Risk Scoring

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-03-28
Last date published: 2024-04-17
Category: User Guide
Solution: Cloud
Abstract

Learn about Cortex Xpanse risk scores and how they are calculated.

In Cortex Xpanse Expander you can prioritize incidents and quantify your organization's risk trends using risk scoring. By default, Expander assigns a base risk score (called the Xpanse Risk Score) to every incident. Expander calculates this risk score from the threat and exploit intelligence relevant to the CVEs inferred on the service or website related to the incident (based on its active classifications or web technologies). When the alerts change (for example, when an alert is resolved or a new alert is created) or when the underlying risks change, Expander recalculates and updates the risk score.

The Xpanse Risk Score calculation is based on a number of factors, including the following:

  • The EPSS and CVSS scores of the inferred CVEs on the related service or website

  • Whether the inferred CVEs were weaponized or exploited in the wild

  • How recently the inferred CVEs were exploited

  • The presence of these Risk Factors

In addition to the Xpanse Risk Score that is assigned to each incident, you can also create custom risk-scoring rules that adjust the Xpanse Risk Score or manually assign a risk score. These flexible approaches to risk scoring enable you to prioritize incidents based on the specific requirements of your organization. See Customize Risk Scoring for instructions on how to enable or disable Xpanse Risk Scoring, how to create or edit custom User Scoring Rules, or how to manually assign a risk score.

The risk score is displayed on the Incidents page in the Incidents list and in the incident details pane. Click on the score to open the Manage Risk Score dialog box, where you can view the User Scoring Rules for this incident or set the risk score manually.

[Figure: risk-score.png]

By default, the incident list is sorted by risk score, and you can also filter incidents on risk score.

Incident Risk Details

Expander provides detailed information about the risks associated with an incident on the Risk tab of the incident details pane. The Risk Details section includes information about the top three inferred CVEs impacting the risk score and a listing of the Risk Factors associated with the alerts in the incident.

[Figure: risk-details.png]

The following table explains the information about inferred CVEs that is used in calculating the risk score.

CVE Information | Description

CVE Confidence

Cortex Xpanse categorizes inferred CVE matches as High or Medium confidence based on the version information that is available from the service and from the National Vulnerability Database (NVD).

  • High—Precise version information is available both from the service and from NVD, and the two match exactly.

  • Medium—Part of the version information from the service matches the NVD entry for the CVE, but the version information from the service has additional characters.

For more information about how Expander defines inferred CVEs and the confidence levels around them, see Inferred CVEs.

Exploit Maturity

  • Proof of Concept (PoC)—An exploit that may not actually cause harm, but is distributed to demonstrate security weaknesses.

  • Weaponized—An exploit that is explicitly malicious (such as when the exploit is contained within malware) or has been reported as exploited in the wild, or works consistently against all or most targets.

  • None—No known PoC or weaponized malware.

Exploited in Wild

A value of Yes indicates that one of the following conditions has been met:

  • Named threat actors or known APT groups have been publicly reported to have exploited the vulnerability in the wild.

  • CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, the authoritative source of vulnerabilities that have been exploited in the wild.

  • The vulnerability is listed in Google Project Zero's 0day In-The-Wild (ITW) list.

CVSS

The Common Vulnerability Scoring System (CVSS) score indicates the severity of a security vulnerability with a value between 0 and 10.

EPSS Score

The Exploit Prediction Scoring System (EPSS) score indicates the likelihood that a vulnerability will be exploited in the wild. Possible values are between 0% and 100%; the higher the score, the greater the probability that the vulnerability will be exploited.

Recent Reported Exploit Date

The date when the vulnerability was first known to be exploited in the wild or when it was added to the CISA KEV catalog.
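The following Python script is an added example, not Cortex Xpanse code, that shows how a triage tool could consume the fields described in this table (CVE Confidence, Exploit Maturity, Exploited in Wild, CVSS, EPSS, Recent Reported Exploit Date) and the factors listed at the top of the page. The confidence rule mirrors the High/Medium definitions above; the point weighting in priority_score is a constructed heuristic for illustration and is not the Xpanse Risk Score formula. All CVE identifiers, version strings and intelligence sets are constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# ---- CVE Confidence: High when versions match exactly, Medium when the
# ---- service string carries additional characters beyond the NVD version.

def _version_tokens(version: str) -> list:
    """Split a version string into alphanumeric components, e.g. '2.4.1-ubuntu3' -> ['2','4','1','ubuntu3']."""
    return [t for t in re.split(r"[^0-9a-z]+", version.strip().lower()) if t]

def cve_confidence(service_version: str, nvd_version: str) -> Optional[str]:
    """Component-wise comparison so that '2.41' is NOT treated as a partial match of '2.4'."""
    svc, nvd = _version_tokens(service_version), _version_tokens(nvd_version)
    if not svc or not nvd:
        return None                      # no usable version information: do not infer the CVE
    if svc == nvd:
        return "High"
    if svc[: len(nvd)] == nvd:
        return "Medium"                  # NVD version matches, service adds a suffix
    return None

# ---- Exploited in Wild: Yes when any of the three sources in the table names the CVE.

def exploited_in_wild(cve_id: str, kev: set, project_zero_itw: set, actor_reports: set) -> bool:
    return cve_id in kev or cve_id in project_zero_itw or cve_id in actor_reports

@dataclass
class InferredCVE:
    cve_id: str
    cvss: float                          # 0-10
    epss: float                          # probability 0-1, displayed as 0-100%
    exploit_maturity: str                # "None", "Proof of Concept" or "Weaponized"
    exploited_in_wild: bool
    recent_exploit_date: Optional[date]  # first known ITW exploitation or KEV addition

MATURITY_POINTS = {"None": 0, "Proof of Concept": 10, "Weaponized": 20}

def priority_score(cve: InferredCVE, today: date) -> float:
    """Constructed heuristic (assumption, not the Xpanse formula) combining the page's factors:
    CVSS and EPSS, exploit maturity, exploitation in the wild and how recent that was."""
    score = 0.4 * (cve.cvss * 10)        # CVSS scaled to 0-100
    score += 0.3 * (cve.epss * 100)      # EPSS as a percentage
    score += MATURITY_POINTS[cve.exploit_maturity]
    if cve.exploited_in_wild:
        score += 10
        if cve.recent_exploit_date and (today - cve.recent_exploit_date).days <= 90:
            score += 10                  # recently exploited: bump further
    return round(min(score, 100.0), 1)

# ---- Constructed sample intelligence and inferred CVEs (placeholders, not real data).
TODAY = date(2024, 4, 17)
KEV = {"CVE-0000-0001"}
PROJECT_ZERO_ITW = set()
ACTOR_REPORTS = {"CVE-0000-0001"}

SAMPLE_CVES = [
    InferredCVE("CVE-0000-0001", 7.5, 0.60, "Weaponized",
                exploited_in_wild("CVE-0000-0001", KEV, PROJECT_ZERO_ITW, ACTOR_REPORTS),
                date(2024, 3, 1)),
    InferredCVE("CVE-0000-0002", 9.8, 0.02, "None",
                exploited_in_wild("CVE-0000-0002", KEV, PROJECT_ZERO_ITW, ACTOR_REPORTS),
                None),
    InferredCVE("CVE-0000-0003", 5.3, 0.10, "Proof of Concept",
                exploited_in_wild("CVE-0000-0003", KEV, PROJECT_ZERO_ITW, ACTOR_REPORTS),
                None),
]

def top_cves(cves=SAMPLE_CVES, today=TODAY, n=3) -> list:
    """Return the n highest-priority CVEs as (cve_id, score), like the Risk Details 'top three' listing."""
    ranked = sorted(((c.cve_id, priority_score(c, today)) for c in cves), key=lambda p: -p[1])
    return ranked[:n]

if __name__ == "__main__":
    print(cve_confidence("2.4.1-ubuntu3", "2.4.1"))  # Medium
    for cve_id, score in top_cves():
        print(f"{cve_id}: {score}")
```

Note that the weaponized, recently exploited CVE with a CVSS of 7.5 outranks the CVSS 9.8 CVE that has no exploit and a 2% EPSS, which is the prioritization behaviour the factors at the top of this page are designed to produce.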

For more information about the risk factors that contribute to the risk score for an incident, see Risk Factors.