Dispaly Top 10 Hosts With Active Critical Severity CVEs

Identify hosts most affected by critical severity vulnerabilities

This is a query example for the Top 10 Hosts: Active Critical Severity widget in the CrowdStrike Falcon Spotlight: Severity Details dashboard of the crowdstrike/spotlight package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> result
logscale
* status=open
| cve.severity=CRITICAL
| eval("Hostname" = host_info.hostname)
| top(field="Hostname", limit=10, as="Number of Vulerabilities")

Introduction

This widget is used to identify and rank hosts based on their number of open critical severity vulnerabilities, helping security teams prioritize the most urgent security issues.

In this widget, the eval() and top() functions are used to process and rank hosts based on their critical severity vulnerability counts.

Example incoming data might look like this:

@timestamp#error#repo#type@error@error_msg@error_msg[0]@event_parsed@id@ingesttimestamp@rawstring@timestamp.nanos@timezoneaidapp.product_name_versionapps[0].product_name_versionapps[0].remediation.ids[0]apps[0].sub_statuscidcreated_timestampcve.base_scorecve.exploit_statuscve.idcve.severityhost_info.hostnamehost_info.local_iphost_info.machine_domainhost_info.os_versionhost_info.ouhost_info.platformhost_info.site_namehost_info.system_manufactureridremediation.ids[0]statusupdated_timestamp
2026-02-09T16:23:49trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_0_17706542292026-02-09T16:23:49{ "aid" : "a1b2c3d4e5f6g7h8i9j0", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsNT-10.0-19045", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.123Z", "cve" : {"severity":"HIGH","exploit_status":1,"base_score":8.2,"id":"CVE-2023-34721"}, "host_info" : { "groups" : [], "hostname" : "PROD-WEB01", "local_ip" : "192.168.2.143", "machine_domain" : "malicious-domain.com", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows", "site_name" : "us-east-1", "system_manufacturer" : "Abc", "tags" : [] }, "id" : "b2c3d4e5f6g7h8i9j0k1", "remediation" : { "ids" : [ "c3d4e5f6g7h8i9j0k1l2" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:49.123Z" } e5680b3e8ba36d8471252f0246d8b5fc0Za1b2c3d4e5f6g7h8i9j0S_PLATFORM_ID_SWindowsNT-10.0-19045T_MD5_TopenT_MD5_T2026-02-09T16:23:49.123Z8.21CVE-2023-34721HIGHPROD-WEB01192.168.2.143malicious-domain.comS_OS_VERSION_SDomain ControllersWindowsus-east-1Abcb2c3d4e5f6g7h8i9j0k1c3d4e5f6g7h8i9j0k1l2open2026-02-09T16:23:49.123Z
2026-02-09T16:23:50trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_1_17706542302026-02-09T16:23:50{ "aid" : "d4e5f6g7h8i9j0k1l2m3", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-13.5.2", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "closed" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:49.920Z", "cve" : {"id":"CVE-2024-12053","severity":"CRITICAL","base_score":9.6,"exploit_status":2}, "host_info" : { "groups" : [], "hostname" : "PROD-APP02", "local_ip" : "192.168.0.87", "machine_domain" : "evil-site.net", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 10", "site_name" : "westeurope", "system_manufacturer" : "Dell Inc.", "tags" : [] }, "id" : "e5f6g7h8i9j0k1l2m3n4", "remediation" : { "ids" : [ "f6g7h8i9j0k1l2m3n4o5" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:49.920Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zd4e5f6g7h8i9j0k1l2m3S_PLATFORM_ID_SmacOS-13.5.2T_MD5_TclosedT_MD5_T2026-02-09T16:23:49.920Z9.62CVE-2024-12053CRITICALPROD-APP02192.168.0.87evil-site.netS_OS_VERSION_SDomain ControllersWindows 10westeuropeDell Inc.e5f6g7h8i9j0k1l2m3n4f6g7h8i9j0k1l2m3n4o5closed2026-02-09T16:23:49.920Z
2026-02-09T16:23:51trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_2_17706542312026-02-09T16:23:51{ "aid" : "g7h8i9j0k1l2m3n4o5p6", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "Linux-Ubuntu-22.04-5.15.0-83-generic", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:50.699Z", "cve" : {"id":"CVE-2022-28976","base_score":5.4,"exploit_status":0,"severity":"MEDIUM"}, "host_info" : { "groups" : [], "hostname" : "PROD-DB01", "local_ip" : "192.168.3.211", "machine_domain" : "phishing-portal.org", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows 11", "site_name" : "asia-northeast1", "system_manufacturer" : "HP", "tags" : [] }, "id" : "h8i9j0k1l2m3n4o5p6q7", "remediation" : { "ids" : [ "i9j0k1l2m3n4o5p6q7r8" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:50.699Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zg7h8i9j0k1l2m3n4o5p6S_PLATFORM_ID_SLinux-Ubuntu-22.04-5.15.0-83-genericT_MD5_TopenT_MD5_T2026-02-09T16:23:50.699Z5.40CVE-2022-28976MEDIUMPROD-DB01192.168.3.211phishing-portal.orgS_OS_VERSION_SDomain ControllersWindows 11asia-northeast1HPh8i9j0k1l2m3n4o5p6q7i9j0k1l2m3n4o5p6q7r8closed2026-02-09T16:23:50.699Z
2026-02-09T16:23:52trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_3_17706542322026-02-09T16:23:52{ "aid" : "j0k1l2m3n4o5p6q7r8s9", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "WindowsServer-2022-20348.1787", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:51.473Z", "cve" : {"id":"CVE-2023-41892","severity":"HIGH","exploit_status":1,"base_score":7.1}, "host_info" : { "groups" : [], "hostname" : "PROD-FILE01", "local_ip" : "192.168.1.54", "machine_domain" : "command-control.xyz", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2019", "site_name" : "sa-east-1", "system_manufacturer" : "Lenovo", "tags" : [] }, "id" : "k1l2m3n4o5p6q7r8s9t0", "remediation" : { "ids" : [ "l2m3n4o5p6q7r8s9t0u1" ] }, "status" : "closed", "updated_timestamp" : "2026-02-09T16:23:51.473Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zj0k1l2m3n4o5p6q7r8s9S_PLATFORM_ID_SWindowsServer-2022-20348.1787T_MD5_TopenT_MD5_T2026-02-09T16:23:51.473Z7.11CVE-2023-41892HIGHPROD-FILE01192.168.1.54command-control.xyzS_OS_VERSION_SDomain ControllersWindows Server 2019sa-east-1Lenovok1l2m3n4o5p6q7r8s9t0l2m3n4o5p6q7r8s9t0u1closed2026-02-09T16:23:51.473Z
2026-02-09T16:23:52trueauto-dashboard-queriessiem-connectortrueNo field named metadata.eventCreationTime to use when parsing timestampNo field named metadata.eventCreationTime to use when parsing timestampfalserfVIA55U9jSH8zSzmRYJIeBx_15_4_17706542322026-02-09T16:23:52{ "aid" : "m3n4o5p6q7r8s9t0u1v2", "app" : { "product_name_version" : "S_PLATFORM_ID_S" }, "apps" : [ { "product_name_version" : "macOS-14.1.1", "remediation" : { "ids" : [ "T_MD5_T" ] }, "sub_status" : "open" } ], "cid" : "T_MD5_T", "created_timestamp" : "2026-02-09T16:23:52.252Z", "cve" : {"severity":"LOW","exploit_status":0,"base_score":3.2,"id":"CVE-2025-10437"}, "host_info" : { "groups" : [], "hostname" : "PROD-SQL01", "local_ip" : "192.168.4.198", "machine_domain" : "bad-actor-infra.io", "os_version" : "S_OS_VERSION_S", "ou" : "Domain Controllers", "platform" : "Windows Server 2022", "site_name" : "us-west-2", "system_manufacturer" : "Microsoft Corporation", "tags" : [] }, "id" : "n4o5p6q7r8s9t0u1v2w3", "remediation" : { "ids" : [ "o5p6q7r8s9t0u1v2w3x4" ] }, "status" : "open", "updated_timestamp" : "2026-02-09T16:23:52.252Z" } e5680b3e8ba36d8471252f0246d8b5fc0Zm3n4o5p6q7r8s9t0u1v2S_PLATFORM_ID_SmacOS-14.1.1T_MD5_TopenT_MD5_T2026-02-09T16:23:52.252Z3.20CVE-2025-10437LOWPROD-SQL01192.168.4.198bad-actor-infra.ioS_OS_VERSION_SDomain ControllersWindows Server 2022us-west-2Microsoft Corporationn4o5p6q7r8s9t0u1v2w3o5p6q7r8s9t0u1v2w3x4open2026-02-09T16:23:52.252Z

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    * status=open

    Filters events where the status field equals open, identifying currently active vulnerabilities that require remediation.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | cve.severity=CRITICAL

    Filters events where the cve.severity field equals CRITICAL. This filter identifies vulnerabilities that have been assessed as having the highest security impact, requiring immediate remediation.

  4. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> result style 3 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | eval("Hostname" = host_info.hostname)

    Creates a new field Hostname with values from host_info.hostname, keeping the original field.

  5. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> result style 4 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | top(field="Hostname", limit=10, as="Number of Vulerabilities")

    Finds the most frequent values in the Hostname field, limited to 10 results, and names the count field Number of Vulerabilities. As no rest parameter is specified, any additional hosts beyond the limit are excluded from the results.

  6. Event Result set.

Summary and Results

The widget is used to identify which hosts have the most open critical severity vulnerabilities.

This widget is useful to prioritize immediate remediation efforts by focusing on systems with the most urgent security risks.

Sample output from the incoming example data:

HostnameNumber of Vulerabilities
NYC-SRV011
PROD-SQL011
DC011
MAIL011
DEV-DB011

The output shows hosts ranked by their number of open critical severity vulnerabilities.