Exploitable Critical Vulnerabilities

Shows Critical CVEs that are considered exploitable (based on ExploitStatusEnum > 30). Results are aggregated by CVE and exploitability state, including the number of affected hosts.

EDR | monitoring | TA0001
FDR | intermediate | by ByteRay GmbH (cql-hub.com) | 1 min read

Query

#event_simpleName=FEMVulnerabilityMutation
| FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity = Critical
| FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatusEnum > 30
| groupBy([FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Id, FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity, FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatus], function=count(FEMVulnerabilityMutation.VulnerabilityInstance.HostInfo.Hostname))
| sort(_count)
| rename(field=[[FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Id, CVE_ID], [FEMVulnerabilityMutation.VulnerabilityInstance.Cve.ExploitStatus, Ausnutzbarkeit], [FEMVulnerabilityMutation.VulnerabilityInstance.Cve.Severity, Severity], [_count, "Host(s)"]])

Explanation

Imported from cql-hub.com. Add an explanation of the pipes here.

Variables to adjust

Review and adjust the values to fit your environment.