CISA Known Exploited Vulnerabilities Visualization
Visualization Active CISAKEV
Query
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime,
notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
| join kind=inner KnowExploitesVulnsCISA on $left.CveId == $right.cveID
| summarize TotalDevices = dcount(DeviceId) by CveId
| sort by TotalDevices
| render columnchart with(title="Active CVEIds CISA KEV")About this query
CISA Known Exploited Vulnerabilities Visualization
Query Information
Description
The CISA has made an active list were the current exploited vulnerabilities are listed, this query visualizes the the number of vulnerable devices per CVEId. This can help prioritize the vulnerabilities that need patching.
Risk
The vulnerabilities is known to be exploited by threat actors, thus depending on your configuration the exploit can also be used to gain access into your environment.
References
Defender XDR
Explanation
This query is designed to help visualize and prioritize vulnerabilities in your environment by showing the number of devices affected by each known exploited vulnerability (CVEId) listed by CISA. Here's a simple breakdown of what the query does:
-
Data Import: It imports a list of known exploited vulnerabilities from CISA's online catalog, which includes details like CVE ID, vendor, product, and a description of the vulnerability.
-
Data Join: It matches these vulnerabilities with the vulnerabilities detected on devices in your network by joining the CISA data with your device vulnerability data based on the CVE ID.
-
Summarization: It counts the number of unique devices affected by each vulnerability (CVE ID).
-
Sorting: It sorts the vulnerabilities by the number of affected devices, which helps identify which vulnerabilities are most prevalent in your environment.
-
Visualization: Finally, it creates a column chart to visually represent the number of devices affected by each CVE ID, titled "Active CVEIds CISA KEV".
This visualization helps prioritize which vulnerabilities need immediate attention and patching based on their prevalence in your network.
Details

Bert-Jan Pals
Released: December 3, 2024
Tables
Keywords
Operators