Systems without vulnerabilities - non-critical patched in a month
Description
The percentage of systems that have been active in the last 30 days and have no open non-critical vulnerabilities published more than a month ago, that is, every non-critical vulnerability that has been public for at least 30 days has been remediated on the host. High and critical findings are out of scope for this metric. The metric shows how well the organisation keeps up with routine patching of known weaknesses and steadily reduces its attack surface.
How we measure it
Take every host the vulnerability management system has seen in the last 30 days. Left-join those hosts to their vulnerability findings, keeping only findings that are still open, are rated below high, and were published 30 or more days ago. A host is compliant when no such finding remains; the detail column carries the number of outstanding findings. Keep the finding-side filters (status, severity, age) in the join condition rather than in the WHERE clause, otherwise hosts with no matching findings are dropped from the result instead of being counted as compliant.
Meta Data
Attribute | Value |
---|---|
Metric id | vm_posture_non_critical_month |
Category | Vulnerability Management |
SLO | 90.00% - 95.00% |
Weight | 0.8 |
Type |
References
Framework | Ref | Domain | Control |
---|---|---|---|
ISO 27001:2022 | A.8.8 | 8 Technological controls | Management of technical vulnerabilities |
CIS 8.1 | 7.5 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Internal Enterprise Assets |
CIS 8.1 | 7.6 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets |
NIST CSF v2.0 | ID.RA-01 | Risk Assessment (ID.RA) | ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded |
Essential8-ML2 | ISM-1693 | Patch applications | Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release. |
Essential8-ML3 | ISM-1693 | Patch applications | Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release. |
Essential8-ML1 | ISM-1695 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release. |
Essential8-ML2 | ISM-1695 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release. |
Essential8-ML3 | ISM-1697 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. |
Essential8-ML3 | ISM-1902 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. |
Essential8-ML3 | ISM-1904 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. |
Code

CrowdStrike:

```sql
SELECT
    host.hostname AS resource,
    'host' AS resource_type,
    -- compliant when no non-critical finding older than 30 days is still open
    CASE
        WHEN count(cve.aid) = 0 THEN 1
        ELSE 0
    END AS compliance,
    CAST(count(cve.aid) AS text) AS detail
FROM
    {{ ref('crowdstrike_hosts') }} AS host
LEFT JOIN
    {{ ref('crowdstrike_vulnerabilities') }} AS cve
ON
    host.device_id = cve.aid
    AND cve.status IN ('open', 'reopen')
    AND cve.severity NOT IN ('HIGH', 'CRITICAL')
    -- the age filter stays in the join condition: a host with no matching
    -- finding keeps its NULL row and is counted as compliant instead of
    -- being dropped by a NULL comparison in WHERE
    AND CURRENT_DATE - CAST(cve.published_date AS DATE) >= 30
WHERE
    -- only hosts the sensor has seen in the last 30 days are in scope
    CURRENT_DATE - CAST(STRPTIME(host.last_seen, '%Y-%m-%dT%H:%M:%SZ') AS DATE) < 30
GROUP BY
    host.hostname
```

Tenable:

```sql
SELECT
    asset.hostname AS resource,
    'host' AS resource_type,
    CASE
        WHEN count(cve.plugin.id) = 0 THEN 1
        ELSE 0
    END AS compliance,
    CAST(count(cve.plugin.id) AS text) AS detail
FROM
    {{ ref('tenable_assets') }} AS asset
LEFT JOIN
    {{ ref('tenable_vulnerabilities') }} AS cve
ON
    asset.uuid = cve.asset.uuid
    AND cve.state IN ('OPEN', 'REOPENED')
    -- non-critical only; high and critical findings are out of scope here
    AND cve.severity NOT IN ('high', 'critical')
    -- age is taken from the plugin publication date, mirroring published_date
    -- in the CrowdStrike query (assumes the model exposes the export's
    -- plugin.publication_date field); last_found is the most recent detection
    -- time and says nothing about how long the finding has been known
    AND CURRENT_DATE - CAST(cve.plugin.publication_date AS DATE) >= 30
WHERE
    -- only assets seen in the last 30 days are in scope
    CURRENT_DATE - CAST(asset.last_seen AS DATE) < 30
GROUP BY
    asset.hostname
```
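The effect of where the finding-side filters sit, as an added example that is not part of this page or the metrics catalog. It rebuilds the CrowdStrike-shaped query in Python over SQLite with constructed hosts and findings, runs the variant with the age filter in the WHERE clause beside the variant with it in the join condition, and compares the per-host results and the resulting compliance rate. `julianday()` stands in for DuckDB's date arithmetic, and the pinned `TODAY` date is an assumption that keeps the output deterministic.

```python
# Added example, not the metrics catalog's own code: why the finding-side
# filters must sit in the LEFT JOIN condition. SQLite stands in for the
# warehouse so this runs offline; julianday() does the day arithmetic that
# CURRENT_DATE - CAST(... AS DATE) does in the page's queries.
import sqlite3

TODAY = "2024-06-30"  # pinned "today" (assumption) so results are deterministic

# Constructed sample data, shaped like the hosts and vulnerabilities models.
HOSTS = [
    # (device_id, hostname, last_seen)
    ("aid-001", "web-01", "2024-06-29"),  # active, one overdue MEDIUM finding -> non-compliant
    ("aid-002", "db-01", "2024-06-28"),   # active, no findings at all         -> compliant
    ("aid-003", "app-01", "2024-06-27"),  # active, only a 10-day-old finding  -> compliant (not yet due)
    ("aid-004", "old-01", "2024-04-01"),  # last seen 90 days ago              -> out of scope
    ("aid-005", "app-02", "2024-06-25"),  # active, only a CRITICAL finding    -> compliant for this metric
]
VULNS = [
    # (aid, status, severity, published_date)
    ("aid-001", "open", "MEDIUM", "2024-05-01"),
    ("aid-001", "closed", "LOW", "2024-05-01"),       # remediated, ignored
    ("aid-003", "open", "LOW", "2024-06-20"),         # younger than 30 days
    ("aid-004", "open", "MEDIUM", "2024-05-01"),      # host is inactive
    ("aid-005", "reopen", "CRITICAL", "2024-05-01"),  # high/critical excluded
]

# Same shape as the original page query: the age filter sits in WHERE, so a
# host with no matching finding has a NULL published_date, the comparison
# yields NULL and the host disappears from the result.
QUERY_FILTER_IN_WHERE = """
SELECT h.hostname,
       CASE WHEN count(v.aid) = 0 THEN 1 ELSE 0 END AS compliance,
       count(v.aid) AS detail
FROM hosts AS h
LEFT JOIN vulns AS v
  ON h.device_id = v.aid
 AND v.status IN ('open', 'reopen')
 AND v.severity NOT IN ('HIGH', 'CRITICAL')
WHERE julianday(:today) - julianday(h.last_seen) < 30
  AND julianday(:today) - julianday(v.published_date) >= 30
GROUP BY h.hostname
"""

# Age filter moved into the join condition: unmatched hosts keep their NULL
# finding row, count() ignores it, and they are reported as compliant.
QUERY_FILTER_IN_JOIN = """
SELECT h.hostname,
       CASE WHEN count(v.aid) = 0 THEN 1 ELSE 0 END AS compliance,
       count(v.aid) AS detail
FROM hosts AS h
LEFT JOIN vulns AS v
  ON h.device_id = v.aid
 AND v.status IN ('open', 'reopen')
 AND v.severity NOT IN ('HIGH', 'CRITICAL')
 AND julianday(:today) - julianday(v.published_date) >= 30
WHERE julianday(:today) - julianday(h.last_seen) < 30
GROUP BY h.hostname
"""


def build_db() -> sqlite3.Connection:
    """In-memory tables mirroring the hosts and vulnerabilities models."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE hosts (device_id TEXT, hostname TEXT, last_seen TEXT);"
        "CREATE TABLE vulns (aid TEXT, status TEXT, severity TEXT, published_date TEXT);"
    )
    con.executemany("INSERT INTO hosts VALUES (?, ?, ?)", HOSTS)
    con.executemany("INSERT INTO vulns VALUES (?, ?, ?, ?)", VULNS)
    return con


def run(query: str) -> dict[str, tuple[int, int]]:
    """Return {hostname: (compliance, outstanding_findings)} for one query."""
    con = build_db()
    try:
        rows = con.execute(query, {"today": TODAY}).fetchall()
    finally:
        con.close()
    return {hostname: (int(compliance), int(detail)) for hostname, compliance, detail in rows}


def compliance_rate(results: dict[str, tuple[int, int]]) -> float:
    """Share of in-scope hosts that are compliant, the number the SLO is measured against."""
    if not results:
        return 0.0
    return sum(compliance for compliance, _ in results.values()) / len(results)


if __name__ == "__main__":
    for label, query in (("filter in WHERE", QUERY_FILTER_IN_WHERE), ("filter in JOIN", QUERY_FILTER_IN_JOIN)):
        results = run(query)
        print(f"{label}: {results} -> rate {compliance_rate(results):.2f}")
```

With the filter in WHERE only `web-01` survives, so the metric reports 0% compliance over a single host; with the filter in the join condition all four active hosts are scored and three of them are compliant (75%). The out-of-scope host `old-01` is excluded in both variants because the host-side recency check belongs in WHERE.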