Help with a SWQL Query. I want to get a list of nodes with at least one High or Critical CVE. I don't need to see all the CVE's associated with a node, just one that has a Score of 6.9 or higher.

I've tried this, which I guess works in SQL but doesn't work in SWQL:

SELECT NodeId, CveId, Id, max(Score) as maxscore, Severity, Description
FROM Orion.SecObs.Vulnerabilities.LastMatching.Result
GROUP by NodeId

I get the following error:

SolarWinds.Data.Query.Processor.SemanticChecker - SWQL Studio (null) Column CveId is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. Query: SELECT [NodeId], [CveId], [Id], max([Score]) AS maxscore, [Severity], [Description], [State], [FirstMatchTime], [LastMatchTime], [StateChange], [Comment], [IsVulnerableState], [CveLink], [DisplayName], [InstanceType], [Uri], [InstanceSiteId]
FROM [Orion.SecObs.Vulnerabilities.LastMatching].[Result]
GROUP BY [NodeId]
RETURN XML Raw

I see a similar error for every column i'm interested in seeing

What is wrong?

  • Hi, with a Group BY you need to mention each column not in an aggregation function, like MAX, MIN, AVG etc. 
    So your Group by row should look like this: GROUP by NodeId, CveId, Id, Severity, Description

    But I doubt that will give you what you are after so I created this:

    SELECT 
        N.Caption AS [Node Name]
        ,Total.NrCVEs AS [Nr of CVEs]
        ,Count(R.ID) AS [Nr of High CVEs]
        ,MAX(R.Score) AS [Highest Score]
        ,CONCAT('/Orion/NetPerfMon/NodeDetails.aspx?NetObject=',R.NodeId) AS [_LinkFor_Node Name]
    FROM Orion.SecObs.Vulnerabilities.LastMatching.Result AS R
    INNER JOIN Orion.Nodes AS N ON R.NodeId=N.NodeID
    INNER JOIN (
        SELECT 
            R.NodeId AS NodeID
            ,Count(R.ID) AS [NrCVEs]
        FROM Orion.SecObs.Vulnerabilities.LastMatching.Result AS R
        GROUP BY R.NodeId
    ) AS Total ON R.NodeId=Total.NodeID
    WHERE
        R.Score>6.9
    GROUP BY N.Caption,R.NodeId,Total.NrCVEs
    ORDER BY [Highest Score] DESC, [Nr of High CVEs] DESC

    It will give you how many CVE's a node has in total, how many that are over 6,9 and what the highest score is. (The list only includes nodes that has at least one high CVE.)

    Add this to a "Custom query" widget and you will have get a link to the node page as well.

    Hope this is what you are after.

  • yes, you were right, adding the fields in my query to the "group by" did not do what I wanted it to do. However the query you created does EXACTLY what I want it to do. Thanks so much.