OS vulnerabilities not remediated within SLO - patchable exploitable¶
Description¶
The percentage of systems that were active in the last 30 days that have resolved patchable, exploitable operating system vulnerabilities within the agreed Service Level Objective (SLO), providing critical insight into the organisation's "Patch Tuesday Priority" - Just bloody patch it effectiveness.
How we measure it¶
Find all active hosts per your vulnerability management system. Join the hosts with the vulnerability database, and filter the vulnerabilities on the criteria as defined in the metric definition.
Meta Data¶
| Attribute | Value |
|---|---|
| Metric id | vm_performance_patchable_exploitable_os |
| Category | Vulnerability Management |
| SLO | 95.00% - 98.00% |
| Weight | 0.9 |
| Type |  |
References¶
| Framework | Ref | Domain | Control |
|---|---|---|---|
| CIS 8.1 | 7.7 | Continuous Vulnerability Management | Remediate Detected Vulnerabilities |
| ISO 27001:2022 | A.8.8 | 8 Technological controls | Management of technical vulnerabilities |
| NIST CSF v2.0 | ID.RA-01 | Risk Assessment (ID.RA) | ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded |
Code¶
SELECT
host.hostname AS resource,
'host' AS resource_type,
CASE
WHEN cve.status NOT IN ('open', 'reopen') then 1
WHEN CURRENT_DATE - CAST(cve.published_date AS DATE) < 7 THEN 1
WHEN CURRENT_DATE - CAST(cve.created_timestamp AS DATE) < 3 THEN 1
ELSE 0
END AS compliance,
'Crowdstrike : ' || cve.cve.id || '(' || cve.severity || ') - ' || unnest(cve.remediation.entities).title AS detail
FROM
{{ ref('crowdstrike_hosts') }} AS host
LEFT JOIN
{{ ref('crowdstrike_vulnerabilities') }} AS cve
ON host.device_id = cve.aid
AND cve.status IN ('open', 'reopen')
WHERE
CURRENT_DATE - CAST(STRPTIME(host.last_seen, '%Y-%m-%dT%H:%M:%SZ') AS DATE) < 30 AND
coalesce(cve.cve.remediation_level = 'O', false) is true AND
coalesce(cve.cve.exploit_status > 0, false) is true AND
cve.severity IN ('HIGH', 'CRITICAL')
SELECT
cve.asset.hostname as resource,
'host' AS resource_type,
CASE
WHEN cve.state NOT IN ('OPEN', 'REOPENED') then 1
WHEN CURRENT_DATE - CAST(cve.plugin.publication_date AS DATE) < 7 THEN 1
WHEN CURRENT_DATE - CAST(cve.first_found AS DATE) < 3 THEN 1
ELSE 0
END AS compliance,
'TenableIO : ' || unnest(cve.plugin.cve) || '(' || cve.severity || ') - ' || cve.plugin.name AS detail
FROM
{{ ref('tenable_vulnerabilities') }} AS cve
WHERE
CURRENT_DATE - CAST(cve.last_found AS DATE) < 30 AND
cve.plugin.exploit_available is true AND
cve.plugin.has_patch is true AND
cve.severity in ('high','critical')