The Cisco Vulnerability Management platform is a risk-based vulnerability management (RBVM) solution that at its core, provides organization with proven threat intelligence and prioritization for vulnerabilities within their environment. It also has a lot of functionality contained that help vulnerability management programs at all levels of maturity. One of these capabilities is the reporting that users of the platform get right out of the box.
While the reporting is robust, organizations may require additional flexibility in reporting, or would want to connect with existing visualization platforms for more central reporting, even for teams outside the VM program.
This article is written to provide a starting point for organizations that may be looking for such type of reporting but are not quite sure of where to start. We’ll be using the PowerBi from Microsoft for the visualization in this article. Disclaimer: this author is not an expert in PowerBi!
If you would like to skip the details and start seeing your data, a PowerBi template has been provided which you can start using as soon as you ingest the JSON exports from the Cisco VM platform. The exports should be:
- An all Asset export (name the file assets_export.json)
- An all Vulnerabilities export (name the file vulnerabilities_export.json) and
- Fixes exports (name the file fixes_export.json)
Details with screenshots are provided within the article.
At a glance, we’ll be covering the following in the main article:
- Exporting relevant Data from the Cisco vulnerability management platform
- Ingesting the data into PowerBi
- Transformation of the Data
- Some underlying structures
- A review of the reports in the Visual
- Conclusion
- Resources
Exporting Data from the Cisco VM platform
To be able to get the relevant information out of the platform, we’ll be doing an export of the asset, vulnerability, and fixes data from the platform. This data can be exported from the platform either via the User Interface (UI) from the relevant sections as CSV files or using the Data exports API endpoint and obtaining the relevant export as a JSON file. This article goes into more detail on how each can be done, while this video goes into more detail around the API exports. We’ll be using the APIs for the data exports in this article.
Create a vulnerabilities, assets and fixes export using the API endpoint. You can use the examples shown below. Note that only the body of the API request for requesting each of the data exports are provided here.
Asset exports (all assets)
{
"status": [
"inactive",
"active"
],
"exclude_child_filter" : [
"include all assets"
],
"export_settings" : {
"format": "json",
"model": "asset"
}
}
Vulnerabilities export (all vulnerabilities)
{
"asset":{
"status":[
"active",
"inactive"
]
},
"status" : [
"open",
"closed",
"risk accepted",
"false positive"
],
"export_settings" : {
"format": "json",
"model": "vulnerability"
}
}
Fixes export (all fixes)
{
"export_settings" : {
"format": "json",
"model": "fix"
}
}
It is recommended to use the following naming convention to ease the process of regular updates to the Power Bi visuals.
- An all Asset export (name the file assets_export.json)
- An all Vulnerabilities export (name the file vulnerabilities_export.json) and
- Fixes exports (name the file fixes_export.json)
Ingesting the Data into Power Bi
Power BI offers multiple ways to ingest your data, but since we would be starting from the template file provided, you would need to open the file and change the data source settings to point to your downloaded exports.
To do this, click on ‘File’, then ‘Options and Settings’ and finally click on ‘Data source settings’.
For each of the files listed, select them, and click on ‘Change Source…’ to get the option of navigating to the location of your file for each type of export. Screenshots of the steps are provided below.
Note that while we are using JSON files here for the ingest, CSV files can be used as well using the UI export options in the Cisco VM platform. Some companies may have these exports in data lakes or other storage sources, and do the ingest via other Power Bi connectors e.g., SQL Servers.
Transforming the Data within Power Bi
The transformation is mainly around un-nesting some of the JSON objects from the various exports. For brevity, as well as because organizations may want to handle this differently, we do not discuss this in detail, however, please refer to the transformations in the provided PowerBi template to review this. With the template provided, you do not have to visit transformations.
Some underlying structures
This section is to touch on a few of the created tables and calculated columns used. Arguably one of the more important tables created are the Calendar tables for important dates like
- Date vulnerabilities were closed (vulnerabilities.closed_at)
- Date vulnerabilities were created (vulnerabilities.created_at)
- Found dates for vulnerabilities (vulnerabilities.first_found_on)
and so on.
Auto calendars are used to populate all unique dates from such fields, and then additional columns like Month, Month number, Week number, etc. are created from these unique dates. Having each of these columns provides the needed flexibility to visualize these graphs in months, weeks, and years, while maintaining chronological order.
In the Data Model view, the relevant relationships have also been set up like creating the relationship between the Vulns Created Calendar date to vulnerabilities.created_at field in your vulnerabilities export. Please review the attached template after ingestion for details.
Some other measures are created which help to determine if an asset has high scoring vulnerabilities or not. Please refer to the template for details. The template has been prepared in such a way that these will work as is; they are mentioned here in case the user may like to add additional measure and relationships for additional visuals.
A review of the reports in the Visual
An asset, and a vulnerabilities dashboard were created in the Power Bi visuals as a starting point for organizations. The charts included here are:
Assets Dashboard
The reports included in this dashboard are:
- Active assets and the count of high-scoring vulnerabilities on them.
- Total number of high-scoring assets.
- Total number of active assets with high-scoring vulnerabilities.
- Ratio of assets that have high-scoring vulnerabilities to those that don’t.
- A bar-graph of assets and the number of high-scoring vulnerabilities on them.
Below is a visual of the assets’ dashboard.
Vulnerabilities Dashboard
The reports included in this dashboard are:
- Count of all open vulnerabilities.
- Vulnerability counts by vulnerability statuses
- Age of oldest vulnerability
- % of high vulnerabilities to an age threshold
- All vulnerabilities by their status and the year they were created
- All vulnerabilities created in the last 6 months by week number
- Vulnerabilities closed by Year
- Vulnerabilities closed in the last 2 years by Week number
Below is a snapshot of the vulnerabilities dashboard.
Conclusion
The hope is that this article was able to show how external reporting is possible with data from the Cisco VM platform and some organizations may look to have this type of reporting for added flexibility of reporting. A template has been provided to aid organizations in setting up similar reporting very quickly for their environment.
Resources
Exporting data from the Cisco Vulnerability Management platform