topic Re: Vulnerability Assessment report in Cortex XDR Discussions

Vulnerability Assessment report

Toppenberg — Thu, 30 May 2024 06:15:54 GMT

Is it possible to create a Vulnerability Assessment base on endpoint with endpoint name, amount of CVE’s, Severity, Severity Score, Last reported Timestamp and Endpoint Type.

Re: Vulnerability Assessment report

aspatil — Thu, 30 May 2024 06:37:04 GMT

Hello @Toppenberg ,

Thank you for reaching out to Live Community.

You can refer to below query as sample:

dataset = va_cves
| fields name, cve_id , severity , severity_score, affected_hosts
|arrayexpand affected_hosts
| join(preset = host_inventory_endpoints | fields endpoint_name, operating_system , endpoint_type, last_report_time )
as ep ep.endpoint_name = affected_hosts

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".

Re: Vulnerability Assessment report

Toppenberg — Thu, 30 May 2024 07:08:37 GMT

Hi Ashutosh,

Thanks for your reply.

But the query that you did send me don't get me the report the way I want it.

What i want to see in the report is:

"Endpoint Name", The number of CVE's that the endpoint is vulnerable for, "Severity", "Severity Score" and "Last Reported Timestamp".

With other words, I want to have a report that give me the same information as when I navigate to:

"Assets" => "Vulnerability Assessment" => and then click on "Endpoints" in the upper corner.

Re: Vulnerability Assessment report

aspatil — Thu, 30 May 2024 07:14:56 GMT

Hello @Toppenberg ,

Please check below:

Re: Vulnerability Assessment report

Toppenberg — Thu, 30 May 2024 07:23:17 GMT

Hi Ashutosh,

Still this is not the way I want the report to be because this way the report will be very long.

The way I want the report to be is like below:

Endpoint, the amount of CVE’s (Total CVE’s), Severity Score (the highes severity score of the CVE), Severity (base on the endpoint)

In advance thanks

Re: Vulnerability Assessment report

aspatil — Thu, 30 May 2024 09:42:24 GMT

Hello @Toppenberg ,

Then you can start with dataset = va_endpoints

Hope that helps.

Re: Vulnerability Assessment report

Toppenberg — Thu, 30 May 2024 11:45:17 GMT

Hi Ashutosh,

So the query will look like this:

dataset = va_endpoints

| fields affected_hosts, severity , severity_score, name

|arrayexpand affected_hosts

| join(preset = host_inventory_endpoints | fields endpoint_name, operating_system , endpoint_type, last_report_time )

as ep ep.endpoint_name = affected_hosts

But than I can not press "Run"

Re: Vulnerability Assessment report

aspatil — Thu, 30 May 2024 11:49:10 GMT

This is not the valid query.

May be you can just run dataset = va_endpoints analyze the output and create your own as per your requirement.

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p/544056