Is it possible to list by CVE?

Speaking in regards to Windows Servers in my environment. I’m looking for a report listed by CVE with the associated KB and machine name the vulnerability was found on. I currently have a report that will list by Fixlet and each CVE is grouped within the Fixlet. Is it possible to modify this report to break it out by CVE? I tried removing the “Content - Type is Fixlet” but that didn’t seem to do much.

Content - Visibility is Visible
Site is Patches for Windows or Updates for Windows Applications or Updates for Windows Applications Extended
Content - CVE does not contain unspecified
Content - CVE does not contain
Content - Progress is not No Applicable Computers
Content - Progress is not Not Activated
Content - Progress less than 100
Content - Type is Fixlet
Content - name does not contain (Superseded)

This is a complex topic… I’d like to ask whether you’ve enabled the CyberFocus Site and checked in to the Web Reports we have bundled there? BigFix CyberFOCUS Analytics 1.0 is now available!

The “Explore Content” view won’t allow splitting the CVE field; it’s not a “plural result” field that we can expand with the “+” symbol, the CVE ID List field is just a simple String value that already has semicolons embedded in it. You could do some post-processing on an exported CSV result in Excel or a scripting language, but there are some considerations to keep in mind…

If a single patch resolves 20 CVEs on a single computer, do you want that split into twenty separate rows? That could generate a huge report, very quickly.

Out-of-the-box, we would only report on the latest version of a patch; CVEs resolved by an earlier patch are not included on the latest. Keep in mind our reporting is based on patch applicability, not outstanding CVE listings. To enable continued reporting on (some) older CVEs, you’d have to enable Superseded Content Evaluation, which can slow reporting on the clients, and is often not useful if the older patches can no longer be downloaded anyway.

Another approach we’re taking now to support specific checklists (like the CISA KEV Content Pack) involves publishing a separate set of audit-only Fixlets to continue reporting on older CVEs - but only within a set of CVEs of interest like the CISA KEV list.

CVE-based reporting has its use-cases, but I’m not sure it’s the best approach to general reporting. I think the search-based reports in the CyberFocus Site are a good approach to find specific CVEs or specific lists of CVEs such as the CISA KEV list.
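The CSV post-processing suggested in the reply above, as an added example (not part of the original thread and not BigFix code). It assumes an export with `Name`, `CVE ID List` and `Computer Name` columns and a KB number embedded in the Fixlet name; those column names, the helper names and every sample value are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample export. Column names and all values are assumptions for
# illustration, not BigFix's documented CSV headers or real CVE/KB numbers.
SAMPLE_CSV = """\
Name,CVE ID List,Computer Name
"Constructed Cumulative Update for Windows Server 2019 - KB9000001 (x64)",CVE-2099-0001;CVE-2099-0002; CVE-2099-0003,SRV-APP-01
"Constructed Cumulative Update for Windows Server 2019 - KB9000001 (x64)",CVE-2099-0001;CVE-2099-0002; CVE-2099-0003,SRV-DB-02
"Constructed Security Update for SQL Server - KB9000002",CVE-2099-0002;Unspecified;,SRV-DB-02
"Constructed Update without CVE data - KB9000003",,SRV-APP-01
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
KB_RE = re.compile(r"\bKB\d+\b", re.IGNORECASE)


def split_by_cve(csv_text, name_col="Name", cve_col="CVE ID List",
                 host_col="Computer Name"):
    """Return sorted, de-duplicated (CVE, KB, computer) tuples, one per CVE."""
    rows = set()
    for rec in csv.DictReader(io.StringIO(csv_text)):
        # Assumption: the KB number appears in the Fixlet name.
        kb_match = KB_RE.search(rec.get(name_col) or "")
        kb = kb_match.group(0).upper() if kb_match else ""
        host = (rec.get(host_col) or "").strip()
        # The CVE field is one string with embedded semicolons.
        for token in (rec.get(cve_col) or "").split(";"):
            cve = token.strip().upper()
            # Drop empty tokens and placeholders such as "Unspecified".
            if CVE_RE.match(cve):
                rows.add((cve, kb, host))
    return sorted(rows)


def to_csv(rows):
    """Serialize the per-CVE rows back to CSV text for Excel."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["CVE", "KB", "Computer Name"])
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    per_cve = split_by_cve(SAMPLE_CSV)
    print(to_csv(per_cve), end="")
    # Shows the row growth the reply warns about: 4 input rows become 7.
    print(f"{len(per_cve)} rows after splitting")
```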

Thank you for your response, Jason! I’ll have to check on CyberFocus. Valid point about breaking the CVEs up. I’ve been tinkering with a CSV export to see if I can give the business what they’re looking for in an Excel chart.
