Total vulnerable devices for known exploited vulnerabilities from CISA
CISA Know Exploits Vulnerabilities Total Vulnerable Devices
Query
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
| join kind=inner KnowExploitesVulnsCISA on $left.CveId == $right.cveID
| summarize TotalVulnerableDevices = count(), DeviceList = make_set(DeviceName), Description = make_set(shortDescription) by cveID
| sort by TotalVulnerableDevicesAbout this query
Total vulnerable devices for known exploited vulnerabilities from CISA
Defender XDR
Explanation
This query is designed to identify and summarize devices that are vulnerable to known exploited vulnerabilities as listed by the Cybersecurity and Infrastructure Security Agency (CISA). Here's a breakdown of what the query does:
-
Data Import: It imports a list of known exploited vulnerabilities from a CISA CSV file. This list includes details such as the CVE ID, vendor, product, vulnerability name, date added, description, required action, due date, and notes.
-
Data Joining: The query then joins this imported data with another dataset (
DeviceTvmSoftwareVulnerabilities) that contains information about software vulnerabilities on devices. The join is performed on the CVE ID to match vulnerabilities from both datasets. -
Data Summarization: After joining, the query summarizes the data by counting the total number of vulnerable devices for each CVE ID. It also compiles a list of device names and descriptions of the vulnerabilities.
-
Sorting: Finally, the results are sorted by the total number of vulnerable devices, likely to prioritize vulnerabilities affecting the most devices.
In simple terms, this query helps identify which devices in your network are vulnerable to specific known exploited vulnerabilities, how many such devices exist, and provides a brief description of each vulnerability.
Details

Bert-Jan Pals
Released: January 18, 2026
Tables
Keywords
Operators