I have been putting together some dashboards to highlight the ways data can be sliced and diced for different audiences and I'm documenting my work here so others can replicate it and/or offer suggestions. As I update my dashboards I'll update this post.
This view consists of high-level views of assets by OS, tags and manufacturer. It also lists web services with sev 4 or 5 vulnerabilities, both public and internal. Finally it lists all End of Life operating systems (XP, Windows 2000 and Vista).
For the distinction between Public and Private assets I use a dynamic asset tag named 'Internal Assets'. I used the 'IP Address In Range(s)' rule with the addresses '192.168.0.0/16', '10.0.0.0/8' and '172.16.0.0/12' as defined in RFC1918.
| Dashboard Line | Widget Title | Query | Type | Show Legend | Categories / Rows | Regroup by / Columns |
|---|---|---|---|---|---|---|
| 1 | Vulnerable Assets by Operating System | (vulnerabilities.vulnerability.severity:4 or vulnerabilities.vulnerability.severity:5) | Pie | Y | operatingSystem | |
| 1 | Vulnerable Assets in Policy Compliance Scope | (vulnerabilities.vulnerability.severity:4 or vulnerabilities.vulnerability.severity:5) and activatedForModules:PC | Pie | Y | operatingSystem | |
| 2 | Vulnerable Assets by Tag | (vulnerabilities.vulnerability.severity:4 or vulnerabilities.vulnerability.severity:5) | Pie | Y | tags.Name | |
| 2 | Vulnerable Assets by Manufacturer | (vulnerabilities.vulnerability.severity:4 or vulnerabilities.vulnerability.severity:5) | Pie | Y | system.Manufacturer | |
| 3 | Public Web Services with Critical Vulnerabilities | (not tags.name:`Internal Assets`) and (openPorts.port:80 or openPorts.port:443) and (vulnerabilities.vulnerability.severity:4 or vulnerabilities.vulnerability.severity:5) | Table | | interfaces.hostname | |
| 3 | Private Web Services with Critical Vulnerabilities | tags.name:`Internal Assets` and (openPorts.port:80 or openPorts.port:443) and (vulnerabilities.vulnerability.severity:4 or vulnerabilities.vulnerability.severity:5) | Table | | interfaces.hostname | |
| 4 | End of Life Operating Systems | operatingSystem: XP or operatingSystem:`Windows 2000` or operatingSystem: Vista | Table | | operatingSystem | interfaces.hostname |
This view consists of asset data as it relates to operational teams. It contains views of patchable assets, both in list and pie-chart form, and a list of servers pending reboot. I included a count of the servers pending reboot so that it is clear when the list is genuinely empty: AssetView displays 'query returned no results' both when a query times out and when it succeeds but matches no assets, so the count widget removes that ambiguity. Finally it lists assets with malicious software identified.

| Dashboard Line | Widget Title | Query | Type | Show Legend | Categories / Rows | Regroup by / Columns |
|---|---|---|---|---|---|---|
| 1 | Patchable Assets by OS | (vulnerabilities.vulnerability.severity:4 or vulnerabilities.vulnerability.severity:5) and vulnerabilities.vulnerability.patchAvailable:true | Pie | Y | operatingSystem | |
| 1 | Patchable Assets | (vulnerabilities.vulnerability.severity:4 or vulnerabilities.vulnerability.severity:5) and vulnerabilities.vulnerability.patchAvailable:true | Table | | interfaces.hostname | interfaces.address |
| 2 | Assets Pending Reboot Count | vulnerabilities.vulnerability.qid:90126 | Count | | | |
| 2 | Assets Pending Reboot | vulnerabilities.vulnerability.qid:90126 | Table | | interfaces.hostname | interfaces.address |
| 3 | Assets with Malicious Software | vulnerabilities.vulnerability.compliance.description: 'malicious software' | Table | | interfaces.hostname | interfaces.address |
Control / Configure a Dashboard
If you have AssetView available in your subscription (visible in the module drop-down list as AssetView, not Asset Management) you can see the default dashboard named 'Asset Overview'. Additional dashboards can be created by opening the 'Actions' menu button just below the dashboard name and selecting "Create New Dashboard". Adding widgets to a dashboard is simply a case of clicking the 'Add Widget' button, next to the 'Actions' button.
The following screenshot shows both the Actions and Add Widget buttons in the AssetView module.
Paring Down the Query Results
You can use the boolean logic capability of AssetView to combine different 'not' clauses to reduce the number of returned results and therefore define a particular category more precisely. For example, with the Malicious Software widget, which uses a compliance category value, you can add another clause to exclude all assets with a category of "Security Policy":
... and (not vulnerabilities.vulnerability.category: "Security Policy")
For a more fine-grained approach you can also exclude specific QIDs, of course, with
... and (not vulnerabilities.vulnerability.qid: 105103)
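To check how the 'Internal Assets' tag rule and the public/private web-service widget queries above narrow a result set, including the 'not ... category' refinement from this section, here is a small offline model of that logic. It is an added example, not code from the original post or from Qualys; the asset records are constructed samples and the helper names are my own, with only the field names taken from the queries above.

```python
import ipaddress

# RFC1918 ranges behind the 'Internal Assets' dynamic tag ('IP Address In Range(s)' rule)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(address):
    """True when the address falls inside one of the RFC1918 ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def has_critical_vuln(asset):
    """(vulnerabilities.vulnerability.severity:4 or ...severity:5)"""
    return any(v["severity"] in (4, 5) for v in asset["vulnerabilities"])


def in_excluded_category(asset, exclude_categories):
    """The 'not vulnerabilities.vulnerability.category:...' clause is modelled at asset
    level, as a separate clause: any vulnerability in an excluded category drops the asset."""
    return any(v.get("category") in exclude_categories for v in asset["vulnerabilities"])


def is_web_service(asset):
    """(openPorts.port:80 or openPorts.port:443)"""
    return bool({80, 443} & set(asset["openPorts"]))


def web_services_with_critical_vulns(assets, public=True, exclude_categories=()):
    """Rows of the 'Public' (public=True) or 'Private' (public=False) web-service widget."""
    return sorted(a["hostname"] for a in assets
                  if is_internal(a["address"]) != public
                  and is_web_service(a)
                  and has_critical_vuln(a)
                  and not in_excluded_category(a, exclude_categories))


# Constructed sample assets (documentation/test address ranges, not real hosts)
ASSETS = [
    {"hostname": "www1", "address": "203.0.113.10", "openPorts": [22, 443],
     "vulnerabilities": [{"qid": 1, "severity": 5, "category": "Web server"}]},
    {"hostname": "intranet", "address": "10.1.2.3", "openPorts": [80],
     "vulnerabilities": [{"qid": 2, "severity": 4, "category": "Security Policy"}]},
    {"hostname": "db1", "address": "172.20.0.5", "openPorts": [1433],
     "vulnerabilities": [{"qid": 3, "severity": 5, "category": "Database"}]},
    {"hostname": "edge", "address": "198.51.100.7", "openPorts": [80],
     "vulnerabilities": [{"qid": 4, "severity": 2, "category": "Web server"}]},
]

if __name__ == "__main__":
    print("public:", web_services_with_critical_vulns(ASSETS, public=True))
    print("private:", web_services_with_critical_vulns(ASSETS, public=False))
    print("private, excl. policy:",
          web_services_with_critical_vulns(ASSETS, False, ("Security Policy",)))
```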