Query Details

Vuln Public Facing Devices with Known Exploited Vuln

Query

//Query the list of Known Exploited Vulnerabilities provided by CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog and find any internet facing devices that are vulnerable

//Data connector required for this query - Advanced Hunting license

// KEV catalog fetched from CISA each time the query runs; the schema lists the catalog's CSV columns
let KEV=
externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime)
[
h@'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
]
with(format='csv',ignorefirstrecord=true);
// Devices treated as internet facing: they accepted an inbound connection from a public IP address
let publicdevices=
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted" and RemoteIPType == "Public"
| distinct DeviceName;
DeviceTvmSoftwareVulnerabilities
| project DeviceName, OSPlatform, cveID=CveId
// inner join keeps only CVEs that appear in the KEV catalog
| join kind=inner KEV on cveID
| where DeviceName in (publicdevices)
// make_set/dcount collapse a CVE reported against several software entries on the same device to one
| summarize ['Vulnerabilities']=make_set(cveID), ['Count of Known Exploited Vulnerabilities']=dcount(cveID) by DeviceName

Explanation

This query pulls the current Known Exploited Vulnerabilities (KEV) catalog from the CISA website with externaldata and identifies internet-facing devices that carry one of the listed CVEs. Internet-facing devices are inferred from DeviceNetworkEvents: any device that has accepted an inbound connection (ActionType InboundConnectionAccepted) from a public IP address (RemoteIPType "Public"). DeviceTvmSoftwareVulnerabilities is then inner-joined with the KEV list on the CVE ID, restricted to those devices, and summarized per device with the set of matching CVEs and their distinct count. Running it requires the Defender for Endpoint Advanced Hunting tables (an Advanced Hunting license) and the ability to fetch the CSV from cisa.gov at query time. The internet-facing test is a heuristic: a host behind a NAT or reverse proxy that only ever sees private source addresses will not be flagged, and the check does not confirm that the vulnerable software is the service actually exposed.
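The same filter, join and summarize logic as an added Python example (not part of the original query), run over constructed sample rows so the behaviour can be checked offline, for instance against exported Advanced Hunting results. The KEV extract, device names and CVE IDs below are placeholders constructed for the example, not real catalog entries or real hosts:

```python
import csv
import io
from collections import defaultdict

# Constructed KEV extract in the column layout the KQL externaldata schema declares.
# The CVE IDs are placeholders, not real catalog entries.
KEV_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate
CVE-1900-0001,ExampleVendor,ExampleApp,Placeholder RCE,2022-01-10,constructed row,Apply updates per vendor instructions.,2022-01-24
CVE-1900-0002,ExampleVendor,ExampleGateway,Placeholder auth bypass,2022-03-01,constructed row,Apply updates per vendor instructions.,2022-03-15
"""

# Constructed DeviceNetworkEvents rows (only the columns the query reads).
NETWORK_EVENTS = [
    {"DeviceName": "web01", "ActionType": "InboundConnectionAccepted", "RemoteIPType": "Public"},
    {"DeviceName": "db01",  "ActionType": "InboundConnectionAccepted", "RemoteIPType": "Private"},
    {"DeviceName": "vpn01", "ActionType": "ConnectionSuccess",         "RemoteIPType": "Public"},  # outbound, ignored
    {"DeviceName": "vpn01", "ActionType": "InboundConnectionAccepted", "RemoteIPType": "Public"},
]

# Constructed DeviceTvmSoftwareVulnerabilities rows: one row per device/software/CVE, so the
# same CVE can appear twice for one device (two affected software entries).
VULN_ROWS = [
    {"DeviceName": "web01", "OSPlatform": "Linux",   "CveId": "CVE-1900-0001"},
    {"DeviceName": "web01", "OSPlatform": "Linux",   "CveId": "CVE-1900-0001"},
    {"DeviceName": "web01", "OSPlatform": "Linux",   "CveId": "CVE-1900-0002"},
    {"DeviceName": "web01", "OSPlatform": "Linux",   "CveId": "CVE-1900-0099"},  # not in KEV
    {"DeviceName": "db01",  "OSPlatform": "Windows", "CveId": "CVE-1900-0001"},  # KEV hit, not public facing
    {"DeviceName": "vpn01", "OSPlatform": "Linux",   "CveId": "CVE-1900-0099"},  # public facing, no KEV hit
]


def load_kev(csv_text):
    """Parse the KEV CSV into {cveID: row}, mirroring externaldata(... ignorefirstrecord=true).

    Keying by header name means extra trailing columns in newer catalog exports are ignored.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["cveID"]: row for row in reader}


def public_facing_devices(network_events):
    """Mirror the publicdevices let: names of devices that accepted an inbound connection from a public IP."""
    return {
        e["DeviceName"]
        for e in network_events
        if e["ActionType"] == "InboundConnectionAccepted" and e["RemoteIPType"] == "Public"
    }


def kev_exposure(vuln_rows, network_events, kev):
    """Mirror the main query: inner join on CVE ID, keep public-facing devices, summarize per device."""
    public = public_facing_devices(network_events)
    per_device = defaultdict(set)
    for row in vuln_rows:
        cve = row["CveId"]
        if cve not in kev:                      # join kind=inner drops CVEs absent from KEV
            continue
        if row["DeviceName"] not in public:     # where DeviceName in (publicdevices)
            continue
        per_device[row["DeviceName"]].add(cve)  # a set, like make_set; len() is dcount
    return {
        device: {
            "Vulnerabilities": sorted(cves),
            "Count of Known Exploited Vulnerabilities": len(cves),
        }
        for device, cves in per_device.items()
    }


if __name__ == "__main__":
    for device, summary in kev_exposure(VULN_ROWS, NETWORK_EVENTS, load_kev(KEV_CSV)).items():
        print(device, summary)
```

With the sample rows only web01 is reported, with two distinct CVEs even though CVE-1900-0001 appears on two software entries; db01 has a KEV match but never accepted a public inbound connection, and vpn01 is public facing but carries no catalogued CVE.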

Details


Matt Zorich

Released: November 2, 2022

Tables

DeviceNetworkEvents,DeviceTvmSoftwareVulnerabilities

Keywords

Devices,Intune,User

Operators

externaldata,let,with,format,ignorefirstrecord,DeviceNetworkEvents,where,and,distinct,DeviceName,DeviceTvmSoftwareVulnerabilities,project,join,kind,on,in,summarize,make_set,dcount,by
