# Patch Filter Reference ## General Patch Information | Property | Description | Type | Example | | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ----------------------------------------------------------- | | General.Name | The user-readable name of this Object. This should be the same name that the vendor has specified so that customers can see the Adaptiva Objects having the same name that they are seeing on the Internet. Required. | String | `General.Name contains "microsoft"` | | General.ShortName | A shorthand name for this Object which follows a consistent format for each vendor's Objects. E.g. For Microsoft Objects this might be the KB number e.g. KB4474419. For Adobe it might be formatted as their Bulletin ID e.g. APSB21-85. For each third-party it should be whatever is appropriate but the format should be consistent across all Objects for that vendor. Required. | String | `General.ShortName == "KB5073457"` | | General.VendorName | The name of the vendor that published this Object. This name should be consistent for all Objects published by the same vendor. | String | `General.VendorName == "Microsoft"` | | General.VendorVersion | The version of the software as specified by the vendor. The format of this is non-standard and can't be relied upon for comparing version of one Object with another. For that comparison we should use the ReleaseDate property Objects with an earlier ReleaseDate will be a lower version than an Object with a later ReleaseDate. | String | `General.VendorVersion == "200"` | | General.ReleaseDate | The date and time the Object was first released. | DateTime: UNIX epoch time in milliseconds | `General.ReleaseDate == "1738112537743"` | | General.WhoAmI | Specifies the origin and business use of the metadata object. | String | General.WhoAmI == "123" | | General.MsiGuid | The MSI GUID of the application if it is an MSI which may be used for detection rules and uninstallation. | String (GUID) | `General.MsiGuid == "90140000-0011-0000-0000-0000000FF1CE"` | | General.ExpiredByVendor | Specifies that the software represented by this object has been expired by the vendor and should no longer be used. | Boolean (true or false) | `General.ExpiredByVendor == true` | ## Platform & Target Classification | Property | Description | Type | Example | | ------------------ | ---------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------ | | General.Platform | Specifies the platform this metadata is for. | Dropdown: Windows, macOS, Debian, Ubuntu, Redhat Enterprise Linux, CentOS Stream, Oracle Linux, Rocky Linux, AlmaLinux | `General.Platform == "Ubuntu"` | | General.TargetType | Specifies the type of software targeted by the Object using one of the built-in constants. Required. | Dropdown: Software, BIOS, Driver, OS | `General.TargetType == "BIOS"` | ## Update Classification | Property | Description | Type | Example | | ------------------------ | ---------------------------------------- | ----------------------- | ---------------------------------- | | General.IsSecurityUpdate | If this update contains security fixes. | Boolean (true or false) | `General.IsSecurityUpdate == true` | | General.IsUpdateRollup | If this update contains a rollup update. | Boolean (true or false) | `General.IsUpdateRollup == true` | | General.IsBugfix | General.IsBugfix | Boolean (true or false) | `General.IsBugfix == true` | | General.IsMinorFeature | General.IsMinorFeature | Boolean (true or false) | `General.IsMinorFeature == true` | | General.IsMajorFeature | General.IsMajorFeature | Boolean (true or false) | `General.IsMajorFeature == true` | | General.IsServicepack | General.IsServicepack | Boolean (true or false) | `General.IsServicepack == true` | ## Risk Assessment | Property | Description | Type | Example | | -------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | -------------------------------------- | | Risk.KnownExploitExists | Whether or not a known exploit exists for the vulnerability that this Object fixes. | Boolean (true or false) | `Risk.KnownExploitExists == true` | | Risk.SecurityExposure | Vendor's indication of how critical the security exposure for this Object is using one of the built-in constants. If a patch fixes multiple CVEs with different CVSS scores the highest of those scores should be reflected in this property. This always represents the literal equivalent of the value in Risk.SecurityExposureLevel. | Dropdown: Low, Medium, High, Critical | `Risk.SecurityExposure == "Critical"` | | Risk.SecurityExposureLevel | Vendor's indication of how critical the security exposure for this Object is using one of the built-in constants. If a patch fixes multiple CVEs with different CVSS scores the highest of those scores should be reflected in this property | Dropdown: None, Low, Medium, High, Critical | `Risk.SecurityExposureLevel == "High"` | ## Microsoft Defender | Property | Description | Type | Example | | -------------------------------- | ----------------------------------------------------------------- | ----------------------------------------------------------------------- | ------------------------------------------ | | Defender.ExploitabilityLevel | The exploitability level of this vulnerability | Dropdown: NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit | | | Defender.KnownExploitExists | True if the vulnerability is public, verified or in a kit | Boolean | `Defender.KnownExploitExists == true` | | Defender.SecurityUpdateAvailable | Indicates whether a security update is available for the software | Boolean | `Defender.SecurityUpdateAvailable == true` | | Defender.SeverityLevel | Defender severity level of vulnerability. | Dropdown: Low, Medium, High, Critical | `Defender.SeverityLevel == "Critical"` | ## CrowdStrike Falcon | Property | Description | Type | Example | | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------- | ---------------------------------------- | | Falcon.ExPRT | The highest ExPRT rating of all the CVEs referenced by the metadata object in Risk.CveIds and all of its superseded objects. | Dropdown: Low, Medium, High, Critical | `Falcon.ExPRT == "High"` | | Falcon.ExploitStatus | The highest exploit status of all the CVEs referenced by the metadata object in Risk.CveIds and all of its superseded objects. | String: "Unknown", "Unproven", "Available", "Easily Accessible", "Actively Used" | `Falcon.KnownExploitExists == "Unknown"` | | Falcon.KnownExploitExists | CrowdStrike's indication of whether or not a known exploit exists for the vulnerability that this Object fixes | Boolean (true or false) | `Falcon.KnownExploitExists == true` | ## SentinelOne | Property | Description | Type | Example | | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------- | ----------------------------------------------- | | SentinelOne.Score | The MITRE-assigned risk score for this vulnerability. | Float: Value between 0.0 and 10.0 | `SentinelOne.Score > ".8"` | | SentinelOne.EpssScore | The Exploit Prediction Scoring System (EPSS) score which is a probability score between 0 and 1 (0 and 100%). The higher the score the greater the probability that a vulnerability will be exploited. | Float: Value between 0.0 and 1.0 | `SentinelOne.EpssScore > ".8"` | | SentinelOne.KnownExploitExists | SentinelOne's indication of whether or not a known exploit exists for the vulnerability that this Object fixes | Boolean (true or false) | `SentinelOne.KnownExploitExists == true` | | SentinelOne.ExploitedInTheWild | Indicates if this vulnerability has been successfully exploited in a production environment. | Boolean (true or false) | `SentinelOne.ExploitedInTheWild == true` | | SentinelOne.ExploitMaturity | The maturity of any exploit that exists for this vulnerability. | Dropdown: Unproven, Maturity not defined, Proof of concept, Functional, High | `SentinelOne.ExploitMaturity == "Unproven"` | | SentinelOne.RemediationLevel | The status of any available remediations for this vulnerability. | Dropdown: Official fix, Temporary fix, Workaround, Not defined, Unavailable | `SentinelOne.RemediationLevel == "Unavailable"` | | SentinelOne.ReportedConfidence | The confidence SentinelOne has that this vulnerability is present in the client's environment | Dropdown: Not defined, Unknown, Reasonable, Confirmed | `SentinelOne.ReportedConfidence == "Unknown"` | | SentinelOne.RiskSeverity | The severity SentinelOne has assigned to this vulnerability | Dropdown: Unknown, Low, Medium, High, Critical | `SentinelOne.RiskSeverity == "Critical"` | ## Tenable | Property | Description | Type | Example | | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- | | Tenable.Vpr | Range 0-10 with 10 being the most critical vulnerability priority rating | Float: 0.0 to 10.0 | `Tenable.Vpr > "9.5"` | | Tenable.VprInteger | Range 0-10 with 10 being the most critical vulnerability priority rating truncated to integer value | Whole number: 0 to 10 | `Tenable.vprInteger > "9"` | | Tenable.VprSeverity | VPR rating classified as Low Medium High or Critical | Dropdown: Low, Medium, High, Critical | `Tenable.VprSeverity == "High"` | | Tenable.AgeOfVulnerability | How long it has been since this vulnerability has been published in the National Vulnerability Database (NVD) | Dropdown: One week, One week to one month, One month to two months, Two months to six months, Six months to one year, One year to two years, More than two years | `Tenable.AgeOfVulnerability == "One week to one month"` | | Tenable.ExploitAvailable | True if a public exploit exists | Boolean (true or false) | `Tenable.ExploitAvailable == true` | | Tenable.ExploitCodeMaturity | The relative maturity of a possible exploit for the vulnerability based on the existence sophistication and prevalence of exploit intelligence from Tenable and external sources (such as Reversinglabs Metasploit etc.). Possible values parallel the CVSS Exploit Code Maturity categories. | Dropdown: Unproven, Proof of concept, Functional, High | `Tenable.ExploitCodeMaturity == "High"` | | Tenable.ExploitedByMalware | True if the vulnerability is known to be exploited by malware | Boolean (true or false) | `Tenable.ExploitedByMalware == true` | | Tenable.ExploitedByNessus | True if Nessus exploited the vulnerability during scanning | Boolean (true or false) | `Tenable.ExploitedByNessus == true` | | Tenable.ProductCoverage | The relative number of unique products affected by the vulnerability. | Dropdown: Unknown, Low, Medium, High, Very High | `Tenable.ProductCoverage == "Very High"` | | Tenable.ThreatIntensity | The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability. | Dropdown: Very Low, Low, Medium, High, Very High | `Tenable.ThreatIntensity == "Very High"` | | Tenable.ThreatRecency | A range representing the number of days since a threat event occurred for the vulnerability. | Dropdown: More than one year, Four months to one year, One to four months, One week to one month, One week | `Tenable.ThreatRecency == "One week to one month"` | | Tenable.ExploitFrameworkCanvas | True if an exploit exists in the CANVAS framework | Boolean (true or false) | `Tenable.ExploitFrameworkCanvas == true` | | Tenable.ExploitFrameworkCore | True if an exploit exists in the CORE Impact framework | Boolean (true or false) | `Tenable.ExploitFrameworkCore == true` | | Tenable.ExploitFrameworkD2Elliot | True if an exploit exists in the D2 Elliot Web framework | Boolean (true or false) | `Tenable.ExploitFrameworkD2Elliot == true` | | Tenable.ExploitFrameworkExploitHub | True if an exploit exists in the ExploitHub framework | Boolean (true or false) | `Tenable.ExploitFrameworkExploitHub == true` | | Tenable.ExploitFrameworkMetasploit | True if an exploit exists in the Metasploit framework | Boolean (true or false) | `Tenable.ExploitFrameworkMetasploit == true` | | Tenable.InTheNews | True if this vulnerability has received media attention | Boolean (true or false) | `Tenable.InTheNews == true` | ## Qualys | Property | Description | Type | Example | | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | -------------------------------------------- | | Qualys.ActiveAttacks | True if a given vulnerability is being actively attacked in the wild. | Boolean (true or false) | `Qualys.ActiveAttacks == true` | | Qualys.CisaKnownExploitedVulns | True if a given vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog. | Boolean (true or false) | `Qualys.CisaKnownExploitedVulns == true` | | Qualys.ConfirmedVulnerability | True if a given vulnerability has the type "Confirmed". The remaining type options are "Potential" or "Info". | Boolean (true or false) | `Qualys.ConfirmedVulnerability == true` | | Qualys.DenialOfService | True if a given vulnerability has the ability to overload or crash a compromised system, causing temporary or even permanent unavailability. | Boolean (true or false) | `Qualys.DenialOfService == true` | | Qualys.EasyExploit | True if a given vulnerability can be exploited with few skills and little overall cybersecurity knowledge. | Boolean (true or false) | `Qualys.EasyExploit == true` | | Qualys.ExploitKit | True if a given vulnerability has an associated exploit kit available. | Boolean (true or false) | `Qualys.ExploitKit == true` | | Qualys.ExploitPublic | True if a given vulnerability is well known, and code that exploits the vulnerability is publicly available. | Boolean (true or false) | `Qualys.ExploitPublic == true` | | Qualys.HighDataLoss | True if a given vulnerability, when exploited, can result in a high amount of data lost. | Boolean (true or false) | `Qualys.HighDataLoss == true` | | Qualys.HighLateralMovement | True if a given vulnerability, when exploited, allows an attacker to propagate that attack over a broader network such as the corp-net of the vulnerable system. | Boolean (true or false) | `Qualys.HighLateralMovement == true` | | Qualys.Malware | True if a given vulnerability is associated with a malware infection | Boolean (true or false) | `Qualys.Malware == true` | | Qualys.MaxCvssScore | The maximum Common Vulnerability Scoring System (CVSS) score of a vulnerability. Decimal indicating the severity of a given vulnerability with 10.0 being the most severe. Unlike QDS, which is determined by Qualys' own formulation, the CVSS score is determined by an industry-shared scoring system, which is then taken into account to determine the QDS score. Similar to the QDS score, if the QIDs associated with one vulnerability report different CVSS scores, then only the highest value is considered here. If a CVSS score is not retrieved when querying Qualys servers, the value 0.0 is assumed. | Decimal, 0.0-10.0 (only single decimal place, e.g. 8.5, 9.2, etc.) | `Qualys.MaxCvssScore == "9.0"` | | Qualys.MaxEpssScore | A decimal value between 0.0 and 1.0, indicating the likelihood of the specified vulnerability being exploited in the next 30 days. Similar to the QDS and CVSS scores, if the QIDs associated with one vulnerability report different EPSS scores, then only the highest value is considered here. If an EPSS score is not retrieved when querying Qualys servers, the value 0.0 is assumed. | Decimal 0.0-1.0 | `Qualys.MaxEpssScore == "0.8"` | | Qualys.MaxQdsScore | The maximum Qualys Detection Score (QDS) of a vulnerability. A number between 1 and 100 describing the severity of a given vulnerability as reported by Qualys, with 100 being the most severe. A vulnerability (packaged as a CVE) may appear in multiple QIDs fetched from a Qualys server, so if the QIDs associated with that vulnerability contain different QDS scores, then only the highest value is considered here. | Whole number 1-100 | `Qualys.MaxQdsScore == "75"` | | Qualys.NoPatch | True if a given vulnerability does not have a fix from the vendor. | Boolean (true or false) | `Qualys.NoPatch == false` | | Qualys.PredictedHighRisk | True if a given vulnerability was predicted by the Qualys Machine Learning model to be high risk based on a variety of input sources. | Boolean (true or false) | `Qualys.PredictedHighRisk == true` | | Qualys.PrivilegeEscalation | True if a given vulnerability allows an attacker to gain elevated privileges upon exploiting the vulnerability. | Boolean (true or false) | `Qualys.PrivilegeEscalation == true` | | Qualys.Ransomware | True if a given vulnerability is associated with known ransomware. | Boolean (true or false) | `Qualys.Ransomware == true` | | Qualys.RemoteCodeExecution | True if a given vulnerability, when exploited, can allow an attacker to run an arbitrary set of commands or code on the targeted system. | Boolean (true or false) | `Qualys.RemoteCodeExecution == true` | | Qualys.SeverityLevel | This value comes from the max QDS score for a given vulnerability, where QDS range 1-39 maps to "Low", 40-69 to "Medium", 70-89 to "High", and 90-100 to "Critical". | Dropdown ("Low", "Medium", "High", "Critical") | `Qualys.SeverityLevel == "High"` | | Qualys.SolorigateSunburst | True if a given vulnerability is associated with the supply-chain backdoor, known as Solorigate/SUNBURST, introduced to SolarWinds Orion via a compromised software update mechanism. | Boolean (true or false) | `Qualys.SolorigateSunburst == true` | | Qualys.UnauthenticatedExploitation | True if a given vulnerability does not require authentication to exploit. | Boolean (true or false) | `Qualys.UnauthenticatedExploitation == true` | | Qualys.Wormable | True if a given vulnerability can be used in worms, allowing it to be spread without user interaction. | Boolean (true or false) | `Qualys.Wormable == true` | | Qualys.ZeroDay | True if a given vulnerability has no vendor patch available despite an active attack in the wild | Boolean (true or false) | `Qualys.ZeroDay == true` | ## WSUS Integration | Property | Description | Type | Example | | ----------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ------------------------------------------------------- | | WSUS.UpdateID | Specifies the WSUS update ID for this patch. | String: GUID | `WSUS.UpdateID == e4369d21-5018-45ee-9547-bf4fc7fbc3c2` | | WSUS.Classification | Specifies the WSUS classification to which this update belongs e.g. Security updates Upgrades Critical updates etc. | String: "Security Updates", "Updates", "Feature Packs", "Critical Updates",etc. | `WSUS.Classification == "Feature Packs"` | | WSUS.UninstallSupported | If set to true this WSUS update can be uninstalled else it can not be uninstalled. | Boolean (true or false) | `WSUS.UninstallSupported == false` |