Vuln Known Exploitable Vuln
Query
//Query the list of Known Exploited Vulnerabilities provided by CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog and query your devices for any that are vulnerable
//Data connector required for this query - Advanced Hunting license
//This query only works in Advanced Hunting as the DeviceTvm* tables aren't sent to Sentinel yet
let KEV=
externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, knownRansomwareCampaignUse:string,notes:string)
[
h@'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
]
with(format='csv',ignorefirstrecord=true);
DeviceTvmSoftwareVulnerabilities
| project DeviceName, OSPlatform, cveID=CveId
| join kind=inner KEV on cveID
| summarize ['Vulnerabilities']=make_set(cveID) by DeviceName
| extend ['Count of Known Exploited Vulnerabilities'] = array_length(['Vulnerabilities'])
| sort by ['Count of Known Exploited Vulnerabilities']Explanation
This query is designed to identify devices in your network that are vulnerable to known exploited vulnerabilities as listed by the Cybersecurity and Infrastructure Security Agency (CISA). Here's a simplified breakdown of what the query does:
-
Data Source: It pulls a list of known exploited vulnerabilities from CISA's online catalog, which is available in CSV format.
-
Data Connector Requirement: To run this query, you need an Advanced Hunting license, as it uses tables that are not yet available in Microsoft Sentinel.
-
Data Import: The query imports the CISA data, which includes details like CVE IDs, vendor information, product names, vulnerability descriptions, and more.
-
Device Vulnerability Check: It checks your devices for any software vulnerabilities by comparing the CVE IDs from the CISA list with those found on your devices.
-
Result Compilation: For each device, it compiles a list of vulnerabilities that match the known exploited ones from CISA.
-
Summary and Sorting: The query summarizes the results by listing the vulnerabilities for each device and counts how many known exploited vulnerabilities each device has. Finally, it sorts the devices based on the number of vulnerabilities they have.
In essence, this query helps you identify which of your devices are at risk due to known exploited vulnerabilities, allowing you to prioritize patching and other security measures.
Details

Matt Zorich
Released: October 18, 2023
Tables
Keywords
Operators