Vulnerability Assessment - How does it work?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Vulnerability Assessment - How does it work?

L1 Bithead

Hello,

 

I'm trying to figure out how the vulnerability assessment (VA) feature works since I've got so many false positives.

I've check the documentation but it's not clear enough for me.

 

For Windows, does VA looking for installed KB? If the KB is not found, does it show up CVEs linked to this KB? What if the KB is included in another one?

Or is it looking for the build number?

 

For Linux, I've undestood VA is only looking for application version and not application build numbers. So, if an application X with a version 4.3.21 is vulnerable and the server has installed 4.3.22 (which is not vulnerable), the server will appears vulnerable because VA will only see 4.3?

 

Regards,

Rémi.

1 accepted solution

Accepted Solutions

L3 Networker

Dear @RemiLiquete ,

 

 Hope you are doing well, and thank you for reaching out to our Live Community. From the above query I do understand that you have some queries in relation to the Vulnerability Assessment feature available with cortex XDR. 

 

Please note that for Windows OS, Cortex XDR lists only CVEs relating to the operating system, and not CVEs relating to applications provided by other vendors. Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database as well as from the Microsoft Security Response Center (MSRC). However, Cortex XDR collects KB and application information from the agents but calculates CVE only for KBs based on the data collected from MSRC and other sources.

 

Also, please note for endpoints running Windows Insider, Cortex XDR cannot guarantee an accurate CVE assessment.

 

To add to your point, please note that you are right when it comes to VA looking for application version and not application build numbers. This is one of the limitation of this feature. All this and more information can also be found on the documentation I have provided below, thank you: 

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Vulnerabili...

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

View solution in original post

1 REPLY 1

L3 Networker

Dear @RemiLiquete ,

 

 Hope you are doing well, and thank you for reaching out to our Live Community. From the above query I do understand that you have some queries in relation to the Vulnerability Assessment feature available with cortex XDR. 

 

Please note that for Windows OS, Cortex XDR lists only CVEs relating to the operating system, and not CVEs relating to applications provided by other vendors. Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database as well as from the Microsoft Security Response Center (MSRC). However, Cortex XDR collects KB and application information from the agents but calculates CVE only for KBs based on the data collected from MSRC and other sources.

 

Also, please note for endpoints running Windows Insider, Cortex XDR cannot guarantee an accurate CVE assessment.

 

To add to your point, please note that you are right when it comes to VA looking for application version and not application build numbers. This is one of the limitation of this feature. All this and more information can also be found on the documentation I have provided below, thank you: 

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Vulnerabili...

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

  • 1 accepted solution
  • 271 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!