Display Count of Open Vulnerabilities

Track total number of open vulnerability status

This is a query example for the Total Status: Open widget in the CrowdStrike Falcon Spotlight: Overview dashboard of the crowdstrike/spotlight package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> result
logscale
* status=open
| count()

Introduction

This widget is used to count the total number of vulnerabilities with an open status, helping security teams monitor unresolved security issues.

In this widget, the count() function is used to count all events where vulnerabilities remain in an open state.

Example incoming data might look like this:

@timestamp#error#repo#type@error@error_msg@error_msg[0]@event_parsed@id@ingesttimestamp@rawstring@timestamp.nanos@timezoneaidapp.product_name_versionapps[0].product_name_versionapps[0].remediation.ids[0]apps[0].sub_statuscidcreated_timestampcve.base_scorecve.exploit_statuscve.idcve.severityhost_info.hostnamehost_info.local_iphost_info.machine_domainhost_info.os_versionhost_info.ouhost_info.platformhost_info.site_namehost_info.system_manufactureridremediation.ids[0]statusupdated_timestamp
2026-02-09T16:23:49trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_0_17706542292026-02-09T16:23:49{ "aid" : "a1b2c3d4e5f6g7h8i9j0", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsNT-10.0-19045", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.123Z", "cve" : {"severity":"HIGH","exploit_status":1,"base_score":8.2,"id":"CVE-2023-34721"}, "host_info" : { "groups" : [], "hostname" : "PROD-WEB01", "local_ip" : "192.168.2.143", "machine_domain" : "malicious-domain.com", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows", "site_name" : "us-east-1", "system_manufacturer" : "Abc", "tags" : [] }, "id" : "b2c3d4e5f6g7h8i9j0k1", "remediation" : { "ids" : [ "c3d4e5f6g7h8i9j0k1l2" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:49.123Z" } e5680b3e8ba36d8471252f0246d8b5fc0Za1b2c3d4e5f6g7h8i9j0S_PLATFORM_ID_SWindowsNT-10.0-19045T_MD5_TopenT_MD5_T2026-02-09T16:23:49.123Z8.21CVE-2023-34721HIGHPROD-WEB01192.168.2.143malicious-domain.comS_OS_VERSION_SDomain ControllersWindowsus-east-1Abcb2c3d4e5f6g7h8i9j0k1c3d4e5f6g7h8i9j0k1l2open2026-02-09T16:23:49.123Z
2026-02-09T16:23:50trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_1_17706542302026-02-09T16:23:50{ "aid" : "d4e5f6g7h8i9j0k1l2m3", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-13.5.2", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "closed" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.920Z", "cve" : {"id":"CVE-2024-12053","severity":"CRITICAL","base_score":9.6,"exploit_status":2}, "host_info" : { "groups" : [], "hostname" : "PROD-APP02", "local_ip" : "192.168.0.87", "machine_domain" : "evil-site.net", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 10", "site_name" : "westeurope", "system_manufacturer" : "Dell Inc.", "tags" : [] }, "id" : "e5f6g7h8i9j0k1l2m3n4", "remediation" : { "ids" : [ "f6g7h8i9j0k1l2m3n4o5" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:49.920Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zd4e5f6g7h8i9j0k1l2m3S_PLATFORM_ID_SmacOS-13.5.2T_MD5_TclosedT_MD5_T2026-02-09T16:23:49.920Z9.62CVE-2024-12053CRITICALPROD-APP02192.168.0.87evil-site.netS_OS_VERSION_SDomain ControllersWindows 10westeuropeDell Inc.e5f6g7h8i9j0k1l2m3n4f6g7h8i9j0k1l2m3n4o5closed2026-02-09T16:23:49.920Z
2026-02-09T16:23:51trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_2_17706542312026-02-09T16:23:51{ "aid" : "g7h8i9j0k1l2m3n4o5p6", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "Linux-Ubuntu-22.04-5.15.0-83-generic", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:50.699Z", "cve" : {"id":"CVE-2022-28976","base_score":5.4,"exploit_status":0,"severity":"MEDIUM"}, "host_info" : { "groups" : [], "hostname" : "PROD-DB01", "local_ip" : "192.168.3.211", "machine_domain" : "phishing-portal.org", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 11", "site_name" : "asia-northeast1", "system_manufacturer" : "HP", "tags" : [] }, "id" : "h8i9j0k1l2m3n4o5p6q7", "remediation" : { "ids" : [ "i9j0k1l2m3n4o5p6q7r8" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:50.699Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zg7h8i9j0k1l2m3n4o5p6S_PLATFORM_ID_SLinux-Ubuntu-22.04-5.15.0-83-genericT_MD5_TopenT_MD5_T2026-02-09T16:23:50.699Z5.40CVE-2022-28976MEDIUMPROD-DB01192.168.3.211phishing-portal.orgS_OS_VERSION_SDomain ControllersWindows 11asia-northeast1HPh8i9j0k1l2m3n4o5p6q7i9j0k1l2m3n4o5p6q7r8closed2026-02-09T16:23:50.699Z
2026-02-09T16:23:52trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_3_17706542322026-02-09T16:23:52{ "aid" : "j0k1l2m3n4o5p6q7r8s9", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsServer-2022-20348.1787", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:51.473Z", "cve" : {"id":"CVE-2023-41892","severity":"HIGH","exploit_status":1,"base_score":7.1}, "host_info" : { "groups" : [], "hostname" : "PROD-FILE01", "local_ip" : "192.168.1.54", "machine_domain" : "command-control.xyz", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2019", "site_name" : "sa-east-1", "system_manufacturer" : "Lenovo", "tags" : [] }, "id" : "k1l2m3n4o5p6q7r8s9t0", "remediation" : { "ids" : [ "l2m3n4o5p6q7r8s9t0u1" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:51.473Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zj0k1l2m3n4o5p6q7r8s9S_PLATFORM_ID_SWindowsServer-2022-20348.1787T_MD5_TopenT_MD5_T2026-02-09T16:23:51.473Z7.11CVE-2023-41892HIGHPROD-FILE01192.168.1.54command-control.xyzS_OS_VERSION_SDomain ControllersWindows Server 2019sa-east-1Lenovok1l2m3n4o5p6q7r8s9t0l2m3n4o5p6q7r8s9t0u1closed2026-02-09T16:23:51.473Z
2026-02-09T16:23:52trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_4_17706542322026-02-09T16:23:52{ "aid" : "m3n4o5p6q7r8s9t0u1v2", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-14.1.1", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:52.252Z", "cve" : {"severity":"LOW","exploit_status":0,"base_score":3.2,"id":"CVE-2025-10437"}, "host_info" : { "groups" : [], "hostname" : "PROD-SQL01", "local_ip" : "192.168.4.198", "machine_domain" : "bad-actor-infra.io", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2022", "site_name" : "us-west-2", "system_manufacturer" : "Microsoft Corporation", "tags" : [] }, "id" : "n4o5p6q7r8s9t0u1v2w3", "remediation" : { "ids" : [ "o5p6q7r8s9t0u1v2w3x4" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:52.252Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zm3n4o5p6q7r8s9t0u1v2S_PLATFORM_ID_SmacOS-14.1.1T_MD5_TopenT_MD5_T2026-02-09T16:23:52.252Z3.20CVE-2025-10437LOWPROD-SQL01192.168.4.198bad-actor-infra.ioS_OS_VERSION_SDomain ControllersWindows Server 2022us-west-2Microsoft Corporationn4o5p6q7r8s9t0u1v2w3o5p6q7r8s9t0u1v2w3x4open2026-02-09T16:23:52.252Z

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    * status=open

    Filters events where the status field equals open. This filter identifies vulnerabilities that have been detected but not yet remediated, requiring attention from security teams. Open status indicates that the vulnerability is active and potentially exploitable, representing a current security risk that needs to be addressed.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | count()

    Counts the total number of events matching the filter criteria, and returns the result in a _count field.

  4. Event Result set.

Summary and Results

The widget is used to monitor the total volume of open vulnerabilities requiring remediation.

This widget is useful to track the current vulnerability backlog and measure remediation progress over time.

Sample output from the incoming example data:

_count
25

The output shows the total count of vulnerabilities currently in an open state.