Reading vulnerability data on QRadar Vulnerability Insights dashboard

View the vulnerability status of your network from multiple perspectives on the QVI tab.

Each area of the dashboard presents a unique look at the vulnerabilities in your network. The arrows next to the displayed numbers show the relative increase or decrease since the last time your vulnerability status was polled from QRadar®. For example, an upward-pointing arrow represents an increase in that vulnerability status when you compare it with the data from the previous poll.

Dashboard

The following image is an example of the visualization of the vulnerability data that is queried from the QRadar asset database.

Figure 1. Vulnerability Insights

By default, all networks that are configured in your QRadar deployment are represented. You can filter the view by a specific network on the All_Networks menu, which is based on your network hierarchy configuration.

The top row of the graph shows the following data. To view more details, click the number that is associated with each category.

Active instances
Represents all instances of active vulnerabilities (vulnerabilities that are not remediated). The count of vulnerability instances is typically greater than the unique vulnerability count because the same vulnerability that is present on two assets is counted as two vulnerability instances.
Remediated (90 days)
Represents the number of vulnerabilities that are remediated in the last 90 days.
Patched
Represents the number of vulnerabilities for which a software fix has been applied.
Note: The Patched dashboard item is based on the "Patch Status equals Fixed" search parameter, which requires integration with IBM BigFix. The integration allows both products to share vulnerability, asset, and patch management data. For more information about integration with BigFix, see IBM BigFix Integration.
Exploited
Exploited vulnerabilities are vulnerabilities that are compromised in some way.
Note: The Exploited dashboard item is based on the "Days since Last Exploited" default search, which correlates the known IPS and IDS vendor signatures that can detect or protect against a vulnerability with your vulnerability data. To correlate whether an exploit attempt was actually executed, you must create a custom rule based on IPS or IDS events with the following parameters:
  • Rule response: Add to a Reference Map of Sets
  • Reference map name: CorrelatedAttackMap
  • Destination IP as the key
  • QID as the value
Figure 2. Custom rule example
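The following is an added, stand-alone model of the correlation that the Exploited item depends on; it is illustration written for this page, not IBM's code or the QRadar rule engine. It assumes a custom rule that writes each IPS/IDS event's destination IP (key) and QID (value) into the reference map of sets CorrelatedAttackMap, and then marks a vulnerability instance as exploited when its asset IP and QID appear in that map. All event and vulnerability records are constructed sample data.

```python
# Added illustration (not IBM's code): model the CorrelatedAttackMap correlation
# behind the "Exploited" dashboard item. Events and vulnerabilities are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnInstance:
    asset_ip: str   # asset on which the vulnerability was found
    qid: int        # QRadar identifier of the vulnerability / attack signature
    vuln_id: str    # vulnerability identifier (constructed placeholder values)


# Constructed IPS/IDS events as the custom rule would see them: (destination IP, QID).
IDS_EVENTS = [
    ("10.0.1.20", 20001),
    ("10.0.1.20", 20001),   # repeated attack on the same host
    ("10.0.1.30", 20001),
    ("10.0.1.30", 20002),
    ("10.0.9.9", 20003),    # target with no matching vulnerability instance
]

# Constructed vulnerability instances from the asset database.
VULN_INSTANCES = [
    VulnInstance("10.0.1.20", 20001, "VULN-A"),
    VulnInstance("10.0.1.30", 20001, "VULN-A"),  # same vulnerability, second asset
    VulnInstance("10.0.1.30", 20002, "VULN-B"),
    VulnInstance("10.0.1.40", 20003, "VULN-C"),  # asset never attacked on this QID
]


def build_correlated_attack_map(events):
    """Mimic the rule response: a reference map of sets keyed by destination IP."""
    attack_map = defaultdict(set)
    for dst_ip, qid in events:
        attack_map[dst_ip].add(qid)   # set semantics: duplicate events collapse
    return dict(attack_map)


def exploited_instances(instances, attack_map):
    """Vulnerability instances whose asset saw an attack event for the same QID."""
    return [v for v in instances if v.qid in attack_map.get(v.asset_ip, set())]


def exploited_counts(instances, events):
    """Return (exploited instances, distinct exploited vulnerabilities, exploited assets)."""
    hits = exploited_instances(instances, build_correlated_attack_map(events))
    return len(hits), len({v.vuln_id for v in hits}), len({v.asset_ip for v in hits})


if __name__ == "__main__":
    print(exploited_counts(VULN_INSTANCES, IDS_EVENTS))  # (3, 2, 2)
```

The three counts differ in the same way the dashboard's instance, distinct vulnerability, and affected asset figures do: VULN-A on two assets is two exploited instances but one distinct vulnerability.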

The following images show the vulnerability data views of the Dashboard:

Easy to Exploit

Vulnerabilities that are easy to exploit have the following characteristics:
  • Access complexity is low (vulnerabilities are easy to access).
  • The vulnerabilities can be attacked over the network without authentication.
Figure 3. Easy to exploit vulnerabilities

Trending Vulnerabilities

Trending vulnerabilities are vulnerabilities that are reported recently in the news. If you enter your IBM® X-Force® Exchange API Key and Password, the Trending vulnerabilities list is dynamically populated from the X-Force Exchange data correlated with your QRadar Vulnerability Manager vulnerability data.

Figure 4. Trending vulnerabilities

High Risk

Vulnerabilities are categorized as high risk or critical risk.

Instances indicates the total count of vulnerability occurrences; when the same vulnerability impacts more than one system, each affected system is counted separately.

Figure 5. High risk vulnerabilities

Affected Assets

The number of assets that are affected by the detected vulnerabilities.

The following metrics are represented:

Exploitable Assets
Assets that can be exploited because a vulnerability is present on the asset.
Exploited Assets
Assets that are exploited or compromised in some way.
Worst Affected
Any asset whose aggregate risk score is 90 percent or more of the highest aggregate risk score of any asset in your network.
Figure 6. Assets affected by vulnerabilities

Distinct Vulnerabilities

The count of unique vulnerabilities that are found.

The following metrics are represented:

  • Exploitable Vulnerabilities are vulnerabilities that can be exploited.
  • Exploited Vulnerabilities are vulnerabilities that are exploited.
  • Recently Published represents vulnerabilities that were published in the last 30 days.
Figure 7. Distinct vulnerabilities

Explore Visualization

Click the graph to view a graphical representation of the vulnerability status of your network.

Figure 8. Visualization of vulnerabilities

Filter your vulnerabilities by network, state, severity, or operating system.

The following image shows the Explore Visualization page where you can filter by network and other filters.

Figure 9. Explore Visualization graphs

Patch Unavailable

A software update is not available to fix this vulnerability. This can be because an update is not released yet, or because the vulnerability cannot be fixed by a software update at all, such as a weak default password. QRadar receives BigFix content updates on a daily basis.

Figure 10. Patches unavailable

Default Passwords

Vulnerabilities where a login is configured with a known default password.

Figure 11. Default passwords

New Early Warnings

New vulnerabilities that are published in the last 30 days and are detected in your network.

Figure 12. New early warnings