# New Active CISA Known Exploited Vulnerability Detected
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1190 | Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ |
#### Description
CISA provides a comprehensive list of known exploited vulnerabilities with CVE numbers, vendor names, product names, vulnerability names, dates, short descriptions, action due dates, and notes. This dynamic list is ingested into a KQL query to detect newly added known exploited vulnerabilities that are active in your environment.
You can implement the query below as a custom detection rule to be notified about newly added vulnerabilities; I would suggest running it a few times every day to stay on top of the additions. The *NewThreshold* variable defines how recently a vulnerability must have been added to the catalog to count as new; the default is set to one day.
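To show what the query's two joins actually compute, here is an added Python model of the same logic, not code from the original page or its author. It parses a constructed excerpt of the CISA KEV CSV (same header as the real file, placeholder CVE ids that are not catalog entries), applies the NewThreshold filter, joins against a constructed device vulnerability inventory, and then attaches each device's most recent process event within 30 days, as a custom detection rule needs a Timestamp and ReportId. Device names, identifiers and the evaluation time are all constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

NEW_THRESHOLD = timedelta(days=1)      # KQL: let NewThreshold = 1d;
EVENT_LOOKBACK = timedelta(days=30)    # KQL: where Timestamp > ago(30d)

# Constructed evaluation time (stands in for now() in KQL).
EXAMPLE_NOW = datetime(2023, 11, 30, 8, 0, tzinfo=timezone.utc)

# Constructed sample of the CISA KEV CSV: real header, placeholder CVE ids.
SAMPLE_KEV_CSV = """\
cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,notes
CVE-0000-0001,ExampleVendor,ExampleApp,Example RCE,2023-11-30,"Unauthenticated, remote code execution",Apply updates per vendor instructions.,2023-12-21,
CVE-0000-0002,ExampleVendor,ExampleGateway,Example Auth Bypass,2023-11-01,Authentication bypass,Apply updates per vendor instructions.,2023-11-22,
"""

# Constructed stand-in for DeviceTvmSoftwareVulnerabilities (columns the query uses).
SAMPLE_INVENTORY = [
    {"DeviceId": "dev-01", "DeviceName": "srv-web-01", "CveId": "CVE-0000-0001"},
    {"DeviceId": "dev-02", "DeviceName": "srv-db-01", "CveId": "CVE-0000-0002"},
    {"DeviceId": "dev-03", "DeviceName": "wks-17", "CveId": "CVE-0000-0001"},
    {"DeviceId": "dev-04", "DeviceName": "srv-legacy-01", "CveId": "CVE-0000-0001"},
]

# Constructed stand-in for DeviceProcessEvents (columns the query uses).
SAMPLE_EVENTS = [
    {"DeviceId": "dev-01", "Timestamp": "2023-11-30T07:00:00Z", "ReportId": 100},
    {"DeviceId": "dev-01", "Timestamp": "2023-11-30T07:30:00Z", "ReportId": 101},
    {"DeviceId": "dev-02", "Timestamp": "2023-11-30T01:00:00Z", "ReportId": 300},
    {"DeviceId": "dev-03", "Timestamp": "2023-11-29T23:00:00Z", "ReportId": 200},
    {"DeviceId": "dev-04", "Timestamp": "2023-10-01T09:00:00Z", "ReportId": 400},
]


def parse_kev(csv_text):
    """externaldata() equivalent: read the CSV and type dateAdded/dueDate as UTC datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for key in ("dateAdded", "dueDate"):
            row[key] = datetime.strptime(row[key], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_event_per_device(events, now, lookback=EVENT_LOOKBACK):
    """summarize arg_max(Timestamp, ReportId) by DeviceId, over events newer than ago(lookback)."""
    latest = {}
    for ev in events:
        ts = parse_ts(ev["Timestamp"])
        if ts <= now - lookback:
            continue  # outside the 30-day window
        current = latest.get(ev["DeviceId"])
        if current is None or ts > current["Timestamp"]:
            latest[ev["DeviceId"]] = {"Timestamp": ts, "ReportId": ev["ReportId"]}
    return latest


def detect_new_kev(kev_csv, inventory, events, now, threshold=NEW_THRESHOLD):
    """One alert row per device/CVE pair, mirroring the query's two inner joins."""
    # where dateAdded > ago(NewThreshold)
    new_kev = {r["cveID"]: r for r in parse_kev(kev_csv) if r["dateAdded"] > now - threshold}
    latest = latest_event_per_device(events, now)
    alerts = []
    for dev in inventory:
        kev = new_kev.get(dev["CveId"])
        ev = latest.get(dev["DeviceId"])
        if kev is None or ev is None:
            continue  # inner-join semantics: non-matching rows are dropped
        alerts.append({
            "DeviceName": dev["DeviceName"],
            "DeviceId": dev["DeviceId"],
            "CveId": dev["CveId"],
            "vendorProject": kev["vendorProject"],
            "vulnerabilityName": kev["vulnerabilityName"],
            "dateAdded": kev["dateAdded"].date().isoformat(),
            "Timestamp": ev["Timestamp"].isoformat(),
            "ReportId": ev["ReportId"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_kev(SAMPLE_KEV_CSV, SAMPLE_INVENTORY, SAMPLE_EVENTS, EXAMPLE_NOW):
        print(alert)
```

Two behaviours worth noticing in the output: dev-02 is silent because its CVE was added to the catalog a month ago, and dev-04 is silent even though it carries a newly listed CVE, because the inner join against recent process events drops any device with no event in the lookback window. Also, `dateAdded` in the CSV is a bare date (midnight UTC) while `ago(1d)` is an exact 24-hour offset, so an entry added yesterday stops matching once the clock passes the same time today; that is a reason to run the detection several times a day rather than once.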
#### Risk
Known exploited vulnerabilities are actively exploited by adversaries and need to be patched as soon as possible.
#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
## Defender For Endpoint
```KQL
// Define how recently a CVE must have been added to the CISA catalog to count as new
let NewThreshold = 1d;
// Ingest the live CISA KEV CSV; the column list matches the CSV header
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
// Keep only devices exposed to a CVE added to the catalog within NewThreshold
| join kind=inner (KnownExploitedVulnsCISA
    | where dateAdded > ago(NewThreshold))
    on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
// Custom detection rules require Timestamp and ReportId; take them from each device's most recent process event.
// Devices with no process event in the last 30 days are dropped by the inner join.
| join kind=inner (DeviceProcessEvents
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, ReportId) by DeviceId)
    on $left.DeviceId == $right.DeviceId
```
## Sentinel
```KQL
// Define how recently a CVE must have been added to the CISA catalog to count as new
let NewThreshold = 1d;
// Ingest the live CISA KEV CSV; the column list matches the CSV header
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
// Keep only devices exposed to a CVE added to the catalog within NewThreshold
| join kind=inner (KnownExploitedVulnsCISA
    | where dateAdded > ago(NewThreshold))
    on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
// Analytics rules require TimeGenerated and ReportId; take them from each device's most recent process event.
// Devices with no process event in the last 30 days are dropped by the inner join.
| join kind=inner (DeviceProcessEvents
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, Timestamp, ReportId) by DeviceId)
    on $left.DeviceId == $right.DeviceId
```

This query detects newly added known exploited vulnerabilities that are present in your environment. It retrieves the list of known exploited vulnerabilities from CISA and joins it with the DeviceTvmSoftwareVulnerabilities table to identify any matching vulnerabilities. The query includes a threshold for how new a vulnerability must be, with the default set to one day. If you want to receive alerts for this activity, join it with the DeviceProcessEvents table so each result carries a timestamp and ReportId.

Bert-Jan Pals
Released: November 29, 2023