Exploitable Vulnerabilities
By using Vulnerability Management (InsightVM), Rapid7's vulnerability management solution, together with SIEM (InsightIDR), you can see all the exploitable vulnerabilities found in your environment.
How to View Exploitable Vulnerabilities
On the Assets & Endpoints page, a card on the right displays the top Exploitable Vulnerabilities and the number of assets that are affected.
To see a complete list, click the Exploitable Vulnerabilities metric.
The Top 100 Vulnerabilities list displays the exact title of each vulnerability, the CVEs linked to it, its Active Risk Score, and the number of assets affected. The list is sorted by Active Risk Score and then by the number of assets affected. Clicking any vulnerability takes you to the Vulnerability Management (IVM) page that holds all the details about that vulnerability.
How to view vulnerability details in Alerts
If you are using SIEM (InsightIDR) with Vulnerability Management (InsightVM), you can view vulnerability details in Alerts. As SIEM (InsightIDR) collects data from your environment, detection rules look for known threats, risks, and unusual actions. These detection rules can then trigger alerts, investigations, or other types of notifications when an event occurs that meets the detection rule logic.
In Alert Details, you can see a table of all known Vulnerability Management (InsightVM) Vulnerabilities related to the alert, helping you to understand the root cause of an alert, take appropriate action, and prioritize a vulnerability for remediation.
Correlation
Vulnerabilities are only displayed in Alerts if there is sufficient data available to correlate them with the asset associated with this alert.
Some event types are less likely to correlate with assets because only an IP address is available in the event data. When asset correlation isn't successful, associated vulnerabilities won't appear in alerts. This is expected behavior.
Event types with low correlation accuracy include:
- Firewall events
- DnsQuery events
- NetworkFlow events
- AdvancedMalware events
- WebProxy events
- Process start events
- Sysmon events
- FileAccess events
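To make the correlation behavior above concrete, here is an added illustration (not InsightIDR's or InsightVM's own code) of how a SIEM might attach vulnerability data to an alert. It assumes a constructed asset inventory with placeholder CVE identifiers; hostname-bearing events match an asset directly, while IP-only events (the firewall, DNS and flow event types listed above) match only when the IP maps to exactly one known asset, so a shared DHCP address yields no vulnerability table, which is the "expected behavior" the text describes. The same inventory also drives a ranking function in the style of the Top 100 Exploitable Vulnerabilities list: exploitable CVEs sorted by risk score, then by number of assets affected.

```python
from collections import defaultdict
from typing import Optional

# Constructed sample inventory (not product data). CVE IDs are placeholders.
ASSETS = [
    {"asset_id": "a1", "hostname": "web01", "ips": ["10.0.0.5"],
     "vulns": [{"cve": "CVE-0000-0001", "risk": 850, "exploit": True},
               {"cve": "CVE-0000-0002", "risk": 300, "exploit": False}]},
    {"asset_id": "a2", "hostname": "db01", "ips": ["10.0.0.9"],
     "vulns": [{"cve": "CVE-0000-0001", "risk": 850, "exploit": True}]},
    # Two laptops that have both held the same DHCP lease at different times,
    # so an IP-only event for 10.0.1.20 cannot be attributed to either one.
    {"asset_id": "a3", "hostname": "lt-alice", "ips": ["10.0.1.20"],
     "vulns": [{"cve": "CVE-0000-0003", "risk": 600, "exploit": True}]},
    {"asset_id": "a4", "hostname": "lt-bob", "ips": ["10.0.1.20"],
     "vulns": [{"cve": "CVE-0000-0004", "risk": 120, "exploit": False}]},
]


def correlate_asset(event: dict, assets: list) -> Optional[dict]:
    """Return the single asset an event belongs to, or None when the match
    is missing or ambiguous. Hostname-bearing events (endpoint agent, auth
    logs) match on hostname; IP-only events match only if the IP maps to
    exactly one asset in the inventory. Hypothetical logic for illustration."""
    hostname = (event.get("hostname") or "").lower()
    if hostname:
        matches = [a for a in assets if a["hostname"].lower() == hostname]
    elif event.get("source_ip"):
        matches = [a for a in assets if event["source_ip"] in a["ips"]]
    else:
        matches = []
    return matches[0] if len(matches) == 1 else None


def vulnerabilities_for_alert(event: dict, assets: list) -> list:
    """Vulnerability rows to show in an alert, highest risk first.
    An empty list means correlation failed, so nothing is displayed."""
    asset = correlate_asset(event, assets)
    if asset is None:
        return []
    return sorted(asset["vulns"], key=lambda v: v["risk"], reverse=True)


def top_exploitable(assets: list, limit: int = 100) -> list:
    """Rank exploitable CVEs by risk score, then by number of assets affected."""
    risk = {}
    affected = defaultdict(set)
    for asset in assets:
        for v in asset["vulns"]:
            if v["exploit"]:
                risk[v["cve"]] = max(risk.get(v["cve"], 0), v["risk"])
                affected[v["cve"]].add(asset["asset_id"])
    rows = [{"cve": c, "risk": risk[c], "assets_affected": len(affected[c])}
            for c in risk]
    rows.sort(key=lambda r: (r["risk"], r["assets_affected"]), reverse=True)
    return rows[:limit]


if __name__ == "__main__":
    # Constructed events: one from an endpoint agent, two IP-only firewall events.
    for ev in [{"hostname": "WEB01", "source_ip": "10.0.0.5"},
               {"source_ip": "10.0.0.9"},
               {"source_ip": "10.0.1.20"}]:
        print(ev, "->", [v["cve"] for v in vulnerabilities_for_alert(ev, ASSETS)])
    for row in top_exploitable(ASSETS):
        print(row)
```

The deliberately strict one-match rule is the point: an IP seen in a firewall or DNS event is evidence, not identity, and silently picking the first asset that ever held that address would attach the wrong vulnerability list to an alert.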
The following contextual information is available in the Vulnerability Management (InsightVM) Vulnerabilities table in Alert Details:
- CVE: The CVE (Common Vulnerabilities and Exposures) ID is provided and links to additional information.
- Risk Score: A risk score, based on the Vulnerability Management (InsightVM) Active Risk strategy. Active Risk is Rapid7's recommended built-in strategy for assessing and analyzing vulnerability risk on a scale of 0-1000. Active Risk uses the latest CVSS score with intelligence from threat feeds like AttackerKB, Metasploit, ExploitDB, Project Lorelei, the CISA KEV list, and other third-party dark web sources to provide security teams with a threat-aware vulnerability risk score and to help prioritize remediation for the most critical vulnerabilities.
- Exploits: States whether or not an exploit exists for this vulnerability.
- Last Assessed: The date that the vulnerability was first reported.
Using SIEM (InsightIDR) with Vulnerability Management (InsightVM)
Vulnerability Management (InsightVM) is Rapid7’s vulnerability management solution that helps you identify, prioritize, and remediate risk across your environment. When integrated with SIEM (InsightIDR), Vulnerability Management (InsightVM) enriches detections with asset risk context and vulnerability data, helping you identify exploitable weaknesses earlier in the attack chain and prioritize response.
You can connect Vulnerability Management (InsightVM) to SIEM (InsightIDR) to surface risk scores, vulnerabilities, and asset context directly in investigations and detections. To get started or explore additional capabilities, see the Vulnerability Management (InsightVM) documentation.