Systems without vulnerabilities - exploitable and patchable critical and high¶
Description¶
The percentage of systems that were active in the last 30 days that have vulnerabilities classified as critical or high priority, providing critical insight into the organisation's ability to minimize exposure to known threats and effectively reduce the attack surface.
How we measure it¶
Find all active hosts per your vulnerability management system. Join the hosts with the vulnerability database, and filter the vulnerabilities on the criteria as defined in the metric definition.
Meta Data¶
| Attribute | Value |
|---|---|
| Metric id | vm_posture_critical |
| Category | Vulnerability Management |
| SLO | 80.00% - 95.00% |
| Weight | 0.2 |
| Type |  |
References¶
| Framework | Ref | Domain | Control |
|---|---|---|---|
| ISO 27001:2022 | A.8.8 | 8 Technological controls | Management of technical vulnerabilities |
| CIS 8.1 | 7.5 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Internal Enterprise Assets |
| CIS 8.1 | 7.6 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets |
| NIST CSF v2.0 | ID.RA-01 | Risk Assessment (ID.RA) | ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded |
Code¶
SELECT
host.hostname AS resource,
'host' as resource_type,
CASE
WHEN count(cve.aid) = 0 THEN 1
ELSE 0
END AS compliance,
CAST(count(cve.*) as text) AS detail
FROM
{{ ref('crowdstrike_hosts') }} AS host
LEFT JOIN
{{ ref('crowdstrike_vulnerabilities') }} AS cve
ON
host.device_id = cve.aid
AND cve.status IN ('open', 'reopen')
AND cve.severity IN ('HIGH', 'CRITICAL')
WHERE
CURRENT_DATE - CAST(STRPTIME(host.last_seen, '%Y-%m-%dT%H:%M:%SZ') AS DATE) < 30
GROUP BY
host.hostname
SELECT
asset.hostname AS resource,
'host' AS resource_type,
CASE
WHEN count(cve.plugin.id) = 0 THEN 1
ELSE 0
END AS compliance,
CAST(count(cve.plugin) AS text) AS detail
FROM
{{ ref('tenable_assets') }} AS asset
LEFT JOIN
{{ ref('tenable_vulnerabilities') }} AS cve
ON
asset.uuid = cve.asset.uuid
AND cve.state IN ('OPEN', 'REOPENED')
AND cve.severity IN ('high', 'critical')
WHERE
CURRENT_DATE - CAST(asset.last_seen AS DATE) < 30
GROUP BY
asset.hostname