Query Details

Vuln Known Exploitable Vuln

Query

//Query the list of Known Exploited Vulnerabilities provided by CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog and query your devices for any that are vulnerable

//Data connector required for this query - Advanced Hunting license
//This query only works in Advanced Hunting as the DeviceTvm* tables aren't sent to Sentinel yet

let KEV=
externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, knownRansomwareCampaignUse:string,notes:string)
[
h@'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
]
with(format='csv',ignorefirstrecord=true);
DeviceTvmSoftwareVulnerabilities
| project DeviceName, OSPlatform, cveID=CveId
| join kind=inner KEV on cveID
| summarize ['Vulnerabilities']=make_set(cveID) by DeviceName
| extend ['Count of Known Exploited Vulnerabilities'] = array_length(['Vulnerabilities'])
| sort by ['Count of Known Exploited Vulnerabilities']

Explanation

This query is designed to identify devices in your network that are vulnerable to known exploited vulnerabilities as listed by the Cybersecurity and Infrastructure Security Agency (CISA). Here's a simplified breakdown of what the query does:

  1. Data Source: It pulls a list of known exploited vulnerabilities from CISA's online catalog, which is available in CSV format.

  2. Data Connector Requirement: To run this query, you need an Advanced Hunting license, as it uses tables that are not yet available in Microsoft Sentinel.

  3. Data Import: The query imports the CISA data, which includes details like CVE IDs, vendor information, product names, vulnerability descriptions, and more.

  4. Device Vulnerability Check: It checks your devices for any software vulnerabilities by comparing the CVE IDs from the CISA list with those found on your devices.

  5. Result Compilation: For each device, it compiles a list of vulnerabilities that match the known exploited ones from CISA.

  6. Summary and Sorting: The query summarizes the results by listing the vulnerabilities for each device and counts how many known exploited vulnerabilities each device has. Finally, it sorts the devices based on the number of vulnerabilities they have.

In essence, this query helps you identify which of your devices are at risk due to known exploited vulnerabilities, allowing you to prioritize patching and other security measures.

Details

Matt Zorich profile picture

Matt Zorich

Released: October 18, 2023

Tables

DeviceTvmSoftwareVulnerabilities

Keywords

Devices

Operators

letexternaldatah@withprojectjoinsummarizemake_setextendarray_lengthsort

Actions

GitHub