Prerequisites
- User role with security.view permission for viewing CVEs, dashboard, and host vulnerabilities
- User role with security.manage permission for accepting risk, triggering sync, and triggering matching
- Hosts must have agent-reported software inventory (via fingerprint scan or host-info sync) for matching to work
- NVD API key recommended for faster sync -- configure in your environment settings
NVD and CISA KEV sync
The vulnerability database is populated from two data sources that sync automatically and can be triggered manually.
Data sources
| Source | Description | Sync behavior |
|---|---|---|
| NVD | National Vulnerability Database. Primary CVE source with CVSS scores, CPE data, and CWE classifications. | Paginated at 200 CVEs per request. Full initial sync fetches last 2 years. Rate limited: 6s between requests without API key, 0.6s with key. Aborts after 5 consecutive errors. |
| CISA KEV | Known Exploited Vulnerabilities catalog. Actively exploited vulnerabilities with remediation deadlines. | Single JSON download. Fast sync (seconds). Marks matched CVEs as CISA KEV with exploits available. |
Initial setup
- Navigate to Vulnerability Management > Data Sources tab.
- Click Sync All Sources to populate the database. CISA KEV syncs first (fast), then NVD (may take several minutes).
- After sync, the Data Sources table shows status (completed, error, or idle), items synced, and last sync timestamps.
Automated sync schedule
- Daily sync: Fetches new and updated CVEs from NVD and CISA KEV automatically.
- Incremental: After the first full sync, subsequent syncs only fetch CVEs modified since the last sync cursor.
Manual sync triggers
- Sync one source: Click the sync button next to NVD or CISA KEV in the Data Sources tab. Only the selected source is fetched.
- Sync all: Click "Sync All Sources" on the Overview or Data Sources tab. CISA KEV runs first, then NVD.
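The sync loop described above (200 CVEs per page, a fixed delay between requests that depends on whether an API key is present, an abort after 5 consecutive request failures, and an incremental cursor based on the newest lastModified seen) can be written as a small driver. The block below is an added example, not the product's own sync code. It talks to the NVD 2.0 API only through a caller-supplied fetch_page function, and the make_fake_nvd stand-in, the placeholder CVE IDs, the SyncAborted exception and the sleep parameter are all assumptions made for this example so that it runs offline.

```python
from __future__ import annotations
import time
from datetime import datetime, timezone

PAGE_SIZE = 200                     # CVEs per request, as the Data Sources table states
DELAY_NO_KEY, DELAY_WITH_KEY = 6.0, 0.6
MAX_CONSECUTIVE_ERRORS = 5

class SyncAborted(Exception):
    """Raised when a run hits MAX_CONSECUTIVE_ERRORS; the cursor is left unchanged."""

def sync_nvd(fetch_page, api_key=None, last_cursor=None, sleep=time.sleep):
    """Walk the NVD 2.0 CVE feed page by page.

    fetch_page(params) is a caller-supplied HTTP function that returns the decoded
    JSON of /rest/json/cves/2.0 and raises on any HTTP or network failure; the
    apiKey header, if any, is the caller's job. Returns (cve_ids, new_cursor).
    """
    delay = DELAY_WITH_KEY if api_key else DELAY_NO_KEY
    cve_ids, start, total, errors, newest = [], 0, None, 0, last_cursor
    while total is None or start < total:
        params = {"resultsPerPage": PAGE_SIZE, "startIndex": start}
        if last_cursor:
            # Incremental run: NVD requires both bounds together, at most 120 days apart.
            params["lastModStartDate"] = last_cursor
            params["lastModEndDate"] = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000")
        try:
            page = fetch_page(params)
        except Exception as exc:
            errors += 1
            if errors >= MAX_CONSECUTIVE_ERRORS:
                # Do not advance the cursor: the next scheduled run retries the same window.
                raise SyncAborted(f"{errors} consecutive errors at startIndex={start}") from exc
            sleep(delay)
            continue                # retry the same page
        errors = 0                  # only *consecutive* failures count
        total = page["totalResults"]
        for item in page["vulnerabilities"]:
            cve = item["cve"]
            cve_ids.append(cve["id"])
            if newest is None or cve["lastModified"] > newest:   # ISO 8601, so string order works
                newest = cve["lastModified"]
        start += PAGE_SIZE
        if start < total:
            sleep(delay)            # rate limit only between requests
    return cve_ids, newest

def make_fake_nvd(total: int, failures_before_success: int):
    """Constructed stand-in for the NVD endpoint (assumption, for offline use):
    serves `total` placeholder CVEs and makes the first N calls fail like an outage."""
    calls = {"n": 0}
    def fetch_page(params):
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise ConnectionError("simulated NVD 503")
        start = params["startIndex"]
        ids = [f"CVE-0000-{i:04d}" for i in range(start, min(start + PAGE_SIZE, total))]
        return {
            "totalResults": total, "resultsPerPage": PAGE_SIZE, "startIndex": start,
            "vulnerabilities": [
                {"cve": {"id": cid, "lastModified": f"2024-01-{(i % 28) + 1:02d}T00:00:00.000"}}
                for i, cid in enumerate(ids, start)
            ],
        }
    return fetch_page

if __name__ == "__main__":
    ids, cursor = sync_nvd(make_fake_nvd(450, 2), api_key="dummy", sleep=lambda s: None)
    print(len(ids), "CVEs, cursor now", cursor)
```

Two things this makes explicit that the table only implies: the error counter resets on every successful page, so five failures spread across a long run do not abort it, and an aborted run must not move the cursor, otherwise the modified CVEs in the failed window are silently skipped on the next run.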
Vulnerability matching
The matcher compares installed software on each host against the CPE data in the CVE database.
How matching works
- The engine loads all installed software records for the host.
- For each CVE with CPE data, it extracts the product name from the CPE string and tokenizes it.
- Product matching: Checks if all product tokens appear as whole words in the software name (case-insensitive). "ssh" does NOT match "sshfs".
- Version range check: If the product matches and the CPE has version bounds, checks whether the installed version falls within the affected range.
- Matching CVEs create host vulnerability records with status "affected".
- Resolution pass: Existing "affected" vulnerabilities that no longer match are automatically set to "patched".
- Risk acceptance preserved: Vulnerabilities with status "accepted" are NOT re-opened by the matcher.
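The product-token and version-range rules above are easy to get subtly wrong, so here is the matching step as an added example in Python. It is not the product's matcher; the Software and CpeMatch record shapes, the field names start_incl/end_excl/end_incl (standing in for NVD's versionStartIncluding/versionEndExcluding/versionEndIncluding) and the sample inventory with placeholder CVE IDs are all constructed for this example. The example goes slightly beyond the text in that it also handles a CPE whose version field is a concrete version rather than a wildcard.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Software:          # one installed-software record (assumed shape)
    name: str
    version: str

@dataclass(frozen=True)
class CpeMatch:          # one CPE entry attached to a CVE (assumed shape)
    cve_id: str
    cpe23: str
    start_incl: Optional[str] = None   # versionStartIncluding
    end_excl: Optional[str] = None     # versionEndExcluding
    end_incl: Optional[str] = None     # versionEndIncluding

def cpe_fields(cpe23: str) -> list[str]:
    """Split a CPE 2.3 URI into its 13 fields; [] if it is not one.
    Escaped colons (\\:) inside a field are not handled here."""
    parts = cpe23.split(":")
    return parts if len(parts) == 13 and parts[:2] == ["cpe", "2.3"] else []

def tokenize(text: str) -> list[str]:
    """Lower-case and split on anything that is not a letter or digit."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]

def product_matches(product: str, software_name: str) -> bool:
    """Every token of the CPE product must appear as a whole word in the software name.
    'ssh' therefore does not match 'sshfs', but 'openssh' does match 'openssh-server'."""
    tokens = tokenize(product)
    words = set(tokenize(software_name))
    return bool(tokens) and all(t in words for t in tokens)

def version_key(v: str) -> tuple[int, ...]:
    """Numeric-component key: '9.2p1' -> (9, 2, 1). Suffixes like 'rc' or 'beta' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def version_in_range(installed: str, m: CpeMatch) -> bool:
    """True if the installed version is inside the CPE's affected range."""
    fields = cpe_fields(m.cpe23)
    cpe_version = fields[5] if fields else "*"
    k = version_key(installed)
    if cpe_version != "*":                      # concrete version in the CPE: exact match only
        return k == version_key(cpe_version)
    if m.start_incl and k < version_key(m.start_incl):
        return False
    if m.end_incl and k > version_key(m.end_incl):
        return False
    if m.end_excl and k >= version_key(m.end_excl):   # the fixed version itself is not affected
        return False
    return True                                  # no bounds at all: every version is affected

def match_host(software: list[Software], cpe_matches: list[CpeMatch]) -> dict[str, list[tuple[str, str]]]:
    """Return {cve_id: [(package, installed_version), ...]} for every CVE that hits."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for m in cpe_matches:
        fields = cpe_fields(m.cpe23)
        if not fields:
            continue                             # malformed CPE: skip rather than match everything
        product = fields[4]
        for s in software:
            if product_matches(product, s.name) and version_in_range(s.version, m):
                hits.setdefault(m.cve_id, []).append((s.name, s.version))
    return hits

# Constructed sample data with placeholder CVE IDs; not real advisories.
SAMPLE_SOFTWARE = [
    Software("openssh-server", "9.2p1"),
    Software("sshfs", "3.7.3"),
    Software("openssl", "3.0.11"),
    Software("apache2", "2.4.57"),
]
SAMPLE_CPES = [
    CpeMatch("CVE-0000-0001", "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", start_incl="8.5", end_excl="9.3"),
    CpeMatch("CVE-0000-0002", "cpe:2.3:a:example:ssh:*:*:*:*:*:*:*:*"),                 # must not hit sshfs
    CpeMatch("CVE-0000-0003", "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", end_excl="3.0.11"),  # fixed in 3.0.11
    CpeMatch("CVE-0000-0004", "cpe:2.3:a:openssl:openssl:3.0.11:*:*:*:*:*:*:*"),         # concrete version
    CpeMatch("CVE-0000-0005", "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", end_excl="2.4.58"),
]

if __name__ == "__main__":
    for cve, pkgs in match_host(SAMPLE_SOFTWARE, SAMPLE_CPES).items():
        print(cve, pkgs)
```

The last sample CPE shows the failure mode from the troubleshooting table: the product tokens "http" and "server" never appear in the package name "apache2", so the host shows 0 affected hosts for that CVE even though the installed version is inside the range.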
Triggering matching
- Automated: Runs every 6 hours via the scheduler. Matches all hosts with software inventory.
- Single host: Click Run Matching on the host's vulnerability tab -- useful after patching a host.
- All hosts: Click Run Matching on the Overview tab.
Software inventory requirement
Matching requires installed software records for each host. These are populated by:
- Agent host-info sync (automatic on heartbeat when software inventory changes).
- Fingerprint scan jobs (manual trigger from host detail page).
Viewing vulnerability results
Overview dashboard
Navigate to Vulnerability Management > Overview.
CVE database browser
Navigate to Vulnerability Management > CVE Database.
Filter by:
- Search: CVE ID, title, or description text (e.g., "CVE-2024-1234", "openssl", "buffer overflow").
- Severity: Critical, High, Medium, Low.
- CISA KEV only: Checkbox to show only actively exploited vulnerabilities.
- With affected hosts: Checkbox (on by default) to show only CVEs affecting your hosts.
Each CVE row shows: CVE ID, title, severity badge, CVSS score, affected host count, flags (KEV, Exploit, Patch), and published date. Click a row to expand and see: full description, CWE classifications, CISA KEV due date, and a table of affected hosts with hostname, affected package, installed version, fixed version, status, and detected date.
Per-host vulnerability view
Navigate to a host's detail page > Vulnerabilities tab to see its vulnerabilities. Optionally filter by status. Results are ordered by CVSS score (highest first).
Risk acceptance
When a vulnerability cannot be patched immediately (business-critical system, no fix available, etc.), you can formally accept the risk with an audit trail.
- Find the CVE in the CVE Database or per-host view.
- Click Accept Risk on the CVE detail or per-host vulnerability view.
- Enter a reason explaining why risk is accepted (required).
- Optionally set an expiration date -- after this date the vulnerability reverts to "affected" on the next matching run.
- Optionally scope the acceptance to a single host. Without scoping, it accepts for ALL affected hosts of this CVE.
Accepted vulnerability behavior
- Shows status "accepted" (yellow badge) instead of "affected" (red badge).
- Preserved across re-matching -- the matcher does NOT re-open accepted vulnerabilities.
- Records who accepted (IDP user or legacy user) and logs an audit entry.
- Temporal expiry: when the expiration date passes, status reverts to "affected" on the next matching run.
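The status transitions described in "How matching works" (resolution pass, acceptance preserved) and in this section (host scoping, required reason, audit entry, temporal expiry) interact, so here they are together as an added example, not the product's own code. The HostVuln record shape, the audit entry format, the actor string and the sample records are assumptions made for this example. One behaviour the page does not spell out is also an assumption here: an expired acceptance is treated as if the record were "affected" again, so it becomes "affected" if the package still matches and "patched" if it no longer does.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class HostVuln:                             # assumed record shape
    host: str
    cve_id: str
    status: str                             # "affected", "patched" or "accepted"
    accepted_until: Optional[date] = None   # acceptance expiry; None means open-ended

def accept_risk(vulns, cve_id, reason, actor, host=None, until=None):
    """Accept risk for cve_id. Without `host` every affected host of the CVE is accepted.
    Returns (updated records, audit entries), one audit entry per record changed."""
    if not reason.strip():
        raise ValueError("a reason is required to accept risk")
    updated, audit = [], []
    for v in vulns:
        in_scope = v.cve_id == cve_id and v.status == "affected" and (host is None or v.host == host)
        if in_scope:
            v = replace(v, status="accepted", accepted_until=until)
            audit.append({"action": "accept_risk", "host": v.host, "cve": cve_id,
                          "by": actor, "reason": reason, "until": until})
        updated.append(v)
    return updated, audit

def acceptance_expired(v: HostVuln, today: date) -> bool:
    return v.status == "accepted" and v.accepted_until is not None and v.accepted_until < today

def reconcile(existing, current_matches, today):
    """Apply one matching run to the existing records.
    current_matches is the set of (host, cve_id) pairs the matcher produced this run."""
    out, seen = [], set()
    for v in existing:
        key = (v.host, v.cve_id)
        seen.add(key)
        if v.status == "accepted" and not acceptance_expired(v, today):
            out.append(v)                                   # live acceptance: never re-opened
        elif key in current_matches:
            out.append(replace(v, status="affected", accepted_until=None))  # new, expired or reappeared
        else:
            out.append(replace(v, status="patched", accepted_until=None))   # resolution pass
    for host, cve_id in sorted(current_matches - seen):
        out.append(HostVuln(host, cve_id, "affected"))      # first sighting on this host
    return out

def status_map(vulns):
    return {(v.host, v.cve_id): v.status for v in vulns}

# Constructed sample state with placeholder CVE IDs.
TODAY = date(2024, 3, 1)
SAMPLE_EXISTING = [
    HostVuln("web-01", "CVE-0000-0001", "affected"),
    HostVuln("web-02", "CVE-0000-0001", "affected"),
    HostVuln("db-01", "CVE-0000-0002", "accepted", accepted_until=date(2024, 1, 31)),  # expired
    HostVuln("db-01", "CVE-0000-0003", "accepted"),                                     # open-ended
    HostVuln("web-01", "CVE-0000-0004", "patched"),
]
CURRENT_MATCHES = {
    ("web-01", "CVE-0000-0001"), ("db-01", "CVE-0000-0002"), ("db-01", "CVE-0000-0003"),
    ("web-01", "CVE-0000-0004"),                     # patched earlier but matching again
    ("web-03", "CVE-0000-0001"),                     # new host
}

def demo():
    """Accept CVE-0000-0001 on web-01 only, then run one matching cycle."""
    vulns, audit = accept_risk(SAMPLE_EXISTING, "CVE-0000-0001", "vendor fix pending",
                               "alice@example.com", host="web-01", until=date(2024, 6, 30))
    return status_map(reconcile(vulns, CURRENT_MATCHES, TODAY)), audit

if __name__ == "__main__":
    statuses, audit = demo()
    for key, status in sorted(statuses.items()):
        print(key, status)
    print(len(audit), "audit entries")
```

Running demo() leaves web-01/CVE-0000-0001 accepted and web-02 patched (it no longer matches), reverts the expired db-01/CVE-0000-0002 to affected while the open-ended db-01/CVE-0000-0003 stays accepted, re-opens web-01/CVE-0000-0004, and creates a new affected record for web-03.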
Certificate monitoring
The fingerprint system's "certificates" category (Tier 3) tracks SSL/TLS certificates installed on hosts. When combined with alert rules, this provides certificate expiry monitoring.
How it works
- Create a fingerprint policy with the certificates category enabled.
- Capture a baseline for the host -- the agent collects certificate details including expiry dates.
- Subsequent fingerprint checks detect certificate changes (new certs, removed certs, expiry date changes) as drift events.
- Certificate drift events include the certificate subject, issuer, and expiry date in the change details.
Certificate alerts
To get notified about expiring certificates:
- Fingerprint drift events for the certificates category will fire when certificates change.
- Configure alert rules scoped to certificate-related metrics if available.
- Review drift events in Fingerprints > Drift Events filtered by the "certificates" category.
Vulnerability dashboard
The dashboard provides aggregated vulnerability posture for your account, optionally filtered by organization.
- Navigate to Vulnerability Management > Overview.
- Optionally select an organization to narrow the view.
Dashboard data
Monitoring sync health
Check the Data Sources tab regularly for sync issues.
| Indicator | What to check |
|---|---|
| Error status | Indicates sync failures (network issues, API rate limits, NVD outages). Check error details. |
| Last Successful Sync | If stale (more than 24 hours), investigate. NVD and CISA KEV should sync daily. |
| Items Synced | Should increase after each successful sync. A zero count on incremental sync is normal if no CVEs were updated. |
| Consecutive Errors | NVD sync aborts after 5 consecutive request failures within a single run. Retries automatically on the next scheduled run. |
Permissions reference
| Action | Permission |
|---|---|
| View vulnerability dashboard, CVE list, host vulnerabilities, sync status | security.view |
| Accept risk, trigger manual sync, trigger manual matching | security.manage |
Navigation reference
| Feature | Location |
|---|---|
| CVE Database | Vulnerability Management > CVE Database -- browse and search CVEs |
| Dashboard | Vulnerability Management > Overview -- aggregate posture and top CVEs |
| Host Vulnerabilities | Host detail page > Vulnerabilities tab -- per-host view |
| Risk Acceptance | CVE detail or host vulnerability view > Accept Risk |
| Data Sources | Vulnerability Management > Data Sources -- sync status and manual triggers |
| Matching | Vulnerability Management > Overview > Run Matching |
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| "No vulnerability data loaded yet" | CVE database is empty | Trigger sync from Data Sources tab. Initial sync takes several minutes. |
| "No CVEs match your filters" with affected hosts on | No hosts have matching software, or matching has not run | Uncheck "With affected hosts" to browse all CVEs. Run matching if hosts have software inventory. |
| "No hosts have software inventory yet" | Agents have not reported installed software | Run fingerprint scans on hosts. Check agent connectivity and heartbeat. |
| NVD sync slow (minutes) | Rate limiting without API key | Configure an NVD API key in your environment. Without key: 6s delay. With key: 0.6s. |
| NVD sync errors > 5 | NVD API outage or network issue | Check NVD status page. Sync retries automatically on the next scheduled run. |
| CVE shows 0 affected hosts but host has vulnerable software | Product name mismatch in CPE matching, or installed version outside the CPE version bounds | Token-based matching requires every product token to appear as a whole word in the software name. Verify the installed software name contains the CPE product field's tokens, and that the installed version falls inside the CPE version range. |
| Vulnerability reappears after patching | Software inventory not updated | Verify the patch was installed. Check installed version vs fixed version. Run a fingerprint scan to refresh inventory. |
| Risk acceptance disappeared | Acceptance expiration date passed | Re-accept with a later expiry or no expiry. |
| Sync trigger returns HTTP 400 | Unimplemented source requested | Only "nvd" and "cisa_kev" are implemented. USN, RHSA, and MSRC are planned for future releases. |
| High total vulnerabilities but few affected hosts | Many vulnerabilities per host | Normal -- a single host can have dozens of vulnerable packages. Focus on critical/high severity. |