05-29-2024 11:15 PM
Is it possible to create a Vulnerability Assessment based on endpoint, with endpoint name, number of CVEs, Severity, Severity Score, Last Reported Timestamp and Endpoint Type?
05-29-2024 11:37 PM
Hello @Toppenberg ,
Thank you for reaching out to Live Community.
You can refer to below query as sample:
dataset = va_cves
| fields name, cve_id, severity, severity_score, affected_hosts
| arrayexpand affected_hosts
| join (preset = host_inventory_endpoints | fields endpoint_name, operating_system, endpoint_type, last_report_time) as ep ep.endpoint_name = affected_hosts
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".
05-30-2024 12:08 AM
Hi Ashutosh,
Thanks for your reply.
But the query that you sent me doesn't give me the report the way I want it.
What I want to see in the report is:
"Endpoint Name", The number of CVE's that the endpoint is vulnerable for, "Severity", "Severity Score" and "Last Reported Timestamp".
With other words, I want to have a report that give me the same information as when I navigate to:
"Assets" => "Vulnerability Assessment" => and then click on "Endpoints" in the upper corner.
05-30-2024 12:14 AM
Hello @Toppenberg ,
Please check below:
dataset = va_cves
| fields name, cve_id, severity, severity_score, affected_hosts
| arrayexpand affected_hosts
| join (preset = host_inventory_endpoints | fields endpoint_name, operating_system, endpoint_type, last_report_time) as ep ep.endpoint_name = affected_hosts
| comp count(name) as Total_cve by endpoint_name, severity, severity_score, last_report_time
05-30-2024 12:23 AM
Hi Ashutosh,
Still, this is not the way I want the report to be, because this way the report will be very long.
The way I want the report to be is like below:
Endpoint, the number of CVEs (Total CVEs), Severity Score (the highest severity score of the CVEs), Severity (based on the endpoint)
Thanks in advance
05-30-2024 04:45 AM
Hi Ashutosh,
So the query will look like this:
dataset = va_endpoints
| fields affected_hosts, severity, severity_score, name
| arrayexpand affected_hosts
| join (preset = host_inventory_endpoints | fields endpoint_name, operating_system, endpoint_type, last_report_time) as ep ep.endpoint_name = affected_hosts
But then I cannot press "Run".
05-30-2024 04:49 AM
This is not a valid query.
Maybe you can just run dataset = va_endpoints, analyze the output and create your own as per your requirement.
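For reference, an added XQL query (not posted by anyone in this thread) that produces the one-row-per-endpoint report the asker described: total CVEs per endpoint, the highest severity score, and a severity derived from it. It assumes the va_cves and host_inventory_endpoints field names shown above, and the CVSS-style score bands used to derive the endpoint severity are an assumption you should align with your tenant's severity values.

```xql
// Added example: one row per endpoint from va_cves, joined to the endpoint inventory.
// Assumes the field names used in this thread; severity bands below are an assumption.
dataset = va_cves
| fields cve_id, severity_score, affected_hosts
// One row per (CVE, host) pair
| arrayexpand affected_hosts
// Aggregate per host BEFORE joining, so the result stays one row per endpoint
| comp count_distinct(cve_id) as total_cves, max(severity_score) as max_severity_score by affected_hosts
// Left join keeps hosts that are missing from the inventory preset
| join type = left (preset = host_inventory_endpoints
    | fields endpoint_name, endpoint_type, last_report_time) as ep ep.endpoint_name = affected_hosts
// Endpoint severity derived from its worst CVE (CVSS v3 bands; assumption)
| alter endpoint_severity = if(max_severity_score >= 9, "critical",
                               if(max_severity_score >= 7, "high",
                                  if(max_severity_score >= 4, "medium", "low")))
| fields affected_hosts as endpoint, total_cves, max_severity_score, endpoint_severity, endpoint_type, last_report_time
// Worst endpoints first
| sort desc max_severity_score, desc total_cves
```

Because the aggregation runs before the join, the report has exactly one line per endpoint, which avoids the very long per-CVE output the earlier comp-by-severity query produced.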