Query Details

Vuln Known Exploitable Vuln

Query

//Query the list of Known Exploited Vulnerabilities provided by CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog and query your devices for any that are vulnerable

//Data connector required for this query - Advanced Hunting license
//This query only works in Advanced Hunting as the DeviceTvm* tables aren't sent to Sentinel yet

// Schema is positional: the column list must match the column order of the CISA CSV
let KEV=
externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime)
[
h@'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
]
with(format='csv',ignorefirstrecord=true);
// One row per device, software product and CVE; rename CveId so the join key matches the KEV column
DeviceTvmSoftwareVulnerabilities
| project DeviceName, OSPlatform, cveID=CveId
// Inner join keeps only CVEs present in the KEV catalog (devices with no KEV match drop out)
| join kind=inner KEV on cveID
// make_set deduplicates the same CVE reported across several software rows on one device
| summarize ['Vulnerabilities']=make_set(cveID) by DeviceName
| extend ['Count of Known Exploited Vulnerabilities'] = array_length(['Vulnerabilities'])
// sort by defaults to descending, so the most exposed devices come first
| sort by ['Count of Known Exploited Vulnerabilities']

Explanation

This query pulls the CISA Known Exploited Vulnerabilities (KEV) catalog as a CSV with externaldata and joins it against DeviceTvmSoftwareVulnerabilities, so only CVEs that both appear in the KEV list and are reported on one of your devices survive the inner join. DeviceTvmSoftwareVulnerabilities holds one row per device, software product and CVE, so make_set collapses the matches into a deduplicated set of CVEs per device, array_length gives the count, and sort by (descending by default) puts the most exposed devices first. Devices with no KEV match do not appear in the output because the join is inner. The query requires an Advanced Hunting license and, at the time of release, could only be run in Advanced Hunting because the DeviceTvm* tables were not yet available in Microsoft Sentinel. The externaldata schema is positional, so the column list must match the order of columns in the CISA CSV; if CISA changes the file layout, update the schema to match.
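The original query answers "which devices carry KEV entries". The variant below is an added example written for this page, not part of Matt Zorich's query, and turns the result around to answer "which KEV entries are on my estate, how widespread are they, and which ones are past CISA's remediation due date". It assumes the same eight-column CSV layout as the original and uses only documented DeviceTvmSoftwareVulnerabilities columns (SoftwareVendor, SoftwareName, CveId, VulnerabilitySeverityLevel).

```kql
//Added example: KEV hits grouped per CVE, with CISA due date and an overdue flag
//Same CSV schema assumption as the original query: eight columns in this order
let KEV=
externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime)
[
h@'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
]
with(format='csv',ignorefirstrecord=true);
DeviceTvmSoftwareVulnerabilities
| where isnotempty(CveId)
| project DeviceName, SoftwareVendor, SoftwareName, VulnerabilitySeverityLevel, cveID=CveId
| join kind=inner KEV on cveID
//CISA dueDate is the federal remediation deadline; anything earlier than now is overdue
| extend Overdue = dueDate < now()
| summarize
    ['Device Count']=dcount(DeviceName),
    ['Devices']=make_set(DeviceName),
    ['Affected Software']=make_set(strcat(SoftwareVendor, " ", SoftwareName))
    by cveID, vulnerabilityName, VulnerabilitySeverityLevel, dateAdded, dueDate, Overdue
//Overdue entries first, then the CVEs present on the most devices
| sort by Overdue desc, ['Device Count'] desc
```

Because the grouping is per CVE rather than per device, the make_set of DeviceName lists every host carrying that entry, which is usually the list a remediation owner wants. The Overdue flag is only meaningful relative to the catalog's dueDate, which applies to US federal agencies; treat it as a prioritisation hint rather than a compliance deadline unless your organisation has adopted it.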

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

Devices,Intune,User

Operators

let, externaldata, with, project, join, summarize, make_set, by, extend, array_length, sort by
