turbot/prismacloud
steampipe plugin install prismacloud

Table: prismacloud_vulnerability_burndown - Query Prisma Cloud Vulnerability Burndown using SQL

The Prisma Cloud vulnerability burndown table in Steampipe provides a historical view of vulnerabilities and their remediation over time for various asset types. This table helps security engineers and cloud administrators to track the progress of vulnerability remediation and understand the trends in vulnerability management. The schema outlines various attributes related to the vulnerability burndown, including the type of asset, life cycle stage, severity, and the number of vulnerabilities recorded and remediated each day.

Table Usage Guide

The prismacloud_vulnerability_burndown table in Steampipe provides information about the historical trends of vulnerabilities in different asset types within Prisma Cloud. This table allows you to query details such as the number of vulnerabilities recorded and remediated each day, helping you to track and manage the progress of vulnerability remediation effectively.

Important Notes

  • To query this table you need the vulnerabilityDashboard feature with View permission to access this endpoint. Verify that your permission group includes this feature using the Get Permission Group by ID endpoint. You can also check this in the Prisma Cloud console by ensuring that Dashboard > Vulnerability is enabled.
  • You must specify asset_type, life_cycle, and severities in the where clause in order to use this table.

Examples

Basic info

Retrieve basic information about the vulnerability burndown, including the total number of vulnerabilities recorded each day and the number of vulnerabilities remediated each day.

select
  asset_type,
  day_num,
  epoch_timestamp,
  total_count,
  remediated_count
from
  prismacloud_vulnerability_burndown
where
  -- asset_type, life_cycle, and severities are required by this table
  asset_type = 'host'
  and life_cycle = 'run'
  and severities = 'critical';

Vulnerability burndown by asset type

Retrieve the burndown of vulnerabilities grouped by asset type. This helps in understanding the trends in vulnerability management for different types of assets.

select
  asset_type,
  sum(total_count) as total_vulnerabilities,
  sum(remediated_count) as total_remediated
from
  prismacloud_vulnerability_burndown
where
  asset_type = 'host'
  and life_cycle = 'run'
  and severities = 'critical'
group by
  asset_type;

Recent vulnerability burndown

Retrieve the vulnerability burndown data for the last 30 days. This helps in tracking the recent progress of vulnerability remediation.

select
  asset_type,
  day_num,
  epoch_timestamp,
  total_count,
  remediated_count
from
  prismacloud_vulnerability_burndown
where
  asset_type = 'host'
  and life_cycle = 'run'
  and severities = 'critical'
  and epoch_timestamp > now() - interval '30 days';

Vulnerability burndown for critical severity

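Retrieve the vulnerability burndown totals for critical-severity vulnerabilities, grouped by asset type and severity. Because severities is a required filter, the result covers only the severity named in the where clause. This helps in tracking the remediation of vulnerabilities at that severity.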

select
  asset_type,
  severities,
  sum(total_count) as total_vulnerabilities,
  sum(remediated_count) as total_remediated
from
  prismacloud_vulnerability_burndown
where
  asset_type = 'host'
  and life_cycle = 'run'
  and severities = 'critical'
group by
  asset_type,
  severities;
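
To compare severities side by side, each severity needs its own branch, since every query against this table must fix asset_type, life_cycle, and severities. The query below is an added example, not part of the plugin documentation. It assumes the Postgres-backed Steampipe service and reuses the host/run values from the examples above; the remediated_pct column is simply the ratio of the two sums those examples already compute.

```sql
-- Added example: one union all branch per severity so that every branch
-- supplies the three required qualifiers with an equality filter.
with burndown as (
  select severities, day_num, epoch_timestamp, total_count, remediated_count
  from prismacloud_vulnerability_burndown
  where asset_type = 'host' and life_cycle = 'run' and severities = 'critical'
  union all
  select severities, day_num, epoch_timestamp, total_count, remediated_count
  from prismacloud_vulnerability_burndown
  where asset_type = 'host' and life_cycle = 'run' and severities = 'high'
  union all
  select severities, day_num, epoch_timestamp, total_count, remediated_count
  from prismacloud_vulnerability_burndown
  where asset_type = 'host' and life_cycle = 'run' and severities = 'medium'
  union all
  select severities, day_num, epoch_timestamp, total_count, remediated_count
  from prismacloud_vulnerability_burndown
  where asset_type = 'host' and life_cycle = 'run' and severities = 'low'
)
select
  severities,
  count(*) as days_reported,
  sum(total_count) as total_vulnerabilities,
  sum(remediated_count) as total_remediated,
  -- nullif avoids a division-by-zero error when no vulnerabilities were recorded
  round(
    100.0 * sum(remediated_count) / nullif(sum(total_count), 0),
    1
  ) as remediated_pct
from
  burndown
where
  epoch_timestamp > now() - interval '30 days'
group by
  severities
order by
  remediated_pct;
```

Rows with the lowest remediated_pct sort first, which puts the severities where remediation is lagging at the top of the result.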

Vulnerability burndown life cycle stage run

Retrieve the vulnerability burndown data grouped by the life cycle stage of the asset. This helps in understanding the trends in vulnerability management at different stages of the asset's life cycle.

select
  asset_type,
  life_cycle,
  sum(total_count) as total_vulnerabilities,
  sum(remediated_count) as total_remediated
from
  prismacloud_vulnerability_burndown
where
  asset_type = 'host'
  and life_cycle = 'run'
  and severities = 'critical'
group by
  asset_type,
  life_cycle;

Schema for prismacloud_vulnerability_burndown

| Name | Type | Operators | Description |
|------|------|-----------|-------------|
| _ctx | jsonb | | Steampipe context in JSON form. |
| asset_type | text | = | The type of asset. Possible values are: iac, package, deployedImage, serverlessFunction, host, registryImage, vmImage. |
| day_num | bigint | | Count down of the day backwards from present day. |
| email | text | =, !=, ~~, ~~*, !~~, !~~* | Email address of the current session user. |
| epoch_timestamp | timestamp with time zone | | Time up to which the entry was recorded. |
| life_cycle | text | = | The life cycle stage of the asset. Possible values are: code, build, deploy, run. |
| remediated_count | bigint | | Number of vulnerabilities remediated for the given day. |
| severities | text | = | The severities of the asset. Possible values are: low, medium, high, critical. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| total_count | bigint | | Number of vulnerabilities in the given day. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- prismacloud

You can pass the configuration to the command with the --config argument:

steampipe_export_prismacloud --config '<your_config>' prismacloud_vulnerability_burndown