We are refreshing our reporting to management and we would like to have a report showing vulnerabilities that were NOT remediated within the timelines dictated within our policy, e.g. Critical 30 days, High 60 days.
Is anyone aware of a way (ideally via GUI reporting) to export remediated vulnerabilities with the date they were remediated so we can follow up on those that were not completed within the policy timelines? I’ve searched the Rapid7 InsightVM community, but no obvious solutions.
This data has been readily available for export via standard GUI based reports in previous solutions we’ve used.
Interested in this as well. Considering that you can see the vulnerabilities that were remediated on an asset's page, I imagine this would be possible. Perhaps a SQL query - but I'm not real smart on that. I know there is a report you can run that shows vulnerabilities “not found in current scan” but I've noticed that isn't accurate, nor does it give a date - it's more of a range of time based on previous scans.
We have also been asking for this.
Again, also interested in this, as it is a required security metric for most organisations.
We are also interested in this.
Also interested. It would be great to get this information to track what has been accomplished during patching cycles, versus only reporting what still remains.
My understanding is that the only way to get a report with remediation data is to have data warehousing; we are in the process of setting this up. Configuring data warehousing settings | Nexpose Documentation (rapid7.com)
I also played around with some SQL queries; this one shows CVSS score 9-10 over 15 days from first date discovered:
-- CVSS 9-10 findings first discovered more than 15 days ago
SELECT da.ip_address, da.host_name, dv.nexpose_id, dv.title AS "Vulnerability Title",
       dv.cvss_score, fava.first_discovered
FROM dim_asset da
JOIN fact_asset_vulnerability_finding favf
  ON da.asset_id = favf.asset_id
JOIN fact_asset_vulnerability_age fava
  ON favf.vulnerability_id = fava.vulnerability_id
 AND favf.asset_id = fava.asset_id  -- match the age row for the same asset
JOIN dim_vulnerability dv
  ON favf.vulnerability_id = dv.vulnerability_id
WHERE dv.cvss_score >= 9
  AND NOW() - INTERVAL '15 Days' > fava.first_discovered
GROUP BY da.ip_address, da.host_name, dv.nexpose_id, dv.title, dv.cvss_score, fava.first_discovered
ORDER BY fava.first_discovered
Isn’t “first discovered” the date when the first instance of a vulnerability was discovered in the whole environment? Does it vary between assets for one vulnerability?
Got an update on something that can be used - a dashboard card called New vs. Remediated Vulnerability Comparison Over Time. R7 support provided me this, so hopefully it helps someone else out as well.
Go into your Dashboard and in the Exploited Vulnerability Dashboard, click on the + Add Card button on the right and search for it. Once added you can change dates around and also export to CSV. Ajay from R7 recommended not going beyond a year as it can start to run into issues. The card will show New and Remediated each month during that timeframe and is based on a Monday.
Hope that helps!
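For the policy check the thread is asking about (Critical 30 days, High 60 days), here is an added example, not code from any poster or from Rapid7, that classifies per-finding rows once first-found and remediated dates are available, for instance from the data warehouse mentioned above. The CSV layout, column names and sample rows are constructed assumptions, not an InsightVM export format.

```python
import csv
import io
from datetime import date, timedelta

# Policy timelines from the original post; add other severities as needed.
SLA_DAYS = {"critical": 30, "high": 60}

# Constructed sample rows; the column names are hypothetical, not a Rapid7 export format.
SAMPLE_CSV = """asset,vulnerability,severity,first_found,remediated_on
web01,vuln-a,Critical,2024-01-02,2024-01-20
web01,vuln-b,Critical,2024-01-02,2024-02-15
db01,vuln-c,High,2024-01-10,
db01,vuln-d,High,2024-03-01,
app01,vuln-e,Medium,2024-01-05,2024-04-01
"""

def sla_status(row, today):
    """Classify one finding against the policy timeline for its severity."""
    days = SLA_DAYS.get(row["severity"].strip().lower())
    if days is None:
        return "no_sla", None  # severity not covered by the policy
    due = date.fromisoformat(row["first_found"]) + timedelta(days=days)
    fixed = row["remediated_on"].strip()
    if fixed:
        closed = date.fromisoformat(fixed)
        status = "remediated_in_sla" if closed <= due else "remediated_late"
        return status, (closed - due).days
    # Still open: overdue once today's date has passed the due date.
    status = "open_overdue" if today > due else "open_in_sla"
    return status, (today - due).days

def sla_report(csv_text, today):
    """Return (asset, vulnerability, status, days_past_due) for every row."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status, past_due = sla_status(row, today)
        report.append((row["asset"], row["vulnerability"], status, past_due))
    return report

def breaches(csv_text, today):
    """Only the findings that missed the policy timeline."""
    return [r for r in sla_report(csv_text, today)
            if r[2] in ("remediated_late", "open_overdue")]

if __name__ == "__main__":
    for asset, vuln, status, past_due in breaches(SAMPLE_CSV, date(2024, 4, 1)):
        print(f"{asset:6} {vuln:8} {status:16} {past_due:+d} days vs. due date")
```

Findings that are still open are measured against the report date, so the same run covers both late remediations and overdue open items.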