Vulnerability Assessment report

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Vulnerability Assessment report

L1 Bithead

Is it possible to create a Vulnerability Assessment base on endpoint with endpoint name, amount of CVE’s, Severity, Severity Score, Last reported Timestamp and Endpoint Type.

1 accepted solution

Accepted Solutions

This is not the valid query.

 

May be you can just run dataset = va_endpoints analyze the output and create your own as per your requirement.

 

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p...

Ashutosh Patil

View solution in original post

7 REPLIES 7

L5 Sessionator

Hello @Toppenberg ,

 

Thank you for reaching out to Live Community.

You can refer to below query as sample:

dataset = va_cves
| fields name, cve_id , severity , severity_score, affected_hosts
|arrayexpand affected_hosts
| join(preset = host_inventory_endpoints | fields endpoint_name, operating_system , endpoint_type, last_report_time )
as ep ep.endpoint_name = affected_hosts

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".

Ashutosh Patil

L1 Bithead

Hi Ashutosh,

 

Thanks for your reply.

 

But the query that you did send me don't get me the report the way I want it.

What i want to see in the report is:

"Endpoint Name", The number of CVE's that the endpoint is vulnerable for, "Severity", "Severity Score" and "Last Reported Timestamp".

 

With other words, I want to have a report that give me the same information as when I navigate to:

"Assets" => "Vulnerability Assessment" => and then click on "Endpoints" in the upper corner.

L5 Sessionator

Hello @Toppenberg ,

 

Please check below:

dataset = va_cves
| fields name, cve_id , severity , severity_score, affected_hosts
|arrayexpand affected_hosts
| join(preset = host_inventory_endpoints | fields endpoint_name, operating_system , endpoint_type, last_report_time )
as ep ep.endpoint_name = affected_hosts
|comp count(name ) as Total_cve by endpoint_name , severity , severity_score , last_report_time

Ashutosh Patil

L1 Bithead

Hi Ashutosh,

 

Still this is not the way I want the report to be because this way the report will be very long.

The way I want the report to be is like below:

 

Endpoint, the amount of CVE’s (Total CVE’s), Severity Score (the highes severity score of the CVE), Severity (base on the endpoint)

 

In advance thanks

L5 Sessionator

Hello @Toppenberg ,

 

Then you can start with dataset = va_endpoints

 

Hope that helps.

Ashutosh Patil

L1 Bithead

Hi Ashutosh,

 

So the query will look like this:

 

dataset = va_endpoints

| fields affected_hosts, severity , severity_score, name

|arrayexpand affected_hosts

| join(preset = host_inventory_endpoints | fields endpoint_name, operating_system , endpoint_type, last_report_time )

as ep ep.endpoint_name = affected_hosts

 

But than I can not press "Run"

This is not the valid query.

 

May be you can just run dataset = va_endpoints analyze the output and create your own as per your requirement.

 

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-basic-xql-crash-course/ta-p...

Ashutosh Patil
  • 1 accepted solution
  • 1540 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!