# Vulnerabilities that have a publicly available POC

## Query Information

#### Description

A list has been made on Github with links to available POCs for CVEs. This query lists the vulnerabilities in your environment that have a publicly available POC. This might help to prioritize which vulnerabilities need to be patched first.

#### Risk

The vulnerability is known to have a POC available, which increases the chances of it being used by threat actors; depending on your configuration the exploit can also be used to gain access into your environment.

#### References

- https://github.com/tg12/PoC_CVEs

### Defender For Endpoint

```
// Extract the CVE IDs that have an available POC
let VulnerabilitiesWithPOC = externaldata(CVE: string, URL: string)[@"https://raw.githubusercontent.com/tg12/PoC_CVEs/main/cve_links.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// Join POC information with the Software Vulnerabilities based on CVE
| join kind=inner (
    VulnerabilitiesWithPOC
    | summarize POCLinks = make_set(URL), POCTotal = dcount(URL) by CVE
) on $left.CveId == $right.CVE
// Summarize Results to get statistics (one row per CVE, with device count and POC count)
| summarize TotalVulnerableDevices = dcount(DeviceName), arg_max(CveId, POCTotal, POCLinks) by CveId
// Sort the results (sort by defaults to descending: most POCs and most exposed devices first)
| sort by POCTotal, TotalVulnerableDevices
```
This query extracts the CVE IDs that have a publicly available Proof of Concept (POC) from a list on Github. It then joins this POC information with the software vulnerabilities in your environment based on the CVE. The results are summarized to get statistics, including the total number of vulnerable devices and the number of POC links for each CVE. The results are sorted by the number of POCs and the total number of vulnerable devices. This query helps prioritize which vulnerabilities need to be patched first based on the availability of POCs.
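As an added illustration (not part of the original query or the PoC_CVEs repository), the same join-and-summarize logic in Python over constructed data, with one caveat the KQL join does not cover: `==` in the inner join is case-sensitive, so a CVE ID that differs only in case or surrounding whitespace is silently dropped unless you normalize it first. All CVE IDs and URLs below are constructed placeholders.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the cve_links.csv layout (CVE,URL header row); IDs are placeholders.
POC_CSV = """CVE,URL
CVE-0000-0001,https://example.invalid/poc/a-1
CVE-0000-0001,https://example.invalid/poc/a-2
CVE-0000-0001,https://example.invalid/poc/a-1
cve-0000-0002,https://example.invalid/poc/b
CVE-0000-0003,https://example.invalid/poc/unused
"""

# Constructed stand-in for DeviceTvmSoftwareVulnerabilities rows: (DeviceName, CveId).
DEVICE_VULNS = [
    ("host-a", "CVE-0000-0001"),
    ("host-b", "CVE-0000-0001"),
    ("host-b", "CVE-0000-0001"),   # same device, two vulnerable packages
    ("host-c", "CVE-0000-0002 "),  # trailing space and lowercase in the feed
    ("host-d", "CVE-0000-0004"),   # no public POC listed
]

def norm(cve: str) -> str:
    # KQL == is case-sensitive; normalize so 'cve-0000-0002' still joins.
    return cve.strip().upper()

def load_poc_links(csv_text: str) -> dict:
    links = defaultdict(set)  # make_set(URL): duplicate links collapse to one
    for row in csv.DictReader(StringIO(csv_text)):
        links[norm(row["CVE"])].add(row["URL"].strip())
    return links

def prioritize(device_vulns, poc_links):
    """Inner join on CVE, then per-CVE dcount(DeviceName) and dcount(URL)."""
    devices = defaultdict(set)
    for device, cve in device_vulns:
        cve = norm(cve)
        if cve in poc_links:  # kind=inner: CVEs without a POC are dropped
            devices[cve].add(device)
    rows = [
        {"CveId": cve, "TotalVulnerableDevices": len(devs),
         "POCTotal": len(poc_links[cve]), "POCLinks": sorted(poc_links[cve])}
        for cve, devs in devices.items()
    ]
    # Same order as the query's default descending sort: most POCs, then most devices.
    rows.sort(key=lambda r: (r["POCTotal"], r["TotalVulnerableDevices"]), reverse=True)
    return rows

if __name__ == "__main__":
    for r in prioritize(DEVICE_VULNS, load_poc_links(POC_CSV)):
        print(r)
```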

Bert-Jan Pals
Released: February 14, 2023