topic Re: Vulnerability Assessment Applications / host insights addon in Cortex XDR Discussions

Vulnerability Assessment Applications / host insights addon

Cyber1985 — Sat, 29 Oct 2022 21:24:14 GMT

Hello dear community!

From my perspective, this documentation brings more questions, than answers.

There is written cortex does not collect CVEs for Applications.

Cortex
XDR lists only CVEs relating to the operating system, and not CVEs relating to applications provided by other vendors.
"
Then its written

"
Cortex

XDR
calculates CVEs for applications according to the application version, and not according to application build numbers.

"

And

"A list of all CVEs that exist on applications that are installed on the endpoint

"

So what is right now?

CVEs For Applications or only CVEs for OS?

There are also in the gui some hints for applications but I never found a CVE related to Applications.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-endpoint-security/vulnerability-management

Please help me to understand what is right or wrong!

BR

Rob

Re: Vulnerability Assessment Applications / host insights addon

neelrohit — Sat, 29 Oct 2022 22:58:47 GMT

Hi @Cyber1985 ,

Thank you for writing to live community!

As per the documentation, both the statements are correct.

For Windows and MacOS, we do not do vulnerability assessment for applications and it is limited to OS only
For Linux however, we do vulnerability assessment for both.

Hence the above two statements. As you can see in the documentations the Operating System Platforms are bolded against the statements. Hope that answers your question!

Regards.

Re: Vulnerability Assessment Applications / host insights addon

Cyber1985 — Sun, 30 Oct 2022 05:31:13 GMT

Hey @neelrohit,

Thank you for this clarifiction! From the OS point it is clear now.

Will there be a change in the future to see CVEs for applications on windows?

Rob

Re: Vulnerability Assessment Applications / host insights addon

neelrohit — Sun, 30 Oct 2022 08:05:35 GMT

Hi @Cyber1985 ,

We assure you, it is in the works. As you know there are gazillions of applications in Windows world to assess and research and hence we have an intensive R&D already going on around it. I do not have a definite date for the same, but it is in future consideration to be derived in.

Hope that answers your question! Please mark "Accept as Solution" if it does.

Regards.

Re: Vulnerability Assessment Applications / host insights addon

Cyber1985 — Sun, 30 Oct 2022 09:59:22 GMT

I am glad to hear this topic is in progress!

Thank you very much for this good news!

Rob

Re: Vulnerability Assessment Applications / host insights addon

NathanBradley — Mon, 07 Nov 2022 17:05:53 GMT

Linux vulnerability reporting on applications does not take into account backporting. I opened a support ticket and was told it was put in as an "improvment"

Applications are reporting vulnerable to old cve's. However they have been patched and the changelog on the server shows the cve fixed via the updated minor version

Re: Vulnerability Assessment Applications / host insights addon

Christshimanga — Thu, 13 Apr 2023 06:15:36 GMT

Hello,

Please, will you know how to add/remove applications on cortex xdr (eg. wireshark, etc.) ?

Thank you.

Re: Vulnerability Assessment Applications / host insights addon

PiyushKohli — Fri, 14 Apr 2023 07:12:45 GMT

Hi @Christshimanga

Regarding your query on how to add/remove applications on cortex xdr (eg. wireshark, etc.). One cannot add/remove applications as this telemetry/data is part of Host Inventory which is a part of the Host Insights Add-On.

However you have an option to "Recalculate" as shared in below screenshot. Normally Cortex XDR agent scans the endpoint every 24 hours for any updates and displays the data found over the last 30 days. But with "Recalculate", you can force data recalculation to retrieve the most updated data.

Note: To collect initial data from all endpoints in your network could take Cortex XDR up to 6 hours.

Hope that answers your question! Please mark "Accept as Solution" if it does.

Thank You!

Re: Vulnerability Assessment Applications / host insights addon

Christshimanga — Mon, 17 Apr 2023 05:37:47 GMT

Hello PiyushKohli,

Once again, Thank you for your response. If I understand these applications reside on the "end users Host machines". In that case, would you then advise (1) I recalculate (2) I delete the application (e.g wireshark) from ALL hosts, servers machines on the network. One can do that? so that I can get ride of "wireshark" from the Host Inventory (and won't be listed as part of the telemetry/data)? is that best way to approach it, or not?

Thank you once more....

Chris

Re: Vulnerability Assessment Applications / host insights addon

PiyushKohli — Mon, 17 Apr 2023 10:56:38 GMT

Hi @Christshimanga

If your organization Information Security/IT process is not to have that reported application installed on ALL hosts, servers machines on the network for ex Wireshark in this use case, then yes you will have to delete/remove the application from reported Hosts. And once that application is removed from the reported hosts then either you may recalculate or can wait as Cortex XDR agent scans the endpoint every 24 hours.

Live Community video on this feature for your reference: https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-host-insights/ta-p/510599

Hope this helps.

Thank You

Re: Vulnerability Assessment Applications / host insights addon

Christshimanga — Mon, 17 Apr 2023 13:35:06 GMT

Dear PiyushKohli

Great, and many Thanx.

You seem to know well Cortex XDR, happy you have indeed assisted in this regard. Please tell me, maybe my last question, how do you delete/remove such applications (example "wireshark") from all hosts. Since I do not see any feature on my cortex xdr setting to use and remove/delete files. Do I need to write a script?, do you have any reference documents or link you can refer me to? so I can read through and execute? How do I go about removing from any Host/Servers such application for example "wireshark"? and what do I need to be advisable to be carefull NOT to do?

Again, Thank you

Re: Vulnerability Assessment Applications / host insights addon

TDoerr — Tue, 12 Dec 2023 22:20:36 GMT

The Top 10 Vulnerable Applications on my dashboard never shows anything. Has anyone been able to confirm that it only supports CVE alerts for OS only and not applications?

Re: Vulnerability Assessment Applications / host insights addon

TDoerr — Tue, 12 Dec 2023 22:21:13 GMT

Has R&D completed this so that we can see application CVE alerts?