steampipe plugin install wiz

Table: wiz_vulnerability_finding - Query Wiz Vulnerability Findings using SQL

Wiz Vulnerability Findings is a resource within Wiz that allows you to identify and monitor vulnerabilities in your environment. It provides detailed information about each vulnerability, including its severity, status, and the resources it affects. Wiz Vulnerability Findings helps you stay informed about the security health of your resources and take appropriate actions when vulnerabilities are detected.

Table Usage Guide

The wiz_vulnerability_finding table provides insights into vulnerabilities within Wiz. As a security analyst, explore vulnerability-specific details through this table, including severity, status, and affected resources. Use it to answer questions such as which findings are high severity, whether a finding is still unresolved, and which resources are affected.

Important Notes

  • The table can return a large dataset, which increases query execution time. Queries against this table should include (usually in the where clause) at least one of the following key columns, whose filters are passed to the Wiz API rather than applied by Steampipe after every finding has been fetched:
    • detection_method
    • has_cisa_kev_exploit
    • has_exploit
    • severity
    • status
    • vulnerability_external_id
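As an added example that is not part of the original Steampipe documentation, the following PostgreSQL query applies the advice above: it scopes the request with three key columns (status, has_cisa_kev_exploit, severity) so the filtering happens at the Wiz API, then ranks what remains by age so the oldest CISA KEV exposures surface first. The 14-day threshold is an assumed remediation SLA for KEV-listed vulnerabilities; Steampipe treats the in (...) list on a key column as a set of equality filters.

```sql
-- Added example (not from the original Steampipe docs): unresolved CISA KEV exposures, scoped by key columns.
-- Assumptions: PostgreSQL dialect; a 14-day remediation SLA for KEV-listed vulnerabilities.
select
  f.vulnerability_external_id as cve,
  f.vulnerable_asset ->> 'name' as resource_name,
  f.vulnerable_asset ->> 'subscriptionId' as subscription_id,
  f.severity,
  f.detection_method,
  f.detailed_name as package,
  f.version as installed_version,
  f.fixed_version,
  date_part('day', now() - f.first_detected_at)::int as days_open,
  f.remediation,
  f.portal_url
from
  wiz_vulnerability_finding as f
where
  -- key columns: these filters reach the Wiz API instead of being applied locally
  f.status = 'UNRESOLVED'
  and f.has_cisa_kev_exploit
  and f.severity in ('CRITICAL', 'HIGH')
  -- non-key column: evaluated by Steampipe after the scoped results are returned
  and f.first_detected_at < now() - interval '14 days'
order by
  case f.severity when 'CRITICAL' then 0 else 1 end,
  days_open desc;
```

The severity ordering uses a case expression because the text values sort alphabetically ('HIGH' before 'CRITICAL' in descending order); remediation and portal_url give the on-call engineer the fix command and a direct link into Wiz without a second lookup.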

Examples

Basic info

Gain insights into the severity and details of vulnerabilities across your assets, including whether a public exploit is known and which version fixes them. Because this query carries no filter on a key column, it retrieves every finding in the tenant; on a large environment, add a filter such as severity or status (see Important Notes).

PostgreSQL:

select
  vulnerable_asset ->> 'name' as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  vulnerable_asset ->> 'subscriptionId' as subscription
from
  wiz_vulnerability_finding;

SQLite:

select
  json_extract(vulnerable_asset, '$.name') as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  json_extract(vulnerable_asset, '$.subscriptionId') as subscription
from
  wiz_vulnerability_finding;

List resources with high-severity vulnerabilities that have a known public exploit

Explore which resources carry high-severity vulnerabilities for which a public exploit is known, which is essential for identifying and addressing the most likely attack paths promptly. Note that severity = 'HIGH' matches only that level; CRITICAL is a separate value, so use severity in ('HIGH', 'CRITICAL') to cover both.

PostgreSQL:

select
  vulnerable_asset ->> 'name' as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  vulnerable_asset ->> 'subscriptionId' as subscription
from
  wiz_vulnerability_finding
where
  has_exploit
  and severity = 'HIGH';

SQLite:

select
  json_extract(vulnerable_asset, '$.name') as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  json_extract(vulnerable_asset, '$.subscriptionId') as subscription
from
  wiz_vulnerability_finding
where
  has_exploit
  and severity = 'HIGH';

List high severity findings with no fixed version available

Identify high severity vulnerabilities for which Wiz has no fixed package version recorded, meaning a patch alone will not close them. These findings need a compensating control (configuration change, removal of the component, or network restriction) or an explicit risk acceptance. fixed_version describes fix availability, not finding state; use the status column to check whether a finding has been resolved.

PostgreSQL:

select
  vulnerable_asset ->> 'name' as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  vulnerable_asset ->> 'subscriptionId' as subscription
from
  wiz_vulnerability_finding
where
  severity = 'HIGH'
  and fixed_version is null;

SQLite:

select
  json_extract(vulnerable_asset, '$.name') as resource_name,
  name as vulnerability,
  detailed_name,
  severity,
  fixed_version,
  detection_method,
  has_exploit,
  json_extract(vulnerable_asset, '$.subscriptionId') as subscription
from
  wiz_vulnerability_finding
where
  severity = 'HIGH'
  and fixed_version is null;

List unresolved high severity findings with a CISA KEV exploit, by subscription name

Discover unresolved high severity findings whose vulnerability has a known public exploit and is listed in the CISA Known Exploited Vulnerabilities catalog, and resolve the subscription id embedded in vulnerable_asset to its display name through the wiz_subscription table. This query is useful for prioritizing the findings most likely to be exploited in the wild. All four filters are on key columns, so the request is scoped at the Wiz API.

PostgreSQL:

select
  f.vulnerable_asset ->> 'name' as resource_name,
  f.name as vulnerability,
  f.detailed_name,
  f.severity,
  f.fixed_version,
  f.detection_method,
  f.has_exploit,
  s.name as subscription
from
  wiz_vulnerability_finding as f
  left join wiz_subscription as s on s.id = f.vulnerable_asset ->> 'subscriptionId'
where
  f.severity = 'HIGH'
  and f.status = 'UNRESOLVED'
  and f.has_exploit
  and f.has_cisa_kev_exploit;

SQLite:

select
  json_extract(f.vulnerable_asset, '$.name') as resource_name,
  f.name as vulnerability,
  f.detailed_name,
  f.severity,
  f.fixed_version,
  f.detection_method,
  f.has_exploit,
  s.name as subscription
from
  wiz_vulnerability_finding as f
  left join wiz_subscription as s on s.id = json_extract(f.vulnerable_asset, '$.subscriptionId')
where
  f.severity = 'HIGH'
  and f.status = 'UNRESOLVED'
  and f.has_exploit
  and f.has_cisa_kev_exploit;
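The per-resource listings above answer "what do I fix on this host"; the following added example (PostgreSQL, not part of the original page) answers "which account do I fix first" by rolling unresolved, exploitable findings up per subscription. It scopes on the key columns status and has_exploit, then splits the counts by whether a fixed version exists, since findings with no fix need a compensating control rather than a patch. It assumes the wiz_subscription table used in the example above exposes id and name.

```sql
-- Added example (not from the original Steampipe docs): per-subscription exposure summary.
-- Assumptions: PostgreSQL dialect; wiz_subscription has id and name columns.
with scoped as (
  select
    vulnerable_asset ->> 'subscriptionId' as subscription_id,
    severity,
    has_cisa_kev_exploit,
    fixed_version,
    vulnerability_external_id
  from
    wiz_vulnerability_finding
  where
    -- key columns: narrow the API request to unresolved findings with a public exploit
    status = 'UNRESOLVED'
    and has_exploit
)
select
  -- fall back to the raw id when the subscription is not inventoried in Wiz
  coalesce(s.name, scoped.subscription_id) as subscription,
  count(*) as exploitable_findings,
  count(*) filter (where severity = 'CRITICAL') as critical,
  count(*) filter (where has_cisa_kev_exploit) as in_cisa_kev,
  count(*) filter (where fixed_version is not null) as patch_available,
  count(*) filter (where fixed_version is null) as no_fix_yet,
  count(distinct vulnerability_external_id) as distinct_cves
from
  scoped
  left join wiz_subscription as s on s.id = scoped.subscription_id
group by
  1
order by
  in_cisa_kev desc,
  critical desc,
  exploitable_findings desc;
```

The distinct_cves column separates "one vulnerable base image deployed a hundred times" from "a hundred different problems": a high finding count with few distinct CVEs usually means rebuilding a single image or package closes most of the exposure.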

Schema for wiz_vulnerability_finding

Name | Type | Operators | Description
--- | --- | --- | ---
_ctx | jsonb |  | Steampipe context in JSON form, e.g. connection_name.
cve_description | text |  | The vulnerability description from NVD.
cvss_severity | text |  | The calculated CVSS 3.x severity from NVD.
description | text |  | The wiz verbose description of how the vulnerability finding was detected, with library/package, detection method, affected versions, severity and remediation suggestion.
detailed_name | text |  | The library/package name where the vulnerability was detected.
detection_method | text | = | The detection method for this vulnerability finding. Possible values are: PACKAGE, DEFAULT_PACKAGE, LIBRARY, CONFIG_FILE, OPEN_PORT, STARTUP_SERVICE, CONFIGURATION, CLONED_REPOSITORY, OS, ARTIFACTS_ON_DISK, WINDOWS_REGISTRY, INSTALLED_PROGRAM, WINDOWS_SERVICE, INSTALLED_PROGRAM_BY_SERVICE, FILE_PATH, UNKNOWN.
exploitability_score | double precision |  | The CVSS 3.x exploitability score from NVD.
first_detected_at | timestamp with time zone |  | The first time this vulnerability finding was detected on this resource.
fixed_version | text | = | The initial version of the library/package where the vulnerability was fixed.
has_cisa_kev_exploit | boolean | !=, = | True, if the vulnerability has an exploit in the CISA KEV published catalog.
has_exploit | boolean | !=, = | True, if the vulnerability has a known public exploit.
id | text | = | The wiz identifier for the vulnerability.
impact_score | double precision |  | The CVSS 3.x impact score from NVD.
last_detected_at | timestamp with time zone |  | The last time this vulnerability finding was seen on this resource.
link | text |  | The link to the vendor vulnerability advisory.
location_path | text |  | The local path to the package/library/file where the vulnerability was detected.
name | text |  | The name of the vulnerability.
portal_url | text |  | The wiz URL for the vulnerability finding of a specific CVE on a specific resource.
remediation | text |  | The suggested command/method for remediating the vulnerability finding.
resolution_reason | text |  | The status resolution reason.
resolved_at | timestamp with time zone |  | The time this vulnerability finding was resolved.
score | double precision |  | The CVSS 3.x score from NVD.
severity | text | = | The calculated CVSS 3.x severity from the vendor. Possible values are: NONE, LOW, MEDIUM, HIGH, CRITICAL.
status | text | = | The resolution status of the finding. Possible values are: UNRESOLVED, RESOLVED, PASSED, IGNORED.
version | text |  | The version of the library/package where the vulnerability was detected.
vulnerability_external_id | text | = | The vulnerability identifier.
vulnerable_asset | jsonb |  | The details of the asset where the vulnerability was detected.

Columns with an entry in the Operators column are key columns: a where clause using one of those operators on them is passed to the Wiz API, which is why the Important Notes above recommend filtering on at least one of them.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- wiz

You can pass the configuration to the command with the --config argument:

steampipe_export_wiz --config '<your_config>' wiz_vulnerability_finding