Query Details

New Active CISA Know Exploited Vulnerability Detected

New Active CISA Known Exploited Vulnerability Detected

Query

// Define new
let NewThreshold = 1d;
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
| join kind=inner (KnowExploitesVulnsCISA 
    | where dateAdded > ago(NewThreshold)) 
    on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
// If you want to alert on this activity join with a random field to include the Timestamp and reportid. This is only needed for MDE, due to the requried fields for custom detections.
| join kind=inner (DeviceProcessEvents
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, Timestamp, DeviceId, ReportId))
    on $left.DeviceId == $right.DeviceId

About this query

Explanation

This query is designed to help you identify new vulnerabilities in your environment that are known to be actively exploited, according to the Cybersecurity and Infrastructure Security Agency (CISA). Here's a simple breakdown:

  1. Purpose: The query checks for newly added vulnerabilities from CISA's list of known exploited vulnerabilities and matches them with vulnerabilities detected in your environment.

  2. Data Source: It uses CISA's publicly available CSV file, which contains details like CVE numbers, vendor names, product names, and descriptions of vulnerabilities.

  3. New Vulnerabilities: The query focuses on vulnerabilities added in the last day (or a different timeframe if you adjust the NewThreshold variable).

  4. Detection: It matches these new vulnerabilities with those found on devices in your environment to see if any are present and active.

  5. Notification: You can set this up as a custom detection rule to alert you whenever a new known exploited vulnerability is detected in your environment.

  6. Risk: These vulnerabilities are actively exploited by attackers, so it's crucial to patch them quickly.

  7. Implementation: The query can be run in Microsoft Defender XDR or Sentinel, with slight variations to accommodate each platform's requirements.

In summary, this query helps you stay updated on the latest security threats by alerting you to new, actively exploited vulnerabilities that could affect your systems.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceTvmSoftwareVulnerabilitiesDeviceProcessEvents

Keywords

CISAVulnerabilitiesDevicesVendorProductVulnerabilityNameDateDescriptionActionNotesTimestampReportID

Operators

letexternaldatawithjoinkind=innerwhere>agoon==project-reordersummarizearg_max

MITRE Techniques

Actions

GitHub