Can I categorize vulnerabilities by type? i.e.
-Operating System Vulnerabilities
-Application vulnerabilities (detected by installed program or detected file path)
-Configuration Findings (i.e. SNMP or TLS related)
We don't have a current filter at a high level that makes this easy. The only way to currently do that would be to take an output of the current vulnerability categories and group them based on what exists.
If you run a SQL export with a query of:
SELECT category_name FROM dim_vulnerability_category GROUP BY category_name
This output will give you a list of ALL of the possible values for a category. Keep in mind that a lot of these are essentially like tags so a vulnerability may be a part of multiple categories.
However, this is not the first time this has been asked and I believe there is an IDEA in currently for this to include a few more categories for the high level OS/Application type vulnerabilities.
I've asked for this as well, currently I have some really ugly filters on my Remediation Projects that would be so easy if there were vulnerability categories or tags to look for. Also to know if a vulnerability is fixed by a standard patch or something manual like an out-of-band patch or config change, this way we can identify systems that are missing standard patches vs fixes that we haven't gotten to yet.
Currently, this is a difficult, messy process. We exported all of the vulnerability categories and assigned them as "app" or "OS" based on the division of responsibility in our organization. Then I used those lists to build ugly queries for dashboards and remediation projects for each team.
I also had a request from a manager for a breakout of configuration related vulnerabilities. There is not a vulnerability category for that, so the best workaround I could come up with was to build a filter where vulnerability.title DOES NOT CONTAIN "CVE" && vulnerability.title DOES NOT CONTAIN "RHSA" (I needed to exclude Red Hat vulns as well). It's not perfect but it is good enough to meet the need I had.
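The two workarounds above (export the category list, hand-assign each category to an "OS" or "app" owner, and treat anything whose title carries no CVE or RHSA identifier as a configuration finding) can be combined into one query against the reporting data model. The following is an added example written for this thread; it is not a query from the original posts or from the product vendor. It assumes the reporting data model tables dim_vulnerability (vulnerability_id, title), dim_vulnerability_category (vulnerability_id, category_name) and fact_asset_vulnerability_finding (asset_id, vulnerability_id), PostgreSQL syntax (ILIKE), and a hand-built mapping of category names to buckets; the category names in the VALUES list are placeholders to be replaced with the real values from the category export.

```sql
-- Added example, not from the original thread or the vendor.
-- ASSUMED schema: dim_vulnerability(vulnerability_id, title),
--                 dim_vulnerability_category(vulnerability_id, category_name),
--                 fact_asset_vulnerability_finding(asset_id, vulnerability_id).
-- Verify column names against your console's reporting data model docs.

-- Step 1: the hand-maintained mapping from the category export.
-- Replace these PLACEHOLDER category names with the real ones returned by
--   SELECT category_name FROM dim_vulnerability_category GROUP BY category_name
WITH category_owner (category_name, finding_type) AS (
  VALUES
    ('PLACEHOLDER OS CATEGORY 1',  'Operating System'),
    ('PLACEHOLDER OS CATEGORY 2',  'Operating System'),
    ('PLACEHOLDER APP CATEGORY 1', 'Application'),
    ('PLACEHOLDER APP CATEGORY 2', 'Application'),
    ('PLACEHOLDER CONFIG CATEGORY 1', 'Configuration')   -- e.g. an SNMP- or TLS-related category
),

-- Step 2: one row per vulnerability with its bucket.
-- A vulnerability can carry several categories (they behave like tags), so
-- pick the most specific bucket in a fixed order: Configuration, then
-- Operating System, then Application. Anything with no mapped category
-- falls back to the title heuristic from the thread: no CVE and no RHSA
-- in the title is treated as a configuration finding.
vuln_bucket AS (
  SELECT
    dv.vulnerability_id,
    dv.title,
    COALESCE(
      (SELECT co.finding_type
         FROM dim_vulnerability_category dvc
         JOIN category_owner co ON co.category_name = dvc.category_name
        WHERE dvc.vulnerability_id = dv.vulnerability_id
        ORDER BY CASE co.finding_type
                   WHEN 'Configuration'    THEN 1
                   WHEN 'Operating System' THEN 2
                   ELSE 3
                 END
        LIMIT 1),
      CASE
        WHEN dv.title NOT ILIKE '%CVE%' AND dv.title NOT ILIKE '%RHSA%'
          THEN 'Configuration'
        ELSE 'Unmapped (has CVE/RHSA)'   -- review these and extend the mapping
      END
    ) AS finding_type
  FROM dim_vulnerability dv
)

-- Step 3: roll the buckets up over current findings for the dashboard.
SELECT
  vb.finding_type,
  COUNT(*)                      AS findings,
  COUNT(DISTINCT f.asset_id)    AS affected_assets,
  COUNT(DISTINCT f.vulnerability_id) AS distinct_vulnerabilities
FROM fact_asset_vulnerability_finding f
JOIN vuln_bucket vb ON vb.vulnerability_id = f.vulnerability_id
GROUP BY vb.finding_type
ORDER BY findings DESC;
```

Keeping the category-to-bucket mapping in its own CTE (or a small helper table, if your report user can create one) means the categorization lives in one place rather than being duplicated across each team's dashboard and remediation-project filter, and the "Unmapped" row makes it visible which categories still need an owner before the metrics are trusted.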
Does anyone know what the IDEA "id" is in place for this? I feel like this is strange that they don't have a more seamless solution for this especially considering capabilities of competitors. I know another product has a super easy filter for "Detection Method" (i.e. = Library, Installed Program, File Path, Package, Operating System).
This is critical for creating metrics and assigning to remediation teams.