Vulnerability Assessment - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Perform vulnerability assessment of all endpoints in your network using Cortex XDR. This includes CVE, endpoint, and application analysis.

Cortex XDR vulnerability assessment enables you to identify and quantify the security vulnerabilities on an endpoint in Cortex XDR. Relying on the information from Cortex XDR, you can easily mitigate and patch these vulnerabilities on all endpoints in your organization.

To provide you with a comprehensive understanding of the vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database, including Common Vulnerabilities and Exposures (CVE) severity and metrics. You can use Cortex XDR to evaluate the extent and severity of each CVE in your network, gain full visibility into the risks to which each endpoint is exposed, and assess the vulnerability status of an installed application in your network.

You can access the Vulnerability Assessment panel from AssetsVulnerability Assessment.

Collecting the initial data from all endpoints in your network could take up to 6 hours. After that, Cortex XDR initiates periodical recalculations to rescan the endpoints and retrieve the updated data. If at any point you want to force data recalculation, click Recalculate.

The following are prerequisites for Cortex XDR to perform a vulnerability assessment of your endpoints.

Requirement

Description

Licenses and Add-ons

  • Cortex XDR Pro per Endpoint license.

  • Host Insights Add-on.

Supported Platforms

  • Windows

    • Cortex XDR agent 7.1 or a later release.

    • Cortex XDR lists only CVEs relating to the operating system, and not CVEs relating to applications provided by other vendors.

    • Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database as well as from the Microsoft Security Response Center (MSRC).

    • Cortex XDR collects KB and application information from the agents but calculates CVE only for KBs based on the data collected from MSRC and other sources.

    • For endpoints running Windows Insider, Cortex XDR cannot guarantee an accurate CVE assessment.

    • Cortex XDR does not display open CVEs for endpoints running Windows releases for which Microsoft no longer fixes CVEs.

  • Linux— Cortex XDR agent 7.1 or a later release.

    Cortex XDR collects all the information about the installed application and calculates CVE based on the the latest data retrieved from the NIST.

  • MacCortex XDR collects only the applications list from macOS without CVE calculation.

If Cortex XDR doesn't match any CVE to its corresponding application, an error message is displayed, "No CVEs Found".

Setup and Permissions

  • Ensure Host Inventory Data Collection is enabled for your Cortex XDR agent.

Limitations

Cortex XDR calculates CVEs for applications according to the application version, and not according to application build numbers.

CVE Analysis

To evaluate the extent and severity of each CVE across your endpoints, you can drill down into each CVE in Cortex XDR and view all the endpoints and applications in your environment that are impacted by the CVE. Cortex XDR retrieves the latest information from the NIST public database. From Add-onsHost InsightsVulnerability Assessment, select CVEs on the upper-right bar. This information is also available in the va_cves dataset, which you can use to build queries in XQL Search.

For each vulnerability, Cortex XDR displays the following default and optional values:

Value

Description

Affected endpoints

The number of endpoints that are currently affected by this CVE. For excluded CVEs, the affected endpoints are N/A.

Applications

The names of the applications affected by this CVE.

CVE

The name of the CVE.

Tip

You can click each individual CVE to view in-depth details about it on a panel that appears on the right.

Description

The general NIST description of the CVE.

Excluded

Indicates whether this CVE is excluded from all endpoint and application views and filters, and from all Host Insights widgets.

Platforms

The name and version of the operating system affected by this CVE.

Severity

The severity level (Critical, High, Medium, or Low) of the CVE as ranked in the NIST database.

Severity score

The CVE severity score is based on the NIST Common Vulnerability Scoring System (CVSS). Click the score to see the full CVSS description.

You can perform the following actions from Cortex XDR as you analyze the existing vulnerabilities:

  • View CVE details—Left-click the CVE to view in-depth details about it on a panel that appears on the right. Use the in-panel links as needed.

  • View a complete list of all endpoints in your network that are impacted by a CVE—Right-click the CVE and then select View affected endpoints.

  • Learn more about the applications in your network that are impacted by a CVE—Right-click the CVE and then select View applications.

  • Exclude irrelevant CVEs from your endpoints and applications analysis—Right-click the CVE and then select Exclude. You can add a comment if needed, as well as Report CVE as incorrect for further analysis and investigation by Palo Alto Networks. The CVE is grayed out and labeled Excluded and no longer appears on the Endpoints and Applications views in Vulnerability Assessment, or in the Host Insights widgets. To restore the CVE, you can right-click the CVE and Undo exclusion at any time.

    Note

    The CVE will be removed/reinstated to all views, filters, and widgets after the next vulnerability recalculation.

Endpoint Analysis

To help you assess the vulnerability status of an endpoint, Cortex XDR provides a full list of all installed applications and existing CVEs per endpoint and also assigns each endpoint a vulnerability severity score that reflects the highest NIST vulnerability score detected on the endpoint. This information helps you to determine the best course of action for remediating each endpoint. From Add-onsHost InsightsVulnerability Assessment, select Endpoints on the upper-right bar. This information is also available in the va_endpoints dataset. In addition, the host_inventory_endpoints preset lists all endpoints, CVE data, and additional metadata regarding the endpoint information. You can use this dataset and preset to build queries in XQL Search.

For each vulnerability, Cortex XDR displays the following default and optional values:

Value

Description

CVEs

A list of all CVEs that exist on applications that are installed on the endpoint.

Endpoint ID

A unique ID assigned by Cortex XDR that identifies the endpoint.

Endpoint name

The hostname of the endpoint.

Tip

You can click each individual endpoint to view in-depth details about it on a panel that appears on the right.

Last Reported Timestamp

The date and time of the last time the Cortex XDR agent started the process of reporting its application inventory to Cortex XDR .

MAC address

The MAC address associated with the endpoint.

IP address

The IP address associated with the endpoint.

Platform

The name of the platform running on the endpoint.

Severity

The severity level (Critical, High, Medium, or Low) of the CVE is ranked in the NIST database.

Severity score

The CVE severity score based on the NIST Common Vulnerability Scoring System (CVSS). Click the score to see the full CVSS description.

You can perform the following actions from Cortex XDR as you investigate and remediate your endpoints:

  • View endpoint details—Left-click the endpoint to view in-depth details about it on a panel that appears on the right. Use the in-panel links as needed.

  • View a complete list of all applications installed on an endpoint—Right-click the endpoint and then select View installed applications. This list includes the application name, version, and installation path on the endpoint. If an installed application has known vulnerabilities, Cortex XDR also displays the list of CVEs and the highest Severity.

  • (Windows only) Isolate an endpoint from your network—Right-click the endpoint and then select Isolate the endpoint before or during your remediation to allow the Cortex XDR agent to communicate only with Cortex XDR .

  • (Windows only) View a complete list of all KBs installed on an endpoint—Right-click the endpoint and then select View installed KBs. This list includes all the Microsoft Windows patches that were installed on the endpoint and a link to the Microsoft official Knowledge Base (KB) support article. This information is also available in the host_inventory_kbs preset, which you can use to build queries in XQL Search.

  • Retrieve an updated list of applications installed on an endpoint—Right-click the endpoint and then select Rescan endpoint.

Application Analysis

You can assess the vulnerability status of applications in your network using the Host inventory. Cortex XDR compiles an application inventory of all the applications installed in your network by collecting from each Cortex XDR agent the list of installed applications. For each application on the list, you can see the existing CVEs and the vulnerability severity score that reflects the highest NIST vulnerability score detected for the application. Any new application installed on the endpoint will appear in Cortex XDR within 24 hours. Alternatively, you can re-scan the endpoint to retrieve the most updated list.

Note

Starting with macOS 10.15, Mac built-in system applications are not reported by the Cortex XDR agent and are not part of the Cortex XDR Application Inventory.

From Add-onsHost InsightsHost Inventory, select Applications.

  • To view the details of all the endpoints in your network on which an application is installed, right-click the application and select View endpoints.

  • To view in-depth details about the application, left-click the application name.