Total vulnerable devices for known exploited vulnerabilities from CISA Defender XDR let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True); DeviceTvmSoftwareVulnerabilities | join kind=inner KnowExploitesVulnsCISA on $left.CveId == $right.cveID | summarize TotalVulnerableDevices = count(), DeviceList = make_set(DeviceName), Description = make_set(shortDescription) by cveID | sort by TotalVulnerableDevices