Display Count of Closed Vulnerabilities

Track total number of resolved vulnerability events

This is a query example for the Total Status: Closed widget in the CrowdStrike Falcon Spotlight: Overview dashboard of the crowdstrike/spotlight package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> result
logscale
status=closed
| count()

Introduction

This widget is used to count the total number of vulnerabilities with a closed status, helping security teams monitor remediation progress.

In this widget, the count() function is used to count all events where vulnerabilities have been successfully remediated.

Example incoming data might look like this:

@timestamp#error#repo#type@error@error_msg@error_msg[0]@event_parsed@id@ingesttimestamp@rawstring@timestamp.nanos@timezoneaidapp.product_name_versionapps[0].product_name_versionapps[0].remediation.ids[0]apps[0].sub_statuscidcreated_timestampcve.base_scorecve.exploit_statuscve.idcve.severityhost_info.hostnamehost_info.local_iphost_info.machine_domainhost_info.os_versionhost_info.ouhost_info.platformhost_info.site_namehost_info.system_manufactureridremediation.ids[0]statusupdated_timestamp
2026-02-09T16:23:49trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_0_17706542292026-02-09T16:23:49{ "aid" : "a1b2c3d4e5f6g7h8i9j0", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsNT-10.0-19045", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.123Z", "cve" : {"severity":"HIGH","exploit_status":1,"base_score":8.2,"id":"CVE-2023-34721"}, "host_info" : { "groups" : [], "hostname" : "PROD-WEB01", "local_ip" : "192.168.2.143", "machine_domain" : "malicious-domain.com", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows", "site_name" : "us-east-1", "system_manufacturer" : "Abc", "tags" : [] }, "id" : "b2c3d4e5f6g7h8i9j0k1", "remediation" : { "ids" : [ "c3d4e5f6g7h8i9j0k1l2" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:49.123Z" } e5680b3e8ba36d8471252f0246d8b5fc0Za1b2c3d4e5f6g7h8i9j0S_PLATFORM_ID_SWindowsNT-10.0-19045T_MD5_TopenT_MD5_T2026-02-09T16:23:49.123Z8.21CVE-2023-34721HIGHPROD-WEB01192.168.2.143malicious-domain.comS_OS_VERSION_SDomain ControllersWindowsus-east-1Abcb2c3d4e5f6g7h8i9j0k1c3d4e5f6g7h8i9j0k1l2open2026-02-09T16:23:49.123Z
2026-02-09T16:23:50trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_1_17706542302026-02-09T16:23:50{ "aid" : "d4e5f6g7h8i9j0k1l2m3", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-13.5.2", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "closed" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.920Z", "cve" : {"id":"CVE-2024-12053","severity":"CRITICAL","base_score":9.6,"exploit_status":2}, "host_info" : { "groups" : [], "hostname" : "PROD-APP02", "local_ip" : "192.168.0.87", "machine_domain" : "evil-site.net", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 10", "site_name" : "westeurope", "system_manufacturer" : "Dell Inc.", "tags" : [] }, "id" : "e5f6g7h8i9j0k1l2m3n4", "remediation" : { "ids" : [ "f6g7h8i9j0k1l2m3n4o5" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:49.920Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zd4e5f6g7h8i9j0k1l2m3S_PLATFORM_ID_SmacOS-13.5.2T_MD5_TclosedT_MD5_T2026-02-09T16:23:49.920Z9.62CVE-2024-12053CRITICALPROD-APP02192.168.0.87evil-site.netS_OS_VERSION_SDomain ControllersWindows 10westeuropeDell Inc.e5f6g7h8i9j0k1l2m3n4f6g7h8i9j0k1l2m3n4o5closed2026-02-09T16:23:49.920Z
2026-02-09T16:23:51trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_2_17706542312026-02-09T16:23:51{ "aid" : "g7h8i9j0k1l2m3n4o5p6", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "Linux-Ubuntu-22.04-5.15.0-83-generic", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:50.699Z", "cve" : {"id":"CVE-2022-28976","base_score":5.4,"exploit_status":0,"severity":"MEDIUM"}, "host_info" : { "groups" : [], "hostname" : "PROD-DB01", "local_ip" : "192.168.3.211", "machine_domain" : "phishing-portal.org", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 11", "site_name" : "asia-northeast1", "system_manufacturer" : "HP", "tags" : [] }, "id" : "h8i9j0k1l2m3n4o5p6q7", "remediation" : { "ids" : [ "i9j0k1l2m3n4o5p6q7r8" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:50.699Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zg7h8i9j0k1l2m3n4o5p6S_PLATFORM_ID_SLinux-Ubuntu-22.04-5.15.0-83-genericT_MD5_TopenT_MD5_T2026-02-09T16:23:50.699Z5.40CVE-2022-28976MEDIUMPROD-DB01192.168.3.211phishing-portal.orgS_OS_VERSION_SDomain ControllersWindows 11asia-northeast1HPh8i9j0k1l2m3n4o5p6q7i9j0k1l2m3n4o5p6q7r8closed2026-02-09T16:23:50.699Z
2026-02-09T16:23:52trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_3_17706542322026-02-09T16:23:52{ "aid" : "j0k1l2m3n4o5p6q7r8s9", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsServer-2022-20348.1787", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:51.473Z", "cve" : {"id":"CVE-2023-41892","severity":"HIGH","exploit_status":1,"base_score":7.1}, "host_info" : { "groups" : [], "hostname" : "PROD-FILE01", "local_ip" : "192.168.1.54", "machine_domain" : "command-control.xyz", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2019", "site_name" : "sa-east-1", "system_manufacturer" : "Lenovo", "tags" : [] }, "id" : "k1l2m3n4o5p6q7r8s9t0", "remediation" : { "ids" : [ "l2m3n4o5p6q7r8s9t0u1" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:51.473Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zj0k1l2m3n4o5p6q7r8s9S_PLATFORM_ID_SWindowsServer-2022-20348.1787T_MD5_TopenT_MD5_T2026-02-09T16:23:51.473Z7.11CVE-2023-41892HIGHPROD-FILE01192.168.1.54command-control.xyzS_OS_VERSION_SDomain ControllersWindows Server 2019sa-east-1Lenovok1l2m3n4o5p6q7r8s9t0l2m3n4o5p6q7r8s9t0u1closed2026-02-09T16:23:51.473Z
2026-02-09T16:23:52trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_4_17706542322026-02-09T16:23:52{ "aid" : "m3n4o5p6q7r8s9t0u1v2", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-14.1.1", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:52.252Z", "cve" : {"severity":"LOW","exploit_status":0,"base_score":3.2,"id":"CVE-2025-10437"}, "host_info" : { "groups" : [], "hostname" : "PROD-SQL01", "local_ip" : "192.168.4.198", "machine_domain" : "bad-actor-infra.io", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2022", "site_name" : "us-west-2", "system_manufacturer" : "Microsoft Corporation", "tags" : [] }, "id" : "n4o5p6q7r8s9t0u1v2w3", "remediation" : { "ids" : [ "o5p6q7r8s9t0u1v2w3x4" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:52.252Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zm3n4o5p6q7r8s9t0u1v2S_PLATFORM_ID_SmacOS-14.1.1T_MD5_TopenT_MD5_T2026-02-09T16:23:52.252Z3.20CVE-2025-10437LOWPROD-SQL01192.168.4.198bad-actor-infra.ioS_OS_VERSION_SDomain ControllersWindows Server 2022us-west-2Microsoft Corporationn4o5p6q7r8s9t0u1v2w3o5p6q7r8s9t0u1v2w3x4open2026-02-09T16:23:52.252Z

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    status=closed

    Filters events where the status field equals closed. This filter identifies vulnerabilities that have been successfully remediated or otherwise resolved. Closed status indicates that the vulnerability no longer poses an active security risk, either through patching, mitigation, or other remediation actions.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | count()

    Counts the total number of events matching the filter criteria, and returns the result in a _count field.

  4. Event Result set.

Summary and Results

The widget is used to monitor the total volume of successfully remediated vulnerabilities.

This widget is useful to track remediation progress and validate the effectiveness of vulnerability management processes.

Sample output from the incoming example data:

_count
75

The output shows the total count of vulnerabilities that have been successfully closed.