Host Inventory and Vulnerability Management

Perform vulnerability assessment of all endpoints in your network using Cortex XDR.
In Add-ons > Host Insights > Vulnerability Management you can detect existing vulnerabilities. The Cortex XDR agent provides Cortex XDR with a host inventory containing the name and version of every application installed on the endpoint. Every four hours, Cortex XDR correlates this application inventory with data from the NIST public database. If Cortex XDR detects a new CVE during correlation, it creates an alert and generates an incident in Cortex XDR (only one alert per CVE). These alerts help you proactively identify new risks in your network, follow up and remediate them, and associate other alerts with security patching problems in your organization.
Additionally, you can use Cortex XDR to evaluate the extent and severity of each CVE in your network, gain full visibility into the risks to which each endpoint is exposed, and assess the vulnerability status of an installed application in your network.
See Hardened Endpoint Security for the list of all operating systems that support Vulnerability Management.

CVE Analysis

To evaluate the extent and severity of each CVE across your endpoints, you can drill down into each CVE in Cortex XDR and view all the endpoints and applications in your environment that are impacted by the CVE. Cortex XDR retrieves the latest information from the NIST public database every 24 hours. From Host Insights > Vulnerability Management, select CVEs on the upper-right bar. For each vulnerability, Cortex XDR displays the following default and optional values:
Affected endpoints: The number of endpoints that are currently affected by this CVE.
Applications: The names of the applications affected by this CVE.
CVE: The name of the CVE.
Description: The general NIST description of the CVE.
Platforms: The name and version of the operating system affected by this CVE.
Severity: The severity level (High, Medium, or Low) of the CVE as ranked in the NIST database.
Severity score: The CVE severity score based on the NIST Common Vulnerability Scoring System (CVSS). Click the score to see the full CVSS description.
For detailed information about the endpoints in your network that are impacted by a CVE, right-click the CVE and select View affected endpoints.
To learn more about the applications in your network that are impacted by a CVE, right-click the CVE and select View applications.

Endpoint Analysis

To help you assess the vulnerability status of an endpoint, Cortex XDR provides a full list of all installed applications and existing CVEs per endpoint and also assigns each endpoint a vulnerability severity score that reflects the highest NIST vulnerability score detected on the endpoint. This information helps you determine the best course of action for remediating each endpoint. From Host Insights > Vulnerability Management, select Endpoints on the upper-right bar. For each endpoint, Cortex XDR displays the following default and optional values:
CVEs: A list of all CVEs that exist on applications that are installed on the endpoint. Cortex XDR displays a maximum of 500 CVEs per endpoint. If your endpoint has more than 500 CVEs, you must address some of them to reduce the number of CVEs and rescan the endpoint. Then, additional CVEs can be displayed.
Endpoint ID: Unique ID assigned by Cortex XDR that identifies the endpoint.
Endpoint name: Hostname of the endpoint.
Last Reported Timestamp: The date and time at which the Cortex XDR agent last started reporting its application inventory to Cortex XDR.
MAC address: The MAC address associated with the endpoint.
IP address: The IP address associated with the endpoint.
Platform: The name of the platform running on the endpoint.
Severity: The severity level (High, Medium, or Low) of the CVE as ranked in the NIST database.
Severity score: The CVE severity score based on the NIST Common Vulnerability Scoring System (CVSS). Click the score to see the full CVSS description.
You can perform the following actions from Cortex XDR as you investigate and remediate your endpoints:
  • View a complete list of all applications installed on an endpoint: right-click the endpoint and select View installed applications. This list includes the application name, version, and installation path on the endpoint. If an installed application has known vulnerabilities, Cortex XDR also displays the list of CVEs and the highest Severity.
  • (Windows only) Isolate an endpoint from your network: right-click the endpoint and select Isolate. Isolating the endpoint before or during your remediation allows the Cortex XDR agent to communicate only with Cortex XDR.
  • Retrieve an updated list of applications installed on an endpoint: right-click the endpoint and select Rescan endpoint.

Application Analysis with Host Inventory

You can assess the vulnerability status of applications in your network using the Host Inventory. Cortex XDR compiles an application inventory of all the applications installed in your network by collecting the list of installed applications from each Cortex XDR agent. For each application on the list, you can see the existing CVEs and the vulnerability severity score that reflects the highest NIST vulnerability score detected for the application. Any new application installed on an endpoint appears in Cortex XDR within 24 hours. Alternatively, you can rescan the endpoint to retrieve the most up-to-date list.
Starting with macOS 10.15, Mac built-in system applications are not reported by the Cortex XDR agent and are not part of the Cortex XDR Application Inventory.
From Host Insights > Vulnerability Management, select Apps. For each application, Cortex XDR displays the following default and optional values:
Affected endpoints: The number of endpoints that are currently affected by this CVE.
Application name: The name of the application affected by this CVE.
CVEs: A list of all CVEs that exist on applications that are installed on the endpoint. Cortex XDR displays a maximum of 500 CVEs per endpoint. If your endpoint has more than 500 CVEs, you must address some of them to reduce the number of CVEs and rescan the endpoint. Then, additional CVEs can be displayed.
Platform: A list of all platforms on which the application is installed.
Severity: The severity level (High, Medium, or Low) of the CVE as ranked in the NIST database.
Severity score: The CVE severity score based on the NIST Common Vulnerability Scoring System (CVSS). Click the score to see the full CVSS description.
Version: The version of the installed application.
  • To view the details of all the endpoints in your network on which an application is installed, right-click the application and select View endpoints.
  • (Windows only) View a complete list of all KBs installed on an endpoint: right-click the endpoint and select View installed KBs. This list includes all the Microsoft Windows patches that were installed on the endpoint and a link to the official Microsoft Knowledge Base (KB) support article.
The number of affected endpoints in the host inventory is updated every four hours. Because Cortex XDR agents report their application inventory to Cortex XDR at different times within this four-hour window, the number of affected endpoints shown in the host inventory is sometimes different from (and less accurate than) the number of endpoints you see when you view the endpoints list.
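The following is an added illustration, not Cortex XDR code, of the correlation this page describes: joining each agent's application inventory (name and version) against a CVE feed, counting affected endpoints per CVE, deriving an endpoint's severity score as the highest NIST score among its CVEs (subject to the 500-CVE display cap), and raising only one alert per newly seen CVE. The CVE feed, the endpoint inventory and the CVE identifiers are constructed placeholders, and versions are matched exactly for brevity.

```python
"""Constructed model of inventory-to-CVE correlation (not Cortex XDR's code)."""
from collections import defaultdict

# Constructed CVE feed with the fields the page lists (placeholder CVE ids).
CVE_FEED = [
    {"cve": "CVE-0000-0001", "app": "ExampleViewer", "versions": {"1.0"},
     "platforms": {"windows"}, "score": 9.8, "severity": "High"},
    {"cve": "CVE-0000-0002", "app": "ExampleViewer", "versions": {"1.0", "1.1"},
     "platforms": {"windows", "macos"}, "score": 5.3, "severity": "Medium"},
    {"cve": "CVE-0000-0003", "app": "ExampleAgent", "versions": {"2.0"},
     "platforms": {"linux"}, "score": 3.1, "severity": "Low"},
]

# Constructed host inventory: what each agent reports (app name -> version).
INVENTORY = {
    "ep-1": {"platform": "windows", "apps": {"ExampleViewer": "1.0"}},
    "ep-2": {"platform": "macos", "apps": {"ExampleViewer": "1.1"}},
    "ep-3": {"platform": "linux",
             "apps": {"ExampleAgent": "2.0", "ExampleViewer": "1.0"}},
}

MAX_CVES_PER_ENDPOINT = 500  # display cap mentioned on the page


def correlate(inventory, feed):
    """Return (per_cve, per_endpoint): endpoints hit by each CVE, and each
    endpoint's matching CVE entries. A CVE matches when the installed version
    and the endpoint platform are both in the feed entry."""
    per_cve = defaultdict(set)
    per_endpoint = defaultdict(list)
    for ep, host in inventory.items():
        for entry in feed:
            version = host["apps"].get(entry["app"])
            if version in entry["versions"] and host["platform"] in entry["platforms"]:
                per_cve[entry["cve"]].add(ep)
                per_endpoint[ep].append(entry)
    return dict(per_cve), dict(per_endpoint)


def endpoint_severity(per_endpoint, ep):
    """Highest NIST score among the endpoint's (capped) CVEs; 0.0 if none."""
    cves = per_endpoint.get(ep, [])[:MAX_CVES_PER_ENDPOINT]
    return max((c["score"] for c in cves), default=0.0)


def new_alerts(per_cve, already_alerted):
    """One alert per CVE: only CVEs absent from earlier runs are returned,
    and they are recorded so the next run does not alert on them again."""
    fresh = sorted(set(per_cve) - already_alerted)
    already_alerted.update(fresh)
    return fresh
```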
