Detection rules › Elastic
Multiple Vulnerabilities by Asset via Wiz
This alert identifies assets with an elevated number of vulnerabilities reported by Wiz, potentially indicating weak security posture, missed patching, or active exposure. The rule highlights assets with a high volume of distinct vulnerabilities, the presence of exploitable vulnerabilities, or a combination of multiple severities, helping prioritize assets that pose increased risk.
Rule body elastic
[metadata]
creation_date = "2026/01/22"
integration = ["wiz"]
maturity = "production"
updated_date = "2026/04/10"
[rule]
author = ["Elastic"]
description = """
This alert identifies assets with an elevated number of vulnerabilities reported by Wiz, potentially indicating weak security posture,
missed patching, or active exposure. The rule highlights assets with a high volume of distinct vulnerabilities, the presence of exploitable
vulnerabilities, or a combination of multiple severities, helping prioritize assets that pose increased risk.
"""
from = "now-24h"
interval = "5m"
language = "esql"
license = "Elastic License v2"
name = "Multiple Vulnerabilities by Asset via Wiz"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Multiple Vulnerabilities by Asset via Wiz
This alert identifies assets with an elevated number of vulnerabilities reported by Wiz, potentially indicating weak security posture, missed patching, or active exposure. The rule highlights assets with a high volume of distinct vulnerabilities, the presence of exploitable vulnerabilities, or a combination of multiple severities, helping prioritize assets that pose increased risk.
### Possible investigation steps
- Review the affected asset details using `wiz.vulnerability.vulnerable_asset.name` and `wiz.vulnerability.vulnerable_asset.id` to confirm asset ownership, criticality, and exposure (e.g., internet-facing, production).
- Examine the list of detected vulnerabilities using `Esql.vuln_id_values` to identify known high-risk or widely exploited CVEs.
- Assess vulnerability severity distribution via `Esql.vuln_severity_values`, focusing on assets with multiple severity levels or repeated high/critical findings.
- Determine whether any vulnerabilities have known exploits by validating `wiz.vulnerability.has_exploit`, prioritizing those assets for immediate remediation.
- Cross-check recent patching, configuration changes, or deployment activity on the asset to identify potential gaps or misconfigurations.
### False positive analysis
- Assets undergoing initial onboarding, scanning expansion, or configuration changes may temporarily report a high volume of findings.
- Vulnerability aggregation may include informational or low-impact findings that inflate counts without representing immediate risk.
- Duplicate or closely related vulnerabilities affecting shared packages or libraries may appear as multiple findings for the same root cause.
- Test, lab, or non-production assets may legitimately tolerate higher vulnerability counts depending on risk acceptance.
### Response and remediation
- Prioritize remediation for assets with exploitable vulnerabilities or multiple high/critical severity findings.
- Apply missing patches, updates, or configuration fixes according to asset criticality and exposure.
- Implement compensating controls (e.g., network segmentation, access restrictions) if immediate patching is not feasible.
- Validate remediation by re-scanning the asset in Wiz to confirm vulnerability reduction.
- Review vulnerability management processes to prevent recurrence, including patch SLAs, asset ownership, and exposure monitoring."""
risk_score = 99
rule_id = "6fcb4fe4-ac74-449d-855b-2bbd5c51c476"
severity = "critical"
tags = ["Use Case: Vulnerability", "Rule Type: Higher-Order Rule", "Resources: Investigation Guide", "Data Source: Wiz"]
timestamp_override = "event.ingested"
type = "esql"
query = '''
FROM logs-wiz.vulnerability-*
| WHERE data_stream.dataset == "wiz.vulnerability" and event.category == "vulnerability" and
wiz.vulnerability.vulnerable_asset.name is not null and
wiz.vulnerability.vulnerable_asset.id is not null
| stats Esql.count_distinct_vuln_id = COUNT_DISTINCT(wiz.vulnerability.id),
Esql.count_distinct_vuln_severity = COUNT_DISTINCT(wiz.vulnerability.cvss_severity),
Esql.count_has_exploit = COUNT(wiz.vulnerability.has_exploit),
Esql.vuln_id_values = VALUES(wiz.vulnerability.id),
Esql.vuln_severity_values = VALUES(wiz.vulnerability.cvss_severity) by wiz.vulnerability.vulnerable_asset.name, wiz.vulnerability.vulnerable_asset.id
| eval concat_vuln_severity_values = MV_CONCAT(Esql.vuln_severity_values, ",")
| where Esql.count_distinct_vuln_id >= 10 or
(Esql.count_has_exploit >= 1 and Esql.count_distinct_vuln_id >= 3) or
(concat_vuln_severity_values like "*High*" and Esql.count_distinct_vuln_id >= 3) or
(concat_vuln_severity_values like "*Critical*" and Esql.count_distinct_vuln_id >= 3)
| Keep wiz.vulnerability.vulnerable_asset.name, wiz.vulnerability.vulnerable_asset.id, Esql.*
'''
references = ["https://www.elastic.co/docs/reference/integrations/wiz#vulnerability"]
Stages and Predicates
Stage 1: from
FROM logs-wiz.vulnerability-*
Stage 2: where
| WHERE data_stream.dataset == "wiz.vulnerability" and event.category == "vulnerability" and
wiz.vulnerability.vulnerable_asset.name is not null and
wiz.vulnerability.vulnerable_asset.id is not null
Stage 3: stats
| stats Esql.count_distinct_vuln_id = COUNT_DISTINCT(wiz.vulnerability.id),
Esql.count_distinct_vuln_severity = COUNT_DISTINCT(wiz.vulnerability.cvss_severity),
Esql.count_has_exploit = COUNT(wiz.vulnerability.has_exploit),
Esql.vuln_id_values = VALUES(wiz.vulnerability.id),
Esql.vuln_severity_values = VALUES(wiz.vulnerability.cvss_severity) by wiz.vulnerability.vulnerable_asset.name, wiz.vulnerability.vulnerable_asset.id
Stage 4: eval
| eval concat_vuln_severity_values = MV_CONCAT(Esql.vuln_severity_values, ",")
Stage 5: where
| where Esql.count_distinct_vuln_id >= 10 or
(Esql.count_has_exploit >= 1 and Esql.count_distinct_vuln_id >= 3) or
(concat_vuln_severity_values like "*High*" and Esql.count_distinct_vuln_id >= 3) or
(concat_vuln_severity_values like "*Critical*" and Esql.count_distinct_vuln_id >= 3)
Stage 6: keep
| Keep wiz.vulnerability.vulnerable_asset.name, wiz.vulnerability.vulnerable_asset.id, Esql.*
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Esql.count_distinct_vuln_id | ge |
|
Esql.count_has_exploit | ge |
|
concat_vuln_severity_values | wildcard |
|
data_stream.dataset | eq |
|
event.category | eq |
|
wiz.vulnerability.vulnerable_asset.id | is_not_null | |
wiz.vulnerability.vulnerable_asset.name | is_not_null |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
wiz.vulnerability.vulnerable_asset.name | KEEP wiz.vulnerability.vulnerable_asset.name |
wiz.vulnerability.vulnerable_asset.id | KEEP wiz.vulnerability.vulnerable_asset.id |
Esql.* | KEEP Esql.* |