Query Details

High Risk Software Vulnerabilities Detected Via EPSS Scoring

Query

// Lists all vulnerabilities with an EPSS score above the defined threshold,
// enriched with installation paths and registry keys from the evidence table.
let EpssThreshold = 0.20;
// Load CVE metadata from the knowledge base
let KbData = DeviceTvmSoftwareVulnerabilitiesKB
    | where isnotempty(CveId)
    | project
        CveId,
        CvssScore,
        EpssScore,
        IsExploitAvailable,
        PublishedDate,
        VulnerabilitySeverityLevel;
// Filter affected devices to those with EPSS above the threshold
let FilteredVulns = DeviceTvmSoftwareVulnerabilities
    | where isnotempty(CveId)
    | join kind=inner KbData on CveId
    | where EpssScore >= EpssThreshold
    | project
        DeviceId,
        DeviceName,
        CveId,
        EpssScore                   = round(EpssScore * 100, 2),
        CvssScore,
        VulnerabilitySeverityLevel,
        IsExploitAvailable,
        SoftwareName,
        SoftwareVersion,
        SoftwareVendor,
        RecommendedSecurityUpdate,
        RecommendedSecurityUpdateId,
        PublishedDate,
        OSPlatform,
        OSVersion;
// Restrict evidence lookup to affected devices only for better performance
let AffectedDeviceIds = FilteredVulns | distinct DeviceId;
let EvidenceData = DeviceTvmSoftwareEvidenceBeta
    | where DeviceId in (AffectedDeviceIds)
    | project
        DeviceId,
        SoftwareName,
        SoftwareVersion,
        SoftwareVendor,
        DiskPaths,
        RegistryPaths;
FilteredVulns
| join kind=leftouter EvidenceData on DeviceId, SoftwareName, SoftwareVersion, SoftwareVendor
| project-away
    DeviceId,
    DeviceId1,
    SoftwareName1,
    SoftwareVersion1,
    SoftwareVendor1
| sort by EpssScore desc, CvssScore desc

About this query

Explanation

This query is designed to identify high-risk software vulnerabilities on devices by using the Exploit Prediction Scoring System (EPSS). Here's a simplified breakdown:

  1. Purpose: The query aims to find software installed on devices that have known vulnerabilities with an EPSS score of 0.20 or higher. This score indicates a higher likelihood of the vulnerability being exploited.

  2. Data Sources:

    • It uses data from a knowledge base that contains information about vulnerabilities (like CVE IDs, scores, and severity levels).
    • It also looks at evidence data from devices to find where the vulnerable software is installed (disk paths and registry keys).
  3. Process:

    • First, it filters the vulnerabilities to only include those with an EPSS score above 0.20. - It then matches these vulnerabilities with the devices they affect.
    • Finally, it gathers additional information about the software's installation paths and registry keys on those devices.
  4. Output: The result is a list of devices with high-risk vulnerabilities, enriched with details about the software and its installation, sorted by the highest EPSS and CVSS scores. This helps prioritize which vulnerabilities to address first.

  5. Use Case: This query is useful for security teams to quickly identify and prioritize patching efforts for software vulnerabilities that are most likely to be exploited, thereby reducing the risk of security breaches.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: July 15, 2026

Tables

DeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilitiesDeviceTvmSoftwareEvidenceBeta

Keywords

Devices

Operators

letisnotemptyprojectjoinwhererounddistinctinproject-awaysort by

MITRE Techniques

Actions

GitHub