https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-host-insight-vulnerability-assessment-average-severity/m-p/1222051#M7966 <P>Hi,</P> <P>&nbsp;</P> <P>Thanks for joining Live Community.</P> <P>&nbsp;</P> <P>You can try using the va_endpoint and va_cves datasets, and then filter as you need.</P> <P>&nbsp;</P> <P>Example below short query:</P> <P>&nbsp;</P> <P>|dataset = va_endpoints <BR />| fields cves, endpoint_name, os_type, severity</P> <P>&nbsp;</P> <P>If you need information on XQL, you can review below:</P> <P>&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL</A></P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XQL-Schema-Reference-Guide/Introduction" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XQL-Schema-Reference-Guide/Introduction</A></P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p/544056" target="_blank">LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056</A></P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-xql-use-cases-and-applications-crash-course/ta-p/544228" target="_blank">LIVEcommunity - Cortex XDR XQL Use Cases and Applications Crash Course - LIVEcommunity - 544228</A></P> <P>&nbsp;</P> <P>If this post solves your inquiry, please mark As Solution.</P> Wed, 26 Feb 2025 18:55:51 GMT mavega 2025-02-26T18:55:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-host-insight-vulnerability-assessment-average-severity/m-p/1221968#M7961 <P>trying to find XQL query that will take all of our severity scores and give us a average and send that to report. I cant seem find the dataset&nbsp;</P> <P>Not very good with XQL at this time. maybe someone from the community can help</P> <P>dataset = host_inventory <BR />| filter 0 is not null and array_length(vulnerabilities) &gt; 0&nbsp;<BR />| alter vulnerability_scores = array_map(vulnerabilities, vulnerability -&gt; case(<BR />vulnerability.severity == "Critical", 10,<BR />vulnerability.severity == "High", 7,<BR />vulnerability.severity == "Medium", 5,<BR />vulnerability.severity == "Low", 2,<BR />vulnerability.cvss_score, vulnerability.cvss_score,&nbsp;<BR />0 // Default if severity is unknown<BR />))<BR />| alter average_severity_score = array_avg(vulnerability_scores)<BR />| fields host_name, average_severity_score, timestamp<BR />| sort timestamp desc</P> Wed, 26 Feb 2025 01:00:28 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-host-insight-vulnerability-assessment-average-severity/m-p/1221968#M7961 TCoffey2 2025-02-26T01:00:28Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-host-insight-vulnerability-assessment-average-severity/m-p/1222051#M7966 <P>Hi,</P> <P>&nbsp;</P> <P>Thanks for joining Live Community.</P> <P>&nbsp;</P> <P>You can try using the va_endpoint and va_cves datasets, and then filter as you need.</P> <P>&nbsp;</P> <P>Example below short query:</P> <P>&nbsp;</P> <P>|dataset = va_endpoints <BR />| fields cves, endpoint_name, os_type, severity</P> <P>&nbsp;</P> <P>If you need information on XQL, you can review below:</P> <P>&nbsp;</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL</A></P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XQL-Schema-Reference-Guide/Introduction" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XQL-Schema-Reference-Guide/Introduction</A></P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p/544056" target="_blank">LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056</A></P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-xql-use-cases-and-applications-crash-course/ta-p/544228" target="_blank">LIVEcommunity - Cortex XDR XQL Use Cases and Applications Crash Course - LIVEcommunity - 544228</A></P> <P>&nbsp;</P> <P>If this post solves your inquiry, please mark As Solution.</P> Wed, 26 Feb 2025 18:55:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-host-insight-vulnerability-assessment-average-severity/m-p/1222051#M7966 mavega 2025-02-26T18:55:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-host-insight-vulnerability-assessment-average-severity/m-p/1222133#M7969 <P>Hello,</P> <P>&nbsp;</P> <P>Below query gives you the average by Endpoint name</P> <P>dataset = va_endpoints <BR />| filter cves != null<BR />| fields cves , endpoint_name , severity , severity_score<BR />| comp avg(severity_score) as Average_Severity_Score by endpoint_name</P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.</SPAN></P> Thu, 27 Feb 2025 06:05:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-host-insight-vulnerability-assessment-average-severity/m-p/1222133#M7969 aspatil 2025-02-27T06:05:14Z