https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/vulnerability-assessment-how-does-it-work/m-p/579259#M6247 <P>Dear&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/311763">@RemiLiquete</a>&nbsp;,</P> <P>&nbsp;</P> <P>&nbsp;Hope you are doing well, and thank you for reaching out to our Live Community. From the above query I do understand that you have some queries in relation to the Vulnerability Assessment feature available with cortex XDR.&nbsp;</P> <P>&nbsp;</P> <P>Please note that for Windows OS,&nbsp;<SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;</SPAN>lists only CVEs relating to the operating system, and not CVEs relating to applications provided by other vendors.&nbsp;<SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;</SPAN>retrieves the latest data for each CVE from the NIST National Vulnerability Database as well as from the Microsoft Security Response Center (MSRC). However,&nbsp;<SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;</SPAN>collects KB and application information from the agents but calculates CVE only for KBs based on the data collected from MSRC and other sources.</P> <P>&nbsp;</P> <P>Also, please note for endpoints running Windows Insider,<SPAN>&nbsp;</SPAN><SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;</SPAN>cannot guarantee an accurate CVE assessment.</P> <P>&nbsp;</P> <P>To add to your point, please note that you are right when it comes to&nbsp;<SPAN>VA looking for application version and not application build numbers. This is one of the limitation of this feature. All this and more information can also be found on the documentation I have provided below, thank you:&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Vulnerability-Assessment?tocId=Hp_9TFhScGCnppEnCHawXA" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Vulnerability-Assessment?tocId=Hp_9TFhScGCnppEnCHawXA</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you. <BR /></SPAN></P> Tue, 05 Mar 2024 07:18:25 GMT abdrahman 2024-03-05T07:18:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/vulnerability-assessment-how-does-it-work/m-p/578621#M6187 <P>Hello,</P> <P>&nbsp;</P> <P>I'm trying to figure out how the vulnerability assessment (VA) feature works since I've got so many false positives.</P> <P>I've check the documentation but it's not clear enough for me.</P> <P>&nbsp;</P> <P>For Windows, does VA looking for installed KB? If the KB is not found, does it show up CVEs linked to this KB? What if the KB is included in another one?</P> <P>Or is it looking for the build number?</P> <P>&nbsp;</P> <P>For Linux, I've undestood VA is only looking for application version and not application build numbers. So, if an application X with a version 4.3.21 is vulnerable and the server has installed 4.3.22 (which is not vulnerable), the server will appears vulnerable because VA will only see 4.3?</P> <P>&nbsp;</P> <P>Regards,</P> <P>Rémi.</P> Wed, 28 Feb 2024 10:29:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/vulnerability-assessment-how-does-it-work/m-p/578621#M6187 RemiLiquete 2024-02-28T10:29:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/vulnerability-assessment-how-does-it-work/m-p/579259#M6247 <P>Dear&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/311763">@RemiLiquete</a>&nbsp;,</P> <P>&nbsp;</P> <P>&nbsp;Hope you are doing well, and thank you for reaching out to our Live Community. From the above query I do understand that you have some queries in relation to the Vulnerability Assessment feature available with cortex XDR.&nbsp;</P> <P>&nbsp;</P> <P>Please note that for Windows OS,&nbsp;<SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;</SPAN>lists only CVEs relating to the operating system, and not CVEs relating to applications provided by other vendors.&nbsp;<SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;</SPAN>retrieves the latest data for each CVE from the NIST National Vulnerability Database as well as from the Microsoft Security Response Center (MSRC). However,&nbsp;<SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;</SPAN>collects KB and application information from the agents but calculates CVE only for KBs based on the data collected from MSRC and other sources.</P> <P>&nbsp;</P> <P>Also, please note for endpoints running Windows Insider,<SPAN>&nbsp;</SPAN><SPAN class="phrase">Cortex XDR</SPAN><SPAN>&nbsp;</SPAN>cannot guarantee an accurate CVE assessment.</P> <P>&nbsp;</P> <P>To add to your point, please note that you are right when it comes to&nbsp;<SPAN>VA looking for application version and not application build numbers. This is one of the limitation of this feature. All this and more information can also be found on the documentation I have provided below, thank you:&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Vulnerability-Assessment?tocId=Hp_9TFhScGCnppEnCHawXA" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Vulnerability-Assessment?tocId=Hp_9TFhScGCnppEnCHawXA</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you. <BR /></SPAN></P> Tue, 05 Mar 2024 07:18:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/vulnerability-assessment-how-does-it-work/m-p/579259#M6247 abdrahman 2024-03-05T07:18:25Z