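├── Asset-Count,-Total-Vulns,-Risk-Score-by-Asset-Group.sql
├── Assets with Vulns Beyond SLA Count.sql
├── Authenticated Scan Percentage-by-Asset-Group-Detailed.sql
├── Authenticated Scan Percentage-by-Asset-Group.sql
├── Authenticated Scan Percentage.sql
├── Daily-New-Vulns.sql
├── Daily-Remediated-Vulns.sql
├── No High+ Vulns-by-Asset-Group.sql
├── No High+ Vulns.sql
├── README.md
├── SMB-Share-Finder.sql
├── Weekly-New-Vulns.sql
├── Weekly-Remediated-Vulns.sql
├── _config.yml
├── detailed-vulns.sql
├── fingerprint-check.sql
├── new-asset-report-daily.sql
├── vuln-count-by-severity.sql
├── vulns-beyond-sla-detailed.sql
└── vulns-beyond-sla.sql
/Asset-Count,-Total-Vulns,-Risk-Score-by-Asset-Group.sql:
--------------------------------------------------------------------------------
-- Asset count, total vulnerabilities and rounded risk score for each of the
-- twelve reported asset groups.
-- Output: asset_group, assets, vulnerabilities, riskscore.
WITH group_labels (asset_group_id, asset_group, group_rank) AS (
    -- Report label for each asset_group_id. group_rank is a numeric sort key:
    -- sorting on the label text puts 'Group 9' ahead of 'Group 12'.
    VALUES
        (2,  'Group 1',  1),
        (29, 'Group 2',  2),
        (25, 'Group 3',  3),
        (56, 'Group 4',  4),
        (55, 'Group 5',  5),
        (40, 'Group 6',  6),
        (4,  'Group 7',  7),
        (66, 'Group 8',  8),
        (28, 'Group 9',  9),
        (26, 'Group 10', 10),
        (8,  'Group 11', 11),
        (27, 'Group 12', 12)
)
SELECT
    gl.asset_group,
    fag.assets,
    fag.vulnerabilities,
    ROUND(fag.riskscore::numeric, 0) AS riskscore
FROM fact_asset_group AS fag
-- the inner join both labels the group and restricts the report to the
-- twelve ids listed above
INNER JOIN group_labels AS gl USING (asset_group_id)
ORDER BY gl.group_rank DESC;
--------------------------------------------------------------------------------
/Assets with Vulns Beyond SLA Count.sql:
--------------------------------------------------------------------------------
-- Number of assets per asset group that carry at least one finding whose
-- remediation window has elapsed.
-- Output: asset_group, assets_beyond_sla (the original emitted the same count
-- under the default column name "sum"; its per-band zero-filled columns never
-- reached the output and are not reproduced).
-- Remediation window by weighted-severity band:
--   urgent (> 1200)        1 day
--   critical (900..1200)   7 days
--   high (600..<900)       14 days
--   medium (300..<600)     30 days
--   low (< 300)            90 days
-- NOTE(review): the SLA clock is dv.date_added (when the vulnerability
-- definition was added to the warehouse), not the date the finding was first
-- observed on the asset — confirm this is the intended basis.
WITH group_labels (asset_group_id, asset_group, group_rank) AS (
    VALUES
        (2,  'Group 1',  1),
        (29, 'Group 2',  2),
        (25, 'Group 3',  3),
        (56, 'Group 4',  4),
        (55, 'Group 5',  5),
        (40, 'Group 6',  6),
        (4,  'Group 7',  7),
        (66, 'Group 8',  8),
        (28, 'Group 9',  9),
        (26, 'Group 10', 10),
        (8,  'Group 11', 11),
        (27, 'Group 12', 12)
),
tag_weights (tag_id, weight) AS (
    -- Asset-criticality tag -> multiplier applied to the vulnerability
    -- riskscore. Tag 90 is the "no rating" tag and is weighted 1.0. Assets
    -- carrying none of these tags are excluded, exactly as the original
    -- predicate excluded them; an asset with several rated tags is evaluated
    -- once per tag, also as before.
    VALUES
        (1,  2.0),
        (2,  1.2),
        (3,  1.1),
        (4,  1.0),
        (5,  0.75),
        (90, 1.0)
),
rated_findings AS (
    -- every finding on a reported asset, with its tag-weighted risk score
    SELECT
        daga.asset_group_id,
        favf.asset_id,
        dv.date_added,
        tw.weight * dv.riskscore AS weighted_riskscore
    FROM fact_asset_vulnerability_finding AS favf
    INNER JOIN dim_vulnerability AS dv USING (vulnerability_id)
    INNER JOIN dim_asset_group_asset AS daga USING (asset_id)
    INNER JOIN dim_tag_asset AS dta USING (asset_id)
    INNER JOIN tag_weights AS tw ON tw.tag_id = dta.tag_id
    INNER JOIN group_labels AS gl ON gl.asset_group_id = daga.asset_group_id
),
beyond_sla AS (
    -- one row per (group, asset) with at least one overdue finding.
    -- Bands are contiguous so a non-integer weighted score (e.g. 899.5)
    -- cannot fall between two bands and silently drop out of the report, as
    -- it did with the original ">= 600 AND <= 899" style ranges.
    SELECT DISTINCT
        asset_group_id,
        asset_id
    FROM rated_findings
    WHERE (weighted_riskscore > 1200
           AND date_added < now() - INTERVAL '1 day')
       OR (weighted_riskscore >= 900 AND weighted_riskscore <= 1200
           AND date_added < now() - INTERVAL '7 days')
       OR (weighted_riskscore >= 600 AND weighted_riskscore < 900
           AND date_added < now() - INTERVAL '14 days')
       OR (weighted_riskscore >= 300 AND weighted_riskscore < 600
           AND date_added < now() - INTERVAL '30 days')
       OR (weighted_riskscore < 300
           AND date_added < now() - INTERVAL '90 days')
)
SELECT
    gl.asset_group,
    COUNT(*) AS assets_beyond_sla
FROM beyond_sla AS b
INNER JOIN group_labels AS gl USING (asset_group_id)
GROUP BY gl.asset_group, gl.group_rank
ORDER BY gl.group_rank DESC;
--------------------------------------------------------------------------------
/Authenticated Scan Percentage-by-Asset-Group-Detailed.sql:
--------------------------------------------------------------------------------
-- One row per IP address in the reported asset groups, with the OS
-- fingerprint certainty used by the sibling "Authenticated Scan Percentage"
-- reports (certainty = 1 is treated there as an authenticated scan).
-- Output: asset_group, ip_address, host_name, operating_system, last_scanned,
-- certainty.
-- NOTE(review): dim_asset_operating_system is joined on asset_id only, so
-- `certainty` may belong to a different fingerprint than the OS description
-- shown — confirm against the warehouse schema.
WITH group_labels (asset_group_id, asset_group, group_rank) AS (
    VALUES
        (2,  'Group 1',  1),
        (29, 'Group 2',  2),
        (25, 'Group 3',  3),
        (56, 'Group 4',  4),
        (55, 'Group 5',  5),
        (40, 'Group 6',  6),
        (4,  'Group 7',  7),
        (66, 'Group 8',  8),
        (28, 'Group 9',  9),
        (26, 'Group 10', 10),
        (8,  'Group 11', 11),
        (27, 'Group 12', 12)
)
SELECT DISTINCT ON (da.ip_address)
    gl.asset_group,
    da.ip_address,
    da.host_name,
    dos.description AS operating_system,
    fa.scan_finished AS last_scanned,
    aos.certainty
FROM fact_asset AS fa
INNER JOIN dim_asset AS da USING (asset_id)
INNER JOIN dim_operating_system AS dos USING (operating_system_id)
INNER JOIN dim_asset_operating_system AS aos USING (asset_id)
INNER JOIN dim_asset_group_asset AS daga USING (asset_id)
INNER JOIN group_labels AS gl ON gl.asset_group_id = daga.asset_group_id
-- DISTINCT ON keeps the first row per IP in this order. The original ordered
-- on ip_address alone, so which fingerprint/group row survived was
-- arbitrary; preferring the highest certainty keeps the authenticated
-- fingerprint whenever one exists.
ORDER BY da.ip_address ASC, aos.certainty DESC, gl.group_rank ASC;
--------------------------------------------------------------------------------
/Authenticated Scan Percentage-by-Asset-Group.sql:
--------------------------------------------------------------------------------
-- Share of scanned IPs per asset group whose scan was authenticated.
-- Output: asset_group, authenticated, total, percentage_authenticated (a
-- fraction in [0, 1], rounded to 2 places — not multiplied by 100).
-- An IP is "authenticated" when any of its OS fingerprints has certainty = 1;
-- the original applied that test to whichever single fingerprint row
-- DISTINCT ON (ip_address) happened to keep, and attributed an IP that sits
-- in several groups to one arbitrary group. Here an IP is counted once per
-- group it belongs to.
WITH group_labels (asset_group_id, asset_group, group_rank) AS (
    VALUES
        (2,  'Group 1',  1),
        (29, 'Group 2',  2),
        (25, 'Group 3',  3),
        (56, 'Group 4',  4),
        (55, 'Group 5',  5),
        (40, 'Group 6',  6),
        (4,  'Group 7',  7),
        (66, 'Group 8',  8),
        (28, 'Group 9',  9),
        (26, 'Group 10', 10),
        (8,  'Group 11', 11),
        (27, 'Group 12', 12)
),
scanned_ips AS (
    -- one row per (group, IP); the joins mirror the detailed report so both
    -- count the same population
    SELECT
        daga.asset_group_id,
        da.ip_address,
        MAX(CASE WHEN aos.certainty = 1 THEN 1 ELSE 0 END) AS is_authenticated
    FROM fact_asset AS fa
    INNER JOIN dim_asset AS da USING (asset_id)
    INNER JOIN dim_operating_system AS dos USING (operating_system_id)
    INNER JOIN dim_asset_operating_system AS aos USING (asset_id)
    INNER JOIN dim_asset_group_asset AS daga USING (asset_id)
    INNER JOIN group_labels AS gl ON gl.asset_group_id = daga.asset_group_id
    GROUP BY daga.asset_group_id, da.ip_address
)
SELECT
    gl.asset_group,
    SUM(si.is_authenticated) AS authenticated,
    COUNT(*) AS total,
    -- cast before dividing: bigint / bigint is integer division in PostgreSQL
    ROUND(SUM(si.is_authenticated)::numeric / COUNT(*), 2) AS percentage_authenticated
FROM scanned_ips AS si
INNER JOIN group_labels AS gl USING (asset_group_id)
GROUP BY gl.asset_group, gl.group_rank
ORDER BY gl.group_rank DESC;
--------------------------------------------------------------------------------
/Authenticated Scan Percentage.sql:
--------------------------------------------------------------------------------
-- Share of all scanned IPs whose scan was authenticated (certainty = 1 on at
-- least one OS fingerprint).
-- Output: authenticated, total, percentage_authenticated (a fraction in
-- [0, 1], rounded to 2 places — not multiplied by 100). All three are NULL
-- when the warehouse holds no scanned assets.
WITH scanned_ips AS (
    -- one row per IP; the joins mirror the by-group reports so all of them
    -- count the same population
    SELECT
        da.ip_address,
        MAX(CASE WHEN aos.certainty = 1 THEN 1 ELSE 0 END) AS is_authenticated
    FROM fact_asset AS fa
    INNER JOIN dim_asset AS da USING (asset_id)
    INNER JOIN dim_operating_system AS dos USING (operating_system_id)
    INNER JOIN dim_asset_operating_system AS aos USING (asset_id)
    GROUP BY da.ip_address
)
SELECT
    SUM(is_authenticated) AS authenticated,
    COUNT(*) AS total,
    -- cast before dividing (bigint / bigint is integer division); NULLIF
    -- avoids division by zero on an empty population
    ROUND(SUM(is_authenticated)::numeric / NULLIF(COUNT(*), 0), 2) AS percentage_authenticated
FROM scanned_ips;
--------------------------------------------------------------------------------
/Daily-New-Vulns.sql:
--------------------------------------------------------------------------------
-- Findings present in each asset's scan as of today but labelled 'New' by
-- baselineComparison() against the scan as of one day ago.
-- Output: ip_address, host_name, mac_address, diff, vulnerability_title,
-- current_date.
-- scanAsOfDate() and baselineComparison() are warehouse-provided functions;
-- NOTE(review): their contract (e.g. what scanAsOfDate returns for an asset
-- with no scan on or before the date) is not visible here — confirm against
-- the warehouse documentation.
WITH report_dates AS (
    -- now() is fixed for the whole statement, so both dates agree even when
    -- the report runs across midnight
    SELECT
        now()::date AS today,
        (now() - INTERVAL '1 day')::date AS day_ago
),
asset_scans AS (
    -- the scan treated as "current" and as "baseline" for each asset
    SELECT
        da.asset_id,
        scanAsOfDate(da.asset_id, rd.today) AS scan_today,
        scanAsOfDate(da.asset_id, rd.day_ago) AS scan_day_ago
    FROM dim_asset AS da
    CROSS JOIN report_dates AS rd
),
asset_scan_results AS (
    -- state 2 = finding present in the current scan,
    -- state 1 = finding present in the baseline scan
    SELECT
        fasvf.asset_id,
        fasvf.vulnerability_id,
        2 AS state
    FROM fact_asset_scan_vulnerability_finding AS fasvf
    INNER JOIN asset_scans AS a
        ON a.asset_id = fasvf.asset_id
       AND fasvf.scan_id = a.scan_today
    UNION ALL
    SELECT
        fasvf.asset_id,
        fasvf.vulnerability_id,
        1 AS state
    FROM fact_asset_scan_vulnerability_finding AS fasvf
    INNER JOIN asset_scans AS a
        ON a.asset_id = fasvf.asset_id
       AND fasvf.scan_id = a.scan_day_ago
),
asset_scan_results_diff AS (
    -- labels each finding relative to state 2 (the current scan)
    SELECT
        asset_id,
        vulnerability_id,
        baselineComparison(state, 2) AS diff
    FROM asset_scan_results
    GROUP BY asset_id, vulnerability_id
)
SELECT
    da.ip_address,
    da.host_name,
    da.mac_address,
    asrd.diff,
    dv.title AS vulnerability_title,
    -- keep the explicit AS: the alias is a reserved word
    to_char(now(), 'YYYY-mm-dd') AS current_date
FROM asset_scan_results_diff AS asrd
INNER JOIN dim_asset AS da USING (asset_id)
INNER JOIN dim_vulnerability AS dv USING (vulnerability_id)
WHERE asrd.diff = 'New'
ORDER BY da.ip_address, asrd.diff, dv.title;
--------------------------------------------------------------------------------
/Daily-Remediated-Vulns.sql:
--------------------------------------------------------------------------------
-- Findings labelled 'Old' by baselineComparison(): present in each asset's
-- scan as of one day ago but not in its scan as of today.
-- Output: ip_address, host_name, mac_address, diff, vulnerability_title,
-- current_date.
-- Identical to Daily-New-Vulns.sql apart from the final filter.
-- scanAsOfDate() and baselineComparison() are warehouse-provided functions;
-- NOTE(review): their contract (e.g. what scanAsOfDate returns for an asset
-- with no scan on or before the date) is not visible here — confirm against
-- the warehouse documentation.
WITH report_dates AS (
    -- now() is fixed for the whole statement, so both dates agree even when
    -- the report runs across midnight
    SELECT
        now()::date AS today,
        (now() - INTERVAL '1 day')::date AS day_ago
),
asset_scans AS (
    -- the scan treated as "current" and as "baseline" for each asset
    SELECT
        da.asset_id,
        scanAsOfDate(da.asset_id, rd.today) AS scan_today,
        scanAsOfDate(da.asset_id, rd.day_ago) AS scan_day_ago
    FROM dim_asset AS da
    CROSS JOIN report_dates AS rd
),
asset_scan_results AS (
    -- state 2 = finding present in the current scan,
    -- state 1 = finding present in the baseline scan
    SELECT
        fasvf.asset_id,
        fasvf.vulnerability_id,
        2 AS state
    FROM fact_asset_scan_vulnerability_finding AS fasvf
    INNER JOIN asset_scans AS a
        ON a.asset_id = fasvf.asset_id
       AND fasvf.scan_id = a.scan_today
    UNION ALL
    SELECT
        fasvf.asset_id,
        fasvf.vulnerability_id,
        1 AS state
    FROM fact_asset_scan_vulnerability_finding AS fasvf
    INNER JOIN asset_scans AS a
        ON a.asset_id = fasvf.asset_id
       AND fasvf.scan_id = a.scan_day_ago
),
asset_scan_results_diff AS (
    -- labels each finding relative to state 2 (the current scan)
    SELECT
        asset_id,
        vulnerability_id,
        baselineComparison(state, 2) AS diff
    FROM asset_scan_results
    GROUP BY asset_id, vulnerability_id
)
SELECT
    da.ip_address,
    da.host_name,
    da.mac_address,
    asrd.diff,
    dv.title AS vulnerability_title,
    -- keep the explicit AS: the alias is a reserved word
    to_char(now(), 'YYYY-mm-dd') AS current_date
FROM asset_scan_results_diff AS asrd
INNER JOIN dim_asset AS da USING (asset_id)
INNER JOIN dim_vulnerability AS dv USING (vulnerability_id)
WHERE asrd.diff = 'Old'
ORDER BY da.ip_address, asrd.diff, dv.title;
--------------------------------------------------------------------------------
/No High+ Vulns-by-Asset-Group.sql:
--------------------------------------------------------------------------------
-- Per asset group: assets with at least one rated finding (total_count), how
-- many of those have no finding of HIGH or worse (low_med_only_count), and
-- that share as a fraction rounded to 4 places (percentage_only_low_med).
-- Assets with no findings at all are not counted, as in the original.
-- An asset in several reported groups is counted in each; the original's
-- DISTINCT ON (asset_id, ...) attributed such an asset to one arbitrary group.
-- "HIGH or worse" means a tag-weighted riskscore of 600 or more, i.e. the
-- HIGH, CRITICAL and URGENT bands. The original's integer-bounded bands
-- (e.g. ">= 600 AND <= 899", ">= 900") left non-integer scores such as
-- 899.5 in no band at all; the single threshold closes those gaps.
WITH group_labels (asset_group_id, asset_group, group_rank) AS (
    VALUES
        (2,  'Group 1',  1),
        (29, 'Group 2',  2),
        (25, 'Group 3',  3),
        (56, 'Group 4',  4),
        (55, 'Group 5',  5),
        (40, 'Group 6',  6),
        (4,  'Group 7',  7),
        (66, 'Group 8',  8),
        (28, 'Group 9',  9),
        (26, 'Group 10', 10),
        (8,  'Group 11', 11),
        (27, 'Group 12', 12)
),
tag_weights (tag_id, weight) AS (
    -- Asset-criticality tag -> multiplier applied to the vulnerability
    -- riskscore (tag 90 = "NO RATING", weight 1.0). Assets with none of these
    -- tags are excluded and an asset with several rated tags is evaluated
    -- once per tag, both as in the original predicate.
    VALUES
        (1,  2.0),
        (2,  1.2),
        (3,  1.1),
        (4,  1.0),
        (5,  0.75),
        (90, 1.0)
),
asset_findings AS (
    -- one row per (group, asset) that has at least one finding with a
    -- riskscore; has_high_or_worse = 1 when any weighted score reaches 600
    SELECT
        daga.asset_group_id,
        favf.asset_id,
        MAX(CASE WHEN tw.weight * dv.riskscore >= 600 THEN 1 ELSE 0 END) AS has_high_or_worse
    FROM fact_asset_vulnerability_finding AS favf
    -- dim_asset / dim_operating_system add no columns here; they are kept as
    -- inner joins because, as in the original, they can restrict the
    -- population if an asset lacks a matching OS row
    INNER JOIN dim_asset AS da USING (asset_id)
    INNER JOIN dim_operating_system AS dos USING (operating_system_id)
    INNER JOIN dim_vulnerability AS dv USING (vulnerability_id)
    INNER JOIN dim_asset_group_asset AS daga USING (asset_id)
    INNER JOIN dim_tag_asset AS dta USING (asset_id)
    INNER JOIN tag_weights AS tw ON tw.tag_id = dta.tag_id
    INNER JOIN group_labels AS gl ON gl.asset_group_id = daga.asset_group_id
    -- a NULL riskscore matched none of the original bands, so it stays out
    WHERE dv.riskscore IS NOT NULL
    GROUP BY daga.asset_group_id, favf.asset_id
)
SELECT
    gl.asset_group,
    COUNT(*) AS total_count,
    COUNT(*) - SUM(af.has_high_or_worse) AS low_med_only_count,
    -- cast before dividing: bigint / bigint is integer division in PostgreSQL
    ROUND((COUNT(*) - SUM(af.has_high_or_worse))::numeric / COUNT(*), 4) AS percentage_only_low_med
FROM asset_findings AS af
INNER JOIN group_labels AS gl USING (asset_group_id)
GROUP BY gl.asset_group, gl.group_rank
ORDER BY gl.group_rank DESC;
--------------------------------------------------------------------------------
/No High+ Vulns.sql:
--------------------------------------------------------------------------------
 1 | WITH 2 | CTE AS ( 3 | 4 | SELECT da.asset_id, da.ip_address, da.host_name, da.mac_address, 5 | CASE 6 | WHEN (dta.tag_id = 1) THEN 'VH' 7 |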
WHEN (dta.tag_id = 2) THEN 'H' 8 | WHEN (dta.tag_id = 3) THEN 'M' 9 | WHEN (dta.tag_id = 4) THEN 'L' 10 | WHEN (dta.tag_id = 5) THEN 'VL' 11 | WHEN (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90) THEN 'NO RATING' 12 | END AS asset_rating, 13 | 14 | to_char(favf.date, 'YYYY-mm-dd') AS asset_last_scan, 15 | 16 | dv.title AS vulnerability_title, dv.date_added AS vuln_first_scan, 17 | CASE 18 | WHEN (dta.tag_id = 1) then round(2*dv.riskscore::numeric, 0) 19 | WHEN (dta.tag_id = 2) then round(1.2*dv.riskscore::numeric, 0) 20 | WHEN (dta.tag_id = 3) then round(1.1*dv.riskscore::numeric, 0) 21 | WHEN (dta.tag_id = 4) then round(dv.riskscore::numeric, 0) 22 | WHEN (dta.tag_id = 5) then round(.75*dv.riskscore::numeric, 0) 23 | WHEN (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90) then round(dv.riskscore::numeric, 0) 24 | END AS weighted_riskscore, 25 | 26 | CASE 27 | WHEN 28 | ( 29 | (dta.tag_id = 1 AND 2*dv.riskscore >= 1201 ) OR 30 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 1201 ) OR 31 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 1201 ) OR 32 | (dta.tag_id = 4 AND dv.riskscore >= 1201) OR 33 | (dta.tag_id = 5 AND .75*dv.riskscore >= 1201 ) OR 34 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 1201 ) 35 | ) 36 | then 'URGENT' 37 | WHEN 38 | ( 39 | (dta.tag_id = 1 AND 2*dv.riskscore >= 900 AND 2*dv.riskscore <= 1200) OR 40 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 900 AND 1.2*dv.riskscore <= 1200) OR 41 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 900 AND 1.1*dv.riskscore <= 1200) OR 42 | (dta.tag_id = 4 AND dv.riskscore >= 900 AND dv.riskscore <= 1200) OR 43 | (dta.tag_id = 5 AND .75*dv.riskscore >= 900 AND .75*dv.riskscore <= 1200) OR 44 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 900 AND dv.riskscore <= 1200) 45 | ) 46 | then 'CRITICAL' 47 | WHEN 48 | ( 49 | (dta.tag_id = 1 AND 2*dv.riskscore >= 600 AND 2*dv.riskscore <= 899) OR 50 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 600 AND 1.2*dv.riskscore <= 899) OR 51 | 
(dta.tag_id = 3 AND 1.1*dv.riskscore >= 600 AND 1.1*dv.riskscore <= 899) OR 52 | (dta.tag_id = 4 AND dv.riskscore >= 600 AND dv.riskscore <= 899) OR 53 | (dta.tag_id = 5 AND .75*dv.riskscore >= 600 AND .75*dv.riskscore <= 899) OR 54 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 600 AND dv.riskscore <= 899) 55 | ) 56 | then 'HIGH' 57 | WHEN 58 | ( 59 | (dta.tag_id = 1 AND 2*dv.riskscore >= 300 AND 2*dv.riskscore <= 599) OR 60 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 300 AND 1.2*dv.riskscore <= 599) OR 61 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 300 AND 1.1*dv.riskscore <= 599) OR 62 | (dta.tag_id = 4 AND dv.riskscore >= 300 AND dv.riskscore <= 599) OR 63 | (dta.tag_id = 5 AND .75*dv.riskscore >= 300 AND .75*dv.riskscore <= 599) OR 64 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 300 AND dv.riskscore <= 599) 65 | ) 66 | then 'MEDIUM' 67 | 68 | WHEN 69 | ( 70 | (dta.tag_id = 1 AND 2*dv.riskscore <= 299) OR 71 | (dta.tag_id = 2 AND 1.2*dv.riskscore <= 299) OR 72 | (dta.tag_id = 3 AND 1.1*dv.riskscore <= 299) OR 73 | (dta.tag_id = 4 AND dv.riskscore <= 299) OR 74 | (dta.tag_id = 5 AND .75*dv.riskscore <= 299) OR 75 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore <= 299) 76 | ) 77 | then 'LOW' 78 | END AS vuln_severity, 79 | 80 | CASE 81 | WHEN (dv.riskscore >=0) then sum(2-1) 82 | END AS total_count, 83 | 84 | CASE 85 | WHEN (dv.riskscore >=0) then sum(1-1) 86 | END AS high_to_urgent_count 87 | 88 | FROM fact_asset_vulnerability_finding favf 89 | JOIN dim_asset da USING (asset_id) 90 | JOIN dim_operating_system dos USING (operating_system_id) 91 | JOIN dim_vulnerability dv USING (vulnerability_id) 92 | JOIN dim_asset_group_asset daga USING (asset_id) 93 | JOIN dim_tag_asset dta USING (asset_id) 94 | 95 | WHERE daga.asset_group_id IN (2,4,8,25,26,27,28,29,40,55,56,66) AND 96 | 97 | ( 98 | 99 | ( 100 | (dta.tag_id = 1 AND 2*dv.riskscore >= 1201 ) OR 101 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 
1201 ) OR 102 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 1201 ) OR 103 | (dta.tag_id = 4 AND dv.riskscore >= 1201) OR 104 | (dta.tag_id = 5 AND .75*dv.riskscore >= 1201 ) OR 105 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 1201 ) 106 | ) 107 | 108 | 109 | OR 110 | 111 | 112 | ( 113 | (dta.tag_id = 1 AND 2*dv.riskscore >= 900 AND 2*dv.riskscore <= 1200) OR 114 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 900 AND 1.2*dv.riskscore <= 1200) OR 115 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 900 AND 1.1*dv.riskscore <= 1200) OR 116 | (dta.tag_id = 4 AND dv.riskscore >= 900 AND dv.riskscore <= 1200) OR 117 | (dta.tag_id = 5 AND .75*dv.riskscore >= 900 AND .75*dv.riskscore <= 1200) OR 118 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 900 AND dv.riskscore <= 1200) 119 | ) 120 | 121 | 122 | 123 | OR 124 | 125 | 126 | ( 127 | (dta.tag_id = 1 AND 2*dv.riskscore >= 600 AND 2*dv.riskscore <= 899) OR 128 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 600 AND 1.2*dv.riskscore <= 899) OR 129 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 600 AND 1.1*dv.riskscore <= 899) OR 130 | (dta.tag_id = 4 AND dv.riskscore >= 600 AND dv.riskscore <= 899) OR 131 | (dta.tag_id = 5 AND .75*dv.riskscore >= 600 AND .75*dv.riskscore <= 899) OR 132 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 600 AND dv.riskscore <= 899) 133 | ) 134 | 135 | 136 | 137 | 138 | OR 139 | 140 | ( 141 | (dta.tag_id = 1 AND 2*dv.riskscore >= 300 AND 2*dv.riskscore <= 599) OR 142 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 300 AND 1.2*dv.riskscore <= 599) OR 143 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 300 AND 1.1*dv.riskscore <= 599) OR 144 | (dta.tag_id = 4 AND dv.riskscore >= 300 AND dv.riskscore <= 599) OR 145 | (dta.tag_id = 5 AND .75*dv.riskscore >= 300 AND .75*dv.riskscore <= 599) OR 146 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 300 AND dv.riskscore <= 599) 147 | ) 148 | 149 | 150 | OR 151 | 152 | 153 | ( 154 | 
(dta.tag_id = 1 AND 2*dv.riskscore <= 299) OR 155 | (dta.tag_id = 2 AND 1.2*dv.riskscore <= 299) OR 156 | (dta.tag_id = 3 AND 1.1*dv.riskscore <= 299) OR 157 | (dta.tag_id = 4 AND dv.riskscore <= 299) OR 158 | (dta.tag_id = 5 AND .75*dv.riskscore <= 299) OR 159 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore <= 299) 160 | ) 161 | 162 | 163 | ) 164 | 165 | GROUP BY da.asset_id, da.ip_address, da.host_name, da.mac_address, dv.title, dv.date_added, favf.date, dta.tag_id, dv.riskscore 166 | 167 | 168 | 169 | 170 | 171 | 172 | union all 173 | 174 | 175 | 176 | 177 | 178 | SELECT da.asset_id, da.ip_address, da.host_name, da.mac_address, 179 | CASE 180 | WHEN (dta.tag_id = 1) THEN 'VH' 181 | WHEN (dta.tag_id = 2) THEN 'H' 182 | WHEN (dta.tag_id = 3) THEN 'M' 183 | WHEN (dta.tag_id = 4) THEN 'L' 184 | WHEN (dta.tag_id = 5) THEN 'VL' 185 | WHEN (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90) THEN 'NO RATING' 186 | END AS asset_rating, 187 | 188 | to_char(favf.date, 'YYYY-mm-dd') AS asset_last_scan, 189 | 190 | dv.title AS vulnerability_title, dv.date_added AS vuln_first_scan, 191 | CASE 192 | WHEN (dta.tag_id = 1) then round(2*dv.riskscore::numeric, 0) 193 | WHEN (dta.tag_id = 2) then round(1.2*dv.riskscore::numeric, 0) 194 | WHEN (dta.tag_id = 3) then round(1.1*dv.riskscore::numeric, 0) 195 | WHEN (dta.tag_id = 4) then round(dv.riskscore::numeric, 0) 196 | WHEN (dta.tag_id = 5) then round(.75*dv.riskscore::numeric, 0) 197 | WHEN (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90) then round(dv.riskscore::numeric, 0) 198 | END AS weighted_riskscore, 199 | 200 | CASE 201 | 202 | WHEN 203 | ( 204 | (dta.tag_id = 1 AND 2*dv.riskscore >= 1201 ) OR 205 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 1201 ) OR 206 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 1201 ) OR 207 | (dta.tag_id = 4 AND dv.riskscore >= 1201) OR 208 | (dta.tag_id = 5 AND .75*dv.riskscore >= 1201 ) OR 209 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 1201 ) 210 | ) 
211 | then 'URGENT' 212 | WHEN 213 | ( 214 | (dta.tag_id = 1 AND 2*dv.riskscore >= 900 AND 2*dv.riskscore <= 1200) OR 215 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 900 AND 1.2*dv.riskscore <= 1200) OR 216 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 900 AND 1.1*dv.riskscore <= 1200) OR 217 | (dta.tag_id = 4 AND dv.riskscore >= 900 AND dv.riskscore <= 1200) OR 218 | (dta.tag_id = 5 AND .75*dv.riskscore >= 900 AND .75*dv.riskscore <= 1200) OR 219 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 900 AND dv.riskscore <= 1200) 220 | ) 221 | then 'CRITICAL' 222 | WHEN 223 | ( 224 | (dta.tag_id = 1 AND 2*dv.riskscore >= 600 AND 2*dv.riskscore <= 899) OR 225 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 600 AND 1.2*dv.riskscore <= 899) OR 226 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 600 AND 1.1*dv.riskscore <= 899) OR 227 | (dta.tag_id = 4 AND dv.riskscore >= 600 AND dv.riskscore <= 899) OR 228 | (dta.tag_id = 5 AND .75*dv.riskscore >= 600 AND .75*dv.riskscore <= 899) OR 229 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 600 AND dv.riskscore <= 899) 230 | ) 231 | then 'HIGH' 232 | END AS vuln_severity, 233 | 234 | CASE 235 | WHEN (dv.riskscore >=0) then sum(1-1) 236 | END AS total_count, 237 | 238 | CASE 239 | WHEN (dv.riskscore >=0) then sum(2-1) 240 | END AS med_low_count 241 | 242 | 243 | 244 | FROM fact_asset_vulnerability_finding favf 245 | JOIN dim_asset da USING (asset_id) 246 | JOIN dim_operating_system dos USING (operating_system_id) 247 | JOIN dim_vulnerability dv USING (vulnerability_id) 248 | JOIN dim_asset_group_asset daga USING (asset_id) 249 | JOIN dim_tag_asset dta USING (asset_id) 250 | 251 | WHERE daga.asset_group_id IN (2,4,8,25,26,27,28,29,40,55,56,66) AND 252 | 253 | ( 254 | 255 | ( 256 | (dta.tag_id = 1 AND 2*dv.riskscore >= 1201 ) OR 257 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 1201 ) OR 258 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 1201 ) OR 259 | (dta.tag_id = 4 AND dv.riskscore >= 1201) OR 260 | 
(dta.tag_id = 5 AND .75*dv.riskscore >= 1201 ) OR 261 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 1201 ) 262 | ) 263 | 264 | 265 | OR 266 | 267 | 268 | ( 269 | (dta.tag_id = 1 AND 2*dv.riskscore >= 900 AND 2*dv.riskscore <= 1200) OR 270 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 900 AND 1.2*dv.riskscore <= 1200) OR 271 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 900 AND 1.1*dv.riskscore <= 1200) OR 272 | (dta.tag_id = 4 AND dv.riskscore >= 900 AND dv.riskscore <= 1200) OR 273 | (dta.tag_id = 5 AND .75*dv.riskscore >= 900 AND .75*dv.riskscore <= 1200) OR 274 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 900 AND dv.riskscore <= 1200) 275 | ) 276 | 277 | 278 | 279 | OR 280 | 281 | 282 | ( 283 | (dta.tag_id = 1 AND 2*dv.riskscore >= 600 AND 2*dv.riskscore <= 899) OR 284 | (dta.tag_id = 2 AND 1.2*dv.riskscore >= 600 AND 1.2*dv.riskscore <= 899) OR 285 | (dta.tag_id = 3 AND 1.1*dv.riskscore >= 600 AND 1.1*dv.riskscore <= 899) OR 286 | (dta.tag_id = 4 AND dv.riskscore >= 600 AND dv.riskscore <= 899) OR 287 | (dta.tag_id = 5 AND .75*dv.riskscore >= 600 AND .75*dv.riskscore <= 899) OR 288 | (dta.tag_id NOT IN (1,2,3,4,5) AND dta.tag_id = 90 AND dv.riskscore >= 600 AND dv.riskscore <= 899) 289 | ) 290 | 291 | 292 | ) 293 | 294 | GROUP BY da.asset_id, da.ip_address, da.host_name, da.mac_address, dv.title, dv.date_added, favf.date, dta.tag_id, dv.riskscore 295 | 296 | ), 297 | 298 | STEP_2 AS ( 299 | SELECT DISTINCT ON (asset_id, total_count, high_to_urgent_count) 300 | * 301 | FROM CTE 302 | ) 303 | 304 | SELECT SUM(total_count)as TOTAL_COUNT, SUM(total_count) - SUM(high_to_urgent_count) AS LOW_MED_ONLY_COUNT, round((SUM(total_count) - SUM(high_to_urgent_count)) / SUM(total_count),4) AS PERCENTAGE_ONLY_LOW_MED 305 | FROM STEP_2 306 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 
nexpose-sql-queries 2 | A random collection of Nexpose SQL Export queries I've built for reporting vulnerability metrics. 3 | -------------------------------------------------------------------------------- /SMB-Share-Finder.sql: -------------------------------------------------------------------------------- 1 | select da.ip_address, da.host_name, dos.description, daf.type, daf.name, da.sites 2 | from dim_asset da 3 | JOIN dim_asset_file daf using (asset_id) 4 | JOIN dim_operating_system dos USING (operating_system_id) 5 | order by da.ip_address asc 6 | -------------------------------------------------------------------------------- /Weekly-New-Vulns.sql: -------------------------------------------------------------------------------- 1 | WITH 2 | today_date AS ( 3 | SELECT now() AS date 4 | ), 5 | asset_scans AS ( 6 | SELECT asset_id, scanAsOfDate(asset_id, now()::date) AS scan_today, scanAsOfDate(asset_id, ((SELECT date FROM today_date) - INTERVAL '1 week')::date) AS scan_week_ago 7 | FROM dim_asset 8 | ), 9 | asset_scan_results AS ( 10 | -- results from the scan on each asset for today's results 11 | SELECT fasvf.asset_id, fasvf.vulnerability_id, fasvf.scan_id, 2 AS state 12 | FROM fact_asset_scan_vulnerability_finding fasvf 13 | JOIN asset_scans a ON a.asset_id = fasvf.asset_id AND fasvf.scan_id = a.scan_today 14 | UNION ALL 15 | -- results from the scan on each asset for the results one week ago 16 | SELECT fasvf.asset_id, fasvf.vulnerability_id, fasvf.scan_id, 1 AS state 17 | FROM fact_asset_scan_vulnerability_finding fasvf 18 | JOIN asset_scans a ON a.asset_id = fasvf.asset_id AND fasvf.scan_id = a.scan_week_ago 19 | ), 20 | asset_scan_results_diff AS ( 21 | SELECT asset_id, vulnerability_id, baselineComparison(state, 2) AS diff 22 | FROM asset_scan_results 23 | GROUP BY asset_id, vulnerability_id 24 | ) 25 | SELECT da.ip_address, da.host_name, da.mac_address, asrd.diff, dv.title AS vulnerability_title, to_char(now(), 'YYYY-mm-dd') AS current_date 26 | FROM 
asset_scan_results_diff asrd 27 | JOIN dim_asset da USING (asset_id) 28 | JOIN dim_vulnerability dv USING (vulnerability_id) 29 | WHERE asrd.diff = 'New' 30 | ORDER BY da.ip_address, asrd.diff, dv.title 31 | -------------------------------------------------------------------------------- /Weekly-Remediated-Vulns.sql: -------------------------------------------------------------------------------- 1 | WITH 2 | today_date AS ( 3 | SELECT now() AS date 4 | ), 5 | asset_scans AS ( 6 | SELECT asset_id, scanAsOfDate(asset_id, now()::date) AS scan_today, scanAsOfDate(asset_id, ((SELECT date FROM today_date) - INTERVAL '1 week')::date) AS scan_week_ago 7 | FROM dim_asset 8 | ), 9 | asset_scan_results AS ( 10 | -- results from the scan on each asset for today's results 11 | SELECT fasvf.asset_id, fasvf.vulnerability_id, fasvf.scan_id, 2 AS state 12 | FROM fact_asset_scan_vulnerability_finding fasvf 13 | JOIN asset_scans a ON a.asset_id = fasvf.asset_id AND fasvf.scan_id = a.scan_today 14 | UNION ALL 15 | -- results from the scan on each asset for the results one week ago 16 | SELECT fasvf.asset_id, fasvf.vulnerability_id, fasvf.scan_id, 1 AS state 17 | FROM fact_asset_scan_vulnerability_finding fasvf 18 | JOIN asset_scans a ON a.asset_id = fasvf.asset_id AND fasvf.scan_id = a.scan_week_ago 19 | ), 20 | asset_scan_results_diff AS ( 21 | SELECT asset_id, vulnerability_id, baselineComparison(state, 2) AS diff 22 | FROM asset_scan_results 23 | GROUP BY asset_id, vulnerability_id 24 | ) 25 | SELECT da.ip_address, da.host_name, da.mac_address, asrd.diff, dv.title AS vulnerability_title, to_char(now(), 'YYYY-mm-dd') AS current_date 26 | FROM asset_scan_results_diff asrd 27 | JOIN dim_asset da USING (asset_id) 28 | JOIN dim_vulnerability dv USING (vulnerability_id) 29 | WHERE asrd.diff = 'Old' 30 | ORDER BY da.ip_address, asrd.diff, dv.title 31 | -------------------------------------------------------------------------------- /_config.yml: 
-------------------------------------------------------------------------------- 1 | theme: jekyll-theme-tactile -------------------------------------------------------------------------------- /detailed-vulns.sql: -------------------------------------------------------------------------------- 1 | WITH 2 | vuln_urls AS ( 3 | SELECT vulnerability_id, array_to_string(array_agg(reference), ' , ') AS references 4 | FROM dim_vulnerability_reference 5 | GROUP BY vulnerability_id 6 | ) 7 | 8 | 9 | select da.ip_address, da.host_name, dos.description as operating_system, dv.title as vuln_title, round(dv.riskscore::numeric,0) as vuln_riskscore, 10 | CASE 11 | WHEN (dv.riskscore >= 800) then 'Very High' 12 | WHEN (dv.riskscore >= 600 AND dv.riskscore <= 799) then 'High' 13 | WHEN (dv.riskscore >= 400 AND dv.riskscore <= 599) then 'Medium' 14 | WHEN (dv.riskscore >= 200 AND dv.riskscore <= 399) then 'Low' 15 | WHEN (dv.riskscore <= 199) then 'Very Low' 16 | END AS vuln_severity, 17 | proofastext(dv.description) as vuln_description, 18 | proofastext(favi.proof) as vuln_proof, vu.references, favi.port as "port# (-1 = n/a)", dv.date_added as vuln_date_into_nexpose, 19 | to_char(favi.date, 'YYYY-mm-dd') as asset_last_scan 20 | 21 | FROM fact_asset_vulnerability_instance favi 22 | JOIN dim_vulnerability dv USING (vulnerability_id) 23 | JOIN dim_asset da USING (asset_id) 24 | JOIN dim_operating_system dos USING (operating_system_id) 25 | JOIN dim_vulnerability_reference dvr USING (vulnerability_id) 26 | JOIN vuln_urls vu USING (vulnerability_id) 27 | 28 | ORDER BY dv.riskscore DESC 29 | -------------------------------------------------------------------------------- /fingerprint-check.sql: -------------------------------------------------------------------------------- 1 | SELECT DISTINCT ON (ip_address) 2 | da.ip_address, da.host_name, dos.description AS operating_system, 3 | fa.scan_finished AS last_scanned, aos.certainty, fa.vulnerabilities, fa.riskscore 4 | FROM fact_asset AS 
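fa
JOIN dim_asset da USING (asset_id)
JOIN dim_operating_system dos USING (operating_system_id)
JOIN dim_asset_operating_system aos USING (asset_id)
ORDER BY da.ip_address, certainty DESC
-------------------------------------------------------------------------------- /new-asset-report-daily.sql: --------------------------------------------------------------------------------
-- new-asset-report-daily.sql
-- Assets first discovered within the last day, with their OS and the services
-- Nexpose has recorded for them.
WITH
open_ports AS (
    -- "protocol:port" list per asset, ordered by port number
    SELECT
        asset_id,
        array_to_string(array_agg(dp.name || ':' || port ORDER BY port), ' , ') AS open_ports
    FROM dim_asset_service
    JOIN dim_protocol dp USING (protocol_id)
    GROUP BY asset_id
)
SELECT
    ip_address,
    mac_address,
    host_name,
    dos.description AS "operating_system",
    open_ports,
    to_char(first_discovered, 'YYYY-mm-dd') AS first_discovered,
    to_char(last_discovered, 'YYYY-mm-dd') AS last_discovered,
    sites
FROM fact_asset_discovery
JOIN dim_asset USING (asset_id)
JOIN dim_operating_system dos USING (operating_system_id)
-- LEFT JOIN: an asset with no recorded services is still a new asset and must be
-- reported (the previous inner join silently dropped it); open_ports is NULL for it.
LEFT JOIN open_ports USING (asset_id)
WHERE now() - first_discovered <= INTERVAL '1 days'
ORDER BY ip_address ASC
-------------------------------------------------------------------------------- /vuln-count-by-severity.sql: --------------------------------------------------------------------------------
-- vuln-count-by-severity.sql
-- Per asset group, the number of findings in each severity band after the asset's
-- criticality tag has been applied to the vulnerability risk score.
--
-- Weighting by asset tag: 1 (VH) x2, 2 (H) x1.2, 3 (M) x1.1, 4 (L) x1, 5 (VL) x0.75,
-- 90 (no rating) x1.  Findings on assets carrying none of those tags are not counted;
-- an asset carrying several of them, or belonging to several of the listed groups,
-- contributes once per tag / group combination, as in the original five-way UNION.
-- Bands on the weighted score: URGENT >= 1201, CRITICAL 900-1200, HIGH 600-899,
-- MEDIUM 300-599, LOW <= 299, with half-open edges so fractional weighted scores
-- (e.g. 899.5, previously matched by no band) are counted in the band below.
--
-- NOTE: despite the *_beyond_sla column names, no age filter is applied here
-- (compare vulns-beyond-sla-detailed.sql, which also tests now() - dv.date_added);
-- every finding in a band is counted.  Each counter is COUNT(vulnerability_instances),
-- i.e. the number of finding rows with a non-NULL instance count, not their sum.
--
-- Rewritten from five UNION ALL branches (one per band, each padded with sum(1-1)
-- zero columns) into a single pass with conditional aggregation.

WITH rated_findings AS (
    SELECT
        CASE daga.asset_group_id
            WHEN 2  THEN 'Group 1'
            WHEN 29 THEN 'Group 2'
            WHEN 25 THEN 'Group 3'
            WHEN 56 THEN 'Group 4'
            WHEN 55 THEN 'Group 5'
            WHEN 40 THEN 'Group 6'
            WHEN 4  THEN 'Group 7'
            WHEN 66 THEN 'Group 8'
            WHEN 28 THEN 'Group 9'
            WHEN 26 THEN 'Group 10'
            WHEN 8  THEN 'Group 11'
            WHEN 27 THEN 'Group 12'
        END AS asset_group,
        favf.vulnerability_instances,
        dv.riskscore * CASE dta.tag_id
            WHEN 1  THEN 2
            WHEN 2  THEN 1.2
            WHEN 3  THEN 1.1
            WHEN 4  THEN 1
            WHEN 5  THEN .75
            WHEN 90 THEN 1
        END AS weighted_riskscore
    FROM fact_asset_vulnerability_finding favf
    JOIN dim_vulnerability dv USING (vulnerability_id)
    JOIN dim_asset_group_asset daga USING (asset_id)
    JOIN dim_tag_asset dta USING (asset_id)
    WHERE daga.asset_group_id IN (2,4,8,25,26,27,28,29,40,55,56,66)
      AND dta.tag_id IN (1,2,3,4,5,90)
      -- a NULL score matched no band before and would only add an all-zero row now
      AND dv.riskscore IS NOT NULL
)
SELECT
    asset_group,
    COUNT(CASE WHEN weighted_riskscore >= 1201                               THEN vulnerability_instances END) AS urgent_beyond_sla,
    COUNT(CASE WHEN weighted_riskscore >= 900 AND weighted_riskscore < 1201  THEN vulnerability_instances END) AS critical_beyond_sla,
    COUNT(CASE WHEN weighted_riskscore >= 600 AND weighted_riskscore < 900   THEN vulnerability_instances END) AS high_beyond_sla,
    COUNT(CASE WHEN weighted_riskscore >= 300 AND weighted_riskscore < 600   THEN vulnerability_instances END) AS medium_beyond_sla,
    COUNT(CASE WHEN weighted_riskscore < 300                                 THEN vulnerability_instances END) AS low_beyond_sla
FROM rated_findings
GROUP BY asset_group
-------------------------------------------------------------------------------- /vulns-beyond-sla-detailed.sql: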
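--------------------------------------------------------------------------------
-- Per-finding "beyond SLA" detail report.
--
-- One row per (asset, vulnerability, asset-rating tag) in the twelve tracked
-- asset groups, limited to findings whose age already exceeds the remediation
-- SLA for their weighted risk band.  The weighting multiplies the raw
-- vulnerability risk score by the asset's criticality tag (dim_tag_asset.tag_id):
--   1 = VH (x2.0)   2 = H (x1.2)   3 = M (x1.1)   4 = L (x1.0)
--   5 = VL (x0.75)  90 = NO RATING (x1.0)
--
-- Risk bands and the SLA (days elapsed since dv.date_added) they must exceed:
--   URGENT            weighted score >  1200     1 day
--   CRITICAL   900 <= weighted score <= 1200     7 days
--   HIGH       600 <= weighted score <   900    14 days
--   MEDIUM     300 <= weighted score <   600    30 days
--   LOW               weighted score <   300    90 days
-- The bands are contiguous (half-open at the lower boundaries).  The previous
-- integer-style limits (">= 1201", "<= 899 / >= 900", ...) left gaps, so a
-- fractional weighted score such as 1.1 * 817.5 = 899.25 matched no band and
-- silently dropped out of the report even when it was far beyond SLA.
--
-- NOTE(review): dv.date_added belongs to the vulnerability dimension, not to
-- the finding; whether it is the date the finding was first seen on *this*
-- asset (the intended SLA clock) should be confirmed against the schema.
-- NOTE(review): dim_asset_group_asset and dim_tag_asset are inner joins on
-- asset_id, so an asset that is in several tracked groups or carries several
-- rating tags appears once per membership, and an asset with no rating tag is
-- not reported at all.  Neither effect is handled here.
-- dim_operating_system is joined but never referenced; it is kept only because
-- dropping an inner join could change the row set.
WITH finding AS (
    -- One row per finding, with the asset-criticality weighting applied once.
    -- weighted_riskscore is NULL for any tag that is not a rating tag, which
    -- keeps such rows out of every band below.
    SELECT
        da.ip_address,
        da.host_name,
        da.mac_address,
        dta.tag_id,
        favf.date                       AS scan_date,
        dv.title                        AS vulnerability_title,
        dv.date_added,
        dv.riskscore,
        CASE dta.tag_id
            WHEN 1  THEN 2    * dv.riskscore
            WHEN 2  THEN 1.2  * dv.riskscore
            WHEN 3  THEN 1.1  * dv.riskscore
            WHEN 4  THEN        dv.riskscore
            WHEN 5  THEN 0.75 * dv.riskscore
            WHEN 90 THEN        dv.riskscore
        END                             AS weighted_riskscore
    FROM fact_asset_vulnerability_finding AS favf
    INNER JOIN dim_asset             AS da   USING (asset_id)
    INNER JOIN dim_operating_system  AS dos  USING (operating_system_id)
    INNER JOIN dim_vulnerability     AS dv   USING (vulnerability_id)
    INNER JOIN dim_asset_group_asset AS daga USING (asset_id)
    INNER JOIN dim_tag_asset         AS dta  USING (asset_id)
    WHERE daga.asset_group_id IN (2, 4, 8, 25, 26, 27, 28, 29, 40, 55, 56, 66)
),
banded AS (
    -- Attach the SLA band.  NULL means "within SLA" (or no usable weighting)
    -- and such rows are filtered out in the final SELECT.
    SELECT
        finding.*,
        CASE
            WHEN now() - date_added > INTERVAL '1 days'
                 AND weighted_riskscore > 1200                                  THEN 'URGENT'
            WHEN now() - date_added > INTERVAL '7 days'
                 AND weighted_riskscore >= 900 AND weighted_riskscore <= 1200   THEN 'CRITICAL'
            WHEN now() - date_added > INTERVAL '14 days'
                 AND weighted_riskscore >= 600 AND weighted_riskscore < 900     THEN 'HIGH'
            WHEN now() - date_added > INTERVAL '30 days'
                 AND weighted_riskscore >= 300 AND weighted_riskscore < 600     THEN 'MEDIUM'
            WHEN now() - date_added > INTERVAL '90 days'
                 AND weighted_riskscore < 300                                   THEN 'LOW'
        END AS vuln_severity
    FROM finding
)
SELECT
    ip_address,
    host_name,
    mac_address,
    CASE tag_id
        WHEN 1  THEN 'VH'
        WHEN 2  THEN 'H'
        WHEN 3  THEN 'M'
        WHEN 4  THEN 'L'
        WHEN 5  THEN 'VL'
        WHEN 90 THEN 'NO RATING'
    END                                     AS asset_rating,
    to_char(scan_date, 'YYYY-mm-dd')        AS asset_last_scan,
    vulnerability_title,
    date_added                              AS vuln_first_scan,
    round(weighted_riskscore::numeric, 0)   AS weighted_riskscore,
    vuln_severity
FROM banded
WHERE vuln_severity IS NOT NULL
-- Sorted on the raw (unweighted) score, as the original report was.
ORDER BY riskscore DESC, ip_address ASC, date_added DESC;
--------------------------------------------------------------------------------
/vulns-beyond-sla.sql:
--------------------------------------------------------------------------------
-- Aggregate "beyond SLA" report: one row per tracked asset group with the
-- number of findings that have exceeded the remediation SLA in each weighted
-- risk band.  Weighting, bands and SLA days are the same as in the detailed
-- report above:
--   tag 1 = x2.0, 2 = x1.2, 3 = x1.1, 4 = x1.0, 5 = x0.75, 90 = x1.0
--   URGENT   > 1200 (1 day)   CRITICAL 900..1200 (7 days)   HIGH 600..<900 (14 days)
--   MEDIUM   300..<600 (30 days)   LOW < 300 (90 days)
-- Bands are contiguous; the previous "<= 899 / >= 900" style limits let
-- fractional weighted scores fall between bands and go uncounted.
--
-- Written as a single pass with conditional aggregation instead of five
-- UNION ALL branches (one per band) padded with placeholder columns
-- ("CASE WHEN (1=1) THEN sum(1-1) END") and re-summed afterwards.  The output
-- is the same: an asset group appears only when it has at least one finding
-- beyond SLA, and a band with no findings for that group reports 0.
--
-- NOTE(review): COUNT(vulnerability_instances) counts finding rows that have a
-- non-NULL vulnerability_instances value; it does not sum the instances.
-- Confirm that a row count is what the report is meant to show.
-- NOTE(review): as in the detailed report, the inner join on dim_tag_asset
-- counts a finding once per rating tag on the asset and excludes assets that
-- have no rating tag, so untagged assets never show up as beyond SLA.
WITH finding AS (
    -- One row per finding in a tracked group, weighted once by the asset tag.
    SELECT
        daga.asset_group_id,
        dv.date_added,
        favf.vulnerability_instances,
        CASE dta.tag_id
            WHEN 1  THEN 2    * dv.riskscore
            WHEN 2  THEN 1.2  * dv.riskscore
            WHEN 3  THEN 1.1  * dv.riskscore
            WHEN 4  THEN        dv.riskscore
            WHEN 5  THEN 0.75 * dv.riskscore
            WHEN 90 THEN        dv.riskscore
        END AS weighted_riskscore
    FROM fact_asset_vulnerability_finding AS favf
    INNER JOIN dim_vulnerability     AS dv   USING (vulnerability_id)
    INNER JOIN dim_asset_group_asset AS daga USING (asset_id)
    INNER JOIN dim_tag_asset         AS dta  USING (asset_id)
    WHERE daga.asset_group_id IN (2, 4, 8, 25, 26, 27, 28, 29, 40, 55, 56, 66)
),
banded AS (
    -- SLA band per finding; NULL = within SLA (or no usable weighting).
    SELECT
        asset_group_id,
        vulnerability_instances,
        CASE
            WHEN now() - date_added > INTERVAL '1 days'
                 AND weighted_riskscore > 1200                                  THEN 'URGENT'
            WHEN now() - date_added > INTERVAL '7 days'
                 AND weighted_riskscore >= 900 AND weighted_riskscore <= 1200   THEN 'CRITICAL'
            WHEN now() - date_added > INTERVAL '14 days'
                 AND weighted_riskscore >= 600 AND weighted_riskscore < 900     THEN 'HIGH'
            WHEN now() - date_added > INTERVAL '30 days'
                 AND weighted_riskscore >= 300 AND weighted_riskscore < 600     THEN 'MEDIUM'
            WHEN now() - date_added > INTERVAL '90 days'
                 AND weighted_riskscore < 300                                   THEN 'LOW'
        END AS sla_band
    FROM finding
)
SELECT
    CASE asset_group_id
        WHEN 2  THEN 'Group 1'
        WHEN 29 THEN 'Group 2'
        WHEN 25 THEN 'Group 3'
        WHEN 56 THEN 'Group 4'
        WHEN 55 THEN 'Group 5'
        WHEN 40 THEN 'Group 6'
        WHEN 4  THEN 'Group 7'
        WHEN 66 THEN 'Group 8'
        WHEN 28 THEN 'Group 9'
        WHEN 26 THEN 'Group 10'
        WHEN 8  THEN 'Group 11'
        WHEN 27 THEN 'Group 12'
    END AS asset_group,
    COUNT(CASE WHEN sla_band = 'URGENT'   THEN vulnerability_instances END) AS urgent_beyond_sla,
    COUNT(CASE WHEN sla_band = 'CRITICAL' THEN vulnerability_instances END) AS critical_beyond_sla,
    COUNT(CASE WHEN sla_band = 'HIGH'     THEN vulnerability_instances END) AS high_beyond_sla,
    COUNT(CASE WHEN sla_band = 'MEDIUM'   THEN vulnerability_instances END) AS medium_beyond_sla,
    COUNT(CASE WHEN sla_band = 'LOW'      THEN vulnerability_instances END) AS low_beyond_sla
FROM banded
-- Only findings beyond SLA contribute; groups with none are not listed, as before.
WHERE sla_band IS NOT NULL
GROUP BY asset_group_id;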
--------------------------------------------------------------------------------