Multiple Vulnerabilities by Asset via Wiz

Last updated: 2026-01-22
Created: 2026-01-22

About

This alert identifies assets with an elevated number of vulnerabilities reported by Wiz, potentially indicating weak security posture, missed patching, or active exposure. The rule highlights assets with a high volume of distinct vulnerabilities, the presence of exploitable vulnerabilities, or a combination of multiple severities, helping prioritize assets that pose increased risk.
Tags
Use Case: Vulnerability
Rule Type: Higher-Order Rule
Data Source: Wiz
Language: esql
Severity
critical
Risk Score
99
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

wiz

Query
FROM logs-wiz.vulnerability-*
| WHERE event.dataset == "wiz.vulnerability"
    AND event.category == "vulnerability"
    AND wiz.vulnerability.vulnerable_asset.name IS NOT NULL
    AND wiz.vulnerability.vulnerable_asset.id IS NOT NULL
| STATS
    Esql.count_distinct_vuln_id = COUNT_DISTINCT(wiz.vulnerability.id),
    Esql.count_distinct_vuln_severity = COUNT_DISTINCT(wiz.vulnerability.cvss_severity),
    Esql.count_has_exploit = COUNT(wiz.vulnerability.has_exploit),
    Esql.vuln_id_values = VALUES(wiz.vulnerability.id),
    Esql.vuln_severity_values = VALUES(wiz.vulnerability.cvss_severity)
  BY wiz.vulnerability.vulnerable_asset.name, wiz.vulnerability.vulnerable_asset.id
| EVAL concat_vuln_severity_values = MV_CONCAT(Esql.vuln_severity_values, ",")
| WHERE Esql.count_distinct_vuln_id >= 10
    OR (Esql.count_has_exploit >= 1 AND Esql.count_distinct_vuln_id >= 3)
    OR (concat_vuln_severity_values LIKE "*High*" AND Esql.count_distinct_vuln_id >= 3)
    OR (concat_vuln_severity_values LIKE "*Critical*" AND Esql.count_distinct_vuln_id >= 3)
| KEEP wiz.vulnerability.vulnerable_asset.name, wiz.vulnerability.vulnerable_asset.id, Esql.*
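To see which assets the thresholds above would surface before enabling or tuning the rule, the following Python re-implements the query's grouping, aggregations and final conditions over a handful of constructed Wiz vulnerability documents. This is an added example, not Elastic's or Wiz's code: the field names are taken from the query, while the asset names and vulnerability ids are hypothetical.

```python
from collections import defaultdict

# Field names are the ones used in the rule's ES|QL query.
ASSET_NAME = "wiz.vulnerability.vulnerable_asset.name"
ASSET_ID = "wiz.vulnerability.vulnerable_asset.id"
VULN_ID = "wiz.vulnerability.id"
SEVERITY = "wiz.vulnerability.cvss_severity"
HAS_EXPLOIT = "wiz.vulnerability.has_exploit"


def _ev(asset, vuln_id, severity, has_exploit):
    """Build one constructed, flattened logs-wiz.vulnerability-* document."""
    return {ASSET_NAME: asset, ASSET_ID: asset + "-id", VULN_ID: vuln_id,
            SEVERITY: severity, HAS_EXPLOIT: has_exploit}


# Constructed sample assets; names and vulnerability ids are hypothetical.
EVENTS = (
    [_ev("web-01", f"V-{i}", "Medium", None) for i in range(10)]     # 10 distinct vulns
    + [_ev("db-02", f"C-{i}", "Critical", False) for i in range(2)]  # Critical, only 2 vulns
    + [_ev("api-05", f"H-{i}", "High", True) for i in range(3)]      # 3 High, exploit known
    + [_ev("app-03", f"L-{i}", "Low", False) for i in range(3)]      # 3 Low, has_exploit=false
    + [_ev("cache-04", f"N-{i}", "Low", None) for i in range(3)]     # 3 Low, has_exploit absent
)


def evaluate_asset(rows):
    """Mirror the STATS, EVAL and final WHERE stages for one asset's rows."""
    ids = {r[VULN_ID] for r in rows if r[VULN_ID] is not None}         # COUNT_DISTINCT / VALUES
    severities = {r[SEVERITY] for r in rows if r[SEVERITY] is not None}
    # ES|QL COUNT(field) counts every non-null value, including boolean false.
    exploit_rows = sum(1 for r in rows if r[HAS_EXPLOIT] is not None)
    concat = ",".join(sorted(severities))                               # MV_CONCAT(..., ",")
    n = len(ids)
    reasons = []
    if n >= 10:
        reasons.append(">=10 distinct vulnerabilities")
    if exploit_rows >= 1 and n >= 3:
        reasons.append("has_exploit present on >=1 finding and >=3 vulnerabilities")
    if "High" in concat and n >= 3:         # LIKE "*High*" is a case-sensitive match
        reasons.append("High severity present and >=3 vulnerabilities")
    if "Critical" in concat and n >= 3:
        reasons.append("Critical severity present and >=3 vulnerabilities")
    return reasons


def find_alerting_assets(events):
    """Apply the query's null filter, group by asset (STATS ... BY) and keep hits."""
    groups = defaultdict(list)
    for e in events:
        if e.get(ASSET_NAME) is not None and e.get(ASSET_ID) is not None:
            groups[(e[ASSET_NAME], e[ASSET_ID])].append(e)
    return {k: r for k, rows in groups.items() if (r := evaluate_asset(rows))}
```

The app-03 and cache-04 samples differ only in whether the has_exploit field is present, which is exactly what the query's COUNT() condition keys on, so compare their results when deciding whether that condition matches your integration's field mapping.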

Install detection rules in Elastic Security

Detect Multiple Vulnerabilities by Asset via Wiz in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.