Vulnerability Instances Page
Use the Vulnerability Instances Assets Page to view specific CVEs detected on specific assets.
Click the Assets icon, and from the left pane, under the Exposures category, select Vulnerability Instances.
Vulnerability Instances Assets Page
The fields on the Vulnerability Instances Assets table provide valuable information on the CVEs detected on your assets.
Note
All default and optional Vulnerability Instances fields, explained in the following sections, are also accessible from the Vulnerable Software table in any asset's Profile Page. On this page, go to the left navigation menu, and under Tables, select Vulnerable Software.
Default Fields
- Vuln ID - The identifier of the vulnerability, either the CVE ID number as provided by the NIST National Vulnerability Database (NVD), or a unique ID number provided by the adapter.
- Associated Asset Type - The asset type on which the vulnerability was detected: Device, Database, Compute Image, etc.
- CVSS - Common Vulnerability Scoring System (CVSS), a numeric score used to supply a qualitative measure of severity. The CVSS rating is fetched from the source (v2.0, v3.0, v4.0, etc.).
- CVE Severity - NONE, LOW, MEDIUM, HIGH, CRITICAL, UNTRIAGED, NEGLIGIBLE, INFO, MODERATE, SERIOUS, SEVERE, or URGENT (based on the CVSS rating).
- Preferred Host Name - A clickable field that allows you to navigate to the Profile Page of the asset the vulnerability was detected on. Note that you can also use the Asset Unique ID or Associated Asset ID fields for the same information.
- Preferred First Seen - An aggregated date field that shows the earliest date that a Vulnerability was seen on the asset. Generally, the date represents the first time this vulnerability was fetched, unless there is a date when it was first seen by an adapter.
- Preferred Last Seen - An aggregated date field that shows the latest date that a Vulnerability was seen on the asset. The value of this field depends on the vulnerability's state - Open or Closed.
  - For a Closed vulnerability, the Preferred Last Seen date is either the remediation time reported by the adapter, or, if no remediation time is reported, the last time it was fetched as an Open vulnerability.
  - For an Open vulnerability, the Preferred Last Seen date is the last time it was fetched or reported by an adapter.
- Preferred Age (Days) - The number of days the vulnerability was open. This value is calculated by subtracting the Preferred First Seen date from the Preferred Last Seen date.
Note
The information in the Preferred First Seen, Preferred Last Seen and Preferred Age (Days) fields is provided to allow for MTTR (Mean Time to Remediate) and SLA metrics calculations.
- CVE Impact Score - An evaluation of the "damage level" that might occur if the vulnerability is exploited, according to NIST.
- CVE Exploitability Score - How likely it is that a vulnerability will be exploited according to NIST.
- Mitigated - Whether actions were taken to reduce or eliminate the risk associated with the vulnerability (Yes/No).
Additional fields
The following fields are not default in the Vulnerability Instances table. You can add them by clicking Edit Table > Edit Columns.
- CVE Description - A description of the vulnerability.
- Associated Asset Tags - Any tags assigned to this asset from its Assets page are also displayed in the Vulnerability Instances table.
- Status - A field showing whether the vulnerability is Open or Closed. Note that this field can be populated with additional values fetched from the adapter.
Remediation Tracking Fields
Some vulnerability adapters do not report vulnerabilities after they were remediated. To address this issue and maintain accurate calculation of key metrics such as Time to Remediate (TTR) and SLA, Axonius offers a mechanism to identify when a vulnerability is no longer being reported, indicating potential remediation. This mechanism compares the reported vulnerabilities in the latest discovery cycle with those reported in the previous cycle. When a vulnerability is reported in the previous cycle but is absent from the latest cycle, it is considered potentially remediated. The following fields pertain to tracking and calculating remediation times:
Adapter Fields
- First Seen, Last Seen - The time when an adapter first or last detected the vulnerability.
- Status - Whether the vulnerability is Open or Closed.
- Remediation Time - When the vulnerability was remediated according to information reported by an adapter.
Axonius Fields
- First Fetch Time, Last Fetch Time - The time when an adapter first or last reported the vulnerability to Axonius.
- Axonius Status - The vulnerability status: Open, Closed, or Reopen.
  - A Closed status appears either when this vulnerability was reported closed by an adapter, or when it stopped being reported by an adapter.
  - A Reopen status appears when the vulnerability was reported again by an adapter after a period of time when it was not reported. In this case, the First Fetch Time field value matches the date when it was re-opened. Note that this might also affect the Preferred Age field value.
- Axonius Status Last Update - When the Axonius Status field was last updated, reflecting the most recent status change.
- Axonius Remediation Time - When the status was changed from Open to Closed or from Reopen to Closed. This field is populated only when the Axonius Status field value is Closed.
Notes
The Axonius fields are populated by values from the adapter only if the adapter indeed reported this information. Otherwise, these values are generated by Axonius.
This logic does not apply to manually closed vulnerabilities.
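The cycle-comparison logic described above, as an added example in Python (not Axonius code): it replays constructed discovery cycles and derives the status, fetch times, remediation time and age for each instance. The record layout, function names, asset names and vuln IDs are assumptions made for illustration, and the adapter is assumed to report no first-seen or remediation dates of its own.

```python
from datetime import datetime

def apply_cycle(state, reported, fetch_time):
    """Update tracking state from one discovery cycle.
    state: {(asset, vuln_id): record}; reported: keys the adapter returned."""
    for key in reported:
        rec = state.get(key)
        if rec is None:  # first time this instance is fetched
            rec = state[key] = {"status": "Open", "first_fetch": fetch_time,
                                "status_updated": fetch_time, "remediation_time": None}
        elif rec["status"] == "Closed":
            # Reported again after a gap: Reopen, and First Fetch Time
            # moves to the reopen date, which also resets the age.
            rec.update(status="Reopen", first_fetch=fetch_time,
                       status_updated=fetch_time, remediation_time=None)
        rec["last_fetch"] = fetch_time
    for key, rec in state.items():
        # Seen in an earlier cycle, absent now: treat as potentially remediated.
        if key not in reported and rec["status"] != "Closed":
            rec.update(status="Closed", status_updated=fetch_time,
                       remediation_time=fetch_time)
    return state

def age_days(rec):
    """Last seen minus first seen, using fetch times only (assumption:
    the adapter reports no first-seen or remediation dates of its own)."""
    return (rec["last_fetch"] - rec["first_fetch"]).days

def replay(cycles):
    """Apply each (date, reported keys) cycle in order and return the state."""
    state = {}
    for day, reported in cycles:
        apply_cycle(state, reported, datetime.fromisoformat(day))
    return state

# Constructed sample: four weekly cycles, placeholder asset names and vuln IDs.
A = ("srv-01", "CVE-0000-0001")
B = ("srv-02", "CVE-0000-0002")
CYCLES = [
    ("2024-01-01", {A, B}),
    ("2024-01-08", {A}),      # B stops being reported -> Closed
    ("2024-01-15", {A, B}),   # B reported again -> Reopen
    ("2024-01-22", set()),    # nothing reported -> both Closed
]

if __name__ == "__main__":
    for key, rec in replay(CYCLES).items():
        print(key, rec["status"], age_days(rec), rec["remediation_time"])
```

In the sample, the instance on srv-02 ends with an age of 0 days because the reopen moved its first fetch time, which is the effect on SLA and MTTR figures to watch for when an adapter reports a finding intermittently.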
Vulnerability Instances Queries
Use the Query Wizard to build queries on the Vulnerability Instances page. For example, you can build a simple query that shows only CVEs with a certain range of CVE Impact Score, as demonstrated below.
You can also build relationship queries based on the relationship between a Vulnerability Instance and the asset it was detected on. In the example below, we want to show instances of a specific Vuln ID only on devices that have a Windows OS type:
Excluding Vulnerability Instances
In some cases, remediation of vulnerabilities is either impractical, cost-prohibitive, or involves a false positive. In these cases, you might want to exclude specific vulnerability instances from your reports and management workflows. You can exclude a vulnerability temporarily, for a defined period of time, or permanently. To manage your excluded vulnerabilities, add the following custom fields to the Vulnerability Instances table:
- Excluded - A boolean field marking whether this vulnerability instance is excluded or not.
- Exclusion Type - Temporary or permanent.
- Exclusion Reason - Provide the reason for excluding this vulnerability instance.
- Exclusion Justification (Link) - Provide a link to documentation supporting the exclusion of this vulnerability instance.
- Exclusion Expiration Date - If the exclusion is temporary, enter its expiration date.
To learn about adding custom data fields to assets, see:
- Managing Custom Fields
- Working with Custom Data
- Axonius - Add Custom Data to Assets (from the Enforcement Center)
Vulnerability Instances Profile Page
Click on a Vulnerability Instance row to view its Asset Profile page. The Vulnerability Instances Profile page provides detailed information about the Vulnerability Instance selected. The Vulnerability Instances Profile page is identical to the Assets Profile page with all of its relevant capabilities. Refer to Asset Profile Page to learn more.

