Technique ID | Title | Link |
---|---|---|
T1190 | Exploit Public-Facing Application | https://attack.mitre.org/techniques/T1190/ |
CISA provides a comprehensive list of known exploited vulnerabilities with CVE numbers, vendor names, product names, vulnerability names, dates, short descriptions, action due dates, and notes. This dynamic list is ingested into a KQL query to detect newly added known exploited vulnerabilities that are present on devices in your environment.
You can implement the query below as a custom detection rule to be notified about newly added vulnerabilities; I would suggest running it a few times every day to stay on top of new additions. The NewThreshold variable defines how recently a vulnerability must have been added to the catalog to count as new; the default is one day.
Known exploited vulnerabilities are actively exploited by adversaries and need to be patched as soon as possible.
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
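// Detect devices exposed to CVEs that were newly added to the CISA Known Exploited
// Vulnerabilities (KEV) catalog, shaped for use as an MDE custom detection rule.
// NewThreshold: how recently a CVE must have been added to the catalog to count as
// "new". Default is one day.
// NOTE(review): dateAdded in the catalog looks like a calendar date with no time part;
// if so, `dateAdded > ago(1d)` only matches entries dated today (UTC) — confirm against
// the CSV and widen NewThreshold if the rule runs less than once per day.
let NewThreshold = 1d;
// Live KEV catalog pulled from CISA; the column list mirrors the CSV header, which is skipped.
let KevCatalog = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
// Only catalog entries added within the threshold window.
let NewKevEntries = KevCatalog
    | where dateAdded > ago(NewThreshold);
DeviceTvmSoftwareVulnerabilities
// Keep only device/software findings whose CVE is a newly added KEV entry.
| join kind=inner (NewKevEntries) on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription
// MDE custom detections require Timestamp, DeviceId and ReportId columns, which the
// TVM vulnerability table does not carry. Borrow them from each device's most recent
// process event in the last 30 days.
// `by DeviceId` is essential: without it arg_max collapses the whole table to one row,
// so only the single device with the globally latest event would survive the inner join.
// Devices with no process event in the 30-day window are dropped by the inner join.
| join kind=inner (DeviceProcessEvents
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, ReportId) by DeviceId)
    on $left.DeviceId == $right.DeviceId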
// List devices exposed to CVEs that were newly added to the CISA Known Exploited
// Vulnerabilities (KEV) catalog (hunting variant, no custom-detection columns).
// NewThreshold: how recently a CVE must have been added to the catalog to count as
// "new". Default is one day.
// NOTE(review): dateAdded in the catalog looks like a calendar date with no time part;
// if so, `dateAdded > ago(1d)` only matches entries dated today (UTC) — confirm against
// the CSV before relying on the one-day default.
let NewThreshold = 1d;
// Live KEV catalog pulled from CISA; the column list mirrors the CSV header, which is skipped.
let KevCatalog = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
// Only catalog entries added within the threshold window.
let NewKevEntries = KevCatalog
    | where dateAdded > ago(NewThreshold);
DeviceTvmSoftwareVulnerabilities
// Keep only device/software findings whose CVE is a newly added KEV entry.
| join kind=inner (NewKevEntries) on $left.CveId == $right.cveID
| project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription