Exposure Management Command Center - Administrator Guide - Cortex XSIAM - Cortex

Exposure Management Command Center - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-11

Category

Administrator Guide

The Exposure Management Command Center dashboard provides a dynamic, overall view of your exposure management operation with visualizations, key performance indicators, and actionable data that is useful to both executives and vulnerability management teams.

You can click on many elements in the command center to drill down to more focused dashboards or pages displaying data that is filtered by your selection.

The table below describes each section of the visualization, from left to right.

Section	Description
Sources	Each vulnerability data source is displayed along with number of vulnerabilities findings. Click on this section to open the Source Coverage and Optimization page, which displays details about the overlap in vulnerabilities across the sources.
Vulnerabilities	The total number of vulnerability findings from all sources.
Unique Vulnerabilities	The total number of vulnerability findings after deduplication. Deduplication removes duplicate findings, which are defined as findings for the same CVE on the same asset. Click on Unique Vulnerabilities to display the Prioritization page, which shows how findings are deduplicated, prioritized, and grouped into cases.
Cases	The number of cases created after the system has prioritized the findings, created vulnerability issues, and groups the issues into cases. Vulnerability issues are grouped into cases based on the fix for resolving the vulnerability. Issues with the same fix are grouped together into a single case.
Active Cases	Number of active cases, broken down into the following categories: Require Attention: Cases with the status New. In Progress: Cases with the status In Progress Click on any of these Active Cases categories to display the list of cases along with case details, status, and recommended actions.
Resolved Cases	Total number of resolved cases, number of resolved cases by severity, and resolved cases broken down into the following categories: Resolved: Cases with any Resolved status except Accepted Risk. Accepted Risk: Cases with the status Resolved - Accepted Risk. Click on either of these Resolved Cases categories to display the list of cases along with case details, status, and additional information.

The following table explains the data points displayed along the bottom of the Exposure Management Command Center.

Data Point	Description
Vulnerable Assets	Number of assets with one or more active vulnerability issues.
Active Cases	Number of cases in an active status, broken down by case severity.
Mean Time to Resolve	Mean of the creation date to the date when the case was assigned a terminal closed status, broken down by case severity.

The following sections describe the focused dashboards that appear when clicking on specific elements in the command center.

The Source Coverage & Optimization page shows a breakdown of the vulnerability findings from each source and the overlap in findings between third-party sources and Palo Alto Networks sources. The data and and visualizations on this page show you which of your sources are most effective and help determine if you can consolidate vulnerability tools.

Section	Description
Vulnerabilities Before Deduplication	Total number of vulnerability findings from all sources before deduplication.
Overlap with <source>	Highest amount of vulnerability overlap between Palo Alto Networks sources and a third-party product. The label HIGH indicates a greater than 30% overlap between the Palo Alto Networks and this third-party vendor.
Findings bar	Number of vulnerability findings from Palo Alto Network sources, not deduplicated. Hover over the different sections of the bar to see the breakdown of findings come from each Palo Alto Networks source.
Overlap	List of third-party sources and the number of vulnerability findings from each source that overlap with Palo Alto Networks sources.
Findings	Total number of vulnerability findings from each third-party source.

The Prioritization page breaks down how Cortex XSIAM starts with the total number of raw vulnerability findings in your environment and deduplicates, prioritizes, and consolidates them into a manageable number of cases that require attention. Percentages that appear next to some values indicate the change over the last 30 days. The table below explains each part of visualization, from left to right.

Section	Description
Vulnerabilities	The total number of vulnerability findings across all sources.
Duplicative Findings	Number of duplicate findings that were eliminated. Duplicate findings are findings for the same CVE on the same asset.
Unique Vulnerabilities	The number of vulnerability findings after deduplication.
Not Internet Exposed Low Business Impact No Known Public Exploits Low and Medium CVSS Base Score Deprioritized by Policy	These are the low-priority findings that did not result in the creation of an issue. The reason for deprioritization is provided along with the count. Not Internet Exposed: ASM and CNA data indicates that these vulnerabilities are not exposed to the internet. Low Business Impact: The asset group for the vulnerability is dev, test, internal, or low business criticality. No Known Public Exploits: These vulnerabiliities have an EPSS score less than 80% or other public data indicating the vulnerability hasn't been exploited. Low and Medium CVSS Base Score: CVSS severity is Low or Medium. Deprioritized by Policy: These vulnerabilities were deprioritized by custom policies created by your organization. Typically this is any policy that specifies not to create an issue for a specific type of vulnerability.
Open Issues	The number of open vulnerability issues.
Issues Consolidated into Cases	Number of issues that were consolidated into open cases. Issues are grouped together into cases based on whether they share the same fix.
Cases	Total number of vulnerability cases after vulnerability issues were grouped into cases.
Require Attention	Number of cases with the status New. Click to pivot to a filtered view of the cases that includes detailed information to help you investigate and remediate each case.
In Progress	Number of cases with the status In Progress. Click to pivot to a filtered view of the cases that includes detailed information to help you investigate and remediate each case.
Resolved	Number of cases with the status Closed - Remediated or Closed - No Longer Observed.
Accepted Risk	Number of cases with the status Accepted Risk.