Hello All,
We are looking for differentiating between if a vulnerability is an application, configuration or patch vulnerability. We are trying to pull high level numbers in our environment based on this filter.
Thanks in advance,
Jacob
Hello All,
We are looking for differentiating between if a vulnerability is an application, configuration or patch vulnerability. We are trying to pull high level numbers in our environment based on this filter.
Thanks in advance,
Jacob
In this case what you can do is get the solution thatâs tied to the vulnerability, and then get that solutionâs solution_type
from the dim_solution
table. The type will be something like âPATCHâ, or âROLLUPâ, etc. to differentiate the types of vulns/vuln solutions.
I had a quick question on the vulnerability category. Does Rapid7 tag all of the web application vulnerabilities with âWebâ and all of the Microsoft Patch vulnerabilities with âMicrosoft Patchâ? I am noticing a trend with this and hoping to use a filter using this.
There is the dim_vulnerability_category
table that has a lot of different vuln categories (200+ I think), things like Oracle, Adobe, Apple, etc. The âWebâ and âMicrosoft Patchâ categories do exist in there, and the vuln IDâs are there to tie them directly to the vulnerabilities, so you could filter by those.
Thank you for your suggestion. Is there any way to see if the vulnerability directly ties to the operating system on the system?
Hmm, what exactly do you mean by âdirectly ties toâ? Because you can see the vulnerabilities of an asset, and you can see that assetâs OS, so thereâs a tie in that way. But it sounds like youâre trying to accomplish something else here.
Yes, what we are trying to look for is if the vulnerability is just patch OS. Just been difficult trying to find a connection to that.
Itâs going to be tough to write a query that perfectly captures vulns with a patch OS solution, since I donât think any of the fields we have to work with will 100% convey that. But you can narrow things down with the âPATCHâ and âROLLUPâ solution types, and then filter based on vuln categories that are OS-specific. Hereâs an example query with that filtering.
SELECT dv.vulnerability_id, dv.title AS vuln, dvc.category_name,
ds.solution_type, ds.summary AS solution
FROM dim_vulnerability dv
JOIN dim_vulnerability_category dvc USING (vulnerability_id)
JOIN asset_vulnerability_best_solution avbs USING (vulnerability_id)
JOIN dim_solution ds USING (solution_id)
WHERE (dvc.category_name = 'Microsoft Windows')
AND (ds.solution_type = 'PATCH' OR ds.solution_type = 'ROLLUP')
GROUP BY dv.vulnerability_id, dv.title, dvc.category_name,
ds.solution_type, ds.summary
Sorry to comment on OPs topic but this sounds like what Iâm researching. Iâve been asked to gather/build a report of assets that lists patches vs configuration issues. I need total patches missing (high/med/low).
Iâve tried combinations of the pre-built reports but not seeing exact what Iâm looking for (I could easily be missing it).
Did you find a way to find assets with missing patches/Kb and config issues??
I have no yet. I found an SQL Example posted on Rapid7 but it keeps failing to finish a scan/report even though it validates correctly. @holly_wilsey
Iâm not positive why it would fail to finish the report if the query is validating. My first thought is itâs pulling back too many vulnerabilities, and it hangs because of data overload. You could try further narrowing the query by interval, for instance.
tried using this query. getting " Error: The query is invalid" on validate. Iâve been tinkering with it for about 6 hrs and for the life of me i cant figure out why its invalid.
Hi christiansm,
I have been toying around with this as well.
I believe this is due to a typo. Because the asset_vulnerability_best_solution table does not exist, however the dim_asset_vulnerability_best_solution does exist.
Could you try the following query?:
SELECT dv.vulnerability_id, dv.title AS vuln, dvc.category_name,
ds.solution_type, ds.summary AS solution
FROM dim_vulnerability dv
JOIN dim_vulnerability_category dvc USING (vulnerability_id)
JOIN dim_asset_vulnerability_best_solution avbs USING (vulnerability_id)
JOIN dim_solution ds USING (solution_id)
WHERE (dvc.category_name = 'Microsoft Windows')
AND (ds.solution_type = 'PATCH' OR ds.solution_type = 'ROLLUP')
GROUP BY dv.vulnerability_id, dv.title, dvc.category_name,
ds.solution_type, ds.summary
Good morning. I have been trying to work on this the last 2 days and see that although the sql query validates the reports never completes. In fact it aborts. Any other suggestions or is there a report that could be made to accomplish this where patches and configuration related items can be split out?
I just ran the query you posted and it previewed just fine for me (see screenshot)
It could be an issue with the scope if youâre running this against your global list of assets and you happen to have a very large count of assets. Try scoping the query down to a specific site or asset group and re run the query.
Thanks for replying. I did try against a specific asset group. Perhaps itâs too large. Iâll try a smaller scope group. Is there a better way to break out and report patches vs. configuration related issues for say windows servers.
narrowing the scope did in fact work. How would I run this for items that arenât a patch? Configurations related vulnerabilities, ie: smbv1 enabled. Not having much success
Instead of the above, try something like this
WHERE ds.solution_type LIKE 'WORKAROUND'
that did work.Thanks for your help. Is there a way to get this to work on a larger scale? Trying to sort this out for all our Windows Servers. The subset I was successful with was only 200 or so assets. Also can they be grouped by the impacted assets? Not sure what that variable would be