steampipe plugin install wiz

Table: wiz_vulnerability_finding - Query Wiz Vulnerability Findings using SQL

Wiz Vulnerability Findings is a resource within Wiz that allows you to identify and monitor vulnerabilities in your environment. It provides detailed information about each vulnerability, including its severity, status, and the resources it affects. Wiz Vulnerability Findings helps you stay informed about the security health of your resources and take appropriate actions when vulnerabilities are detected.

Table Usage Guide

The wiz_vulnerability_finding table provides insights into vulnerabilities within Wiz. As a security analyst, explore vulnerability-specific details through this table, including severity, status, and affected resources. Utilize it to uncover information about vulnerabilities, such as those with high severity, the status of vulnerabilities, and the verification of affected resources.

Important Notes

  • The table can return a large dataset; which can increase the query execution time. It is recommended that queries to this table should include (usually in the where clause) at least one of these columns:
    • detection_method
    • has_cisa_kev_exploit
    • has_exploit
    • severity
    • status
    • vulnerability_external_id

Examples

Basic info

Gain insights into the severity and details of vulnerabilities in your digital assets, including whether they have been exploited and how they can be fixed. This query is useful for maintaining security and managing risk in your digital environment.

select
vulnerable_asset ->> 'name' as resource_name,
name as vulnerability,
detailed_name,
severity,
fixed_version,
detection_method,
has_exploit,
vulnerable_asset ->> 'subscriptionId' as subscription
from
wiz_vulnerability_finding;
select
json_extract(vulnerable_asset, '$.name') as resource_name,
name as vulnerability,
detailed_name,
severity,
fixed_version,
detection_method,
has_exploit,
json_extract(vulnerable_asset, '$.subscriptionId') as subscription
from
wiz_vulnerability_finding;

List resources with high-severity known public exploit vulnerabilities

Explore which resources have high-severity vulnerabilities that are publicly exploited. This is essential in identifying and addressing potential security risks promptly.

select
vulnerable_asset ->> 'name' as resource_name,
name as vulnerability,
detailed_name,
severity,
fixed_version,
detection_method,
has_exploit,
vulnerable_asset ->> 'subscriptionId' as subscription
from
wiz_vulnerability_finding
where
has_exploit
and severity = 'HIGH';
select
json_extract(vulnerable_asset, '$.name') as resource_name,
name as vulnerability,
detailed_name,
severity,
fixed_version,
detection_method,
has_exploit,
json_extract(vulnerable_asset, '$.subscriptionId') as subscription
from
wiz_vulnerability_finding
where
has_exploit
and severity = 'HIGH';

List high severity findings that are not fixed

Identify instances where high severity vulnerabilities are detected but remain unresolved. This is useful in prioritizing security efforts and mitigating risks promptly.

select
vulnerable_asset ->> 'name' as resource_name,
name as vulnerability,
detailed_name,
severity,
fixed_version,
detection_method,
has_exploit,
vulnerable_asset ->> 'subscriptionId' as subscription
from
wiz_vulnerability_finding
where
severity = 'HIGH'
and fixed_version is null;
select
json_extract(vulnerable_asset, '$.name') as resource_name,
name as vulnerability,
detailed_name,
severity,
fixed_version,
detection_method,
has_exploit,
json_extract(vulnerable_asset, '$.subscriptionId') as subscription
from
wiz_vulnerability_finding
where
severity = 'HIGH'
and fixed_version is null;

List high severity findings which are not resolved

Discover high-risk security vulnerabilities that are yet to be resolved. This query is particularly useful for prioritizing and addressing threats that have known exploits, thereby enhancing your system's security.

select
f.vulnerable_asset ->> 'name' as resource_name,
f.name as vulnerability,
f.detailed_name,
f.severity,
f.fixed_version,
f.detection_method,
f.has_exploit,
s.name as subscription
from
wiz_vulnerability_finding as f
left join wiz_subscription as s on s.id = vulnerable_asset ->> 'subscriptionId'
where
f.severity = 'HIGH'
and f.status = 'UNRESOLVED'
and f.has_exploit
and f.has_cisa_kev_exploit;
select
json_extract(f.vulnerable_asset, '$.name') as resource_name,
f.name as vulnerability,
f.detailed_name,
f.severity,
f.fixed_version,
f.detection_method,
f.has_exploit,
s.name as subscription
from
wiz_vulnerability_finding as f
left join wiz_subscription as s on s.id = json_extract(f.vulnerable_asset, '$.subscriptionId')
where
f.severity = 'HIGH'
and f.status = 'UNRESOLVED'
and f.has_exploit
and f.has_cisa_kev_exploit;

Schema for wiz_vulnerability_finding

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
cve_descriptiontextThe vulnerability description from NVD.
cvss_severitytextThe calculated CVSS 3.x severity from NVD.
descriptiontextThe wiz verbose description of how the vulnerability finding was detected, with library/package, detection method, affected versions, severity and remediation suggestion.
detailed_nametextThe library/package name where the vulnerability was detected.
detection_methodtext=The detection method for this vulnerability finding. Possible values are: PACKAGE, DEFAULT_PACKAGE, LIBRARY, CONFIG_FILE, OPEN_PORT, STARTUP_SERVICE, CONFIGURATION, CLONED_REPOSITORY, OS, ARTIFACTS_ON_DISK, WINDOWS_REGISTRY, INSTALLED_PROGRAM, WINDOWS_SERVICE, INSTALLED_PROGRAM_BY_SERVICE, FILE_PATH, UNKNOWN.
exploitability_scoredouble precisionThe CVSS 3.x exploitability score from NVD.
first_detected_attimestamp with time zoneThe first time this vulnerability finding was detected on this resource.
fixed_versiontext=The initial version of the library/package where the vulnerability was fixed.
has_cisa_kev_exploitboolean!=, =True, if the vulnerability has an exploit in the CISA KEV published catalog.
has_exploitboolean!=, =True, if the vulnerability has a known public exploit.
idtext=The wiz identifier for the vulnerability.
impact_scoredouble precisionThe CVSS 3.x impact score from NVD.
last_detected_attimestamp with time zoneThe last time this vulnerability finding was seen on this resource.
linktextThe link to the vendor vulnerability advisory.
location_pathtextThe local path to the package/library/file where the vulnerability was detected.
nametextThe name of the vulnerability.
portal_urltextThe wiz URL for the vulnerability finding of a specific CVE on a specific resource.
remediationtextThe suggested command/method for remediating the vulnerability finding.
resolution_reasontextThe status resolution reason.
resolved_attimestamp with time zoneThe time this vulnerability finding was resolved.
scoredouble precisionThe CVSS 3.x score from NVD.
severitytext=The calculated CVSS 3.x severity from the vendor. Possible values are: NONE, LOW, MEDIUM, HIGH, CRITICAL.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
statustext=The resolution status of the finding. Possible values are: UNRESOLVED, RESOLVED, PASSED, IGNORED.
versiontextThe version of the library/package where the vulnerability was detected.
vulnerability_external_idtext=The vulnerability identifier.
vulnerable_assetjsonbThe details of the asset where the vulnerability was detected.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- wiz

You can pass the configuration to the command with the --config argument:

steampipe_export_wiz --config '<your_config>' wiz_vulnerability_finding