Manage Vulnerabilities

CVE data is shown in the Vulnerabilities page:

[Figure: the Vulnerabilities page]

You can apply filters, search for CVEs, and sort the displayed data by different fields. For example, you can filter by Technologies to find only those CVEs that affect Windows environments.
You can change the default Report Date sorting by clicking other column headings. The figure above is sorted by Mentions.

Access to the Vulnerabilities page may be limited by your administrator or your company subscription.

Populate CVEs

The Vulnerabilities page displays CVEs that have been populated into Threat Command. (Before uploading, the page will not display any CVEs.)

You can populate CVEs in the following ways:

  • Integrate with a vulnerability management system (VMS)
    When you integrate a Tenable.IO or Qualys system with Threat Command, CVEs are populated automatically. The synchronization status is shown in the Vulnerabilities page.
    To integrate, see Import CVEs from Tenable Integration or Import CVEs from Qualys Integration.
  • Extract from the "Technologies in use" asset
    When you add technologies in this asset, all relevant CVEs are automatically extracted and imported, in addition to alerts being created. You can also import a CPE file into this asset.
    If you remove technologies from the asset, their CVEs (but not alerts) will be removed, too.
    For more information about this asset, see Technologies in use.
  • Upload using the Threat Command API
    Download CVEs from any vulnerability management system, then use the Threat Command API to push them to Threat Command.
    For more information, see the Threat Command API documentation, which can be downloaded from the administrator Settings > Subscription tab.
  • Add from the Rapid7 Extend browser extension
    Click + on a CVE from Rapid7 Extend, and the CVE is added to the VRA. The Origin field of CVEs populated this way will display "Browser extension."

View CVE details

You can view the details of the listed CVEs.

To view CVE details:

  1. From the Threat Command main menu, select Risk Analyzer.
    The Vulnerabilities page is displayed.
  2. (Optional) You can filter the displayed CVEs list.
    See a filter description in Filter the VRA page.
  3. The Vulnerabilities page displays each CVE in a separate row.  
    To see CVE details, click a CVE.

The Vulnerabilities page shows the following information per CVE.

  • CVE
    The CVE number, as registered in NVD.
    If the CVE is trending, an icon is displayed.
  • Technologies
    The technologies to which the CVE relates. If the technology is followed by "(+X)", that indicates that the CVE affects multiple technologies. The CVE CPEs tab shows all affected technologies, or you can hover to see a quick list.
    If CPEs are imported from the Technologies in use asset (and sometimes from a Tenable or Qualys integration), and the CPE information is available, the tooltip will differentiate between Your CPEs (related to your environment) and General CPEs. For example:
    [Figure: tooltip showing Your CPEs and General CPEs]
    (This is also shown in detail in the CPEs tab.)
  • IntSights score
    A targeted, enriched score that takes into account:
    - Trends and findings by non-malicious actors (security experts, IT personnel).
    - Trends and findings by hackers and malicious actors (dark web, hacker forums, social media, etc.).
    - Exploits found and the ease of use of these exploits. If a POC is found that is not yet an exploit, that will also increase the score.
    - Scoring over time, i.e. the proximity of mentions to the current date.
    - CVSS score.
  • Vulnerabilities
    Weakness category.
  • Mentions
    Times that the CVE is mentioned across all searched areas. Mentions are a very strong sign of a potential threat.
  • Affected hosts
    How many hosts are affected.
    Available when configured with the Tenable and Qualys integrations at the Automations > Integrations > Cloud tab.
  • CVSS score
    CVSS score, from NVD.
  • Report date
    Date that the CVE was first reported, from NVD. This is the default sort field.
  • Label
    [icon] - CVE is trending
    [icon] - CVE has an available exploit
    [icon] - CVE has a related cyberterm
  • View Alert
    Click to see the vulnerability in the Alerts page. Only alerts that were elevated with the Alert Profiler can become alerts.

You can view the rest of the CVE details as described in CVE Details.

Filter the Vulnerability Risk Analyzer page

You can filter the page so the results are more relevant. The following table shows the filters that you can use:

| To filter by CVEs that match this | Use this filter |
| --- | --- |
| CVEs with a specific CWE | Vulnerability Type - Type a Common Weakness Enumeration. |
| A technology product family (like Google Chrome) | Product - After you type the first few letters, you can select from the displayed list. |
| Hostname (This filter is available only if host information collection is enabled in or Qualys integrations.) | Hostname - After you type the first few letters, you can select from the displayed list. |
| A technology with a specific version (like Google Chrome x.x.x.x) | CPE - After you type the first few letters, you can select from the displayed list. |
| A known exploit exists | Exploit Availability - Choose from Exploit, POC, or None. |
| CVEs scored by Rapid7 | IntSights Score - Select scores to match. |
| CVEs that are trending | Trending CVEs - Select Show only Trending CVEs. |
| CVEs in a specific score range | CVSS Score - Select scores to match. |
| Reported on a certain date | Report Date - Select a date range. |
| Published on a certain date | Publish Date - Select a date range. |
| Updated on a certain date | Update Date - Select a date range. |
| CVEs that have a related alert | Alerts - Select Show only CVEs with related alert. |
| CVEs with a related Threat Library cyberterm | Cyberterms - Type cyberterms to match. |
| CVE origin (for example, Browser extension) | Vulnerability Origin - Select desired origins. |
| Scanned hosts operating systems (This filter is available only if host information collection is enabled in or Qualys integrations.) | Operating System - Select operating system. |
| Scanned hosts with tags (This filter is available only if host information collection is enabled in or Qualys integrations.) | Tags - Select tags. |

Vulnerability retention

Vulnerabilities remain in Threat Command until they are no longer relevant, determined by their source of origination:

  • Originated in CVE integrations (like InsightVM or Tenable) - These CVEs are synced every few hours and are constantly updated based on the vulnerability management integrated solution. When a CVE stops being relevant to an account (like when the vulnerability was patched), it will not be sent in the next sync and is removed from the VRA environment.
  • Originated in ‘Technologies in use’ assets - These vulnerabilities are synced against NVD every few hours. When a CVE stops being relevant to any of the user’s CPEs, the CVE will remain in the VRA environment for 21 days as a precaution, and then it will be removed. A CVE can stop being relevant due to updates made by NVD (like removing the linkage between a CPE the account is using and a CVE), deletion of an asset, or other reasons.