Display Count of Low Severity CVEs

Track total number of low severity vulnerabilities

This is a query example for the Low Severity widget in the CrowdStrike Falcon Spotlight: Severity Details dashboard of the crowdstrike/spotlight package.

Query

Query flow: Events -> Filter -> Aggregate -> Result Set
logscale
* cve.severity=LOW
| count()

Introduction

This widget is used to count the total number of vulnerabilities rated as low severity, helping security teams monitor lower-priority security issues.

In this widget, the count() function is used to count events with low severity CVEs.

Example incoming data might look like this. Every event carries the same ingest metadata: #repo=auto-dashboard-queries, #type=siem-connector, @timezone=Z, and @error=true with @error_msg "No field named metadata.eventCreationTime to use when parsing timestamp" (so @timestamp equals @ingesttimestamp rather than a time taken from the event itself). The fields the query reads (cve.severity and the other cve.*, host_info.*, status and id fields) are parsed from each event's @rawstring JSON.

Key fields of the five sample events:

@timestamp           | cve.id          | cve.severity | cve.base_score | cve.exploit_status | host_info.hostname | status
2026-02-09T16:23:49  | CVE-2023-34721  | HIGH         | 8.2            | 1                  | PROD-WEB01         | open
2026-02-09T16:23:50  | CVE-2024-12053  | CRITICAL     | 9.6            | 2                  | PROD-APP02         | closed
2026-02-09T16:23:51  | CVE-2022-28976  | MEDIUM       | 5.4            | 0                  | PROD-DB01          | closed
2026-02-09T16:23:52  | CVE-2023-41892  | HIGH         | 7.1            | 1                  | PROD-FILE01        | closed
2026-02-09T16:23:52  | CVE-2025-10437  | LOW          | 3.2            | 0                  | PROD-SQL01         | open

Full @rawstring of each event:

{ "aid" : "a1b2c3d4e5f6g7h8i9j0", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsNT-10.0-19045", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.123Z", "cve" : {"severity":"HIGH","exploit_status":1,"base_score":8.2,"id":"CVE-2023-34721"}, "host_info" : { "groups" : [], "hostname" : "PROD-WEB01", "local_ip" : "192.168.2.143", "machine_domain" : "malicious-domain.com", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows", "site_name" : "us-east-1", "system_manufacturer" : "Abc", "tags" : [] }, "id" : "b2c3d4e5f6g7h8i9j0k1", "remediation" : { "ids" : [ "c3d4e5f6g7h8i9j0k1l2" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:49.123Z" }

{ "aid" : "d4e5f6g7h8i9j0k1l2m3", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-13.5.2", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "closed" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.920Z", "cve" : {"id":"CVE-2024-12053","severity":"CRITICAL","base_score":9.6,"exploit_status":2}, "host_info" : { "groups" : [], "hostname" : "PROD-APP02", "local_ip" : "192.168.0.87", "machine_domain" : "evil-site.net", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 10", "site_name" : "westeurope", "system_manufacturer" : "Dell Inc.", "tags" : [] }, "id" : "e5f6g7h8i9j0k1l2m3n4", "remediation" : { "ids" : [ "f6g7h8i9j0k1l2m3n4o5" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:49.920Z" }

{ "aid" : "g7h8i9j0k1l2m3n4o5p6", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "Linux-Ubuntu-22.04-5.15.0-83-generic", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:50.699Z", "cve" : {"id":"CVE-2022-28976","base_score":5.4,"exploit_status":0,"severity":"MEDIUM"}, "host_info" : { "groups" : [], "hostname" : "PROD-DB01", "local_ip" : "192.168.3.211", "machine_domain" : "phishing-portal.org", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 11", "site_name" : "asia-northeast1", "system_manufacturer" : "HP", "tags" : [] }, "id" : "h8i9j0k1l2m3n4o5p6q7", "remediation" : { "ids" : [ "i9j0k1l2m3n4o5p6q7r8" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:50.699Z" }

{ "aid" : "j0k1l2m3n4o5p6q7r8s9", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsServer-2022-20348.1787", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:51.473Z", "cve" : {"id":"CVE-2023-41892","severity":"HIGH","exploit_status":1,"base_score":7.1}, "host_info" : { "groups" : [], "hostname" : "PROD-FILE01", "local_ip" : "192.168.1.54", "machine_domain" : "command-control.xyz", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2019", "site_name" : "sa-east-1", "system_manufacturer" : "Lenovo", "tags" : [] }, "id" : "k1l2m3n4o5p6q7r8s9t0", "remediation" : { "ids" : [ "l2m3n4o5p6q7r8s9t0u1" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:51.473Z" }

{ "aid" : "m3n4o5p6q7r8s9t0u1v2", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-14.1.1", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:52.252Z", "cve" : {"severity":"LOW","exploit_status":0,"base_score":3.2,"id":"CVE-2025-10437"}, "host_info" : { "groups" : [], "hostname" : "PROD-SQL01", "local_ip" : "192.168.4.198", "machine_domain" : "bad-actor-infra.io", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2022", "site_name" : "us-west-2", "system_manufacturer" : "Microsoft Corporation", "tags" : [] }, "id" : "n4o5p6q7r8s9t0u1v2w3", "remediation" : { "ids" : [ "o5p6q7r8s9t0u1v2w3x4" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:52.252Z" }

Step-by-Step

  1. Starting with the source repository events.

  2. Query flow: Events -> [Filter] -> Aggregate -> Result Set
    logscale
    * cve.severity=LOW

    Filters events where the cve.severity field equals LOW. This filter identifies vulnerabilities that have been assessed as having minimal security impact, regardless of their status.

  3. Query flow: Events -> Filter -> [Aggregate] -> Result Set
    logscale
    | count()

    Counts the total number of events matching the filter criteria, and returns the result in a _count field.

  4. Event Result set.
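As an added illustration (not code from the crowdstrike/spotlight package), the following Python models the filter-and-count step over the sample events above, reduced to the fields the widget uses. It also adds one constructed, hypothetical event that re-reports the same LOW vulnerability record after it was closed, to show that count() counts events rather than vulnerabilities, and it provides a distinct count by the event's id or cve.id; the LogScale form given for that distinct count, count(field=id, distinct=true), is an assumed equivalent and not part of the dashboard query.

```python
import json
from collections import Counter

# Constructed sample input, not from the page as-is: the @rawstring of the five
# events shown above, reduced to the fields this example uses, plus one extra
# hypothetical event (the last entry) that re-reports the LOW finding on
# PROD-SQL01 after it was closed.
RAW_EVENTS = [
    '{"id":"b2c3d4e5f6g7h8i9j0k1","status":"open","cve":{"id":"CVE-2023-34721","severity":"HIGH","base_score":8.2,"exploit_status":1},"host_info":{"hostname":"PROD-WEB01"}}',
    '{"id":"e5f6g7h8i9j0k1l2m3n4","status":"closed","cve":{"id":"CVE-2024-12053","severity":"CRITICAL","base_score":9.6,"exploit_status":2},"host_info":{"hostname":"PROD-APP02"}}',
    '{"id":"h8i9j0k1l2m3n4o5p6q7","status":"closed","cve":{"id":"CVE-2022-28976","severity":"MEDIUM","base_score":5.4,"exploit_status":0},"host_info":{"hostname":"PROD-DB01"}}',
    '{"id":"k1l2m3n4o5p6q7r8s9t0","status":"closed","cve":{"id":"CVE-2023-41892","severity":"HIGH","base_score":7.1,"exploit_status":1},"host_info":{"hostname":"PROD-FILE01"}}',
    '{"id":"n4o5p6q7r8s9t0u1v2w3","status":"open","cve":{"id":"CVE-2025-10437","severity":"LOW","base_score":3.2,"exploit_status":0},"host_info":{"hostname":"PROD-SQL01"}}',
    # hypothetical later event for the same vulnerability record, now closed
    '{"id":"n4o5p6q7r8s9t0u1v2w3","status":"closed","cve":{"id":"CVE-2025-10437","severity":"LOW","base_score":3.2,"exploit_status":0},"host_info":{"hostname":"PROD-SQL01"}}',
]


def parse_events(raw_lines):
    """Parse one JSON @rawstring per line into an event dict."""
    return [json.loads(line) for line in raw_lines]


def severity_of(event):
    """Value of the cve.severity field, or None if the event lacks it."""
    return event.get("cve", {}).get("severity")


def count_events(events, severity="LOW", status=None):
    """Same semantics as `cve.severity=LOW | count()`: one hit per matching
    event. `status` adds the `status=<value>` filter the widget omits."""
    return sum(
        1
        for ev in events
        if severity_of(ev) == severity
        and (status is None or ev.get("status") == status)
    )


def count_distinct(events, severity="LOW", key="id"):
    """Count distinct values of `key` among matching events. key="id" counts
    vulnerability records (one per host/CVE pair in this data), key="cve.id"
    counts distinct CVEs. Assumed LogScale equivalent for key="id":
    `cve.severity=LOW | count(field=id, distinct=true)`."""
    seen = set()
    for ev in events:
        if severity_of(ev) != severity:
            continue
        seen.add(ev["cve"]["id"] if key == "cve.id" else ev[key])
    return len(seen)


def severity_breakdown(events):
    """Event count per severity, the equivalent of `groupBy(cve.severity)`."""
    return Counter(severity_of(ev) or "UNKNOWN" for ev in events)


if __name__ == "__main__":
    events = parse_events(RAW_EVENTS)
    print("events with cve.severity=LOW:", count_events(events))
    print("of which status=open:", count_events(events, status="open"))
    print("distinct LOW vulnerability records:", count_distinct(events))
    print("distinct LOW CVEs:", count_distinct(events, key="cve.id"))
    print("breakdown:", dict(severity_breakdown(events)))
```

With only the five page events the LOW count is 1; with the hypothetical sixth event it becomes 2 while the distinct count stays 1, which is the difference to keep in mind when reading this widget as a number of vulnerabilities rather than a number of events.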

Summary and Results

The widget is used to monitor the total volume of low severity vulnerabilities in the environment.

This widget is useful to track the overall number of lower-priority security issues and monitor changes in their volume over time.

Sample output from the incoming example data:

_count
1

The output shows the total count of events with a low severity rating. In the sample data only one event (CVE-2025-10437 on PROD-SQL01) has cve.severity=LOW. Because the query does not filter on status, open and closed vulnerabilities are both counted, and a vulnerability that appears in several events (for example after a status change) is counted once per event.