Query Details

Function: ListCISAExploitedVulnerabilites()

List CISA Exploited Vulnerabilites

Query

let ListCISAExploitedVulnerabilites = (StartYear:long) { 
    let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
    KnowExploitesVulnsCISA
    | extend DueDateExceededByDays = datetime_diff('day', now(), dueDate) 
    | extend ReleaseYear = tolong(extract(@'CVE-(.*?)-', 1, cveID))
    | where ReleaseYear >= StartYear
};
// Example only list from 2023 or newer
ListCISAExploitedVulnerabilites(2023);

About this query

Function: ListCISAExploitedVulnerabilites()

Query Information

Description

This function lists all Known Exploited Vulnerabilities as classified by CISA. The parameter StartYear determines from which year on you want to list the vulnerabilities.

References

Defender XDR

Sentinel

let ListCISAExploitedVulnerabilites = (StartYear:long) { 
    let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
    KnowExploitesVulnsCISA
    | extend DueDateExceededByDays = datetime_diff('day', now(), dueDate) 
    | extend ReleaseYear = tolong(extract(@'CVE-(.*?)-', 1, cveID))
    | where ReleaseYear >= StartYear
};
// Example only list from 2023 or newer
ListCISAExploitedVulnerabilites(2023);

Explanation

This query defines a function called ListCISAExploitedVulnerabilities that retrieves a list of known exploited vulnerabilities as identified by the Cybersecurity and Infrastructure Security Agency (CISA). The function takes a parameter, StartYear, which specifies the starting year from which you want to list the vulnerabilities.

Here's a simple breakdown of what the query does:

  1. Data Source: It pulls data from a CSV file hosted on CISA's website, which contains information about known exploited vulnerabilities.

  2. Data Processing:

    • It calculates how many days have passed since the due date for addressing each vulnerability.
    • It extracts the release year from the CVE ID (Common Vulnerabilities and Exposures Identifier) of each vulnerability.
  3. Filtering: The function filters the vulnerabilities to include only those that were released in or after the specified StartYear.

  4. Usage Example: The example provided in the query shows how to use the function to list vulnerabilities from the year 2023 or later.

This function can be used in both Defender XDR and Sentinel environments to help security teams track and manage vulnerabilities that have been exploited and are recognized by CISA.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

KnowExploitesVulnsCISA

Keywords

KnownExploitedVulnerabilitiesCISACVEVendorProjectProductVulnerabilityNameDateAddedShortDescriptionRequiredActionDueNotesReleaseYear

Operators

letexternaldatawithformatignoreFirstRecordextenddatetime_diffnowtolongextractwhere

Actions

GitHub