05-06-2026 12:16 PM
I'm running the following script; it should display the critical vulnerabilities on MacOS systems.
//List critical vulnerabilities on all MacOS endpoints
config case_sensitive = false
| dataset = va_cves
| filter os_type = ENUM.MACOS and severity = ENUM.CRITICAL
| fields severity,name,description,affected_products,type,severity_score,os_type,affected_hosts_count,affected_hosts,modification_date,publication_date,exploitability_score
| sort desc severity_score
The problem is that the affected_hosts array also contains Windows systems that are affected by the same CVEs.
How can I filter so it only reports MacOS systems?
All our MacBook names start with "MBP-", but I was not able to filter on that so far.
05-07-2026 03:29 AM
Was able to sort it out a bit more.
dataset = va_cves
| filter os_type contains "*MAC*" and severity = ENUM.CRITICAL
| arrayexpand affected_hosts
| filter affected_hosts contains "MBP-*"
| arrayexpand os_type
| filter os_type contains "*MAC*"
//| alter abc = json_extract(affected_hosts ,"$.version")
| fields severity,name,description,affected_products,type,severity_score,os_type,affected_hosts_count,affected_hosts,modification_date,publication_date,exploitability_score
| sort desc severity_score, desc name
This returns MacBooks only, but the hostname_count field needs work, and affected_products also.
Would be even nicer to have one row with all the MacBook names for each CVE instead of each MacBook having its own row.
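
One way to get a single row per CVE with only the "MBP-" hosts and a recomputed host count, as an added example that is not part of the original thread. It reuses the `arrayexpand` and hostname filter from the post above, then re-aggregates with `comp`; the output column names `mac_hosts` and `mac_hosts_count` are made up for this example, and it assumes each element of `affected_hosts` is a plain hostname string.

```xql
// Added example: collapse the expanded rows back to one row per CVE.
// Hostname prefix "MBP-" and the filter syntax are taken from the post above.
dataset = va_cves
| filter severity = ENUM.CRITICAL
// One row per (CVE, host) so each host can be tested individually
| arrayexpand affected_hosts
| filter affected_hosts contains "MBP-*"
// Re-group by CVE: values() rebuilds the host array from the surviving rows,
// count_distinct() replaces affected_hosts_count, which still counts all OSes
| comp values(affected_hosts) as mac_hosts, count_distinct(affected_hosts) as mac_hosts_count by name, severity, severity_score, exploitability_score, publication_date, modification_date
| sort desc severity_score, desc name
```

The match is on a naming convention, not on the host's actual operating system, so a Mac that does not follow the "MBP-" pattern is silently left out of the report.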

