Known exploited vulnerabilities by CISA still active on devices
CISA Know Exploits Vulnerabilities Device Total
Query
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime,
notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
| join kind=inner KnowExploitesVulnsCISA on $left.CveId == $right.cveID
| summarize
TotalVulnerabilities = count(),
Vulnerabilities = make_set(cveID),
Description = make_set(shortDescription)
by DeviceName
| sort by TotalVulnerabilitiesAbout this query
Known exploited vulnerabilities by CISA still active on devices
Query Information
Description
The CISA has made an active list were the current exploited vulnerabilities are listed, this query uses that information to enrich your vulnerabilitiy management process. This is done by matching the CISA CVEids with the CVEids that are currently active on your devices. This can help prioritize the vulnerabilities that need patching.
Risk
The vulnerabilities is known to be exploited by threat actors, thus depending on your configuration the exploit can also be used to gain access into your environment.
References
Defender XDR
Explanation
This query is designed to help you identify and prioritize vulnerabilities on your devices that are known to be actively exploited by threat actors, as listed by the Cybersecurity and Infrastructure Security Agency (CISA). Here's a simple breakdown of what the query does:
-
Data Source: It pulls in a list of known exploited vulnerabilities from CISA's online catalog. This list includes details like the CVE ID, vendor, product, vulnerability name, and a short description.
-
Matching Vulnerabilities: The query then matches these CISA-listed vulnerabilities with the vulnerabilities currently present on your devices, as recorded in your Defender XDR system.
-
Summarizing Results: For each device, it counts the total number of matched vulnerabilities and compiles a list of these vulnerabilities along with their descriptions.
-
Sorting: Finally, it sorts the devices by the total number of vulnerabilities, helping you quickly identify which devices have the most known exploited vulnerabilities.
In essence, this query helps you focus on the most critical vulnerabilities that need patching by highlighting those that are actively being exploited in the wild.
Details

Bert-Jan Pals
Released: January 18, 2026
Tables
Keywords
Operators