CVE data is shown in the Vulnerabilities page:
You can apply filters, search for CVEs, and sort the displayed data by different fields. For example, you can filter by Technologies to find only those CVEs that affect Windows environments.
You can change the default Report Date sorting by clicking other column headings. The figure above is sorted by Mentions.
Access to the Vulnerabilities page may be limited by your administrator or your company subscription.
The Vulnerabilities page displays CVEs that have been populated into Threat Command. (Until CVEs are populated, the page does not display any.)
You can populate CVEs in the following ways:
- Integrate with a vulnerability management system (VMS)
When you integrate a Tenable.IO or Qualys system with Threat Command, CVEs are populated automatically. The synchronization status is shown in the Vulnerabilities page.
To integrate, see Import CVEs from Tenable Integration or Import CVEs from Qualys Integration.
- Extract from the "Technologies in use" asset
When you add technologies in this asset, all relevant CVEs are automatically extracted and imported, in addition to alerts being created. You can also import a CPE file into this asset.
If you remove technologies from the asset, their CVEs (but not alerts) will be removed, too.
For more information about this asset, see Technologies in use.
- Upload using the Threat Command API
Download CVEs from any vulnerability management system, then use the Threat Command API to push them to Threat Command.
For more information, see the Threat Command API documentation, which can be downloaded from the administrator Settings > Subscription tab.
- Add from the Rapid7 Extend browser extension
Click + on a CVE from Rapid7 Extend, and the CVE is added to the VRA. The Origin field of CVEs populated this way will display "Browser extension."
View CVE details
You can view the details of the listed CVEs.
To view CVE details:
- From the Threat Command main menu, select Risk Analyzer.
The Vulnerabilities page is displayed.
- (Optional) You can filter the displayed CVEs list.
See a filter description in Filter the VRA page.
- The Vulnerabilities page displays each CVE in a separate row.
To see CVE details, click a CVE.
The Vulnerabilities page shows the following information per CVE.
|The CVE number, as registered in NVD.
If the CVE is trending, an icon is displayed.
|The technologies to which the CVE relates. If the technology is followed by "(+X)", the CVE affects multiple technologies. The CVE CPEs tab shows all affected technologies, or you can hover to see a quick list.
If CPEs are imported from the Technologies in use asset (and sometimes from a Tenable or Qualys integration), and the CPE information is available, the tooltip will differentiate between Your CPEs (related to your environment) and General CPEs. For example:
(This is also shown in detail in the CPEs tab.)
|A targeted, enriched score that takes into account:
- Trends and findings by non-malicious actors (security experts, IT personnel).
- Trends and findings by hackers and malicious actors (dark web, hacker forums, social media, etc.).
- Exploits found and the ease of use of these exploits. If a POC is found that is not yet an exploit, that will also increase the score.
- Scoring over time, i.e. the proximity of mentions to the current date.
- CVSS score.
|Times that the CVE is mentioned across all searched areas. Mentions are a very strong sign of a potential threat.
|How many hosts are affected.
Available when configured with the Tenable and Qualys integrations at the Automations > Integrations > Cloud tab.
|CVSS score, from NVD.
|Date that the CVE was first reported, from NVD. This is the default sort field.
| - CVE is trending
- CVE has an available exploit
- CVE has a related cyberterm
|Click to see the vulnerability in the Alerts page. Only alerts that were elevated with the Alert Profiler can become alerts.
You can view the rest of the CVE details as described in CVE Details.
Filter the Vulnerability Risk Analyzer page
You can filter the page so the results are more relevant. The following table shows the filters that you can use:
| To filter by CVEs that match this | Use this filter |
| --- | --- |
| CVEs with a specific CWE | Vulnerability Type - Type a Common Weakness Enumeration. |
| A technology product family (like Google Chrome) | Product - After you type the first few letters, you can select from the displayed list. |
| Hostname (This filter is available only if host information collection is enabled in Tenable.io or Qualys integrations.) | Hostname - After you type the first few letters, you can select from the displayed list. |
| A technology with a specific version (like Google Chrome x.x.x.x) | CPE - After you type the first few letters, you can select from the displayed list. |
| A known exploit exists | Exploit Availability - Choose from Exploit, POC, or None. |
| CVEs scored by Rapid7 | IntSights Score - Select scores to match. |
| CVEs that are trending | Trending CVEs - Select Show only Trending CVEs. |
| CVEs in a specific score range | CVSS Score - Select scores to match. |
| Reported on a certain date | Report Date - Select a date range. |
| Published on a certain date | Publish Date - Select a date range. |
| Updated on a certain date | Update Date - Select a date range. |
| CVEs that have a related alert | Alerts - Select Show only CVEs with related alert. |
| CVEs with a related Threat Library cyberterm | Cyberterms - Type cyberterms to match. |
| CVE origin (for example, Tenable.io or Browser extension) | Vulnerability Origin - Select desired origins. |
| Scanned hosts operating systems (This filter is available only if host information collection is enabled in Tenable.io or Qualys integrations.) | Operating System - Select operating system. |
| Scanned hosts with tags (This filter is available only if host information collection is enabled in Tenable.io or Qualys integrations.) | Tags - Select tags. |
Vulnerabilities remain in Threat Command until they are no longer relevant. How relevance is determined depends on where the CVE originated:
- Originated in CVE integrations (like InsightVM or Tenable) - These CVEs are synced every few hours and are constantly updated based on the integrated vulnerability management solution. When a CVE stops being relevant to an account (like when the vulnerability was patched), it will not be sent in the next sync and is removed from the VRA environment.
- Originated in ‘Technologies in use’ assets - These vulnerabilities are synced against NVD every few hours. When a CVE stops being relevant to any of the user’s CPEs, the CVE will remain in the VRA environment for 21 days as a precaution, and then it will be removed. A CVE can stop being relevant due to updates made by NVD (like removing the linkage between a CPE the account is using and a CVE), deletion of an asset, or other reasons.