CISAKnowExploitsVulnerabilitiesDeviceTotal.md
Known exploited vulnerabilities by CISA still active on devices

Query Information

Description

CISA maintains an actively updated catalog of vulnerabilities that are known to be exploited in the wild. This query uses that catalog to enrich your vulnerability management process by matching the CISA CVE IDs against the CVE IDs currently active on your devices. The result helps prioritize which vulnerabilities need patching first.

Risk

These vulnerabilities are known to be exploited by threat actors, so depending on your configuration the same exploits can be used to gain access to your environment.

References

Defender For Endpoint

Devices with the most known exploited vulnerabilities

```kql
// Pull the CISA Known Exploited Vulnerabilities catalog directly from cisa.gov;
// the column list must match the CSV header order.
let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True);
DeviceTvmSoftwareVulnerabilities
// kind=inner keeps every device row that matches a KEV entry; the default
// innerunique would keep only one device per CVE and undercount the rest.
| join kind=inner KnowExploitesVulnsCISA on $left.CveId == $right.cveID
| summarize
    TotalVulnerabilities = count(),
    Vulnerabilities = make_set(cveID),
    Description = make_set(shortDescription)
    by DeviceName
| sort by TotalVulnerabilities desc
```
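The same matching and per-device aggregation, reproduced in Python as an added example (not part of the repository) so it can be checked offline against an exported vulnerability list. The KEV rows and the device rows are constructed, and the `Overdue` field is an addition that compares each catalog entry's dueDate with a fixed as-of date.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample of the CISA KEV CSV; the header mirrors the public file's
# leading columns, the rows are made up.
KEV_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,notes
CVE-0000-0001,ExampleVendor,ExampleApp,Example RCE,2024-01-10,Constructed remote code execution entry,Apply updates per vendor instructions.,2024-01-31,
CVE-0000-0002,ExampleVendor,ExampleAgent,Example privilege escalation,2024-03-05,Constructed local privilege escalation entry,Apply updates per vendor instructions.,2024-03-26,
"""

# Constructed rows in the shape of DeviceTvmSoftwareVulnerabilities (DeviceName, CveId).
DEVICE_VULNS = [
    ("host-a", "CVE-0000-0001"),
    ("host-a", "CVE-0000-0002"),
    ("host-a", "CVE-0000-9999"),  # not in the KEV catalog, must be ignored
    ("host-b", "CVE-0000-0001"),
    ("host-c", "CVE-0000-9999"),  # no KEV match at all, must not appear
]

# Fixed "today" so the overdue check is reproducible (assumption for the example).
AS_OF = date(2024, 2, 15)


def load_kev(text):
    """Index the KEV CSV by cveID, mirroring the externaldata() step."""
    return {row["cveID"]: row for row in csv.DictReader(io.StringIO(text))}


def summarize(device_vulns, kev, today):
    """Inner join on CVE id, then count and collect per device like the KQL summarize."""
    per_device = defaultdict(lambda: {"TotalVulnerabilities": 0, "Vulnerabilities": [], "Overdue": []})
    for device, cve in device_vulns:
        entry = kev.get(cve)
        if entry is None:
            continue  # inner join: rows without a KEV match are dropped
        rec = per_device[device]
        rec["TotalVulnerabilities"] += 1
        rec["Vulnerabilities"].append(cve)
        if date.fromisoformat(entry["dueDate"]) < today:
            rec["Overdue"].append(cve)  # past CISA's remediation due date
    return sorted(per_device.items(), key=lambda kv: kv[1]["TotalVulnerabilities"], reverse=True)


def run_example():
    """Run the join over the constructed data; returns (device, record) pairs, most affected first."""
    return summarize(DEVICE_VULNS, load_kev(KEV_CSV), AS_OF)


if __name__ == "__main__":
    for device, rec in run_example():
        print(device, rec)
```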