Purpose
The Cyber Vulnerabilities CDP holds up-to-date information on all ongoing vulnerabilities and can be joined to the OCSF event tables for historical trend analysis.
Understanding the Table
The Cyber Vulnerabilities CDP is the place to answer questions about the status of all ongoing vulnerabilities, including which applications are in use, which versions are deployed, and which vendors supply them.
Cyber Vulnerabilities is mostly a Type 1 table: columns are overwritten in place when new information is ingested, rather than being versioned.
A row is a unique combination of Vulnerability Finding UID, CVE UID, and CVSS Version.
Joining to CDPs and OCSF
The cyber_vulnerability.uid column should be used for all joins back to OCSF. This ensures consistency and accuracy when merging data from different sources. Furthermore, the user_id, device_id, and software_application_id columns can be used to join back to their respective CDPs.
To determine whether a cyber vulnerability is currently active, use last_seen_time together with a specified time range, and also check the active flag to confirm the status. Using both last_seen_time and the active flag within the chosen time range gives an accurate assessment of whether the vulnerability is present and active; either check on its own is not sufficient, because a row can still carry active = true after the source has stopped reporting it.
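The following query is an added example, not part of the original page, showing the rule above applied together with a join back to the device CDP on device_id. The column names last_seen_time, active, device_id and uid come from the page; the device CDP table name CDP.devices, its hostname column, the 30-day window and the Snowflake-style DATEADD function are assumptions for illustration.

```sql
-- Added example: vulnerabilities that are both flagged active and still being
-- reported within the last 30 days, enriched with device context.
-- Assumed: CDP.devices table, its hostname column, the 30-day window.
SELECT
    cv.uid,
    cv.device_id,
    d.hostname,                 -- assumed column on the device CDP
    cv.last_seen_time
FROM CDP.cyber_vulnerabilities AS cv
LEFT JOIN CDP.devices AS d      -- assumed table name for the device CDP
    ON cv.device_id = d.uid
WHERE cv.active = TRUE
  -- both conditions are required: the flag alone keeps stale rows that the
  -- scanner has stopped reporting, the window alone keeps resolved findings
  AND cv.last_seen_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND cv.last_seen_time <  CURRENT_TIMESTAMP()
ORDER BY cv.last_seen_time DESC;
```

Rows with active = TRUE but a last_seen_time outside the window are deliberately excluded; in practice those usually indicate a scanner that has stopped covering the asset, which is worth investigating separately rather than counting as an open vulnerability.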
Schema
Example Queries
How to join back to OCSF
SELECT *
FROM CDP.cyber_vulnerabilities AS cv
LEFT JOIN OCSF.vulnerability_finding AS vf
    ON cv.uid = vf.finding_info:uid;
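As an added example that is not part of the original page, the query below builds on the join above to produce the historical trend view the Purpose section mentions: a monthly count of OCSF findings over the past year, split by whether the CDP still marks the vulnerability active. The join key and the active flag come from the page; the vf.time column (the OCSF base-event timestamp, assumed to be stored as a timestamp in this table), the 12-month window and the Snowflake-style date functions are assumptions.

```sql
-- Added example: monthly trend of findings per active/inactive status.
-- Assumed: vf.time is a TIMESTAMP column, 12-month window.
SELECT
    DATE_TRUNC('month', vf.time)        AS month,
    cv.active,
    COUNT(DISTINCT vf.finding_info:uid) AS findings
FROM CDP.cyber_vulnerabilities AS cv
-- inner join on purpose: only CDP rows that have a matching OCSF event
-- contribute to the trend, so unmatched rows do not appear as NULL months
JOIN OCSF.vulnerability_finding AS vf
    ON cv.uid = vf.finding_info:uid
WHERE vf.time >= DATEADD(month, -12, CURRENT_TIMESTAMP())
GROUP BY 1, 2
ORDER BY 1, 2;
```

Because the CDP is Type 1, cv.active reflects the current state, not the state at the time of each historical event; the per-month counts therefore show how many of each month's findings are still open today, which is the usual shape of a remediation backlog report.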