
List New Active CISA Known Exploited Vulnerabilities

Description

CISA provides a comprehensive list of known exploited vulnerabilities with CVE numbers, vendor names, product names, vulnerability names, dates, short descriptions, action due dates, and notes. This dynamic list is ingested into a KQL query to detect newly added known exploited vulnerabilities that are active in your environment.

You can implement the query below as a custom detection rule to be notified about newly added vulnerabilities; I would suggest running it a few times every day to stay on top of additions to the catalog. The NewThreshold variable defines how recently a vulnerability must have been added to the catalog to count as new; the default is one day.
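The same matching logic, written out offline in Python so the threshold semantics can be checked without a tenant. This is an added example, not code from the original post or from CISA: the CSV excerpt and the device inventory are constructed sample data (the CVE ids, dates and descriptions are placeholders, not real KEV entries), and only the column names follow the header that the query's externaldata() declares.

```python
"""Offline model of the "newly added KEV present on a device" match.

Added example, not part of the original post. KEV_CSV and DEVICE_VULNS are
constructed sample data; the column names mirror the CISA KEV CSV header and
the DeviceTvmSoftwareVulnerabilities columns the query uses.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the shape of known_exploited_vulnerabilities.csv.
# The CVE ids, dates and texts are placeholders, not real catalog entries.
KEV_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,notes
CVE-0000-0001,ExampleVendor,ExampleProduct,Example RCE,2024-05-02,Constructed sample entry,Apply updates per vendor instructions.,2024-05-23,
CVE-0000-0002,ExampleVendor,OtherProduct,Example privilege escalation,2024-04-20,Constructed sample entry,Apply updates per vendor instructions.,2024-05-11,
CVE-0000-0003,OtherVendor,ThirdProduct,Example auth bypass,2024-05-01,Constructed sample entry,Apply updates per vendor instructions.,2024-05-22,
"""

# Constructed stand-in for DeviceTvmSoftwareVulnerabilities rows.
DEVICE_VULNS = [
    {"DeviceId": "dev-a", "DeviceName": "WS-01", "CveId": "CVE-0000-0001"},
    {"DeviceId": "dev-b", "DeviceName": "WS-02", "CveId": "CVE-0000-0002"},
    {"DeviceId": "dev-b", "DeviceName": "WS-02", "CveId": "CVE-0000-0003"},
    {"DeviceId": "dev-c", "DeviceName": "SRV-01", "CveId": "CVE-0000-0001"},
]


def load_kev(csv_text):
    """Parse the KEV CSV. DictReader consuming the header row is the
    equivalent of the query's ignoreFirstRecord=true."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # dateAdded is a bare date; KQL parses it as midnight UTC, so do the same.
        row["dateAdded"] = datetime.strptime(row["dateAdded"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def new_kev_matches(device_vulns, kev_rows, now, new_threshold=timedelta(days=1)):
    """Equivalent of the inner join with `where dateAdded > ago(NewThreshold)`:
    return one row per (device, CVE) whose CVE was added after the cutoff."""
    cutoff = now - new_threshold
    recent = {r["cveID"]: r for r in kev_rows if r["dateAdded"] > cutoff}
    matches = []
    for v in device_vulns:
        kev = recent.get(v["CveId"])
        if kev is None:
            continue
        matches.append({
            "DeviceName": v["DeviceName"],
            "CveId": v["CveId"],
            "vendorProject": kev["vendorProject"],
            "vulnerabilityName": kev["vulnerabilityName"],
            "dateAdded": kev["dateAdded"],
            "shortDescription": kev["shortDescription"],
        })
    return matches


def run_at(year, month, day, hour, minute=0, threshold_days=1):
    """Helper for experiments: evaluate the rule at a given UTC instant and
    return sorted (DeviceName, CveId) pairs."""
    now = datetime(year, month, day, hour, minute, tzinfo=timezone.utc)
    matches = new_kev_matches(DEVICE_VULNS, load_kev(KEV_CSV), now, timedelta(days=threshold_days))
    return sorted((m["DeviceName"], m["CveId"]) for m in matches)


if __name__ == "__main__":
    # Evaluated on 2024-05-02 at 15:00 UTC only the entry dated 2024-05-02 is "new".
    for device, cve in run_at(2024, 5, 2, 15):
        print(device, cve)
    # Thirty minutes past midnight the next day the same entry is no longer new.
    print(run_at(2024, 5, 3, 0, 30))
```

The run_at() helper makes the boundary visible: because dateAdded is a date without a time, it parses to midnight UTC, so with NewThreshold = 1d an entry only counts as new during the UTC day on which CISA added it. That is why the query should run several times a day rather than once, and why a larger threshold (run_at(..., threshold_days=3)) is the safer choice if the rule can only run daily.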

Risk

Known exploited vulnerabilities are actively exploited by adversaries and need to be patched as soon as possible.

Query

Microsoft Defender For Endpoint
Kusto
// NewThreshold defines how recently a CVE must have been added to the CISA catalog to count as new (default: one day).
let NewThreshold = 1d;
// Pull the current KEV catalog straight from CISA; the column list matches the CSV header, which ignoreFirstRecord skips.
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
// Keep only vulnerable software on devices whose CVE was added to the catalog within NewThreshold.
| join kind=inner (KnowExploitesVulnsCISA
    | where dateAdded > ago(NewThreshold))
    on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
// MDE custom detection rules require Timestamp, DeviceId and ReportId columns, which the TVM table lacks.
// Borrow them from the most recent process event per device; summarizing by DeviceId keeps one row per device
// (without the "by" clause the summarize collapses to a single row and only one device would ever match).
| join kind=inner (DeviceProcessEvents
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, ReportId) by DeviceId)
    on $left.DeviceId == $right.DeviceId

Microsoft Sentinel
Kusto
// NewThreshold defines how recently a CVE must have been added to the CISA catalog to count as new (default: one day).
let NewThreshold = 1d;
// Pull the current KEV catalog straight from CISA; the column list matches the CSV header, which ignoreFirstRecord skips.
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
// Keep only vulnerable software on devices whose CVE was added to the catalog within NewThreshold.
| join kind=inner (KnowExploitesVulnsCISA
    | where dateAdded > ago(NewThreshold))
    on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
