Custom Reporting Help - Exploitable Vulns + Proof Per Asset Group

Hi!
We are using the hosted IVM.
Looking for some help in building a custom report that can display the following - filtered on a per Asset Group basis (that i specify):

  • Asset Name
  • Exploitable Vulnerabilities + Proof
  • Remediations for Exploitable Vulns

The idea is that each team gets sent a report once per month focused on the assets they own (hence the Asset Group filter).

I dont believe there is an inbuilt way of doing this unless someone can tell me im wrong?

Thanks,

Hi rpivm,

First, we use the on-prem ivm console so i’m not sure of the differences, but assuming they are similar then the report detailed below may help.

However, I’ve learnt the hard way that monthly reports are not the best way to do this as the vulnerabilities can quickly get out of date and teams end up trying to resolve vulns from a 3 week old report that are no longer relevant, but this will depend on how your environment is working currently and how many vulns you have etc.

Also, to use the report below you’d need to create one report per asset group and schedule each one to run against the relevant asset group selected in the report setup page. This is fine until you need to amend the report - if you only have 3 asset groups then that’s probably not much of an issue, but if you have 20 then that soon gets annoying. The better way to do this is use Remediation Projects as you can give access to the teams to view the vulns ‘live’, although they come with their own challenges.

The SQL below contains some things specific to our use such as tags etc and the UNION is used just to merge two queries based on these tags (merging Windows and Non-Windows devices effectively) and the REPLACE are just getting rid of comma’s that appear within some of the fields and mess up the SQL import from CSV process that i was using at the time.

SELECT DISTINCT
   da.asset_id,   
   now() as data_date,
   da.ip_address as IP,
   da.host_name AS "Hostname",
   REPLACE(dos.description,',',' ') AS "Operating System",
   REPLACE(dv.title,',',' ') as "Vuln Title",
   REPLACE(ds.summary,',',' ') AS "Best Solution",
   dv.nexpose_id,
   date_published,
   cvss_score,
   riskscore,
   exploits,
   malware_kits,
   dt.tag_name,
   'non-windows'
FROM
   dim_asset da
   JOIN dim_operating_system dos ON dos.operating_system_id = da.operating_system_id
   JOIN dim_asset_vulnerability_best_solution davbs ON davbs.asset_id = da.asset_id
   JOIN dim_solution ds ON ds.solution_id = davbs.solution_id
   JOIN dim_vulnerability dv ON dv.vulnerability_id = davbs.vulnerability_id
   JOIN dim_tag_asset dta ON dta.asset_id = da.asset_id
   JOIN dim_tag dt ON dt.tag_id = dta.tag_id
WHERE 
   dt.tag_type = 'CUSTOM' AND
   dt.tag_name LIKE '%Non_Windows%'
UNION ALL
SELECT DISTINCT
   da.asset_id,   
   now() as data_date,
   da.ip_address,   
   da.host_name AS "Hostname",
   REPLACE(dos.description,',',' ') AS "Operating System",
   REPLACE(dv.title,',',' ') as "Vuln Title",
   REPLACE(ds.summary,',',' ') AS "Best Solution",
   dv.nexpose_id,
   date_published,
   cvss_score,
   riskscore,
   exploits,
   malware_kits,
   'none',
   'windows'
FROM
   dim_asset da
   JOIN dim_operating_system dos ON dos.operating_system_id = da.operating_system_id
   JOIN dim_asset_vulnerability_best_solution davbs ON davbs.asset_id = da.asset_id
   JOIN dim_solution ds ON ds.solution_id = davbs.solution_id
   JOIN dim_vulnerability dv ON dv.vulnerability_id = davbs.vulnerability_id