Query Details

Total vulnerable devices for known exploited vulnerabilities from CISA

CISA Know Exploits Vulnerabilities Total Vulnerable Devices

Query

let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
| join kind=inner KnowExploitesVulnsCISA on $left.CveId == $right.cveID
| summarize TotalVulnerableDevices = count(), DeviceList = make_set(DeviceName), Description = make_set(shortDescription) by cveID
| sort by TotalVulnerableDevices

About this query

Total vulnerable devices for known exploited vulnerabilities from CISA


Defender XDR

Explanation

This query is designed to identify and summarize devices that are vulnerable to known exploited vulnerabilities as listed by the Cybersecurity and Infrastructure Security Agency (CISA). Here's a breakdown of what the query does:

  1. Data Import: It imports a list of known exploited vulnerabilities from a CISA CSV file. This list includes details such as the CVE ID, vendor, product, vulnerability name, date added, description, required action, due date, and notes.

  2. Data Joining: The query then joins this imported data with another dataset (DeviceTvmSoftwareVulnerabilities) that contains information about software vulnerabilities on devices. The join is performed on the CVE ID to match vulnerabilities from both datasets.

  3. Data Summarization: After joining, the query summarizes the data by counting the total number of vulnerable devices for each CVE ID. It also compiles a list of device names and descriptions of the vulnerabilities.

  4. Sorting: Finally, the results are sorted by the total number of vulnerable devices, likely to prioritize vulnerabilities affecting the most devices.

In simple terms, this query helps identify which devices in your network are vulnerable to specific known exploited vulnerabilities, how many such devices exist, and provides a brief description of each vulnerability.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 18, 2026

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

DevicesVulnerabilitiesCISA

Operators

letexternaldatawithjoinonsummarizecountmake_setbysort

Actions

GitHub