List internet facing devices with vulnerabilities that have an exploit available
Internet Facing Devices With Available Exploits
Query
// Collect all internet facing devices
let InternetFacingDevices = DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where IsInternetFacing
| distinct DeviceId;
// Collect all vulnerabilities for wich an exploit is available
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == 1
| project CveId;
DeviceTvmSoftwareVulnerabilities
| where CveId in~ (ExploitableVulnerabilities)
| where DeviceId in~ (InternetFacingDevices)
// Summarize results to get the stastics for each device
| summarize TotalExploitableVulnerabilities = dcount(CveId), CveIds = make_set(CveId), SoftwareNames = make_set(SoftwareName), RecommendedSecurityUpdates = make_set(RecommendedSecurityUpdate) by DeviceName
| sort by TotalExploitableVulnerabilitiesAbout this query
Explanation
This query is designed to identify internet-facing devices within a network that have known vulnerabilities with available exploits. Here's a simple breakdown of what the query does:
-
Identify Internet-Facing Devices: It first gathers a list of devices that are considered "internet-facing," meaning they have a public IP address and could potentially be exposed to the internet. This is determined by checking if the device is marked as
IsInternetFacing. -
Find Vulnerabilities with Available Exploits: It then identifies vulnerabilities for which an exploit is available. This means that there is a known method to take advantage of these vulnerabilities.
-
Match Devices with Vulnerabilities: The query cross-references the list of internet-facing devices with the list of vulnerabilities that have available exploits.
-
Summarize the Results: For each device, it summarizes the total number of exploitable vulnerabilities, lists the specific vulnerabilities (CVE IDs), the affected software, and any recommended security updates.
-
Sort by Risk: Finally, it sorts the devices by the total number of exploitable vulnerabilities, highlighting those that might be at higher risk.
The purpose of this query is to help security teams quickly identify and prioritize internet-facing devices that are at risk due to known vulnerabilities, allowing them to take appropriate action to secure these devices.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators
MITRE Techniques