Vulnerability Assessment Applications / host insights addon

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Vulnerability Assessment Applications / host insights addon

L3 Networker

Hello dear community! 

 

From my perspective, this documentation brings more questions, than answers. 

 

There is written cortex does not collect CVEs for Applications. 

 

"

  • Cortex 
    XDR lists only CVEs relating to the operating system, and not CVEs relating to applications provided by other vendors.
    "
    Then its written
     
    Cortex

     

    XDR

     calculates CVEs for applications according to the application version, and not according to application build numbers.

    "

    And 

     

    "A list of all CVEs that exist on applications that are installed on the endpoint

    "

    So what is right now? 

     

    CVEs For Applications or only CVEs for OS?

    There are also in the gui some hints for applications but I never found a CVE related to Applications. 

    https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/endpoint-security/hardened-...

     

    Please help me to understand what is right or wrong!

     

    BR 

     

    Rob 

     

     

1 accepted solution

Accepted Solutions

Hi @Cyber1985 ,

 

We assure you, it is in the works. As you know there are gazillions of applications in Windows world to assess and research and hence we have an intensive R&D already going on around it. I do not have a definite date for the same, but it is in future consideration to be derived in.

 

Hope that answers your question! Please mark "Accept as Solution" if it does.

 

Regards.

View solution in original post

12 REPLIES 12

L5 Sessionator

Hi @Cyber1985 ,

 

Thank you for writing to live community!

 

As per the documentation, both the statements are correct. 

  1. For Windows and MacOS, we do not do vulnerability assessment for applications and it is limited to OS only
  2. For Linux however, we do vulnerability assessment for both.

Hence the above two statements. As you can see in the documentations the Operating System Platforms are bolded against the statements. Hope that answers your question!

 

Regards.

L3 Networker

Hey @neelrohit

 

Thank you for this clarifiction! From the OS point it is clear now.

Will there be a change in the future to see CVEs for applications on windows? 

 

BR

 

Rob

Hi @Cyber1985 ,

 

We assure you, it is in the works. As you know there are gazillions of applications in Windows world to assess and research and hence we have an intensive R&D already going on around it. I do not have a definite date for the same, but it is in future consideration to be derived in.

 

Hope that answers your question! Please mark "Accept as Solution" if it does.

 

Regards.

I am glad to hear this topic is in progress! 

 

Thank you very much for this good news! 

 

BR

 

Rob

Linux vulnerability reporting on applications does not take into account backporting. I opened a support ticket and was told it was put in as an "improvment"

Applications are reporting vulnerable to old cve's. However they have been patched and the changelog on the server shows the cve fixed via the updated minor version

L1 Bithead

Hello,

Please, will you know how to add/remove applications on cortex xdr (eg. wireshark, etc.) ?

 

Thank you.

Hi @Christshimanga 

 

Regarding your query on how to add/remove applications on cortex xdr (eg. wireshark, etc.). One cannot add/remove applications as this telemetry/data is part of Host Inventory which is a part of the Host Insights Add-On. 

 

However you have an option to "Recalculate" as shared in below screenshot. Normally Cortex XDR agent scans the endpoint every 24 hours for any updates and displays the data found over the last 30 days. But with "Recalculate", you can force data recalculation to retrieve the most updated data.

Note: To collect initial data from all endpoints in your network could take Cortex XDR up to 6 hours.

PiyushKohli_0-1681455872740.png

 

Hope that answers your question! Please mark "Accept as Solution" if it does.

 

Thank You!

L1 Bithead

Hello PiyushKohli,

Once again, Thank you for your response. If I understand these applications reside on the "end users Host machines". In that case, would you then advise (1) I recalculate (2) I delete the application (e.g wireshark) from ALL hosts, servers machines on the network. One can do that? so that I can get ride of "wireshark" from the Host Inventory (and won't be listed as part of the telemetry/data)? is that best way to approach it, or not?

 

Thank you once more....

 

Chris 

Hi @Christshimanga 

 

If your organization Information Security/IT process is not to have that reported application installed on ALL hosts, servers machines on the network for ex Wireshark in this use case, then yes you will have to delete/remove the application from reported Hosts. And once that application is removed from the reported hosts then either you may recalculate or can wait as Cortex XDR agent scans the endpoint every 24 hours.

 

Live Community video on this feature for your reference: https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-host-insights/...

Hope this helps.

 

Thank You

L1 Bithead

Dear PiyushKohli

Great, and many Thanx.

You seem to know well Cortex XDR, happy you have indeed assisted in this regard. Please tell me, maybe my last question, how do you delete/remove such applications (example "wireshark") from all hosts. Since I do not see any feature on my cortex xdr setting to use and remove/delete files. Do I need to write a script?, do you have any reference documents or link you can refer me to? so I can read through and execute? How do I go about removing from any Host/Servers such application for example "wireshark"? and what do I need to be advisable to be carefull NOT to do?

 

Again, Thank you

L1 Bithead

The Top 10 Vulnerable Applications on my dashboard never shows anything. Has anyone been able to confirm that it only supports CVE alerts for OS only and not applications?

Has R&D completed this so that we can see application CVE alerts?

  • 1 accepted solution
  • 6518 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!