Learn about Cortex Xpanse risk scores and how they are calculated.
In Cortex Xpanse Expander you can prioritize incidents and quantify your organization's risk trends using risk scoring. By default, Expander assigns a base risk score (called the Xpanse Risk Score) to every incident. Expander calculates this risk score using the threat and exploit intelligence relevant to the CVEs on the related service or website (based on active classifications or web technologies) for an incident. When the alerts change (for example, if an alert is resolved or a new alert is created) or if the underlying risks change, Expander recalculates and updates the risk score.
The Xpanse Risk Score calculation is based on a number of factors, including the following:
The EPSS and CVSS scores of the inferred CVEs on the related service or website
Whether the inferred CVEs were weaponized or exploited in the wild
How recently the inferred CVEs were exploited
The presence of these Risk Factors
Attack surface test results—"Confirmed Vulnerable" attack surface test results associated with an incident increase the risk score. Negative attack surface test results on one or more alerts associated with an incident are removed from the calculation of an incident's risk.
In addition to the Xpanse Risk Score that is assigned to each incident, you can also create custom risk-scoring rules that adjust the Xpanse Risk Score or manually assign a risk score. These flexible approaches to risk scoring enable you to prioritize incidents based on the specific requirements of your organization. See Customize Risk Scoring for instructions on how to enable or disable Xpanse Risk Scoring, how to create or edit custom User Scoring Rules, or how to manually assign a risk score.
The risk score is displayed on the Incidents page in the Incidents list and in the incident details pane. Click on the score to open the Manage Risk Score dialog box, where you can view the User Scoring Rules for this incident or set the risk score manually.
By default, the incident list is sorted by risk score, and you can also filter incidents on risk score.
Risk score color coding
The color of the risk score indicates the risk score range to help you identify incident risk at a glance.
Color | Risk Score Range |
---|---|
Dark red | More than 650 |
Red | 501 to 650 |
Orange | 251 to 500 |
Blue | 1 to 250 |
Gray | 0 |
Incident Risk Details
Expander provides detailed information about the risks associated with an incident on the Risk tab of the incident details pane. The Risk Details section includes information about the top three inferred CVEs impacting the risk score and a listing of the Risk Factors associated with the alerts in the incident.
The following table explains the information about inferred CVEs that is used in calculating the risk score.
CVE Information | Description |
---|---|
CVE Confidence | Cortex Xpanse categorizes inferred CVE matches as High or Medium confidence based on the version information that is available on the service and from the National Vulnerability Database (NVD). For more information about how Expander defines inferred CVEs and levels of confidence around CVEs, see Inferred CVEs. |
Exploit Maturity | |
Exploited in Wild | A value of Yes indicates that one of the following conditions has been met: |
CVSS | The Common Vulnerability Scoring System (CVSS) score indicates the severity of a security vulnerability with a value between 0 and 10. |
EPSS Score | The Exploit Prediction Scoring System (EPSS) score indicates the likelihood that a vulnerability will be exploited in the wild. Possible values are between 0% and 100%, and the higher the score, the greater the probability that a vulnerability will be exploited. |
Recent Reported Exploit Date | The date when the vulnerability was first known to be exploited in the wild or when it was added to the CISA KEV catalog. |
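The following script is an added illustration, not Cortex Xpanse's own scoring code, of how the inputs described on this page (the per-CVE fields in the table above, the Risk Factors, attack surface test results, User Scoring Rules and manual assignment) can be combined to rank incidents and bucket them into the documented color ranges. The weights, the "top three CVEs" aggregation, the placeholder CVE ids and risk factor names, the `tags` field and the sample rule are all assumptions made for the example; only the color thresholds and the handling of "Confirmed Vulnerable" and negative test results come from the page.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Optional

# Illustrative model (added example): the weights below are assumptions,
# not the Xpanse Risk Score formula. Only the color ranges and the treatment
# of attack surface test results follow the documentation.


@dataclass
class InferredCVE:
    cve_id: str                       # placeholder ids in the sample below
    confidence: str                   # "High" or "Medium" (CVE Confidence)
    cvss: float                       # CVSS base score, 0-10
    epss: float                       # EPSS score as a percentage, 0-100
    exploited_in_wild: bool
    recent_exploit_date: Optional[date] = None   # Recent Reported Exploit Date


@dataclass
class Alert:
    alert_id: str
    cves: list[InferredCVE] = field(default_factory=list)
    risk_factors: list[str] = field(default_factory=list)
    attack_surface_test: Optional[str] = None    # "Confirmed Vulnerable", "Negative" or None
    tags: list[str] = field(default_factory=list)  # assumed asset tags used by user rules


# A user scoring rule: (rule name, score delta, predicate over the considered alerts)
UserRule = tuple[str, int, Callable[[list[Alert]], bool]]


def risk_color(score: int) -> str:
    """Map a score to the color ranges given in the documentation."""
    if score > 650:
        return "Dark red"
    if score >= 501:
        return "Red"
    if score >= 251:
        return "Orange"
    if score >= 1:
        return "Blue"
    return "Gray"


def cve_score(cve: InferredCVE, today: date) -> float:
    """Assumed per-CVE weighting of severity, likelihood, exploitation and recency."""
    score = cve.cvss * 30                  # severity contribution, up to 300
    score += cve.epss * 2                  # exploitation likelihood, up to 200
    if cve.exploited_in_wild:
        score += 150
    if cve.recent_exploit_date is not None:
        age_days = (today - cve.recent_exploit_date).days
        if age_days <= 30:                 # exploited very recently
            score += 100
        elif age_days <= 365:
            score += 50
    if cve.confidence == "Medium":         # weaker version match: discount it
        score *= 0.75
    return score


def incident_risk(alerts: list[Alert], today: date, user_rules=(), manual_score=None) -> dict:
    """Compute an illustrative incident score, color and the top three contributing CVEs."""
    if manual_score is not None:           # a manually assigned score replaces the calculation
        return {"score": manual_score, "color": risk_color(manual_score),
                "top_cves": [], "applied_rules": []}
    # Alerts with a negative attack surface test result are removed from the calculation.
    considered = [a for a in alerts if a.attack_surface_test != "Negative"]
    by_id = {c.cve_id: c for a in considered for c in a.cves}   # de-duplicate across alerts
    ranked = sorted(by_id.values(), key=lambda c: cve_score(c, today), reverse=True)[:3]
    scores = [cve_score(c, today) for c in ranked]
    score = scores[0] + 0.25 * sum(scores[1:]) if scores else 0.0   # top CVE dominates
    factors = {f for a in considered for f in a.risk_factors}
    score += 25 * len(factors)             # each distinct Risk Factor adds to the score
    if any(a.attack_surface_test == "Confirmed Vulnerable" for a in considered):
        score += 150                       # confirmed vulnerable test result raises the risk
    applied = []
    for name, delta, applies in user_rules:   # custom User Scoring Rules adjust the base score
        if applies(considered):
            score += delta
            applied.append(name)
    final = max(0, int(round(score)))
    return {"score": final, "color": risk_color(final),
            "top_cves": [c.cve_id for c in ranked], "applied_rules": applied}


def sample_incident():
    """Constructed sample data (placeholder ids), not taken from any real incident."""
    today = date(2024, 6, 1)
    cve_a = InferredCVE("CVE-EXAMPLE-A", "High", 9.8, 90.0, True, date(2024, 5, 15))
    cve_b = InferredCVE("CVE-EXAMPLE-B", "Medium", 7.5, 10.0, False)
    cve_c = InferredCVE("CVE-EXAMPLE-C", "High", 5.3, 1.0, False)
    cve_d = InferredCVE("CVE-EXAMPLE-D", "High", 10.0, 99.0, True, date(2024, 5, 30))
    alerts = [
        Alert("alert-1", [cve_a], ["RISK-FACTOR-EXAMPLE-1"], "Confirmed Vulnerable"),
        Alert("alert-2", [cve_b, cve_c], ["RISK-FACTOR-EXAMPLE-2"], None, ["staging"]),
        Alert("alert-3", [cve_d], [], "Negative"),   # negative test: dropped from the calculation
    ]
    rules: list[UserRule] = [
        ("Deprioritize staging assets", -400, lambda xs: any("staging" in a.tags for a in xs)),
    ]
    return alerts, today, rules


if __name__ == "__main__":
    alerts, today, rules = sample_incident()
    print(incident_risk(alerts, today))          # base score only
    print(incident_risk(alerts, today, rules))   # with the custom rule applied
    print(incident_risk(alerts, today, manual_score=0))   # manual override
```

Running it shows the effect of each input the page describes: the alert with a negative test result contributes nothing even though its CVE would otherwise rank first, the confirmed-vulnerable result and the Risk Factors push the base score into the Dark red range, the custom rule pulls it down into Red, and a manually assigned score bypasses the calculation entirely.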
For more information about the risk factors that contribute to the risk score for an incident, see Risk Factors.