Query Details

Vuln Public Facing Deviceswith Known Exploited Vuln

Query

//Query the list of Known Exploited Vulnerabilities provided by CISA - https://www.cisa.gov/known-exploited-vulnerabilities-catalog and find any internet facing devices that are vulnerable

//Data connector required for this query - Advanced Hunting license

let KEV=
externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, knownRansomwareCampaignUse:string,notes:string)
[
h@'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
]
with(format='csv',ignorefirstrecord=true);
let publicdevices=
DeviceInfo
| where IsInternetFacing
| summarize arg_max(Timestamp, *) by DeviceId
| distinct DeviceName;
DeviceTvmSoftwareVulnerabilities
| project DeviceName, OSPlatform, cveID=CveId
| join kind=inner KEV on cveID
| where DeviceName in (publicdevices)
| summarize ['Vulnerabilities']=make_set(cveID), ['Count of Known Exploited Vulnerabilities']=dcount(cveID) by DeviceName

Explanation

This query is designed to identify internet-facing devices within an organization's network that are vulnerable to known exploited vulnerabilities, as listed by the Cybersecurity and Infrastructure Security Agency (CISA). Here's a simplified breakdown of what the query does:

  1. Data Source: It pulls data from CISA's Known Exploited Vulnerabilities catalog, which is available as a CSV file. This catalog contains information about vulnerabilities that are actively being exploited.

  2. Identify Internet-Facing Devices: It filters the organization's devices to find those that are internet-facing, meaning they are exposed to the internet and potentially more vulnerable to attacks.

  3. Match Vulnerabilities: The query then checks these internet-facing devices against the list of known exploited vulnerabilities from CISA.

  4. Output: For each internet-facing device that has a known exploited vulnerability, the query provides:

    • A list of the vulnerabilities (CVE IDs) affecting the device.
    • A count of these vulnerabilities.

This helps organizations quickly identify and prioritize the remediation of vulnerabilities on devices that are most at risk of being exploited due to their exposure to the internet.

Details

Matt Zorich profile picture

Matt Zorich

Released: October 18, 2023

Tables

DeviceInfoDeviceTvmSoftwareVulnerabilities

Keywords

KnownExploitedVulnerabilitiesInternetFacingDevicesDeviceInfoTvmSoftware

Operators

letexternaldatah@withformatignorefirstrecordwheresummarizearg_maxbydistinctprojectjoinkindoninmake_setdcount

Actions

GitHub