Sentinel Analytics Rule: New CISA Known Exploited Vulnerability Added

Query

# Sentinel Analytics Rule: CISA Known Exploited Vulnerability Added

## Query Information

#### Description
This analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).

#### Risk
Explain what risk this detection tries to cover

#### References
- https://www.cisa.gov/known-exploited-vulnerabilities

## Sentinel
```KQL
// Titles of incidents this rule already raised in the last 24h, used to suppress duplicates
let PreviousAlertTriggers = SecurityIncident
    | where TimeGenerated > ago(24h)
    | where Title has_all ("CVE-", "CISA Known Exploited Vulnerabilitie Added")
    | distinct Title;
// Pull the KEV catalog CSV. externaldata() maps columns by position, so the declared
// schema must follow the CSV header order; verify it against the header before deploying
// (the current CSV carries a knownRansomwareCampaignUse column between dueDate and notes,
// which has to be declared for the Notes column to line up).
let KnowExploitesVulnsCISA = externaldata(CVEid: string, Vendor: string, Product: string, vulnerabilityName: string, DateAdded: datetime, Description: string, RequiredAction: string, dueDate: datetime, Notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
// Entries added since the start of the previous day (the rule runs every 10 minutes over this window)
| where DateAdded > startofday(now() - 1d)
// Days left until the CISA remediation due date (negative once it has passed)
| extend DueDateinDays = datetime_diff('day', dueDate, now())
// Build the alert title this rule produces and skip CVEs that already have an incident
| extend CreateIncident = iff (strcat(CVEid, " - CISA Known Exploited Vulnerabilitie Added") in (PreviousAlertTriggers), false, true)
| where CreateIncident == true
| project DateAdded, CVEid, Vendor, Product, Description, RequiredAction, Notes, DueDateinDays, dueDate
```

### Sentinel Analytics Rule
```JSON
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspace": {
            "type": "String"
        }
    },
    "resources": [
        {
            "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9531b108-1928-4ada-bd96-52308174c7f0')]",
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9531b108-1928-4ada-bd96-52308174c7f0')]",
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "kind": "Scheduled",
            "apiVersion": "2023-12-01-preview",
            "properties": {
                "displayName": "CISA Known Exploited Vulnerability Added",
                "description": "This analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).",
                "severity": "Medium",
                "enabled": true,
                "query": "let PreviousAlertTriggers = SecurityIncident\n    | where TimeGenerated > ago(24h)\n    | where Title has_all (\"CVE-\", \"CISA Known Exploited Vulnerabilitie Added\")\n    | distinct Title;\nlet KnowExploitesVulnsCISA = externaldata(CVEid: string, Vendor: string, Product: string, vulnerabilityName: string, DateAdded: datetime, Description: string, RequiredAction: string, dueDate: datetime, Notes: string)[@\"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nKnowExploitesVulnsCISA\n| where DateAdded > startofday(now() - 1d)\n| extend DueDateinDays = datetime_diff('day', dueDate, now())\n| extend CreateIncident = iff (strcat(CVEid, \" - CISA Known Exploited Vulnerabilitie Added\") in (PreviousAlertTriggers), false, true)\n| where CreateIncident == true\n| project DateAdded, CVEid, Vendor, Product, Description, RequiredAction, Notes, DueDateinDays, dueDate",
                "queryFrequency": "PT10M",
                "queryPeriod": "P1D",
                "triggerOperator": "GreaterThan",
                "triggerThreshold": 0,
                "suppressionDuration": "PT5H",
                "suppressionEnabled": false,
                "startTimeUtc": null,
                "tactics": [],
                "techniques": [],
                "alertRuleTemplateName": null,
                "incidentConfiguration": {
                    "createIncident": true,
                    "groupingConfiguration": {
                        "enabled": true,
                        "reopenClosedIncident": false,
                        "lookbackDuration": "P1D",
                        "matchingMethod": "AllEntities",
                        "groupByEntities": [],
                        "groupByAlertDetails": [],
                        "groupByCustomDetails": []
                    }
                },
                "eventGroupingSettings": {
                    "aggregationKind": "AlertPerResult"
                },
                "alertDetailsOverride": {
                    "alertDisplayNameFormat": "{{CVEid}} - CISA Known Exploited Vulnerabilitie Added",
                    "alertDescriptionFormat": "<div style=\"background-color: #000000;border-left: 6px solid #f44336;\"><p style=\"padding-left: 5px\"><strong> {{CVEid}} - {{Vendor}}</strong> </p></div>\n\nVulnerability description: {{Description}}  \n\nThis analytics rule triggers when a new vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities).",
                    "alertDynamicProperties": []
                },
                "customDetails": {
                    "CVEid": "CVEid",
                    "Vendor": "Vendor",
                    "Product": "Product"
                },
                "entityMappings": null,
                "sentinelEntitiesMappings": [
                    {
                        "columnName": "CVEid"
                    }
                ],
                "templateVersion": null,
                "subTechniques": []
            }
        }
    ]
}
```

Explanation

This query pulls the CISA Known Exploited Vulnerabilities Catalog CSV with externaldata() and keeps the entries added since the start of the previous day. Because the rule runs every 10 minutes over that window, it would otherwise raise the same CVE repeatedly; to prevent this it builds the alert title the rule itself produces (the CVE id followed by "CISA Known Exploited Vulnerabilitie Added") and discards entries for which a SecurityIncident with that title already exists in the last 24 hours. Each remaining entry becomes its own alert (AlertPerResult) and incident, carrying the CVE id, vendor, product, description, required action and the number of days left until the CISA due date.
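As an added example that is not part of the original rule, the same logic as the KQL above modelled offline in Python: parse a catalog extract by column name, keep rows added since the start of the previous day, and drop rows whose alert title already exists as an incident. The header names follow the published KEV CSV; SAMPLE_CSV, SAMPLE_NOW and the CVE ids are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Alert title suffix exactly as the rule builds it (spelling kept as in the query)
TITLE_SUFFIX = " - CISA Known Exploited Vulnerabilitie Added"

# Constructed rows in the KEV CSV layout (header names as CISA publishes them);
# these are not real catalog entries.
SAMPLE_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,knownRansomwareCampaignUse,notes
CVE-0000-1111,ExampleVendor,ExampleProduct,Example RCE,2024-04-23,Constructed entry,Apply updates per vendor instructions.,2024-05-14,Unknown,
CVE-0000-2222,ExampleVendor,OtherProduct,Example auth bypass,2024-04-23,Constructed entry,Apply updates per vendor instructions.,2024-05-14,Known,
CVE-0000-3333,ExampleVendor,OldProduct,Example old entry,2024-03-01,Constructed entry,Apply updates per vendor instructions.,2024-03-22,Unknown,
"""
# Constructed evaluation time (UTC), standing in for now() in the KQL
SAMPLE_NOW = datetime(2024, 4, 23, 15, 0)


def parse_kev(csv_text):
    """Parse the catalog by column name, so an extra or reordered column cannot
    silently shift values the way a positional externaldata() schema can."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def new_kev_entries(csv_text, existing_titles, now):
    """Rows with dateAdded > startofday(now - 1d) that have no incident yet."""
    cutoff = (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    seen = set(existing_titles)          # PreviousAlertTriggers in the KQL
    results = []
    for row in parse_kev(csv_text):
        added = datetime.strptime(row["dateAdded"], "%Y-%m-%d")
        if added <= cutoff:
            continue
        title = row["cveID"] + TITLE_SUFFIX
        if title in seen:                # CreateIncident == false in the KQL
            continue
        due = datetime.strptime(row["dueDate"], "%Y-%m-%d")
        results.append({
            "title": title,
            "cveID": row["cveID"],
            "vendor": row["vendorProject"],
            "product": row["product"],
            # calendar days until the CISA due date, like datetime_diff('day', dueDate, now())
            "dueDateInDays": (due.date() - now.date()).days,
            "ransomware": row["knownRansomwareCampaignUse"],
        })
    return results
```

Calling `new_kev_entries(SAMPLE_CSV, ["CVE-0000-2222" + TITLE_SUFFIX], SAMPLE_NOW)` returns only CVE-0000-1111: the second row is suppressed by its existing incident and the third is too old.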

Details


Bert-Jan Pals

Released: April 23, 2024

Tables

SecurityIncident, externaldata (KnowExploitesVulnsCISA)
