Last active
March 7, 2022 09:50
-
-
Save alexmags/b9f7f336e10a965b524763765395d08b to your computer and use it in GitHub Desktop.
🛡Shields up! Compare CISA Known Exploited Vulnerabilities Catalog to Microsoft Defender for Endpoint data. Use this KQL in DfE Advanced Hunting. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-overview
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // make a table from https://www.cisa.gov/known-exploited-vulnerabilities-catalog | |
| let CISA_NEV = (externaldata(CveId:string,vendorProject:string,product:string,vulnerabilityName:string,dateAdded:string,shortDescription:string,requiredAction:string,dueDate:datetime) | |
| [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] | |
| with (format="csv",ignoreFirstRecord=true)); | |
| let CISA_NEV_CveIDs= CISA_NEV | project CveId; // make a list from CVEs column | |
| DeviceTvmSoftwareVulnerabilities | |
| | where CveId in (CISA_NEV_CveIDs) // compare DfE devices with CVEs to CISA NEV CVEs list | |
| | join kind = inner CISA_NEV on CveId // Join table of CVEs on devices to CISA NEV table | |
| // format results however you like. Below shows count of devices with each CISA NEV CVE, in due date order | |
| | summarize count() by CveId,vendorProject,product,vulnerabilityName,MicrosoftRating=VulnerabilitySeverityLevel,MicrosoftRecommendedUpdate=RecommendedSecurityUpdate, dateAdded,shortDescription,requiredAction,dueDate | |
| | order by dueDate asc |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment