I am looking for an option to add a vulnerability age filter while creating a report. For example, I want to create a report with the below-mentioned filters:
Thatâs correct. I am getting these options in the query builder. But I need this option in the report section as I need to pull the report with this filter and eventually we will reduce the days from 90 to 60 and 30.
The simplest way is a custom SQL report. I have included a step-by-step for you to learn how to do this yourself.
Step by step:
Click reports
Click new
Click all tab
In search templates search box search for SQL
Click the SQL Query Export report
Click the box that says click to define or edit a query, and preview the results.
Click on the ? next to define a SQL query
Select Vulnerability Findings
Find the last line that starts with order by
Insert a new line above the last line where dv.date_published > current_date - interval '90 days'
TIP: when testing SQL, sometimes it can take a while. To save time. Scope The report to a small site, asset group, or a small number of assets before doing a preview or running the query.
When you get done it should look like this
SELECT ds.name AS site, da.ip_address, da.host_name, da.mac_address, dv.title AS vulnerability_title, dv.severity,
round(dv.cvss_score::numeric, 2) AS cvss_score, round(dv.riskscore::numeric, 0) AS risk
FROM fact_asset_vulnerability_finding favf
JOIN dim_asset da USING (asset_id)
JOIN dim_operating_system dos USING (operating_system_id)
JOIN dim_vulnerability dv USING (vulnerability_id)
JOIN dim_site_asset dsa USING (asset_id)
JOIN dim_site ds USING (site_id)
where dv.date_published < current_date - interval '90 days'
ORDER BY da.ip_address ASC, dv.title ASC
If you want to learn more SQL reporting, I would recommend messing around with the sample reports that are included in step 7 above, then looking up the tables below on the web links. Try and add or remove a field for one of the tables that are included. Next thing you know you will be making your own from scratch. If you get stuck, google try your best. post what you are trying here, it is easier to help someone if they share what they are struggling with.
Thanks for the detailed explanation and for sharing the final query. I am trying to edit the query and add a condition where the CVSS score is greater than equals 7. However, facing some challenges (that is because of not having hands-on on SQL queries).
SELECT ds.name AS site, da.ip_address, da.host_name, da.mac_address, dv.title AS vulnerability_title, dv.severity,
round(dv.cvss_score::numeric, 2) AS cvss_score, round(dv.riskscore::numeric, 0) AS risk
FROM fact_asset_vulnerability_finding favf
JOIN dim_asset da USING (asset_id)
JOIN dim_operating_system dos USING (operating_system_id)
JOIN dim_vulnerability dv USING (vulnerability_id)
JOIN dim_site_asset dsa USING (asset_id)
JOIN dim_site ds USING (site_id)
where dv.date_published < current_date - interval '90 days' and dv.cvss_score >= 7
ORDER BY da.ip_address ASC, dv.title ASC
To further narrow down the results, I have added âdos.description LIKE âMICROSOFTââ to the query, and the final query is as below. However, not getting any output.
SELECT ds.name AS site, da.ip_address, da.host_name, da.mac_address, dv.title AS vulnerability_title, dv.severity, dos.description AS operating_system,
round(dv.cvss_score::numeric, 2) AS cvss_score, round(dv.riskscore::numeric, 0) AS risk
FROM fact_asset_vulnerability_finding favf
JOIN dim_asset da USING (asset_id)
JOIN dim_operating_system dos USING (operating_system_id)
JOIN dim_vulnerability dv USING (vulnerability_id)
JOIN dim_site_asset dsa USING (asset_id)
JOIN dim_site ds USING (site_id)
where dv.date_published < current_date - interval â90 daysâ and dv.cvss_score >= 7 and dos.description LIKE âMICROSOFTâ
ORDER BY da.ip_address ASC, dv.title ASC
Ok. I did multiple trials and errors and was able to get the right query. Below is the one.
SELECT ds.name AS site, da.ip_address, da.host_name, da.mac_address, dv.title AS vulnerability_title, dv.severity, dos.description AS operating_system,
round(dv.cvss_score::numeric, 2) AS cvss_score, round(dv.riskscore::numeric, 0) AS risk
FROM fact_asset_vulnerability_finding favf
JOIN dim_asset da USING (asset_id)
JOIN dim_operating_system dos USING (operating_system_id)
JOIN dim_vulnerability dv USING (vulnerability_id)
JOIN dim_site_asset dsa USING (asset_id)
JOIN dim_site ds USING (site_id)
where dv.date_published > current_date - interval â90 daysâ and dv.cvss_score >= 7 and dos.description LIKE â%Microsoft Windows%â is true
ORDER BY da.ip_address ASC, dv.title ASC
SELECT ds.name AS site, da.ip_address, da.host_name, da.mac_address, dv.title AS vulnerability_title, dv.severity, dos.description AS operating_system,
round(dv.cvss_score::numeric, 2) AS cvss_score, round(dv.riskscore::numeric, 0) AS risk, round (age_in_days::numeric, 0) as age_in_days
FROM fact_asset_vulnerability_finding favf
JOIN dim_asset da USING (asset_id)
JOIN dim_operating_system dos USING (operating_system_id)
JOIN dim_vulnerability dv USING (vulnerability_id)
JOIN dim_site_asset dsa USING (asset_id)
JOIN dim_site ds USING (site_id)
join fact_asset_vulnerability_age fava using (asset_id, vulnerability_id)
where dv.date_published > current_date - interval '90 days' and dv.cvss_score >= 7 and dos.description LIKE '%Microsoft Windows%' is true
ORDER BY da.ip_address ASC, dv.title ASC
When I validate the query, the query seems to be working fine however I am unable to pull the report. When I try to run the report is getting aborted. I am trying to pull the report for a custom tag which has around 187 assets.
Any idea what could be the reason? is it because of server resources?
You should share your query and put in preformatted text looks like </>
Try a preview after you validate the SQL.
Reduce the scope of the report to one asset that you know should have vulnerabilities. Maybe try on a small site or another tab.