter *StartYear* sets the earliest year to include: only vulnerabilities whose CVE ID year is *StartYear* or later are listed.

#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv

## Defender For Endpoint
```
let ListCISAExploitedVulnerabilites = (StartYear:long) {
    // Load the CISA Known Exploited Vulnerabilities catalog; the first record is the CSV header
    let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
    KnowExploitesVulnsCISA
    // Days between now and the due date (positive once the due date has passed)
    | extend DueDateExceededByDays = datetime_diff('day', now(), dueDate)
    // Year taken from the CVE ID, e.g. CVE-2023-... gives 2023
    | extend ReleaseYear = tolong(extract(@'CVE-(.*?)-', 1, cveID))
    | where ReleaseYear >= StartYear
};
// Example: list only CVEs from 2023 or newer
ListCISAExploitedVulnerabilites(2023);
```
## Sentinel
```
let ListCISAExploitedVulnerabilites = (StartYear:long) {
    // Load the CISA Known Exploited Vulnerabilities catalog; the first record is the CSV header
    let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
    KnowExploitesVulnsCISA
    // Days between now and the due date (positive once the due date has passed)
    | extend DueDateExceededByDays = datetime_diff('day', now(), dueDate)
    // Year taken from the CVE ID, e.g. CVE-2023-... gives 2023
    | extend ReleaseYear = tolong(extract(@'CVE-(.*?)-', 1, cveID))
    | where ReleaseYear >= StartYear
};
// Example: list only CVEs from 2023 or newer
ListCISAExploitedVulnerabilites(2023);
```

Explanation

The query defines a function, "ListCISAExploitedVulnerabilites", that lists all known exploited vulnerabilities classified by CISA. Its "StartYear" parameter determines from which year onwards the vulnerabilities are listed. The function reads the catalog with externaldata from the CSV file hosted on the CISA website and skips the header record. It then adds two columns: "DueDateExceededByDays", the number of days between now and the due date (positive once the due date has passed), and "ReleaseYear", the year extracted from the CVE ID. Finally it keeps only rows whose "ReleaseYear" is at least "StartYear". The example call lists vulnerabilities from the year 2023 or newer.
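
As an added example (not part of the original query), the function's output can be joined to the Defender for Endpoint vulnerability inventory to show which catalogued CVEs are present on onboarded devices and how far past the CISA due date they are. It assumes the `DeviceTvmSoftwareVulnerabilities` advanced hunting table is available, so it applies to the Defender for Endpoint variant only; the output column names `ExposedDevices` and `Devices` are chosen here for illustration.

```kql
// Added example: function definition repeated from the page so the query runs on its own
let ListCISAExploitedVulnerabilites = (StartYear:long) {
    let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
    KnowExploitesVulnsCISA
    | extend DueDateExceededByDays = datetime_diff('day', now(), dueDate)
    | extend ReleaseYear = tolong(extract(@'CVE-(.*?)-', 1, cveID))
    | where ReleaseYear >= StartYear
};
// Vulnerabilities detected on devices, restricted to CVEs in the CISA catalog
DeviceTvmSoftwareVulnerabilities
| join kind=inner (ListCISAExploitedVulnerabilites(2023)) on $left.CveId == $right.cveID
// One row per CVE: affected device count plus a sample of device names
| summarize ExposedDevices = dcount(DeviceId), Devices = make_set(DeviceName, 25)
    by cveID, vulnerabilityName, SoftwareVendor, SoftwareName, dueDate, DueDateExceededByDays
// Most overdue remediation first
| sort by DueDateExceededByDays desc, ExposedDevices desc
```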

Details

Bert-Jan Pals

Released: November 30, 2023

Tables

known_exploited_vulnerabilities

Keywords

ListCISAExploitedVulnerabilites, StartYear, KnowExploitesVulnsCISA, externaldata, cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate, notes, format, ignoreFirstRecord, extend, datetime_diff, now, tolong, extract, where

Operators

externaldata, extend, datetime_diff, now, tolong, extract, where