Table: wiz_vulnerability_finding - Query Wiz Vulnerability Findings using SQL
Wiz Vulnerability Findings is a resource within Wiz that allows you to identify and monitor vulnerabilities in your environment. It provides detailed information about each vulnerability, including its severity, status, and the resources it affects. Wiz Vulnerability Findings helps you stay informed about the security health of your resources and take appropriate actions when vulnerabilities are detected.
Table Usage Guide
The wiz_vulnerability_finding table provides insights into vulnerabilities within Wiz. As a security analyst, explore vulnerability-specific details through this table, including severity, status, and affected resources. Use it to uncover information about vulnerabilities, such as those with high severity, the status of each finding, and which resources are affected.
Important Notes
- The table can return a large dataset, which can increase query execution time. Queries to this table should include at least one of the following columns as a qualifier (usually in the where clause), so that the plugin can filter server-side rather than fetching every finding: detection_method, has_cisa_kev_exploit, has_exploit, severity, status, vulnerability_external_id.
Examples
Basic info
Gain insights into the severity and details of vulnerabilities in your digital assets, including whether they have been exploited and how they can be fixed. This query is useful for maintaining security and managing risk in your digital environment.
Postgres:

```sql
select
  vulnerable_asset ->> 'name' as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  vulnerable_asset ->> 'subscriptionId' as subscription
from
  wiz_vulnerability_finding;
```

SQLite:

```sql
select
  json_extract(vulnerable_asset, '$.name') as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  json_extract(vulnerable_asset, '$.subscriptionId') as subscription
from
  wiz_vulnerability_finding;
```
List resources with high-severity known public exploit vulnerabilities
Explore which resources have high-severity vulnerabilities that are publicly exploited. This is essential in identifying and addressing potential security risks promptly.
Postgres:

```sql
select
  vulnerable_asset ->> 'name' as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  vulnerable_asset ->> 'subscriptionId' as subscription
from
  wiz_vulnerability_finding
where
  has_exploit
  and severity = 'HIGH';
```

SQLite:

```sql
select
  json_extract(vulnerable_asset, '$.name') as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  json_extract(vulnerable_asset, '$.subscriptionId') as subscription
from
  wiz_vulnerability_finding
where
  has_exploit
  and severity = 'HIGH';
```
List high severity findings that are not fixed
Identify high severity findings for which no fixed version of the affected library or package is available yet. This is useful for prioritizing compensating controls, since these findings cannot be closed by a routine upgrade.
Postgres:

```sql
select
  vulnerable_asset ->> 'name' as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  vulnerable_asset ->> 'subscriptionId' as subscription
from
  wiz_vulnerability_finding
where
  severity = 'HIGH'
  and fixed_version is null;
```

SQLite:

```sql
select
  json_extract(vulnerable_asset, '$.name') as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  json_extract(vulnerable_asset, '$.subscriptionId') as subscription
from
  wiz_vulnerability_finding
where
  severity = 'HIGH'
  and fixed_version is null;
```
List high severity findings which are not resolved
List unresolved high severity findings whose vulnerability has a known public exploit and is listed in the CISA KEV catalog, joined to the wiz_subscription table to show the subscription name. This query is useful for prioritizing the findings most likely to be exploited in the wild.
Postgres:

```sql
select
  f.vulnerable_asset ->> 'name' as resource_name,
  f.name as vulnerability,
  f.detailed_name,
  f.severity,
  f.fixed_version,
  f.detection_method,
  f.has_exploit,
  s.name as subscription
from
  wiz_vulnerability_finding as f
  left join wiz_subscription as s on s.id = f.vulnerable_asset ->> 'subscriptionId'
where
  f.severity = 'HIGH'
  and f.status = 'UNRESOLVED'
  and f.has_exploit
  and f.has_cisa_kev_exploit;
```

SQLite:

```sql
select
  json_extract(f.vulnerable_asset, '$.name') as resource_name,
  f.name as vulnerability,
  f.detailed_name,
  f.severity,
  f.fixed_version,
  f.detection_method,
  f.has_exploit,
  s.name as subscription
from
  wiz_vulnerability_finding as f
  left join wiz_subscription as s on s.id = json_extract(f.vulnerable_asset, '$.subscriptionId')
where
  f.severity = 'HIGH'
  and f.status = 'UNRESOLVED'
  and f.has_exploit
  and f.has_cisa_kev_exploit;
```
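The examples above list individual findings. The following Postgres query is an added example, not part of the plugin's documentation, that turns the same table into a remediation worklist: it groups unresolved, exploitable HIGH and CRITICAL findings by subscription and vulnerability, counts affected resources, computes how long each has been open, and flags whether a fixed version exists. It assumes only what the page shows: the `name` and `subscriptionId` keys of `vulnerable_asset` and the `wiz_subscription` table with `id` and `name` columns.

```sql
-- Added example (not from the Steampipe Wiz docs): remediation worklist of
-- unresolved exploitable findings, aggregated per subscription and CVE.
-- The where clause uses three of the recommended key columns (status,
-- severity, has_exploit) so the plugin can filter server-side.
select
  coalesce(s.name, f.vulnerable_asset ->> 'subscriptionId') as subscription,
  f.vulnerability_external_id as vulnerability_id,
  f.detailed_name as package,
  f.severity,
  f.has_cisa_kev_exploit as in_cisa_kev,
  -- distinct asset names, so one CVE on many resources counts each resource once
  count(distinct f.vulnerable_asset ->> 'name') as affected_resources,
  max(f.exploitability_score) as max_exploitability,
  min(f.first_detected_at)::date as first_seen,
  -- age of the oldest open finding in this group, in whole days
  extract(day from now() - min(f.first_detected_at))::int as days_open,
  -- true only when every finding in the group already has a fixed version
  bool_and(f.fixed_version is not null) as patch_available,
  -- earliest version that closes the finding, when one is known
  min(f.fixed_version) as fixed_version
from
  wiz_vulnerability_finding as f
  left join wiz_subscription as s on s.id = f.vulnerable_asset ->> 'subscriptionId'
where
  f.status = 'UNRESOLVED'
  and f.severity in ('HIGH', 'CRITICAL')
  and f.has_exploit
group by
  1, 2, 3, 4, 5
order by
  in_cisa_kev desc,
  affected_resources desc,
  max_exploitability desc,
  days_open desc;
```

Rows with in_cisa_kev true, many affected resources, and patch_available true are the cheapest risk reduction available; rows with patch_available false are candidates for compensating controls.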
Schema for wiz_vulnerability_finding
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name. |
cve_description | text | | The vulnerability description from NVD. |
cvss_severity | text | | The calculated CVSS 3.x severity from NVD. |
description | text | | The Wiz verbose description of how the vulnerability finding was detected, with library/package, detection method, affected versions, severity and remediation suggestion. |
detailed_name | text | | The library/package name where the vulnerability was detected. |
detection_method | text | = | The detection method for this vulnerability finding. Possible values are: PACKAGE, DEFAULT_PACKAGE, LIBRARY, CONFIG_FILE, OPEN_PORT, STARTUP_SERVICE, CONFIGURATION, CLONED_REPOSITORY, OS, ARTIFACTS_ON_DISK, WINDOWS_REGISTRY, INSTALLED_PROGRAM, WINDOWS_SERVICE, INSTALLED_PROGRAM_BY_SERVICE, FILE_PATH, UNKNOWN. |
exploitability_score | double precision | | The CVSS 3.x exploitability score from NVD. |
first_detected_at | timestamp with time zone | | The first time this vulnerability finding was detected on this resource. |
fixed_version | text | = | The initial version of the library/package where the vulnerability was fixed. |
has_cisa_kev_exploit | boolean | !=, = | True if the vulnerability has an exploit in the CISA KEV published catalog. |
has_exploit | boolean | !=, = | True if the vulnerability has a known public exploit. |
id | text | = | The Wiz identifier for the vulnerability. |
impact_score | double precision | | The CVSS 3.x impact score from NVD. |
last_detected_at | timestamp with time zone | | The last time this vulnerability finding was seen on this resource. |
link | text | | The link to the vendor vulnerability advisory. |
location_path | text | | The local path to the package/library/file where the vulnerability was detected. |
name | text | | The name of the vulnerability. |
portal_url | text | | The Wiz URL for the vulnerability finding of a specific CVE on a specific resource. |
remediation | text | | The suggested command/method for remediating the vulnerability finding. |
resolution_reason | text | | The status resolution reason. |
resolved_at | timestamp with time zone | | The time this vulnerability finding was resolved. |
score | double precision | | The CVSS 3.x score from NVD. |
severity | text | = | The calculated CVSS 3.x severity from the vendor. Possible values are: NONE, LOW, MEDIUM, HIGH, CRITICAL. |
status | text | = | The resolution status of the finding. Possible values are: UNRESOLVED, RESOLVED, PASSED, IGNORED. |
version | text | | The version of the library/package where the vulnerability was detected. |
vulnerability_external_id | text | = | The vulnerability identifier. |
vulnerable_asset | jsonb | | The details of the asset where the vulnerability was detected. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```shell
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- wiz
```

You can pass the configuration to the command with the --config argument:

```shell
steampipe_export_wiz --config '<your_config>' wiz_vulnerability_finding
```