
# CISA Known Exploited Vulnerabilities Visualization

## Query Information

#### Description
CISA maintains an actively updated catalog of vulnerabilities known to be exploited in the wild (the Known Exploited Vulnerabilities, or KEV, catalog). This query visualizes the number of vulnerable devices per CVE ID that appears in that catalog, which helps prioritize the vulnerabilities that need patching first.

#### Risk
These vulnerabilities are known to be exploited by threat actors, so depending on your configuration the same exploits can be used to gain access to your environment.

#### References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog

### Defender XDR
```KQL
// Load the CISA KEV catalog (CSV) as an external table. Columns are mapped positionally,
// so the schema must follow the column order of the CSV header.
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// Keep only device vulnerabilities whose CVE is in the KEV catalog
| join kind=inner KnownExploitedVulnsCISA on $left.CveId == $right.cveID
// Count distinct devices per CVE (a device with several vulnerable products counts once)
| summarize TotalDevices = dcount(DeviceId) by CveId
| sort by TotalDevices desc
| render columnchart with(title="Active CVEIds CISA KEV")
```

### Explanation

This query is designed to help visualize and prioritize vulnerabilities in your environment by showing the number of devices affected by each known exploited vulnerability (CVEId) listed by CISA. Here's a simple breakdown of what the query does:

  1. Data Import: It imports a list of known exploited vulnerabilities from CISA's online catalog, which includes details like CVE ID, vendor, product, and a description of the vulnerability.

  2. Data Join: It matches these vulnerabilities with the vulnerabilities detected on devices in your network by joining the CISA data with your device vulnerability data based on the CVE ID.

  3. Summarization: It counts the number of unique devices affected by each vulnerability (CVE ID).

  4. Sorting: It sorts the vulnerabilities by the number of affected devices, which helps identify which vulnerabilities are most prevalent in your environment.

  5. Visualization: Finally, it creates a column chart to visually represent the number of devices affected by each CVE ID, titled "Active CVEIds CISA KEV".

This visualization helps prioritize which vulnerabilities need immediate attention and patching based on their prevalence in your network.
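The column chart ranks CVEs purely by device count. A common next step is to turn the same join into a prioritization table that also carries the KEV metadata the catalog already provides (vulnerability name, date added, CISA remediation due date). The query below is an added example, not part of the original query or Bert-Jan Pals' page; it assumes the same CISA CSV column layout as the query above and uses the standard `VulnerabilitySeverityLevel`, `SoftwareVendor` and `SoftwareName` columns of `DeviceTvmSoftwareVulnerabilities`.

```kql
// Added example: KEV-based prioritization table with due-date status.
// Assumes the CISA CSV column order shown in the query above (columns map positionally).
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
| join kind=inner KnownExploitedVulnsCISA on $left.CveId == $right.cveID
| summarize
    TotalDevices = dcount(DeviceId),                                        // distinct devices per CVE
    Severity = take_any(VulnerabilitySeverityLevel),                        // severity as reported by TVM
    AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName), 10) // up to 10 vendor/product pairs
    by CveId, vulnerabilityName, dateAdded, dueDate
// Positive value: the CISA due date has already passed
| extend DaysPastDue = datetime_diff('day', now(), dueDate)
| extend Status = iff(DaysPastDue > 0, "Overdue", "Within CISA deadline")
| sort by TotalDevices desc, DaysPastDue desc
| project CveId, vulnerabilityName, TotalDevices, Severity, Status, DaysPastDue, dueDate, AffectedSoftware
```

Sorting by device count first and then by how long the CISA due date has been exceeded surfaces the widest-spread, longest-overdue KEV entries at the top; the `AffectedSoftware` set tells you which products the patching effort has to cover for each CVE. Because `externaldata` maps CSV columns by position, re-check the schema against the current CSV header if CISA adds columns to the catalog.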

### Details

Author: Bert-Jan Pals

Released: December 3, 2024

Tables: DeviceTvmSoftwareVulnerabilities

Keywords: Devices

Operators: let, externaldata, join, kind=inner, on, summarize, dcount, by, sort, render, with