CISA provides a comprehensive list of known exploited vulnerabilities with CVE numbers, vendor names, product names, vulnerability names, dates, short descriptions, action due dates, and notes. This dynamic list is ingested into a KQL query to detect newly added known exploited vulnerabilities that are active in your environment.
This query calculates by how many days the due date has been exceeded and returns this in a new column named DueDateExceededByDays. Based on this column you can track which vulnerabilities need to be patched, when they must be patched, and whether this was done within the set time.
Known exploited vulnerabilities are actively exploited by adversaries and need to be patched as soon as possible.
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
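// Known Exploited Vulnerabilities (CISA KEV catalog) that are present on devices
// reporting to Defender Vulnerability Management, with the number of days the
// CISA remediation due date has been exceeded.
//
// Input:  DeviceTvmSoftwareVulnerabilities (CveId, DeviceName) joined against
//         the KEV CSV, which is fetched from cisa.gov at query time.
// Output: one row per CVE with the de-duplicated set of affected devices, their
//         count, and DueDateExceededByDays (positive = days overdue).
//         Sorted most-overdue first, then by number of affected devices.
//
// IncludeNotYetDue = false reproduces the original behaviour (overdue KEVs only).
// Set it to true to also list KEVs whose due date is still in the future; for
// those DueDateExceededByDays is negative (days remaining until the due date).
let IncludeNotYetDue = false;
// The schema must match the column ORDER of CISA's CSV: externaldata maps CSV
// columns by position, not by header name. CISA has added columns to this feed
// over time, so if results look shifted or empty, compare this list against the
// current CSV header first. NOTE(review): the feed is fetched over HTTPS from a
// third party at every run; the query result is only as trustworthy as that file.
let KnownExploitedVulnsCISA = externaldata(
    cveID: string, vendorProject: string, product: string, vulnerabilityName: string,
    dateAdded: datetime, shortDescription: string, requiredAction: string,
    dueDate: datetime, notes: string)
  [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
  with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// Inner join: keep only CVEs that appear both on a device and in the KEV list.
| join kind=inner (
    KnownExploitedVulnsCISA
    // With the default (false), a row whose dueDate did not parse (null) fails
    // the comparison and is dropped, exactly as in the original filter.
    | where IncludeNotYetDue or dueDate < now()
  ) on $left.CveId == $right.cveID
// A device reports the same CVE once per affected software entry;
// make_set collapses those into one device name per CVE.
| summarize VulnerableDevices = make_set(DeviceName)
    by CveId, vendorProject, vulnerabilityName, dateAdded, dueDate, shortDescription
| extend DueDateExceededByDays = datetime_diff('day', now(), dueDate),
         TotalVulnerableDevices = array_length(VulnerableDevices)
| project-reorder CveId, vendorProject, DueDateExceededByDays, TotalVulnerableDevices
// sort defaults to descending; spelled out so the ordering is explicit.
| sort by DueDateExceededByDays desc, TotalVulnerableDevices desc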
// CISA KEV entries seen in Defender Vulnerability Management whose remediation
// due date has already passed, with the affected devices grouped per CVE.
// The KEV CSV is downloaded from cisa.gov each time the query runs; the column
// list below must stay in the same order as the CSV columns.
let CisaKevCatalog = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
// Only catalog entries whose due date lies in the past.
let OverdueKev = CisaKevCatalog
  | where dueDate < now();
DeviceTvmSoftwareVulnerabilities
| join kind=inner OverdueKev on $left.CveId == $right.cveID
// One device can report the same CVE for several software entries; make_set
// yields each device name once per CVE.
| summarize VulnerableDevices = make_set(DeviceName) by CveId, vendorProject, vulnerabilityName, dateAdded, dueDate, shortDescription
| extend TotalVulnerableDevices = array_length(VulnerableDevices)
// Positive value = number of days past the CISA due date.
| extend DueDateExceededByDays = datetime_diff('day', now(), dueDate)
| project-reorder CveId, vendorProject, DueDateExceededByDays, TotalVulnerableDevices
// Explicit desc matches the default sort direction of the original query.
| sort by DueDateExceededByDays desc, TotalVulnerableDevices desc