Monitor Active CISA Exploited CVEs Using This KQL Query
CISA maintains a live catalog of Known Exploited Vulnerabilities (KEV), with the CVE identifier, vendor and product, vulnerability name, date added, required action and due date for each entry. Every entry is a vulnerability that CISA has evidence is being exploited in the wild, so exposure to one is not theoretical. Feeding the catalog into a KQL query lets you pinpoint which newly added entries are present in your environment.
The query below works in both Microsoft Defender for Endpoint advanced hunting and Microsoft Sentinel. It pulls the catalog CSV with externaldata and joins it against DeviceTvmSoftwareVulnerabilities, keeping only catalog entries added within a set window (default 1 day). That gives near-real-time insight into which devices carry a vulnerability that has just been confirmed as exploited, so those devices can be prioritized for patching or mitigation.
Risk
CISA’s Known Exploited Vulnerabilities Catalog lists CVEs that are confirmed to be under active exploitation, not merely rated as severe. Ignoring newly added entries leaves software in your estate exposed to attacks that are already happening. Matching devices should be patched or mitigated as soon as they are detected, and no later than the due date the catalog records for each entry.
Query
Microsoft Defender For Endpoint
// Only report catalog entries added within this window
let NewThreshold = 1d;
// Pull the live CISA KEV catalog as CSV. dateAdded and dueDate are plain YYYY-MM-DD values, so they parse as midnight UTC.
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
| join kind=inner (KnownExploitedVulnsCISA
| where dateAdded > ago(NewThreshold))
on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
// To turn this into a custom detection, join an event table that carries Timestamp and ReportId. This is only needed for MDE: custom detection rules require Timestamp, DeviceId and ReportId in the result set.
// Summarize per device (by DeviceId); without the by clause arg_max returns a single row for the whole tenant and the join keeps only that one device.
| join kind=inner (DeviceProcessEvents
| where Timestamp > ago(30d)
| summarize arg_max(Timestamp, ReportId) by DeviceId)
on $left.DeviceId == $right.DeviceId
Microsoft Sentinel
// Only report catalog entries added within this window
let NewThreshold = 1d;
// Pull the live CISA KEV catalog as CSV. dateAdded and dueDate are plain YYYY-MM-DD values, so they parse as midnight UTC.
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
| join kind=inner (KnownExploitedVulnsCISA
| where dateAdded > ago(NewThreshold))
on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
What this script does:
The KQL query pulls the latest CSV from CISA, keeps only the entries whose dateAdded falls within the last day (NewThreshold), and inner-joins them on CVE id against the vulnerabilities Defender currently reports for your devices. Each result row is one device carrying one newly listed KEV entry. The Microsoft Defender for Endpoint version additionally joins the latest process event per device so the result carries the Timestamp, DeviceId and ReportId columns that custom detection rules require.
One caveat on the window: dateAdded is a date without a time, so it parses as midnight UTC. A query run at 12:00 UTC with NewThreshold = 1d looks back to 12:00 UTC the previous day and therefore only matches entries dated today; an entry CISA published yesterday afternoon is already outside the window. Either schedule the query at the same time every day and accept that behavior, or widen NewThreshold (2d, for example) and deduplicate on the alert side.
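As an added example, not part of the original post and not Microsoft's or CISA's code, the Python below runs the same logic offline: it parses a KEV-format CSV, applies the NewThreshold filter, inner-joins the result against device vulnerability rows, and attaches the latest event per device the way the MDE custom-detection join does. The catalog rows, device rows and process events are constructed samples (the CVE ids use the year 2099 so they cannot be real entries); the column names mirror the CISA CSV and the Defender tables, and nothing here fetches the live catalog.

```python
"""Offline equivalent of the KQL join: parse a CISA KEV CSV, keep entries
added within a threshold, match them against device vulnerabilities and
attach the latest event per device. All inputs are constructed samples."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the CISA column layout; 2099 CVE ids are placeholders.
SAMPLE_KEV_CSV = """\
cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,notes
CVE-2099-0001,ExampleVendor,ExampleServer,ExampleServer RCE,2024-06-10,"Remote code execution.",Apply updates per vendor instructions.,2024-07-01,
CVE-2099-0002,ExampleVendor,ExampleClient,ExampleClient auth bypass,2024-06-09,"Authentication bypass.",Apply updates per vendor instructions.,2024-06-30,
CVE-2099-0003,OtherVendor,OtherTool,OtherTool path traversal,2023-01-15,"Older catalog entry.",Apply updates per vendor instructions.,2023-02-05,
"""

# Constructed rows shaped like DeviceTvmSoftwareVulnerabilities.
SAMPLE_DEVICE_VULNS = [
    {"DeviceId": "d-001", "DeviceName": "srv01", "CveId": "CVE-2099-0001"},
    {"DeviceId": "d-002", "DeviceName": "wks07", "CveId": "CVE-2099-0002"},
    {"DeviceId": "d-002", "DeviceName": "wks07", "CveId": "CVE-2099-0003"},
    {"DeviceId": "d-003", "DeviceName": "srv02", "CveId": "CVE-2099-9999"},
]

# Constructed rows shaped like DeviceProcessEvents (only the columns a
# custom detection needs).
SAMPLE_PROCESS_EVENTS = [
    {"DeviceId": "d-001", "Timestamp": datetime(2024, 6, 10, 8, 0, tzinfo=timezone.utc), "ReportId": 11},
    {"DeviceId": "d-001", "Timestamp": datetime(2024, 6, 10, 9, 30, tzinfo=timezone.utc), "ReportId": 12},
    {"DeviceId": "d-002", "Timestamp": datetime(2024, 6, 9, 23, 0, tzinfo=timezone.utc), "ReportId": 21},
]

# Assumed "query run time" for the sample: noon UTC on the day CVE-2099-0001 was added.
SAMPLE_NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)


def parse_kev(csv_text):
    """Parse the KEV CSV. dateAdded/dueDate become midnight-UTC datetimes,
    which is also how externaldata types a bare YYYY-MM-DD value."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in ("dateAdded", "dueDate"):
            row[col] = datetime.strptime(row[col], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def new_kev_entries(entries, now, threshold_days=1):
    """Equivalent of `where dateAdded > ago(NewThreshold)`. Because dateAdded
    has no time of day, a 1d window evaluated at noon keeps only entries
    dated today; yesterday's entries already fall outside it."""
    cutoff = now - timedelta(days=threshold_days)
    return [e for e in entries if e["dateAdded"] > cutoff]


def match_devices(new_entries, device_vulns):
    """Inner join on CVE id, like `join kind=inner ... on $left.CveId == $right.cveID`."""
    by_cve = {e["cveID"]: e for e in new_entries}
    findings = []
    for v in device_vulns:
        kev = by_cve.get(v["CveId"])
        if kev is None:
            continue  # device vulnerability not in the new-entries window
        findings.append({
            "DeviceId": v["DeviceId"], "DeviceName": v["DeviceName"], "CveId": v["CveId"],
            "vendorProject": kev["vendorProject"], "vulnerabilityName": kev["vulnerabilityName"],
            "dateAdded": kev["dateAdded"], "dueDate": kev["dueDate"],
        })
    return findings


def latest_event_per_device(events):
    """Equivalent of `summarize arg_max(Timestamp, ReportId) by DeviceId`:
    one row per device, not one row for the whole tenant."""
    latest = {}
    for ev in events:
        cur = latest.get(ev["DeviceId"])
        if cur is None or ev["Timestamp"] > cur["Timestamp"]:
            latest[ev["DeviceId"]] = ev
    return latest


def findings_for_detection(findings, events):
    """Attach Timestamp/ReportId per device (the MDE custom-detection join).
    Devices with no event in the window drop out, as in an inner join."""
    latest = latest_event_per_device(events)
    out = []
    for f in findings:
        ev = latest.get(f["DeviceId"])
        if ev is not None:
            out.append({**f, "Timestamp": ev["Timestamp"], "ReportId": ev["ReportId"]})
    return out


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_KEV_CSV)
    for days in (1, 2):
        hits = match_devices(new_kev_entries(entries, SAMPLE_NOW, days), SAMPLE_DEVICE_VULNS)
        print(f"NewThreshold={days}d:", [(h["DeviceName"], h["CveId"]) for h in hits])
```

Running it shows the window caveat directly: with SAMPLE_NOW at 12:00 UTC, a 1-day window returns only srv01 (the entry dated that day), while a 2-day window also returns wks07 for the entry dated the day before. The old catalog entry and the CVE not in the catalog never match, and findings_for_detection keeps one event per device because the latest event is computed per DeviceId.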