Is there a attribute in the InsightVM to pull the Vulnerabilities exploited in Wild using SQL query ? Perhaps if the query can also include asset exposure ( Public/ Internal) if the asset is assigned with Public IP address on it’s NIC.
There is a dimension table called [dim_vulnerability_category] that buckets vulnerabilities using categories. This tables DOES include a category called “Exploited in the Wild”.
Here is a basic example that uses the Data Warehouse schema.
-
public_assets is a CTE that attempts to identify only “public” assets by excluding reserved ip address as listed here. This isn’t an exact science per se but should get you close.
-
wild_vulns is a CTE where we use [dim_vulnerability_category] to only include vulnerabilities that have been identified as ‘Exploited in the Wild’.
Finally we join these to our main fact table, in this instance fact_asset_vulnerability_finding and return the details we might need.
WITH public_assets AS (
SELECT
da.*
FROM
dim_asset da
WHERE
da.ip_address::text NOT LIKE '10.%'
AND da.ip_address::text NOT LIKE '100.%'
AND da.ip_address::text NOT LIKE '127.%'
AND da.ip_address::text NOT LIKE '169.%'
AND da.ip_address::text NOT LIKE '172.%'
AND da.ip_address::text NOT LIKE '192.%'
AND da.ip_address::text NOT LIKE '198.%'
AND da.ip_address::text NOT LIKE '203.%'
AND da.ip_address::text NOT LIKE '240.%'
AND da.ip_address::text NOT LIKE '255.%'
), wild_vulns AS (
SELECT
dv.*
FROM
dim_vulnerability dv
JOIN
dim_vulnerability_category dvc ON dv.vulnerability_id = dvc.vulnerability_id
WHERE
dvc.category_name = 'Exploited in the Wild'
)
SELECT
pa.asset_id
,pa.host_name
,pa.ip_address
,pa.os_type
,DATE(pa.last_assessed_for_vulnerabilities) AS last_assessed_for_vulnerabilities
,wv.vulnerability_id
,wv.title AS vulnerability_title
,wv.severity
FROM
fact_asset_vulnerability_finding favf
JOIN
public_assets pa ON favf.asset_id = pa.asset_id
JOIN
wild_vulns wv ON favf.vulnerability_id = wv.vulnerability_id