Displays Top 10 Hosts With Active Medium Severity CVEs

Identify hosts most affected by medium severity vulnerabilities

This is a query example for the Top 10 Hosts: Active Medium Severity widget in the CrowdStrike Falcon Spotlight: Severity Details dashboard of the crowdstrike/spotlight package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[\Add Field/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result
logscale
* status=open cve.severity=MEDIUM
| eval("Hostname" = host_info.hostname)
| top(field="Hostname", limit=10, as="Number of Vulerabilities")

Introduction

This widget is used to identify and rank hosts based on their number of open medium severity vulnerabilities, helping security teams understand the distribution of moderate-risk issues.

In this widget, the eval() and top() functions are used to process and rank hosts based on their medium severity vulnerability counts.

Example incoming data might look like this:

@timestamp#error#repo#type@error@error_msg@error_msg[0]@event_parsed@id@ingesttimestamp@rawstring@timestamp.nanos@timezoneaidapp.product_name_versionapps[0].product_name_versionapps[0].remediation.ids[0]apps[0].sub_statuscidcreated_timestampcve.base_scorecve.exploit_statuscve.idcve.severityhost_info.hostnamehost_info.local_iphost_info.machine_domainhost_info.os_versionhost_info.ouhost_info.platformhost_info.site_namehost_info.system_manufactureridremediation.ids[0]statusupdated_timestamp
2026-02-09T16:23:49trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_0_17706542292026-02-09T16:23:49{ "aid" : "a1b2c3d4e5f6g7h8i9j0", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsNT-10.0-19045", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.123Z", "cve" : {"severity":"HIGH","exploit_status":1,"base_score":8.2,"id":"CVE-2023-34721"}, "host_info" : { "groups" : [], "hostname" : "PROD-WEB01", "local_ip" : "192.168.2.143", "machine_domain" : "malicious-domain.com", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows", "site_name" : "us-east-1", "system_manufacturer" : "Abc", "tags" : [] }, "id" : "b2c3d4e5f6g7h8i9j0k1", "remediation" : { "ids" : [ "c3d4e5f6g7h8i9j0k1l2" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:49.123Z" } e5680b3e8ba36d8471252f0246d8b5fc0Za1b2c3d4e5f6g7h8i9j0S_PLATFORM_ID_SWindowsNT-10.0-19045T_MD5_TopenT_MD5_T2026-02-09T16:23:49.123Z8.21CVE-2023-34721HIGHPROD-WEB01192.168.2.143malicious-domain.comS_OS_VERSION_SDomain ControllersWindowsus-east-1Abcb2c3d4e5f6g7h8i9j0k1c3d4e5f6g7h8i9j0k1l2open2026-02-09T16:23:49.123Z
2026-02-09T16:23:50trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_1_17706542302026-02-09T16:23:50{ "aid" : "d4e5f6g7h8i9j0k1l2m3", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-13.5.2", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "closed" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.920Z", "cve" : {"id":"CVE-2024-12053","severity":"CRITICAL","base_score":9.6,"exploit_status":2}, "host_info" : { "groups" : [], "hostname" : "PROD-APP02", "local_ip" : "192.168.0.87", "machine_domain" : "evil-site.net", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 10", "site_name" : "westeurope", "system_manufacturer" : "Dell Inc.", "tags" : [] }, "id" : "e5f6g7h8i9j0k1l2m3n4", "remediation" : { "ids" : [ "f6g7h8i9j0k1l2m3n4o5" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:49.920Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zd4e5f6g7h8i9j0k1l2m3S_PLATFORM_ID_SmacOS-13.5.2T_MD5_TclosedT_MD5_T2026-02-09T16:23:49.920Z9.62CVE-2024-12053CRITICALPROD-APP02192.168.0.87evil-site.netS_OS_VERSION_SDomain ControllersWindows 10westeuropeDell Inc.e5f6g7h8i9j0k1l2m3n4f6g7h8i9j0k1l2m3n4o5closed2026-02-09T16:23:49.920Z
2026-02-09T16:23:51trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_2_17706542312026-02-09T16:23:51{ "aid" : "g7h8i9j0k1l2m3n4o5p6", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "Linux-Ubuntu-22.04-5.15.0-83-generic", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:50.699Z", "cve" : {"id":"CVE-2022-28976","base_score":5.4,"exploit_status":0,"severity":"MEDIUM"}, "host_info" : { "groups" : [], "hostname" : "PROD-DB01", "local_ip" : "192.168.3.211", "machine_domain" : "phishing-portal.org", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 11", "site_name" : "asia-northeast1", "system_manufacturer" : "HP", "tags" : [] }, "id" : "h8i9j0k1l2m3n4o5p6q7", "remediation" : { "ids" : [ "i9j0k1l2m3n4o5p6q7r8" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:50.699Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zg7h8i9j0k1l2m3n4o5p6S_PLATFORM_ID_SLinux-Ubuntu-22.04-5.15.0-83-genericT_MD5_TopenT_MD5_T2026-02-09T16:23:50.699Z5.40CVE-2022-28976MEDIUMPROD-DB01192.168.3.211phishing-portal.orgS_OS_VERSION_SDomain ControllersWindows 11asia-northeast1HPh8i9j0k1l2m3n4o5p6q7i9j0k1l2m3n4o5p6q7r8closed2026-02-09T16:23:50.699Z
2026-02-09T16:23:52trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_3_17706542322026-02-09T16:23:52{ "aid" : "j0k1l2m3n4o5p6q7r8s9", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsServer-2022-20348.1787", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:51.473Z", "cve" : {"id":"CVE-2023-41892","severity":"HIGH","exploit_status":1,"base_score":7.1}, "host_info" : { "groups" : [], "hostname" : "PROD-FILE01", "local_ip" : "192.168.1.54", "machine_domain" : "command-control.xyz", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2019", "site_name" : "sa-east-1", "system_manufacturer" : "Lenovo", "tags" : [] }, "id" : "k1l2m3n4o5p6q7r8s9t0", "remediation" : { "ids" : [ "l2m3n4o5p6q7r8s9t0u1" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:51.473Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zj0k1l2m3n4o5p6q7r8s9S_PLATFORM_ID_SWindowsServer-2022-20348.1787T_MD5_TopenT_MD5_T2026-02-09T16:23:51.473Z7.11CVE-2023-41892HIGHPROD-FILE01192.168.1.54command-control.xyzS_OS_VERSION_SDomain ControllersWindows Server 2019sa-east-1Lenovok1l2m3n4o5p6q7r8s9t0l2m3n4o5p6q7r8s9t0u1closed2026-02-09T16:23:51.473Z
2026-02-09T16:23:52trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_4_17706542322026-02-09T16:23:52{ "aid" : "m3n4o5p6q7r8s9t0u1v2", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-14.1.1", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:52.252Z", "cve" : {"severity":"LOW","exploit_status":0,"base_score":3.2,"id":"CVE-2025-10437"}, "host_info" : { "groups" : [], "hostname" : "PROD-SQL01", "local_ip" : "192.168.4.198", "machine_domain" : "bad-actor-infra.io", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2022", "site_name" : "us-west-2", "system_manufacturer" : "Microsoft Corporation", "tags" : [] }, "id" : "n4o5p6q7r8s9t0u1v2w3", "remediation" : { "ids" : [ "o5p6q7r8s9t0u1v2w3x4" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:52.252Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zm3n4o5p6q7r8s9t0u1v2S_PLATFORM_ID_SmacOS-14.1.1T_MD5_TopenT_MD5_T2026-02-09T16:23:52.252Z3.20CVE-2025-10437LOWPROD-SQL01192.168.4.198bad-actor-infra.ioS_OS_VERSION_SDomain ControllersWindows Server 2022us-west-2Microsoft Corporationn4o5p6q7r8s9t0u1v2w3o5p6q7r8s9t0u1v2w3x4open2026-02-09T16:23:52.252Z

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[\Add Field/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    * status=open cve.severity=MEDIUM

    Filters events where the status field equals open and the cve.severity field equals MEDIUM. This filter identifies active vulnerabilities that have been assessed as having moderate security impact.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[\Add Field/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | eval("Hostname" = host_info.hostname)

    Creates a new field Hostname with values from host_info.hostname, keeping the original field.

  4. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[\Add Field/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 3 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | top(field="Hostname", limit=10, as="Number of Vulerabilities")

    Finds the most frequent values in the Hostname field, limited to 10 results, and names the count field Number of Vulerabilities. As no rest parameter is specified, any additional hosts beyond the limit are excluded from the results.

  5. Event Result set.

Summary and Results

The widget is used to identify which hosts have the most open medium severity vulnerabilities.

This widget is useful to understand the distribution of moderate-risk issues across the infrastructure and prioritize systems for remediation.

Sample output from the incoming example data:

HostnameNumber of Vulerabilities
TYO-SRV011
PROD-WEB011
DEV-APP011
LON-SRV011
PROD-FILE011

The output shows hosts ranked by their number of open medium severity vulnerabilities.