Query Details

List internet facing devices with vulnerabilities that have an exploit available

Internet Facing Devices With Available Exploits

Query

// Collect all internet facing devices
let InternetFacingDevices = DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where IsInternetFacing
| distinct DeviceId;
// Collect all vulnerabilities for wich an exploit is available
let ExploitableVulnerabilities = DeviceTvmSoftwareVulnerabilitiesKB
| where IsExploitAvailable == 1
| project CveId;
DeviceTvmSoftwareVulnerabilities
| where CveId in~ (ExploitableVulnerabilities)
| where DeviceId in~ (InternetFacingDevices)
// Summarize results to get the stastics for each device
| summarize TotalExploitableVulnerabilities = dcount(CveId), CveIds = make_set(CveId), SoftwareNames = make_set(SoftwareName), RecommendedSecurityUpdates = make_set(RecommendedSecurityUpdate) by DeviceName
| sort by TotalExploitableVulnerabilities

About this query

Explanation

This query is designed to identify internet-facing devices within a network that have known vulnerabilities with available exploits. Here's a simple breakdown of what the query does:

  1. Identify Internet-Facing Devices: It first gathers a list of devices that are considered "internet-facing," meaning they have a public IP address and could potentially be exposed to the internet. This is determined by checking if the device is marked as IsInternetFacing.

  2. Find Vulnerabilities with Available Exploits: It then identifies vulnerabilities for which an exploit is available. This means that there is a known method to take advantage of these vulnerabilities.

  3. Match Devices with Vulnerabilities: The query cross-references the list of internet-facing devices with the list of vulnerabilities that have available exploits.

  4. Summarize the Results: For each device, it summarizes the total number of exploitable vulnerabilities, lists the specific vulnerabilities (CVE IDs), the affected software, and any recommended security updates.

  5. Sort by Risk: Finally, it sorts the devices by the total number of exploitable vulnerabilities, highlighting those that might be at higher risk.

The purpose of this query is to help security teams quickly identify and prioritize internet-facing devices that are at risk due to known vulnerabilities, allowing them to take appropriate action to secure these devices.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceInfoDeviceTvmSoftwareVulnerabilitiesKBDeviceTvmSoftwareVulnerabilities

Keywords

DevicesVulnerabilitiesExploitInternetRiskServersSecurityUpdates

Operators

letsummarizearg_maxbywheredistinctprojectin~dcountmake_setsort

MITRE Techniques

Actions

GitHub