Shields up! Find CISA Known Exploited Vulns in your Defender for Endpoint data


Shields up! This post has some KQL to report CISA Known Exploited Vulns within your environment.

First of all, if you have Ukrainian or Russian staff working with you, check-in with them and do what you can to support them and their families at this time.

The US Cybersecurity and Infrastructure Security Agency (CISA) leads a national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.

They maintain a list of Common Vulnerabilities and Exposures (CVEs) with confirmed in-the-wild exploitation: the Known Exploited Vulnerabilities (KEV) catalog. The catalog is also published as comma-separated values (CSV) and JSON, which is handy for consuming with IT automation. We’ll use the CSV in this post.

If you’re a Microsoft Defender for Endpoint (DfE) customer you already have a database of the CVEs discovered on your devices. The Threat and Vulnerability Management (TVM) part of DfE already gives you a prioritised list of CVEs you need to patch, but in this post we’ll cross-reference it with the CISA list so you can pull out the CVEs that are actually being exploited.

Within Microsoft 365 Defender Advanced Hunting you can write KQL (Kusto Query Language) queries to drill down into that data. The TVM findings live in the DeviceTvmSoftwareVulnerabilities table, with one row per device, software product and CVE, so a single CVE will appear many times across an estate.

Below is example KQL that reads the CISA Known Exploited Vulnerabilities CSV and joins it to your device software vulnerabilities data.
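The following query is an added example written for this edit, not the post author’s own query. It assumes the CISA CSV is served at the URL shown with its columns in the order declared in the externaldata schema (cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate; check the file’s header row before relying on it), and that the externaldata operator is permitted in your tenant’s Advanced Hunting. It joins the catalog to DeviceTvmSoftwareVulnerabilities on the CVE identifier, flags findings whose CISA remediation due date has already passed, and collapses the per-device rows into one row per CVE with a device count.

```kusto
// Added example, not the original post's query.
// Assumptions: the CSV URL and column order match the current CISA catalog
// header, and externaldata is allowed in this tenant's Advanced Hunting.
let KEV = externaldata(
    cveID:string,
    vendorProject:string,
    product:string,
    vulnerabilityName:string,
    dateAdded:datetime,
    shortDescription:string,
    requiredAction:string,
    dueDate:datetime)
    [@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"]
    with (format="csv", ignoreFirstRecord=true);
DeviceTvmSoftwareVulnerabilities
// Keep only TVM findings whose CVE is in the CISA catalog.
| join kind=inner KEV on $left.CveId == $right.cveID
// dueDate is CISA's remediation deadline; a date in the past means overdue.
| extend Overdue = dueDate < now()
// One row per CVE: how many devices, which devices (capped at 25 names),
// which vendor/product/version combinations, and the fix TVM recommends.
| summarize
    DeviceCount = dcount(DeviceId),
    Devices = make_set(DeviceName, 25),
    AffectedSoftware = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion), 25),
    RecommendedFix = take_any(RecommendedSecurityUpdate)
    by CveId, vulnerabilityName, vendorProject, product, VulnerabilitySeverityLevel,
       dateAdded, dueDate, Overdue
// Overdue items first, then the nearest deadlines, then the widest exposure.
| order by Overdue desc, dueDate asc, DeviceCount desc
```

Two things to keep in mind when you run it. The join is purely on the CVE string, so a match is only as good as the TVM inventory on each device; a CVE that TVM does not yet know how to detect will not appear no matter how many devices are exposed. And the Devices column is a capped set, so use DeviceCount rather than the length of that list when reporting how many machines are affected.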


Find more IT Infrastructure tips at blog.alexmags.com