- 27 Nov 2023
- 10 Minutes to read
- Updated on 27 Nov 2023
- 10 Minutes to read
Use the Vulnerability Management Module to see a consolidated view of all the vulnerabilities in the organization, from all sources. The Vulnerabilities page delivers increased visibility into cybersecurity vulnerabilities. It helps security, IT, and risk teams identify vulnerabilities across fleets of devices, enabling them to prioritize vulnerabilities based on asset criticality, potential impact, and recognized threats.
A vulnerability is a software defect that could allow hackers to gain control of a system. Axonius presents vulnerabilities as defined by the Common Vulnerabilities and Exposures (CVE) list. Axonius discovers vulnerabilities by extracting CVE information fetched from adapters.
Some adapters, such as Tenable.sc, require selecting the Fetch Vulnerabilities option before viewing their vulnerabilities information in the Vulnerabilities Management module.
Click the Assets icon and from the left-pane, select Vulnerabilities.
Use Vulnerabilities to see the aggregated vulnerability data. The total number of unique devices on which Vulnerabilities were found is shown above the table. Click on the number of devices to open the devices on which Vulnerabilities were found on the Devices page.
Field displayed on the Vulnerabilities page include:
- Adapter Connections - shows the adapter source from which the vulnerabilities originate.
|Axonius Static Analysis||Software vulnerabilities detected by static analysis using NVD|
|NVD||Indicates Vulnerabilities enriched with data from the NIST NVD database.|
|EPSS||Indicates software vulnerabilities enriched with details from the Exploit Prediction Scoring System EPSS from connected adapters.|
|CISA||Indicates Vulnerabilities enriched with vulnerabilities information from your connected adapters with additional details from the CISA Known Exploited Vulnerabilities (KEV) Catalog. When relevant, the CISA fields and information are available for viewing and querying in the Vulnerabilities module and Devices module. Only CVEs that are part of the CISA KEV Catalog will be enhanced.|
|MSRC||Indicates software vulnerabilities enriched with details from MSRC from connected adapters.|
Vuln ID - Vulnerability data is presented by a vulnerability ID in the Vuln ID column. It can be presented either by a CVE ID or by a vulnerability identifier provided by some adapters. When it is a CVE ID, this is a link to the CVE details in the NIST National Vulnerability Database (NVD).
Device Count - The Device Count shows the number of devices affected by this vulnerability. When you click on Device Count, the Devices page opens with the devices affected by this vulnerability. Devices present Total CVE Count by Severity. CVEs are only counted if the CVE was validated on NVD.
Software Name and Software Vendor - When a CVE is applicable for multiple software, these fields are populated as "Multiple Software" and "Multiple Vendors".
NVD published date - The date the vulnerability was added to the NVD database.
NVD Modified date - The date the Vulnerability was modified.
Common Vulnerability Scoring System (CVSS) - With a v2.0 or v3.0 rating as was fetched from source.
CVE Exploitability Score - How likely it is that a vulnerability will be exploited according to NIST.
EPSS Score - How likely it is that a software vulnerability will be exploited in the wild according to EPSS.
CVE severity - LOW/MEDIUM/HIGH/CRITICAL value which is based on the CVSS rating.
CVE description, synopsis, and reference
First Seen - an aggregated date field that shows the earliest date that a Vulnerability was seen on the source.
Last Seen - an aggregated date field that shows the latest date that a Vulnerability was seen on the source.
Vulnerability data is presented by a vulnerability ID in the Vuln ID column. It can be presented either by a CVE ID or by a vulnerability identifier provided by some adapters.
When vulnerability information appears with a CVE ID, then this vulnerability is a CVE type. Click the CVE ID link to learn more about the vulnerability and how to remediate it.
When vulnerability identifier information that isn't a CVE type is fetched from an adapter, such as from a Tenable adapter, the vulnerability information appears with an ID without a CVE prefix. When a link is available for a specific vulnerability identifier, you can click it to learn more about the vulnerability and how to remediate it.
For supported adapters that fetch "non-CVE" vulnerability identifier information:
- A prefix of the adapter appears before the value displayed in the Vuln ID column.
- An optional Is CVE column displays ‘No’ for non-CVE vulnerabilities and ‘Yes’ for CVE vulnerabilities.
You can add the CWE ID column to view corresponding vulnerabilities appearing in the Common Weakness Enumeration (CWE) list. Click a specific CWE ID link to learn more about the vulnerability and how to remediate it.
Click the arrow next to any of the fields to see more details about that field, including which adapter connection obtained the information.
Not all fields are displayed by default. Use Edit Columns to add or remove columns. Refer to Setting Page Columns Display.
Click Repository to open the Vulnerabilities Repository.
CVE Vector Information
To view CVE Vector information add these columns to the Vulnerabilities page. Refer to Setting Page Columns Display.
The following fields are available:
|Vector||Available in CVSS Version||Notes|
|CVE Vector: Access Complexity||2.X||Describes whether the access complexity is low, medium, or high|
|CVE Vector: Access Vector||2.X||Describes whether the Access Vector is local or on a network|
|CVE Vector: Attack Complexity||3.X|
|CVE Vector: Attack Vector||3.X|
|CVE Vector: Authentication||2.0||Returns None if no CVE Vector Authentication exists|
|CVE Vector: Availability|
|CVE Vector: Confidentiality|
|CVE Vector: Integrity|
|CVE Vector: Privileges Required||3.X||Reports whether privileges or required, and what level, if known|
|CVE Vector: Scope||3.X|
|CVE Vector: User Interaction||3.X|
|CVE Vector: Version||3.1, 3.0, 2.0|
Creating Queries on Vulnerabilities
The Query Wizard on the Vulnerabilities page allows you to create a unique set of queries. Vulnerability queries are created on two levels. The first level of the query focuses on vulnerability parameters. You can query fields such as the CVSS score, severity, or attack vector. The second level queries devices, such as operating system, installed software, or the last update date. Use these queries to find out which critical vulnerabilities exist and whether they impact critical assets in your environment. Or, how many vulnerabilities exist, and whether they appear on devices with open ports, or that have a specific patch applied.
To configure the Query Wizard on the Vulnerabilities page
- Build a query on a Vulnerability field on the table, such as CVSS Score.
- Filter the vulnerabilities displayed by a Device query, and thus only show the vulnerabilities in your environment by a defined Device query, for instance Public IPs exist.
After running the query, the table shows the vulnerabilities queried, filtered by the devices they affect.
For example, show vulnerabilities with the CVSS score over 8, only on devices where the operating system is Windows.
You don't have to fill in the Device section of the query to find vulnerabilities in your environment.
Refining the Device Count Displayed from Device-based Fields in Vulnerabilities
It can be very useful to refine the device count displayed for device connected fields in Vulnerabilities. For instance, in this query:
- Build a query on a Vulnerability field on the table, such as CVSS Severity is High.
- Filter the vulnerabilities displayed by a Device query, and thus only show the vulnerabilities in your environment by a defined Device query, for instance Windows Devices.
- After running the query, the table shows the vulnerabilities queried, filtered by the devices they affect.
Once you get results for a query like this, in order to further refine the device count for such a query, you can use a special Data Refinement field on the Device Count column for unique Vulnerability fields that are found on devices.
For instance, there might be 50 devices with CVSS Severity is High, and 20 with Mitigated is Yes (and 30 with Mitigated no). In order to display the number of devices where both Mitigated is Yes matches those exact devices who also have CVSS Severity is High, you can perform the following data Refinement.
To refine the display to show the device count for a specific Vulnerability field.
- Click the Refine Data (filter) icon next to the Device Count column.
- From the Refine Data dialog, under Device related asset entities - refine by condition, Vulnerable Software is pre-selected. In the second row select the device related vulnerability field that you want to filter by and click Done. For instance you can select Mitigated yes, to display the exact number of devices where the selected Vulnerability on them has a mitigated field with yes.
The Vulnerabilities page now shows the device count that matches the number of devices on which the vulnerabilities were found. If the device count is zero the row is hidden.
Click on the Device Count to open these devices on the Devices page.
You can also Refine the data displayed on the Vulnerabilities page in additional ways.
- Click Save As to save the query.
- When you click Saved Queries and open the Queries page, the vulnerabilities queries you created are displayed on the Queries page, filtered by Vulnerabilities.
Refer to Creating Queries with the Queries Wizard to learn more about creating queries.
Displaying Historical Data
Axonius saves daily “snapshots” of all the collected data, which you can view for any query on the Vulnerabilities page.
To view query results for a specific date, click 'Display by Date' on the top menu above the Vulnerabilities table.
A date picker control opens, enabling you to select the desired date. By default, the latest day for which data was collected is displayed. Note that you can only select one date.
Notice that only dates with collected data are enabled as options for choice.
The System then displays the historical snapshot data of the page as it was presented on the date you selected.
To clear the historical view and set back to the latest, hover over the displayed date and click on the 'X' next to the displayed date.
Exporting Vulnerability Data to CSV
You can export the Vulnerability data to CSV. Refer to Exporting Asset Data to CSV.
Adding Custom Data to Vulnerabilities
You can add custom fields to one or more Vulnerabilities at the same time.
Select one or more Vulnerabilities and from the Actions menu choose Add Custom Fields.
Refer to Working with Custom Data to learn about adding custom fields.
Adding Tags to Vulnerabilities
Use tags to assign context to your assets for granular filters and queries. Apply new or existing tags to the selected vulnerabilities. The list of selected tags is applied to all selected vulnerabilities. Hence, tagging may result in the removal of existing tags from one or from several of the selected vulnerabilities.
Refer to Working with Tags to learn about adding Tags to Vulnerabilities.
Adding Risk Scores to Vulnerabilities
You can use the Axonius - Calculate Risk Score Enforcement Action to calculate the risk score of each vulnerability that matches the Vulnerability query defined for the Enforcement Set, and write the calculated value to the Risk Score - Axonius calculated field per vulnerability field in the table on the Vulnerabilities page. Learn how to view Risk Scores on the Vulnerabilities page.
Using Vulnerabilities Queries in Enforcement Actions
Vulnerabilities Management supports automatic enforcement actions, enabling you to perform a wide range of automated activities. Among the examples are:
- Ability to allocate actions to teams using tags
- Notification by email of newly found critical vulnerabilities
- Setting a custom risk score using the Enforcement Action Conditional Statements
- Calculating a vulnerability or cross-device-cross-vulnerability risk score using an Axonius Utility Enforcement Action
The following Enforcement Center Actions can be used with Vulnerability queries.
- Axonius - Push System Notification
- Axonius - Send Email
- Email - Send per Asset
- Axonius - Add Custom Data to Assets
- Axonius - Remove Custom Data from Assets
- Manage Custom Enrichment - Enrich assets with CSV file
- Axonius - Add Tag
- Axonius - Remove Tag
- Axonius - Calculate Risk Score
- Cherwell - Create Incident
- Cherwell - Create Incident per Asset
- Freshservice - Create Ticket
- Freshservice - Create Ticket per Asset
- Jira - Create Issue
- Jira - Create Issue per Asset
- Jira Service Management - Create Issue
- Jira Service Management - Create Issue per Asset
- ServiceNow - Create Incident
- ServiceNow - Create Incident per Asset
Enforce - Create New Enforcement
You can create a new enforcement set directly from the Vulnerabilities page with a Main Action that will run on the entities you selected ('custom selection').
When you select this option, a drawer is opened that lets you configure the following:
- Enforcement set name.
- Main Action - Select an action from the Action Library, to be performed when the enforcement set is executed.
Once configured, click Save and Run to save the enforcement set and to generate an enforcement task that will run on the entities you have selected.
For more details, see Creating Enforcement Sets.