Sentinel Analytics Rule: CISA Known Exploited Vulnerability Added
Sentinel Analytics Rule New CISA Know Exploited Vulnerability Added
Query
let PreviousAlertTriggers = SecurityIncident
| where TimeGenerated > ago(24h)
| where Title has_all ("CVE-", "CISA Known Exploited Vulnerabilitie Added")
| distinct Title;
let KnowExploitesVulnsCISA = externaldata(CVEid: string, Vendor: string, Product: string, vulnerabilityName: string, DateAdded: datetime, Description: string, RequiredAction: string, dueDate: datetime, Notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
KnowExploitesVulnsCISA
| where DateAdded > startofday(now() - 1d)
| extend DueDateinDays = datetime_diff('day', dueDate, now())
| extend CreateIncident = iff (strcat(CVEid, " - CISA Known Exploited Vulnerabilitie Added") in (PreviousAlertTriggers), false, true)
| where CreateIncident == true
| project DateAdded, CVEid, Vendor, Product, Description, RequiredAction, Notes, DueDateinDays, dueDateAbout this query
Explanation
This query is part of a Sentinel Analytics Rule designed to detect when a new vulnerability is added to the CISA Known Exploited Vulnerabilities Catalog. Here's a simple breakdown of what the query does:
-
Purpose: The query checks for new vulnerabilities added to the CISA catalog within the last day and triggers an alert if a new vulnerability is found that hasn't already triggered an alert in the past 24 hours.
-
Data Source: It pulls data from the CISA Known Exploited Vulnerabilities Catalog, which is available as a CSV file online.
-
Process:
- It first checks for any alerts that have already been triggered in the last 24 hours to avoid duplicate alerts.
- It then fetches the latest vulnerabilities added to the CISA catalog.
- For each new vulnerability, it calculates how many days are left until the due date for action.
- It determines whether to create a new incident based on whether the vulnerability has already triggered an alert.
-
Output: If a new vulnerability is found and hasn't been alerted before, it creates an incident with details like the date added, CVE ID, vendor, product, description, required action, notes, and days until the due date.
-
Risk Coverage: This detection helps organizations stay informed about newly identified vulnerabilities that are known to be exploited, allowing them to take timely action to mitigate potential risks.
-
Alert Configuration: The rule is set to check for new vulnerabilities every 10 minutes and will trigger an alert if any new vulnerabilities are found. The alert includes details about the vulnerability and is configured to create an incident in the security system.
In summary, this query helps organizations quickly identify and respond to new vulnerabilities that are actively being exploited, as listed by CISA, thereby enhancing their security posture.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators