NewActiveCISAKnownExploitedVulnerabilityDetected.md

File metadata and controls

49 lines (41 loc) · 2.86 KB

New Active CISA Known Exploited Vulnerability Detected

Query Information

MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
|---|---|---|
| T1190 | Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ |

Description

CISA publishes a catalog of known exploited vulnerabilities with, for each entry, the CVE number, vendor, product, vulnerability name, date added, short description, required action, due date, and notes. The KQL query below ingests this catalog directly from CISA's CSV feed and matches the newly added entries against the vulnerabilities that are present on devices in your environment.

You can implement the query below as a custom detection rule to be notified about newly added vulnerabilities; I would suggest running it a few times every day to stay on top of the added vulnerabilities. The NewThreshold variable defines how recently a vulnerability must have been added to the catalog to count as new; the default is one day.

Risk

Known exploited vulnerabilities are actively exploited by adversaries and need to be patched as soon as possible.

References

Defender For Endpoint

// Define how recently a vulnerability must have been added to the CISA KEV catalog to count as new
let NewThreshold = 1d;
// Ingest the CISA Known Exploited Vulnerabilities catalog (CSV) using its published column names
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
// Keep only devices exposed to a CVE that was added to the catalog within NewThreshold
| join kind=inner (KnownExploitedVulnsCISA
    | where dateAdded > ago(NewThreshold))
    on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
// MDE custom detections require Timestamp and ReportId columns, which DeviceTvmSoftwareVulnerabilities lacks.
// Take them from each device's most recent process event. The arg_max must be grouped by DeviceId;
// without the "by", summarize returns a single row and the join only ever matches one device.
| join kind=inner (DeviceProcessEvents
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, ReportId) by DeviceId)
    on $left.DeviceId == $right.DeviceId

Sentinel

// Define how recently a vulnerability must have been added to the CISA KEV catalog to count as new
let NewThreshold = 1d;
// Ingest the CISA Known Exploited Vulnerabilities catalog (CSV) using its published column names
let KnownExploitedVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
// Keep only devices exposed to a CVE that was added to the catalog within NewThreshold
| join kind=inner (KnownExploitedVulnsCISA
    | where dateAdded > ago(NewThreshold))
    on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
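To check what the two queries above actually return before deploying them as a detection rule, the following Python script re-implements their logic over constructed sample data: a KEV CSV in the same column layout the externaldata() schema declares, a few rows standing in for DeviceTvmSoftwareVulnerabilities, and a few rows standing in for DeviceProcessEvents. This is an added example, not code from the repository; the CVE numbers, device names, dates and ReportId values are all made up, and NOW is a fixed stand-in for KQL's now() so the output is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample in the CISA KEV CSV layout (same column names as the
# externaldata() schema in the query). Every row here is made up.
KEV_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,notes
CVE-0000-0001,ExampleVendor,ExampleApp,Example RCE,2024-06-10,Made-up entry,Apply updates per vendor instructions.,2024-07-01,
CVE-0000-0002,ExampleVendor,ExampleGateway,Example auth bypass,2024-05-01,Made-up entry,Apply updates per vendor instructions.,2024-05-22,
CVE-0000-0003,OtherVendor,OtherTool,Example path traversal,2024-06-11,Made-up entry,Apply updates per vendor instructions.,2024-07-02,
"""

# Constructed rows standing in for DeviceTvmSoftwareVulnerabilities.
TVM_VULNS = [
    {"DeviceId": "dev-a", "DeviceName": "host-a", "CveId": "CVE-0000-0001"},
    {"DeviceId": "dev-b", "DeviceName": "host-b", "CveId": "CVE-0000-0002"},
    {"DeviceId": "dev-b", "DeviceName": "host-b", "CveId": "CVE-0000-0003"},
    {"DeviceId": "dev-c", "DeviceName": "host-c", "CveId": "CVE-0000-0003"},
]

# Constructed rows standing in for DeviceProcessEvents (only the fields the MDE join uses).
# Note: dev-c has no process event, so it cannot satisfy the MDE custom-detection join.
PROCESS_EVENTS = [
    {"DeviceId": "dev-a", "Timestamp": datetime(2024, 6, 11, 8, 0, tzinfo=UTC), "ReportId": 10},
    {"DeviceId": "dev-a", "Timestamp": datetime(2024, 6, 11, 9, 30, tzinfo=UTC), "ReportId": 11},
    {"DeviceId": "dev-b", "Timestamp": datetime(2024, 6, 11, 7, 15, tzinfo=UTC), "ReportId": 20},
]

# Fixed "now" (stands in for KQL's now()) so the example is reproducible.
NOW = datetime(2024, 6, 11, 12, 0, tzinfo=UTC)


def parse_kev(csv_text):
    """Parse the KEV CSV. dateAdded is a bare date in the feed, so it becomes midnight UTC."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["dateAdded"] = datetime.strptime(row["dateAdded"], "%Y-%m-%d").replace(tzinfo=UTC)
        rows.append(row)
    return rows


def new_kev_entries(kev_rows, now, new_threshold):
    """KQL: KnownExploitedVulnsCISA | where dateAdded > ago(NewThreshold)."""
    return [r for r in kev_rows if r["dateAdded"] > now - new_threshold]


def active_new_kevs(tvm_rows, kev_rows, now, new_threshold):
    """KQL: inner join on $left.CveId == $right.cveID, reduced to the reported columns."""
    recent = {r["cveID"]: r for r in new_kev_entries(kev_rows, now, new_threshold)}
    matches = []
    for v in tvm_rows:
        k = recent.get(v["CveId"])
        if k is None:
            continue  # CVE not in the catalog, or not added recently enough
        matches.append({
            "DeviceId": v["DeviceId"], "DeviceName": v["DeviceName"], "CveId": v["CveId"],
            "vendorProject": k["vendorProject"], "vulnerabilityName": k["vulnerabilityName"],
            "dateAdded": k["dateAdded"], "shortDescription": k["shortDescription"],
        })
    return matches


def latest_report_per_device(process_rows):
    """KQL: summarize arg_max(Timestamp, ReportId) by DeviceId."""
    latest = {}
    for e in process_rows:
        cur = latest.get(e["DeviceId"])
        if cur is None or e["Timestamp"] > cur["Timestamp"]:
            latest[e["DeviceId"]] = e
    return latest


def mde_alert_rows(tvm_rows, kev_rows, process_rows, now, new_threshold):
    """Attach Timestamp and ReportId per device, as the MDE custom-detection join requires.
    A device with no process event in the window drops out of the inner join."""
    latest = latest_report_per_device(process_rows)
    rows = []
    for m in active_new_kevs(tvm_rows, kev_rows, now, new_threshold):
        ev = latest.get(m["DeviceId"])
        if ev is None:
            continue
        rows.append({**m, "Timestamp": ev["Timestamp"], "ReportId": ev["ReportId"]})
    return rows


def demo(threshold_days):
    """Run both query variants over the constructed data with NewThreshold = threshold_days."""
    kev = parse_kev(KEV_CSV)
    threshold = timedelta(days=threshold_days)
    return {
        "matches": active_new_kevs(TVM_VULNS, kev, NOW, threshold),   # Sentinel variant
        "alerts": mde_alert_rows(TVM_VULNS, kev, PROCESS_EVENTS, NOW, threshold),  # MDE variant
    }


if __name__ == "__main__":
    for days in (1, 2):
        print(f"NewThreshold={days}d:")
        for r in demo(days)["alerts"]:
            print(f"  {r['DeviceName']} {r['CveId']} added {r['dateAdded']:%Y-%m-%d} ReportId={r['ReportId']}")
```

Two things the sample data makes visible: dateAdded in the CISA CSV is a date with no time, so `dateAdded > ago(1d)` compares against midnight UTC and an entry dated yesterday stops matching once the query runs more than a day past that midnight, which is why running the rule several times a day matters; and in the Defender for Endpoint variant a device that has no DeviceProcessEvents row in the 30-day window (dev-c here) is exposed to the new CVE but never produces an alert, because the inner join drops it.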