Query Details

CISA Known Exploited Vulnerabilities Visualization

Visualization Active CISAKEV

Query

let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, 
notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
| join kind=inner KnowExploitesVulnsCISA on $left.CveId == $right.cveID
| summarize TotalDevices = dcount(DeviceId) by CveId
| sort by TotalDevices
| render columnchart with(title="Active CVEIds CISA KEV")

About this query

CISA Known Exploited Vulnerabilities Visualization

Query Information

Description

The CISA has made an active list were the current exploited vulnerabilities are listed, this query visualizes the the number of vulnerable devices per CVEId. This can help prioritize the vulnerabilities that need patching.

Risk

The vulnerabilities is known to be exploited by threat actors, thus depending on your configuration the exploit can also be used to gain access into your environment.

References

Defender XDR

Explanation

This query is designed to help visualize and prioritize vulnerabilities in your environment by showing the number of devices affected by each known exploited vulnerability (CVEId) listed by CISA. Here's a simple breakdown of what the query does:

  1. Data Import: It imports a list of known exploited vulnerabilities from CISA's online catalog, which includes details like CVE ID, vendor, product, and a description of the vulnerability.

  2. Data Join: It matches these vulnerabilities with the vulnerabilities detected on devices in your network by joining the CISA data with your device vulnerability data based on the CVE ID.

  3. Summarization: It counts the number of unique devices affected by each vulnerability (CVE ID).

  4. Sorting: It sorts the vulnerabilities by the number of affected devices, which helps identify which vulnerabilities are most prevalent in your environment.

  5. Visualization: Finally, it creates a column chart to visually represent the number of devices affected by each CVE ID, titled "Active CVEIds CISA KEV".

This visualization helps prioritize which vulnerabilities need immediate attention and patching based on their prevalence in your network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 3, 2024

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

Devices

Operators

letexternaldatajoinkind=inneronsummarizedcountbysortrenderwith

Actions

GitHub