Vulnerability policies - A vulnerability policy defines the action you want to take for a specific set of vulnerability findings. - Administrator Guide - Cortex XSIAM - Cortex

Vulnerability policies - A vulnerability policy defines the action you want to take for a specific set of vulnerability findings. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-04

Category

Administrator Guide

Abstract

A vulnerability policy defines the action you want to take for a specific set of vulnerability findings.

A vulnerability policy defines the action you want to take for a specific set of vulnerability findings that match your policy criteria. Cortex XSIAM provides a set of predefined vulnerability policies based on CVSS severity, EPSS severity, and vulnerabilities confirmed through Attack Surface Testing. You can also create custom policies based on your unique business requirements. Custom policies allow you to focus on the risks that matter most to your organization. Some examples of custom vulnerability policies include the following:

A policy that creates issues with a severity of critical for findings that have a CVSS score of 9 or more
A policy that creates issues with a severity of low for findings that appear on dev servers
A policy that specifies not to create issues for findings on assets in the asset group Leased to customers
A policy which creates issues with a severity of critical for vulnerabilities that appear on the CISA KEV list and are in the asset group called Production Servers, regardless of CVSS score.
A policy that prevents an image that contains code with a CVE with an EPSS score greater than 90% from being deployed to the Kubernetes cluster

Each time a new vulnerability finding is discovered, the system compares that finding to your vulnerability policies to determine whether one of the policies is a match. Vulnerability policies have an evaluation order, which means the system starts by evaluating the finding against the first policy. If it does not match, the second policy is evaluated for a match. As soon as a finding matches a policy, no further policies are evaluated for that finding.

The following sections describe the elements that make up a vulnerability policy:

Policy conditions and scope

Vulnerability policy conditions and scope define the specific set of findings that a policy applies to. You define the conditions by configuring a filter with criteria for including and excluding findings. You define scope by creating one or more Asset Groups and adding assets to those groups in the Assets view. Once the Asset Groups are created you may select one or more of them in the policy creation process, this will limit the scope of that policy to only the assets in the chosen asset groups.

Policy actions

Policy actions are the actions the policy will perform automatically on vulnerability findings that match the policy conditions and scope. There are two types of policy actions, issue creation and prevention.

Prevention actions prevent vulnerabilities from being introduced into your systems by failing a build or blocking deployment. Available actions are described in the table below.

Type of prevention action	Action	Description
Kubernetes pod actions	Block new deployments	New deployments are blocked by the Kubernetes Admission Controller when vulnerabilities matching the policy conditions are detected in an image. This requires that the agent be installed and activated.
Kubernetes pod actions	Do nothing	No action will be taken for matching findings on Kubernetes clusters with Kubernetes Admission Controller activated.
Build actions	Fail the build	Fails the build in your CI/CD system when an attempt is made to check in code that includes a vulnerability that matches the policy conditions. This requires that the agent be installed and activated on your CI/CD system.
Build actions	Do nothing	No action will be taken for matching findings from code repository assets where the agent is activated.

Policy order

The order of policies in the policy list is important. Policies are executed in order from top to bottom, and the first policy that matches a finding determines the action on that finding. After that first match, no other policies are evaluated. We recommend placing your most important and most specific policies toward the top of the list and wider-reaching, more generic policies towards the bottom of the policy list.

Policy 0 is the Globally Ignored CVEs, Assets, and Asset Groups policy. It includes a list of CVEs and assets for which Cortex XSIAM will not create vulnerability issues. You can update the Globally Ignored CVEs, Assets, and Asset Groups policy by adding or removing CVEs, asset groups, and assets, but you cannot move the policy down list to change order.