# fleet
Hello! I'd like to gather some community feedback before I submit a feature request from those of you using Fleet for vulnerability management. 🧵

A common frustration in vulnerability management is the effort of analyzing the firehose of vulnerability data to figure out what's important to you. While Fleet compares software or OS version information against a variety of sources (NVD, MSRC, OVAL, etc...), it doesn't account for other factors that make a host vulnerable.

For example: CVE-2024-49112 is a critical vulnerability affecting LDAP on Windows operating systems. Fleet uses the MSRC API and a host's OS version (specifically the UBR) to determine if the host is vulnerable, HOWEVER it does not evaluate if LDAP is running, or if LDAP ports are exposed. This creates extra noise and may lead you to schedule emergency patch processes for systems not affected, which is usually paired with downtime or other disruptive business activities.

Proposal: Use osquery to filter vulnerabilities by host
• Select a vulnerability in Fleet
• Add a query to it:
SELECT 1 FROM listening_ports WHERE port IN (389, 636)
This will filter out hosts that are not listening on a known LDAP port. You could also use filters to fix other types of false positives. Does NVD incorrectly state that a vulnerability affects all operating systems where it should only affect Windows? Use this filter:
SELECT 1 FROM os_version WHERE platform = 'windows'
Proposal Phase 2: Crowdsourcing Filters

While filters can help reduce noise within Fleet, they do not necessarily decrease the research workload for your vulnerability management team. The team still needs to investigate vulnerabilities and create custom filters for them. A potential solution is to embrace crowdsourcing. Since Fleet is open source, you can contribute filters that might benefit the community by submitting them to the Fleet repository. In turn, Fleet instances could optionally integrate these crowdsourced filters, streamlining efforts across the community.
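To show how the proposed per-vulnerability filters would cut the host list down, here is an added example (not Fleet's code, and not part of the post) that stands in for osquery with an in-memory SQLite database holding the `listening_ports` and `os_version` tables, runs the two filter queries from the post against constructed hosts, and keeps a host flagged only when the query returns a row. The hosts, the `FLAGGED` map and the placeholder `CVE-0000-0001` are made up for the example; `host_matches` and `apply_filters` are hypothetical names.

```python
import sqlite3

# Constructed sample hosts. Each entry mimics what the osquery tables
# listening_ports (column: port) and os_version (column: platform) would
# return on that host; the values are made up for this example.
HOSTS = {
    "dc01": {"os_version": [("windows",)], "listening_ports": [(389,), (636,), (445,)]},
    "ws02": {"os_version": [("windows",)], "listening_ports": [(445,), (3389,)]},
    "web03": {"os_version": [("ubuntu",)], "listening_ports": [(443,)]},
}

# Hypothetical Fleet result: hosts whose version data matched an advisory,
# keyed by CVE. CVE-2024-49112 is from the post; CVE-0000-0001 is a
# placeholder for an NVD entry that wrongly lists every platform as affected.
FLAGGED = {
    "CVE-2024-49112": ["dc01", "ws02"],
    "CVE-0000-0001": ["dc01", "web03"],
}

# Per-CVE filter queries, exactly as proposed in the post: a host stays
# flagged only if the query returns at least one row on that host.
FILTERS = {
    "CVE-2024-49112": "SELECT 1 FROM listening_ports WHERE port IN (389, 636)",
    "CVE-0000-0001": "SELECT 1 FROM os_version WHERE platform = 'windows'",
}


def host_matches(host: dict, query: str) -> bool:
    """Run an osquery-style filter against one host's tables (SQLite stand-in)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE os_version (platform TEXT)")
    con.execute("CREATE TABLE listening_ports (port INTEGER)")
    con.executemany("INSERT INTO os_version VALUES (?)", host["os_version"])
    con.executemany("INSERT INTO listening_ports VALUES (?)", host["listening_ports"])
    try:
        return con.execute(query).fetchone() is not None
    finally:
        con.close()


def apply_filters(flagged: dict, filters: dict, hosts: dict) -> dict:
    """Keep only hosts for which the CVE's filter returns a row.
    CVEs with no filter pass through unchanged: no evidence, no suppression."""
    result = {}
    for cve, names in flagged.items():
        query = filters.get(cve)
        result[cve] = [n for n in names if query is None or host_matches(hosts[n], query)]
    return result


if __name__ == "__main__":
    for cve, names in apply_filters(FLAGGED, FILTERS, HOSTS).items():
        print(cve, names)
```

With the constructed data, ws02 drops off CVE-2024-49112 because nothing listens on 389/636 there, and web03 drops off the placeholder CVE because its platform is not Windows.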