InsightVM/Nexpose Patch Tuesday Reporting

Many of our customers wish to report specifically on Microsoft patch related vulnerabilities. This often includes specific vulnerabilities that are patched in Patch Tuesday updates. This post will show you the various ways that you can create reports for each of these.

Remediation Projects

Remediation Projects are a feature included in InsightVM that allow you to get a live view of the state of assets in your environment (please note that this feature requires that you have opted into the Insight Platform). Using Remediation Projects you can build dynamic projects that track vulnerabilities related to Microsoft patches as they are identified in your environment. To set up a dynamic project for Microsoft Patch related vulnerabilities, follow the steps below:

Go to 'Projects' in the InsightVM menu and click 'CREATE A PROJECT'

You will see a new overlay appear which provides options to configure for the project. Under the 'Project Content' section, you can configure 'Vulnerability Filters'. For reporting on all Microsoft Patch vulnerabilities, you can configure the following filter:

_vulnerability.categories IN [“Microsoft Patch”] _

For reporting on specific vulnerabilities, you can use a filter similar to this, changing the vulnerability titles to the ones for which you are interesting in creating a project:

vulnerability.title CONTAINS ‘Microsoft CVE-2017-0175’ || vulnerability.title CONTAINS ‘Microsoft CVE-2017-0148’

As new vulnerabilities that meet the project criteria are identified, they will be added to the project.

Using Vulnerability Filters

Vulnerability filters allow you to filter on vulnerability , severity, and categories. These can be applied in the scope section of any report that you are generating, making this option very flexible.

Within the Vulnerability Filter selection window, we can select the ‘MICROSOFT PATCH’ category.

This allows for reporting on vulnerabilities that are specific to Microsoft patches for any report template, built-in or custom. The caveat to this method is that it will return all vulnerabilities in the MICROSOFT PATCH category. If you want to report on specific vulnerabilities fixed in Patch Tuesday updates, you can use the ‘SQL Query Export’ export template to facilitate this.

SQL Query Export

When reporting using the SQL Query Export template, it is important to know that Microsoft recently changed the naming scheme for security bulletins that it publishes. Prior to February 14th, 2017 Microsoft issued security bulletins using a this format: msft-cve-yyyy-nnnn. From February 14th, 2017 on, Microsoft will be using a CVE based format. You can read more about these changes here: A Reminder About Upcoming Microsoft Vulnerability Content Changes. What this means is that you may need to use both formats when using the SQL Query Export template, so keep in mind the format of the bulletin on which you want to report.

Below you will find a simple query that identifies hosts with specific vulnerabilities, as well as one that also includes remediation information.

Patch Tuesday

SELECT

da.ip_address AS ip_address,

da.host_name AS hostname,

dv.title AS vulnerability,

dv.riskscore as vulnerability_riskscore,

dv.date_published AS vulnerability_date_published,

proofAsText(dv.description) AS vulnerability_description

FROM fact_asset_vulnerability_finding favf

JOIN dim_asset da USING (asset_id)

JOIN dim_vulnerability dv USING (vulnerability_id)

WHERE dv.title ~* ‘(Microsoft CVE-2017-0175|Microsoft CVE-2017-0148)’

ORDER BY round(dv.riskscore) DESC;

Note the ‘|’ delimiter between the vulnerability titles in the WHERE clause. This allows you to add as many patterns as necessary. The ‘~*’ in the WHERE clause is a case-insensitive regex match operator.

Patch Tuesday with Remediations

SELECT

da.ip_address AS ip_address,

da.host_name AS hostname,

dv.title AS vulnerability,

round(dv.riskscore) as vulnerability_riskscore,

dv.date_published AS vulnerability_date_published,

ds.summary AS solution_summary,

proofAsText(ds.fix) AS fix

FROM dim_asset_vulnerability_best_solution

JOIN dim_vulnerability dv USING (vulnerability_id)

JOIN dim_asset da USING (asset_id)

JOIN dim_solution ds USING (solution_id)

WHERE dv.title ~* ‘(Microsoft CVE-2017-0175|Microsoft CVE-2017-0148)’

ORDER BY round(dv.riskscore) DESC;

This query is similar to the previous query but also includes the solutions for vulnerabilities identified on a host. To learn more about using the InsightVM/Nexpose Data Model for reporting, check out the documentation here: https://help.rapid7.com/insightvm/en-us/#Files/Creating_reports_based_on_SQL_que ries.html