Security Posture Dashboard
A dashboard for tracking vulnerabilities, attack attempts, and security coverage across your environment.
Tile 1: Open Vulnerabilities (Single Value)
fetch security.events, from:now()-30d
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT" AND event.level == "ENTITY"
| dedup {vulnerability.display_id, affected_entity.id}, sort:{timestamp desc}
| filter vulnerability.resolution.status == "OPEN"
| summarize total_open = count()
Tile 2: Vulnerabilities by Risk Level (Pie Chart)
fetch security.events, from:now()-30d
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT" AND event.level == "ENTITY"
| dedup {vulnerability.display_id, affected_entity.id}, sort:{timestamp desc}
| filter vulnerability.resolution.status == "OPEN"
| summarize count=count(), by:{vulnerability.risk.level}
Tile 3: Most Vulnerable Entities (Table)
fetch security.events, from:now()-30d
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT" AND event.level == "ENTITY"
| dedup {vulnerability.display_id, affected_entity.id}, sort:{timestamp desc}
| filter vulnerability.resolution.status == "OPEN"
| summarize high=countIf(vulnerability.risk.level == "HIGH"),
critical=countIf(vulnerability.risk.level == "CRITICAL"),
total=count(), by:{affected_entity.name}
| sort total desc | limit 10
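Added example, not part of the original dashboard: a plain-Python mirror of the dedup-then-filter logic behind Tiles 1 and 3, run over constructed vulnerability state events (field names follow the DQL above, the values are made up). It shows why `dedup {vulnerability.display_id, affected_entity.id}` with the latest timestamp must run before the `status == "OPEN"` filter: a finding that was later reported RESOLVED would otherwise still be counted as open.

```python
# Added illustration of the Tile 1 / Tile 3 query logic; not Dynatrace code.
from collections import defaultdict

def ev(ts, vid, eid, name, level, status):
    return {"timestamp": ts, "vulnerability.display_id": vid,
            "affected_entity.id": eid, "affected_entity.name": name,
            "vulnerability.risk.level": level, "vulnerability.resolution.status": status}

# Constructed sample of VULNERABILITY_STATE_REPORT_EVENT records (entity level).
SAMPLE_EVENTS = [
    ev(1, "S-1", "pg-1", "payments", "CRITICAL", "OPEN"),
    ev(5, "S-1", "pg-1", "payments", "CRITICAL", "RESOLVED"),  # later resolved
    ev(2, "S-2", "pg-1", "payments", "HIGH", "OPEN"),
    ev(3, "S-2", "pg-1", "payments", "HIGH", "OPEN"),          # repeated report
    ev(4, "S-2", "pg-2", "checkout", "HIGH", "OPEN"),
]

def latest_state(events):
    """Mirror of dedup {display_id, entity.id}, sort:{timestamp desc}."""
    latest = {}
    for e in events:
        key = (e["vulnerability.display_id"], e["affected_entity.id"])
        if key not in latest or e["timestamp"] > latest[key]["timestamp"]:
            latest[key] = e
    return list(latest.values())

def open_vulns(events):
    """Tile 1 order: dedup to latest state first, then keep only OPEN."""
    return [e for e in latest_state(events)
            if e["vulnerability.resolution.status"] == "OPEN"]

def naive_open_count(events):
    """Wrong order (filter OPEN before dedup): stale OPEN reports survive."""
    opened = [e for e in events if e["vulnerability.resolution.status"] == "OPEN"]
    return len(latest_state(opened))

def by_entity(events):
    """Tile 3: high / critical / total open findings per entity name."""
    rows = defaultdict(lambda: {"high": 0, "critical": 0, "total": 0})
    for e in open_vulns(events):
        row = rows[e["affected_entity.name"]]
        row["total"] += 1
        if e["vulnerability.risk.level"] == "HIGH":
            row["high"] += 1
        elif e["vulnerability.risk.level"] == "CRITICAL":
            row["critical"] += 1
    return dict(rows)
```

With the sample data the correct order reports 2 open findings, while filtering before dedup reports 3 because the resolved S-1 on payments is still counted.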
Tile 4: Attack Attempts Timeline (Area Chart)
fetch security.events, from:now()-7d
| filter event.type == "ATTACK_EVENT"
| makeTimeseries attacks=count(), interval:1h
Tile 5: Attack Types (Bar Chart)
fetch security.events, from:now()-7d
| filter event.type == "ATTACK_EVENT"
| summarize count=count(), by:{attack.type}
| sort count desc
💡 Set thresholds on the "Open Vulnerabilities" single value: green ≤5, yellow ≤20, red >20. Use colors: #2f6862 (green), #eea53c (yellow), #c62239 (red).
▶ Knowledge Check
Q: Which bucket stores vulnerability state reports with 3-year retention?
- โ default_events
- โ default_securityevents_builtin
- โ default_security_events