Function: ListCISAExploitedVulnerabilites()
List CISA Exploited Vulnerabilites
Query
let ListCISAExploitedVulnerabilites = (StartYear:long) {
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
| extend DueDateExceededByDays = datetime_diff('day', now(), dueDate)
| extend ReleaseYear = tolong(extract(@'CVE-(.*?)-', 1, cveID))
| where ReleaseYear >= StartYear
};
// Example only list from 2023 or newer
ListCISAExploitedVulnerabilites(2023);About this query
Function: ListCISAExploitedVulnerabilites()
Query Information
Description
This function lists all Known Exploited Vulnerabilities as classified by CISA. The parameter StartYear determines from which year on you want to list the vulnerabilities.
References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
Defender XDR
Sentinel
let ListCISAExploitedVulnerabilites = (StartYear:long) {
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
| extend DueDateExceededByDays = datetime_diff('day', now(), dueDate)
| extend ReleaseYear = tolong(extract(@'CVE-(.*?)-', 1, cveID))
| where ReleaseYear >= StartYear
};
// Example only list from 2023 or newer
ListCISAExploitedVulnerabilites(2023);
Explanation
This query defines a function called ListCISAExploitedVulnerabilities that retrieves a list of known exploited vulnerabilities as identified by the Cybersecurity and Infrastructure Security Agency (CISA). The function takes a parameter, StartYear, which specifies the starting year from which you want to list the vulnerabilities.
Here's a simple breakdown of what the query does:
-
Data Source: It pulls data from a CSV file hosted on CISA's website, which contains information about known exploited vulnerabilities.
-
Data Processing:
- It calculates how many days have passed since the due date for addressing each vulnerability.
- It extracts the release year from the CVE ID (Common Vulnerabilities and Exposures Identifier) of each vulnerability.
-
Filtering: The function filters the vulnerabilities to include only those that were released in or after the specified
StartYear. -
Usage Example: The example provided in the query shows how to use the function to list vulnerabilities from the year 2023 or later.
This function can be used in both Defender XDR and Sentinel environments to help security teams track and manage vulnerabilities that have been exploited and are recognized by CISA.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators