Ejemplos de consulta de datos de seguridad

FROM Vulnerability
SELECT count(*) as 'Total Vulnerabilities'
WHERE state = 'OPEN'
FACET severity
SINCE 1 day ago

FROM Vulnerability
SELECT count(*) as 'Critical & High Vulnerabilities'
WHERE severity IN ('CRITICAL', 'HIGH')
AND state = 'OPEN'
TIMESERIES AUTO
SINCE 30 days ago

FROM Vulnerability
SELECT count(*) as 'Vulnerability Count'
WHERE state = 'OPEN'
FACET entity.name
LIMIT 20
SINCE 1 day ago

FROM Vulnerability
SELECT percentage(count(*), WHERE severity = 'CRITICAL') as 'Critical %',
       percentage(count(*), WHERE severity = 'HIGH') as 'High %',
       percentage(count(*), WHERE severity = 'MEDIUM') as 'Medium %',
       percentage(count(*), WHERE severity = 'LOW') as 'Low %'
WHERE state = 'OPEN'
SINCE 1 day ago

FROM Vulnerability
SELECT cveId, affectedPackage, affectedVersion, cvssScore, epssPercentile
WHERE epssPercentile > 90
AND state = 'OPEN'
ORDER BY epssPercentile DESC
LIMIT 50
SINCE 7 days ago

FROM Vulnerability
SELECT cveId, affectedPackage, cvssScore, entity.name
WHERE activeRansomware = true
AND state = 'OPEN'
FACET cveId, entity.name
SINCE 30 days ago

FROM Vulnerability
SELECT cveId, affectedPackage, affectedVersion, entity.name, detectedAt
WHERE severity = 'CRITICAL'
AND state = 'OPEN'
AND detectedAt > ago(24 hours)
ORDER BY detectedAt DESC

FROM Vulnerability
SELECT cveId, entity.name, affectedPackage, cvssScore, epssPercentile
WHERE (
  (severity = 'CRITICAL' AND epssPercentile > 85) OR
  (activeRansomware = true) OR
  (epssPercentile > 95)
)
AND state = 'OPEN'
FACET cveId, entity.name
SINCE 7 days ago

FROM Vulnerability
SELECT average((resolvedAt - detectedAt) / 86400) as 'Avg Days to Resolve'
WHERE state = 'CLOSED'
FACET severity
SINCE 90 days ago

FROM Vulnerability
SELECT cveId, entity.name, affectedPackage, detectedAt,
       (max(timestamp) - detectedAt) / 86400 as 'Days Open'
WHERE state = 'OPEN'
FACET cveId, entity.name
ORDER BY 'Days Open' DESC
LIMIT 20
SINCE 90 days ago

FROM NrAiIncidentTimeline
SELECT count(*) as 'Vulnerabilities Resolved'
WHERE event = 'STATUS_CHANGED'
AND newState = 'CLOSED'
FACET weekOf(timestamp)
SINCE 90 days ago
TIMESERIES 1 week

FROM Vulnerability
SELECT count(*) as 'Count'
WHERE state = 'OPEN'
FACET cases(
  WHERE (now() - detectedAt) / 86400 <= 7 as '0-7 days',
  WHERE (now() - detectedAt) / 86400 <= 30 as '8-30 days',
  WHERE (now() - detectedAt) / 86400 <= 90 as '31-90 days',
  WHERE (now() - detectedAt) / 86400 > 90 as '> 90 days'
)
SINCE 180 days ago

FROM Vulnerability
SELECT count(*) as 'Vulnerability Count'
WHERE state = 'OPEN'
FACET affectedPackage
ORDER BY count(*) DESC
LIMIT 10
SINCE 30 days ago

FROM Vulnerability
SELECT affectedPackage, affectedVersion, fixedVersion, count(*) as 'Vulnerable Entities'
WHERE state = 'OPEN'
AND fixedVersion IS NOT NULL
FACET affectedPackage, affectedVersion, fixedVersion
ORDER BY count(*) DESC
LIMIT 20
SINCE 7 days ago

FROM Vulnerability
SELECT count(*) as 'Detections'
FACET source
SINCE 30 days ago

FROM Vulnerability
SELECT count(*) as 'Vulnerabilities'
WHERE affectedPackage LIKE '%.jar'
OR affectedPackage LIKE '%maven%'
FACET affectedPackage, severity
SINCE 30 days ago

FROM Vulnerability
SELECT count(*) as 'Total',
       filter(count(*), WHERE severity = 'CRITICAL') as 'Critical',
       filter(count(*), WHERE severity = 'HIGH') as 'High',
       filter(count(*), WHERE severity = 'MEDIUM') as 'Medium',
       filter(count(*), WHERE severity = 'LOW') as 'Low'
WHERE entity.name = 'YOUR_APP_NAME'
AND state = 'OPEN'
SINCE 1 day ago

FROM Vulnerability
SELECT count(*) as 'Vulnerabilities'
WHERE entityType = 'HOST'
AND state = 'OPEN'
FACET entity.name, severity
LIMIT 50
SINCE 7 days ago

FROM Vulnerability
SELECT entity.name, max(timestamp) as 'Last Scan'
FACET entity.name
HAVING max(timestamp) < ago(7 days)
SINCE 30 days ago

FROM NrAiIncidentTimeline
SELECT incidentId, entity.name, reason, timestamp as 'Ignored At'
WHERE event = 'STATUS_CHANGED'
AND newState = 'IGNORED'
AND timestamp < ago(60 days)
FACET incidentId, entity.name
SINCE 90 days ago

FROM NrAiIncidentTimeline
SELECT timestamp, entity.name, previousState, newState, changedBy, reason
WHERE event = 'STATUS_CHANGED'
ORDER BY timestamp DESC
LIMIT 100
SINCE 30 days ago

FROM NrAiIncidentTimeline
SELECT filter(count(*), WHERE newState = 'IGNORED') as 'Ignored',
       filter(count(*), WHERE newState = 'AFFECTED') as 'Affected',
       percentage(filter(count(*), WHERE newState = 'IGNORED'), count(*)) as 'Ignore Rate %'
WHERE event = 'STATUS_CHANGED'
SINCE 90 days ago

FROM Vulnerability
SELECT count(*) as 'Overdue Vulnerabilities',
       entity.name,
       severity
WHERE state = 'OPEN'
AND detectedAt < ago(30 days)
FACET entity.name, severity
SINCE 180 days ago

FROM Vulnerability
SELECT percentile((resolvedAt - detectedAt) / 86400, 50, 75, 90, 95) as 'Days to Resolve'
WHERE severity = 'CRITICAL'
AND state = 'CLOSED'
SINCE 90 days ago

FROM Vulnerability
SELECT count(*) as 'Total Detected',
       uniqueCount(entity.guid) as 'Affected Entities',
       filter(count(*), WHERE severity IN ('CRITICAL', 'HIGH')) as 'High Risk'
FACET monthOf(detectedAt)
SINCE 180 days ago
TIMESERIES 1 month

FROM Vulnerability
SELECT cveId, count(entity.guid) as 'Affected Entities', max(cvssScore) as 'CVSS'
WHERE state = 'OPEN'
FACET cveId
HAVING count(entity.guid) > 5
ORDER BY count(entity.guid) DESC
LIMIT 20
SINCE 30 days ago

FROM Vulnerability
SELECT 100 - (
  filter(count(*), WHERE severity = 'CRITICAL') * 10 +
  filter(count(*), WHERE severity = 'HIGH') * 5 +
  filter(count(*), WHERE severity = 'MEDIUM') * 2 +
  filter(count(*), WHERE severity = 'LOW') * 0.5
) as 'Security Score'
WHERE state = 'OPEN'
FACET entity.name
SINCE 1 day ago

FROM Vulnerability
SELECT count(*) as 'Vulnerabilities'
WHERE state = 'OPEN'
FACET entityType
TIMESERIES AUTO
SINCE 30 days ago

FROM Vulnerability, Transaction
SELECT count(Vulnerability.cveId), average(Transaction.duration)
WHERE Vulnerability.entity.guid = Transaction.appId
AND Vulnerability.state = 'OPEN'
FACET Vulnerability.entity.name
SINCE 1 day ago