Vulnerabilities
  • 18 Nov 2024
  • 12 Minutes to read
  • Dark
    Light
  • PDF

Vulnerabilities

  • Dark
    Light
  • PDF

Article summary

Use the Vulnerability Management Module to see a consolidated view of all the vulnerabilities in the organization, from all sources. The Vulnerabilities page delivers increased visibility into cybersecurity vulnerabilities. It helps security, IT, and risk teams identify vulnerabilities across fleets of devices, enabling them to prioritize vulnerabilities based on asset criticality, potential impact, and recognized threats.

A vulnerability is a software defect that could allow hackers to gain control of a system. Axonius presents vulnerabilities as defined by the Common Vulnerabilities and Exposures (CVE) list. Axonius discovers vulnerabilities by extracting CVE information fetched from adapters.

Note:

Some adapters, such as Tenable.sc, require selecting the Fetch Vulnerabilities option before viewing their vulnerabilities information in the Vulnerabilities Management module.

Click the Assets icon Asset_Icon1 and from the left-pane, select Vulnerabilities.

VulnerabilitesUP

Use Vulnerabilities to see the aggregated vulnerability data. The total number of unique devices on which Vulnerabilities were found is shown above the table. Click on the number of devices to open the devices on which Vulnerabilities were found on the Devices page.
UniqueDEvVuln

Vulnerabilities Fields

Field displayed on the Vulnerabilities page include:

  • Adapter Connections - shows the icons of the adapter connections or enrichment from which the vulnerabilities originate.

  • Vuln ID - Vulnerability data is presented by a vulnerability ID in the Vuln ID column. It can be presented either by a CVE ID or by a vulnerability identifier provided by some adapters. When it is a CVE ID, this is a link to the CVE details in the NIST National Vulnerability Database (NVD).

  • Device Count - The Device Count shows the number of devices affected by this vulnerability. When you click on Device Count, the Devices page opens with the devices affected by this vulnerability. Devices present Total CVE Count by Severity. CVEs are only counted if the CVE was validated on NVD.

  • Software Name and Software Vendor - When a CVE is applicable for multiple software, these fields are populated as "Multiple Software" and "Multiple Vendors".

  • NVD published date - The date the vulnerability was added to the NVD database.

  • NVD Modified date - The date the Vulnerability was modified.

  • Common Vulnerability Scoring System (CVSS) - The CVSS rating as fetched from the source (v2,0, v3.0, v4.0, etc.).

  • CVE Exploitability Score - How likely it is that a vulnerability will be exploited according to NIST.

  • EPSS Score - How likely it is that a software vulnerability will be exploited in the wild according to EPSS.

  • CVE severity - LOW/MEDIUM/HIGH/CRITICAL value which is based on the CVSS rating.

  • CVE description, synopsis, and reference

  • CVE Vector information

  • First Seen - an aggregated date field that shows the earliest date that a Vulnerability was seen on the source.

  • Last Seen - an aggregated date field that shows the latest date that a Vulnerability was seen on the source.

Vulnerability ID

Vulnerability data is presented by a vulnerability ID in the Vuln ID column. It can be presented either by a CVE ID or by a vulnerability identifier provided by some adapters.

When vulnerability information appears with a CVE ID, then this vulnerability is a CVE type. Click the CVE ID link to learn more about the vulnerability and how to remediate it.
When vulnerability identifier information that isn't a CVE type is fetched from an adapter, such as from a Tenable adapter, the vulnerability information appears with an ID without a CVE prefix. When a link is available for a specific vulnerability identifier, you can click it to learn more about the vulnerability and how to remediate it.

Note:

For supported adapters that fetch "non-CVE" vulnerability identifier information:

  • A prefix of the adapter appears before the value displayed in the Vuln ID column.
  • An optional Is CVE column displays ‘No’ for non-CVE vulnerabilities and ‘Yes’ for CVE vulnerabilities.

You can add the CWE ID column to view corresponding vulnerabilities appearing in the Common Weakness Enumeration (CWE) list. Click a specific CWE ID link to learn more about the vulnerability and how to remediate it.

  • Click the arrow next to any of the fields to see more details about that field, including which adapter connection obtained the information.
  • Not all fields are displayed by default. Use Edit Columns to add or remove columns. Refer to Setting Page Columns Display.
  • Click Repository to open the Vulnerabilities Repository.

Enrichments

The Adapter Connection column shows the icons of enrichment from which the vulnerabilities originate.

IconIndicates
Axonius Static Analysis StatisAnalysisicon.pngSoftware vulnerabilities detected by static analysis using NVD
NVD NVDIconIndicates Vulnerabilities enriched with data from the NIST NVD database.
EPSS EPSSIconIndicates software vulnerabilities enriched with details from the Exploit Prediction Scoring System EPSS from connected adapters.
CISA CISA_logo_50x50Indicates Vulnerabilities enriched with vulnerabilities information from your connected adapters with additional details from the CISA Known Exploited Vulnerabilities (KEV) Catalog. When relevant, the CISA fields and information are available for viewing and querying in the Vulnerabilities module and Devices module. Only CVEs that are part of the CISA KEV Catalog will be enhanced.
MSRC MSRCVulnLogoIndicates software vulnerabilities enriched with details from MSRC from connected adapters.
VulnCheck VulncheckIndicates Vulnerabilities enriched with data from the VulnCheck enrichment enforcement action.

CVE Vector Information

To view CVE Vector information add these columns to the Vulnerabilities page. Refer to Setting Page Columns Display.

The following fields are available:

VectorAvailable in CVSS VersionNotes
CVE Vector: Access Complexity2.XDescribes whether the access complexity is low, medium, or high
CVE Vector: Access Vector2.XDescribes whether the Access Vector is local or on a network
CVE Vector: Attack Complexity3.X
CVE Vector: Attack Vector3.X
CVE Vector: Authentication2.0Returns None if no CVE Vector Authentication exists
CVE Vector: Availability
CVE Vector: Confidentiality
CVE Vector: Integrity
CVE Vector: Privileges Required3.XReports whether privileges or required, and what level, if known
CVE Vector: Scope3.X
CVE Vector: User Interaction3.X
CVE Vector: Version3.1, 3.0, 2.0


Creating Queries on Vulnerabilities

You can use Queries on the Vulnerabilities page to create a unique set of queries.
You can create queries on Vulnerabilities using one of the following modes:

  • Query Wizard (the default) - Create a query using the Query Wizard, or in the query bar, selecting a saved query or writing a query.

  • Basic mode - Create a query by selecting filters. Learn more and how to create Queries in Basic mode.

The Query Wizard on the Vulnerabilities page allows you to create a unique set of queries. Vulnerability queries with the Query Wizard are created on two levels. The first level of the query focuses on vulnerability parameters. You can query fields such as the CVSS score, severity, or attack vector. The second level queries devices, such as operating system, installed software, or the last update date. Use these queries to find out which critical vulnerabilities exist and whether they impact critical assets in your environment. Or, how many vulnerabilities exist, and whether they appear on devices with open ports, or that have a specific patch applied.
To configure the Query Wizard on the Vulnerabilities page

  1. Build a query on a Vulnerability field on the table, such as CVSS Score.
  2. Filter the vulnerabilities displayed by a Device query, and thus only show the vulnerabilities in your environment by a defined Device query, for instance Public IPs exist.

After running the query, the table shows the vulnerabilities queried, filtered by the devices they affect.
For example, show vulnerabilities with the CVSS score over 8, only on devices where the operating system is Windows.

Vulnerability query.png

Note:

You don't have to fill in the Device section of the query to find vulnerabilities in your environment.

Creating a Query using a Saved Query

You can use a choose a saved query to use as part of a query.
Note the following:

  • You can only use queries that do not use the device level of the query.
  • If a saved query is used in a Vulnerabilities Query (chosen as a Saved query), then the system does not allow you to add a device level in that query.

ChooseSavedQuery

Refining the Device Count Displayed from Device-based Fields in Vulnerabilities

It can be very useful to refine the device count displayed for device connected fields in Vulnerabilities. For instance, in this query:

  1. Build a query on a Vulnerability field on the table, such as CVSS Severity is High.
  2. Filter the vulnerabilities displayed by a Device query, and thus only show the vulnerabilities in your environment by a defined Device query, for instance Windows Devices.
  3. After running the query, the table shows the vulnerabilities queried, filtered by the devices they affect.

Once you get results for a query like this, in order to further refine the device count for such a query, you can use a special Data Refinement field on the Device Count column for unique Vulnerability fields that are found on devices.
For instance, there might be 50 devices with CVSS Severity is High, and 20 with Mitigated is Yes (and 30 with Mitigated no). In order to display the number of devices where both Mitigated is Yes matches those exact devices who also have CVSS Severity is High, you can perform the following data Refinement.

To refine the display to show the device count for a specific Vulnerability field.

  1. Click the Refine Data (filter) icon next to the Device Count column.

MitigVuln1

  1. From the Refine Data dialog, under Device related asset entities - refine by condition, Vulnerable Software is pre-selected. In the second row select the device related vulnerability field that you want to filter by and click Done. For instance you can select Mitigated yes, to display the exact number of devices where the selected Vulnerability on them has a mitigated field with yes.

mt22

The Vulnerabilities page now shows the device count that matches the number of devices on which the vulnerabilities were found. If the device count is zero the row is hidden.
Click on the Device Count to open these devices on the Devices page.

You can also Refine the data displayed on the Vulnerabilities page in additional ways.

Saving Queries

  • Click Save As to save the query.
  • When you click Saved Queries and open the Queries page, the vulnerabilities queries you created are displayed on the Queries page, filtered by Vulnerabilities.

VulnerabilitesSavedQuery.png

Refer to Creating Queries with the Queries Wizard to learn more about creating queries.


Displaying Historical Data

Axonius saves daily “snapshots” of all the collected data, which you can view for any query on the Vulnerabilities page.

To view query results for a specific date, click 'Display by Date' on the top menu above the Vulnerabilities table.
Snappng

A date picker control opens, enabling you to select the desired date. By default, the latest day for which data was collected is displayed. Note that you can only select one date.

Notice that only dates with collected data are enabled as options for choice.
The System then displays the historical snapshot data of the page as it was presented on the date you selected.

To clear the historical view and set back to the latest, hover over the displayed date and click on the 'X' next to the displayed date.

Exporting Vulnerability Data to CSV

You can export the Vulnerability data to CSV. Refer to Exporting Asset Data to CSV.


Adding Custom Data to Vulnerabilities

You can add custom fields to one or more Vulnerabilities at the same time.
Select one or more Vulnerabilities and from the Actions menu choose Add Custom Fields.

VulnerabilitesAddCustomData

Refer to Working with Custom Data to learn about adding custom fields.

Adding Tags to Vulnerabilities

Use tags to assign context to your assets for granular filters and queries. Apply new or existing tags to the selected vulnerabilities. The list of selected tags is applied to all selected vulnerabilities. Hence, tagging may result in the removal of existing tags from one or from several of the selected vulnerabilities.

Refer to Working with Tags to learn about adding Tags to Vulnerabilities.


Adding Risk Scores to Vulnerabilities

You can use the Axonius - Calculate Risk Score Enforcement Action to calculate the risk score of each vulnerability that matches the Vulnerability query defined for the Enforcement Set, and write the calculated value to the Risk Score - Axonius calculated field per vulnerability field in the table on the Vulnerabilities page. Learn how to view Risk Scores on the Vulnerabilities page.

Managing Exclusions

You can manage exclusions from the Vulnerabilities page

  1. To add a Vulnerability to a rule, mouse over a row, the Exclude button is displayed, or select one or more items and choose Exclude. The Create Exclusion Rule dialog opens with the Vulnerability you selected filled in.
  2. You can assign a name to the Exclusion Rule and configure it as required and choose Create. A notification is displayed and from the next discovery cycle, the Vulnerability will be excluded from the inventory according to the definitions in the rule. The rule will be added to the Exclusion Rules page. On the Vulnerabilities Repository page the Exclusion Status is shown as Pending.

Using Vulnerabilities Queries in Enforcement Actions

Vulnerabilities Management supports automatic enforcement actions, enabling you to perform a wide range of automated activities. Among the examples are:

  • Ability to allocate actions to teams using tags
  • Notification by email of newly found critical vulnerabilities
  • Setting a custom risk score using the Enforcement Action Conditional Statements
  • Calculating a vulnerability or cross-device-cross-vulnerability risk score using an Axonius Utility Enforcement Action

The following Enforcement Center Actions can be used with Vulnerability queries.

Enforce - Create New Enforcement

You can create a new enforcement set directly from the Vulnerabilities page with a Main Action that will run on the entities you selected ('custom selection').
When you select this option, a drawer is opened that lets you configure the following:

  1. Enforcement set name.
  2. Main Action - Select an action from the Action Library, to be performed when the enforcement set is executed.

Once configured, click Save and Run to save the enforcement set and to generate an enforcement task that will run on the entities you have selected.

For more details, see Creating Enforcement Sets.


For general information about working with tables refer to Working with Tables.



Was this article helpful?