Applicable to Entuity v22.0 GA upwards
To disable vulnerability monitoring for a device or devices
To add/assign CPEs to a device or devices
To view further details of a device
To replace a CPE Name
To remove CPE Name(s) from a device
To export CPE Names
Introduction:
From the Device Management tab you can view and configure devices for vulnerability monitoring. This tab has two tables: the Devices table and the CPEs table. By default, the Devices table lists all the devices in your network that are managed by Entuity. When you select a device in the Devices table, the CPEs table is populated with the CPE Names assigned to the selected device.
From this tab, you can enable and disable vulnerability monitoring for a selected device or devices, and assign CPEs to a selected device or devices. There are no restrictions on which CPEs you may manually assign to a device (including custom devices and ping-only devices), meaning you can scan for potential vulnerabilities relating to e.g. hardware, OS/firmware, and applications.
You can also add CPEs (either individually or in bulk), which is useful if you cannot find them via CPE Search in the CPE Dictionary, or if you already know which CPE Names you wish to add.
You can also see here the CPE candidates that have been discovered through the use of CPE mapping rules. CPE candidates are only discovered for devices that have vulnerability monitoring enabled. Candidates are displayed in the CPEs table.
By default, devices are disabled for vulnerability monitoring.
This tab is applicable only to servers, not configuration sets.
CPE structure:
A CPE is an identifier used to match a vulnerability against hardware, an OS, or an application.
Entuity uses the CPE v2.3 Naming Specification for CPE names. The structure of CPE Names is as follows:
cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
where:
Attribute | Description |
---|---|
part | specific product part: 'a' for applications, 'o' for operating systems, 'h' for hardware. |
vendor | product vendor/manufacturer. |
product | product title or name. |
version | vendor-specific alphanumeric string of the product release version. |
update | vendor-specific alphanumeric string of the product update, service pack, or point release. |
edition | (deprecated field - only required for backwards compatibility with CPE v2.2) edition-related terms applied by the vendor to the product. |
sw_edition | product market or end user class. |
target_sw | software computing environment on which the product operates. |
target_hw | instruction set architecture (e.g. x86) on which product operates. |
language | language supported in the product UI. Must be valid language tags as defined by RFC 5646. |
other | other vendor- or product-specific descriptive or identifying information that does not logically fit any other attribute above. |
Devices table:
The Devices table lists all devices under management by Entuity. This table displays the following information:
Column Name | Description |
---|---|
Asset Name | device name, as taken from Asset Management. |
IP Address | device's IP address, as taken from Asset Management. This column is hidden by default. |
Type | device type, as taken from Asset Management. This column is hidden by default. |
Vendor | device's manufacturer, as taken from Asset Management. This column is hidden by default. |
Model | device's model, as taken from Asset Management. This column is hidden by default. |
Version | device's version, as taken from Asset Management. This column is hidden by default. |
Description | device's description, as taken from Asset Management. This column is hidden by default. |
Polled Name | device's polled name, as taken from Asset Management. This column is hidden by default. |
Enabled | if vulnerability monitoring has been enabled for this device. |
CPE Count | total number of CPEs belonging to the device. |
Hardware CPE Count | total number of Hardware CPEs belonging to this device. Indicated by the CPE part 'h' (please see this article for help and information on CPE structure). This column is hidden by default. |
OS CPE Count | total number of Operating System CPEs belonging to this device. Indicated by the CPE part 'o' (please see this article for help and information on CPE structure). This column is hidden by default. |
Application CPE Count | total number of Application CPEs belonging to this device. Indicated by the CPE part 'a' (please see this article for help and information on CPE structure). This column is hidden by default. |
Deprecated CPEs | total number of deprecated CPEs assigned to a device. A CPE is deprecated if it is listed as being deprecated in the CPE Dictionary. If incidents and events are enabled for Entuity vulnerability monitoring, they will still be raised against deprecated CPEs. This column is hidden by default. |
Unresolved Candidates | total number of new, unresolved candidate CPEs on this device. Unresolved candidate CPEs are potential CPEs that require confirmation before they are considered for vulnerability monitoring scans. For further information, see the section below on resolving unresolved candidates. |
Open Vulnerability Incidents | count of all open Potential Vulnerability incidents currently raised against the device. |
Potential Vulnerabilities | total number of potential unique vulnerabilities raised against all the CPEs belonging to this device, found during the vulnerability monitoring scans. Note that closing Potential Vulnerability incidents will not alter this value, but will alter the value of the Open Vulnerability Incidents column. |
CPE Status | CPE status of the device, from one of the following: |
To enable vulnerability monitoring for a device or devices:
- Navigate to the Device Management tab of the Vulnerability Monitoring page.
- From the Devices table, select the device(s) that you wish to enable for vulnerability monitoring and click Enable at the top of the table (or via the Overflow Menu or right-click Context Menu).
To disable vulnerability monitoring for a device or devices:
- Navigate to the Device Management tab of the Vulnerability Monitoring page.
- From the Devices table, select the device(s) that you wish to disable from vulnerability monitoring and click Disable at the top of the table (or via the Overflow Menu or right-click Context Menu).
- A confirmation dialog will open to prevent accidental disabling.
To add/assign CPEs to a device or devices:
- Navigate to the Device Management tab of the Vulnerability Monitoring page.
- From the Devices table, select the device to which you would like to assign a CPE and click Add CPEs at the top of the table (or via the Overflow Menu or the right-click Context Menu).
- The Add CPEs form will open on the right of the page.
From this form, you can individually or bulk add CPE Names to the CPEs list that exists on the current server. You can remove a CPE or CPEs from this list via Remove CPEs.
When you are ready to add a CPE or CPEs to the selected device, select the desired CPE Names from the list and click Done in the top right of the form, otherwise click Cancel.
Add CPE:
Click to add a single new CPE. You can add a new CPE via Text Input or Attribute (from the Input Method field):
- Text Input: manually specify the CPE Name. You can paste in a CPE Name from the clipboard.
- Attribute: The CPE Name will be created from the input fields below, each corresponding to a specific attribute for the CPE Name. Empty fields will default to ANY, which will then be formatted as a * wildcard in the CPE Name.
The fields can be completed in any order, although it is recommended that you complete the Part, Vendor and Product fields first to narrow down the suggestions provided for the subsequent fields.
- When you click Done to add your new CPE, Entuity will validate the CPE against the local CPE Dictionary with the following potential warnings:
- '[CPE] was not found in the local CPE Dictionary. Do you still wish to add this CPE?' - Yes adds CPE, No resumes form.
- '[CPE] is potentially too vague. [X] matching CPE(s) found! This may significantly increase scan times. Do you still wish to add this CPE?' - Yes adds CPE, No resumes form.
- '[CPE] has been deprecated by [Updated CPE]. Do you wish to add the updated CPE instead?' - Yes adds updated CPE, No adds original outdated CPE.
- Any CPE Name added here will then populate the list on the original Add CPEs form.
Bulk Add:
Click to add multiple CPEs.
Enter a list of CPE Names, separated by either commas or new lines. You can directly paste in the CPE Names that have been added to your clipboard via the Copy CPE Name(s) to Clipboard or Export options from the CPE tables of either the Device Management tab or the CPE Management tab (see this section below for Device Management or this section for CPE Management).
CPE Names added here will then populate the list on the original Add CPEs form.
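The CPE Name structure, the Attribute input rule (empty fields become the * wildcard) and the Bulk Add list format described above, shown as an added Python example that is not Entuity code: it parses and builds CPE v2.3 names and sorts a pasted list before it goes into the form. The function names, the sample names and the "vague" heuristic are assumptions; Entuity's own warning reports the number of matching CPEs in the local CPE Dictionary.

```python
import re

# Attribute order of a CPE v2.3 name, as given in the structure above.
ATTRS = ["part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other"]
PARTS = {"a", "o", "h", "*", "-"}  # application, OS, hardware, ANY, NA

def parse_cpe(name):
    """Split a CPE v2.3 name into its 11 attributes, or raise ValueError."""
    fields = re.split(r"(?<!\\):", name.strip())  # "\:" stays inside a value
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError(f"not a CPE v2.3 name with 11 attributes: {name!r}")
    cpe = dict(zip(ATTRS, fields[2:]))
    if cpe["part"] not in PARTS or "" in cpe.values():
        raise ValueError(f"bad part or empty attribute: {name!r}")
    return cpe

def build_cpe(**attrs):
    """Build a name from escaped values; empty or missing fields become *."""
    unknown = set(attrs) - set(ATTRS)
    if unknown:
        raise ValueError(f"unknown attribute(s): {sorted(unknown)}")
    return "cpe:2.3:" + ":".join(attrs.get(a) or "*" for a in ATTRS)

def split_bulk(text):
    """Split a pasted list on commas or new lines, skipping escaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\)[,\n]", text) if p.strip()]

def triage_bulk(text):
    """Sort a pasted bulk list into (valid, vague, rejected) name lists."""
    valid, vague, rejected = [], [], []
    for name in dict.fromkeys(split_bulk(text)):  # de-duplicate, keep order
        try:
            cpe = parse_cpe(name)
        except ValueError:
            rejected.append(name)
            continue
        # Assumed heuristic: a * vendor, product or version matches many CPEs.
        broad = any(cpe[a] == "*" for a in ("vendor", "product", "version"))
        (vague if broad else valid).append(name)
    return valid, vague, rejected

# Constructed sample list: mixed separators, a duplicate, a v2.2-style name.
SAMPLE = r"""cpe:2.3:a:examplevendor:app\,suite:1.0:*:*:*:*:*:*:*,
cpe:2.3:a:examplevendor:agent:*:*:*:*:*:*:*:*
cpe:2.3:h:examplevendor:router-x:-:*:*:*:*:*:*:*, cpe:/o:examplevendor:os:1.2
cpe:2.3:a:examplevendor:app\,suite:1.0:*:*:*:*:*:*:*"""

print(triage_bulk(SAMPLE))
```

Names in the rejected list (here the v2.2-style `cpe:/o:...` entry) need converting to the v2.3 form before they are pasted into Bulk Add.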
Add Existing CPEs: Click to add CPE Names that already exist on this server to the Add CPEs form.
The Add Existing CPEs form lists the CPE Names that already exist on this server. Select the CPE Names that you wish to add, and click Done in the top right.
CPE Names added here will then populate the list on the original Add CPEs form.
To view further details of a device:
- Navigate to the Device Management tab of the Vulnerability Monitoring page.
- From the Devices table, select the device for which you would like to view further details and right-click to open the Context Menu.
- Click Explore Device. This will open the Summary dashboard for that device.
CPEs table:
This table displays the following information:
Column Name | Description |
---|---|
CPE Name | full CPE Name. |
Title | CPE's title/description, polled from NIST. |
Official ID | CPE's official ID, if applicable, polled from NIST. This column is hidden by default. |
Part | specific product part. This column is hidden by default. |
Vendor | product vendor/manufacturer. This column is hidden by default. |
Product | product title or name. This column is hidden by default. |
Version | vendor-specific alphanumeric string of the product release version. This column is hidden by default. |
Update | vendor-specific alphanumeric string of the product update, service pack, or point release. This column is hidden by default. |
Edition | (deprecated field - only required for backwards compatibility with CPE v2.2) - edition-related terms applied by the vendor to the product. This column is hidden by default. |
Language | language supported in the product UI. Must be valid language tags as defined by RFC 5646. This column is hidden by default. |
SW Edition | product market or end user class. This column is hidden by default. |
Target SW | software computing environment on which the product operates. This column is hidden by default. |
Target HW | instruction set architecture (e.g. x86) on which product operates. This column is hidden by default. |
Other | other vendor- or product-specific descriptive or identifying information that does not logically fit any other attribute above. This column is hidden by default. |
NVD Last Modified | CPE's last modified date, polled from NIST. |
Deprecated Status | if the CPE is deprecated. This column is hidden by default. |
Deprecated By | the CPE to which this selected CPE has been updated, or the CPE by which this selected CPE has been deprecated. |
Assignment Method | method by which the CPE was created/added, from one of the following: |
Devices | device(s) to which this CPE Name is assigned, a comma-separated list if assigned to more than one device. This column is hidden by default. |
Status | status of individual CPE, either no status, Deprecated, or Unrecognized. |
To resolve unresolved CPE candidates:
Unresolved CPE candidates are CPE Names that have been discovered via CPE Mapping Rules (managed under the CPE Mapping Rules tab). Unresolved CPE candidates are listed in the CPEs table with the Status 'Unresolved Candidate'. The total count of unresolved CPE candidates for a device can be found on the Devices table under the Unresolved Candidates column.
By default, unresolved candidates are not scanned. You can edit this through the Scan Unresolved Candidates option on the Edit Global Settings form. Any candidate generated must match the rule specifications.
If you resolve an unresolved CPE candidate, it is added to the device(s) for the next scan. It loses its 'Unresolved Candidate' status and will be considered during scans (i.e., the Scan Unresolved Candidates global setting is no longer applicable).
- Navigate to the Device Management tab of the Vulnerability Monitoring page.
- From the Devices table, select the device containing the unresolved CPE candidates.
- From the CPEs table, select the unresolved CPE and click Resolve Candidates at the top of the table (or via the Overflow Menu or right-click Context Menu). Note that you can only resolve one CPE at a time.
To replace a CPE:
You can select a single CPE Name in the CPE table and replace it with another. The previous CPE Name is deleted from the server, and replaced with the new CPE Name. The new CPE Name is a new object. Any existing device associations are retained.
Note that you cannot replace multiple CPE Names at the same time. However, if the CPE Name you wish to replace is assigned to multiple devices, you can select one or more of those devices in order to replace that CPE Name on those devices.
- Navigate to the Device Management tab of the Vulnerability Monitoring page.
- From the Devices table, select the device(s) to which the CPE Name that you wish to replace is assigned.
- From the subsequently populated CPEs table, select the CPE Name you wish to replace, and click Replace CPE above the table (or via the Overflow Menu or right-click Context Menu).
- The Replace CPE form will open on the right of the window. This is the same form as the Add CPE form (see above).
- Once you have specified your new CPE Name, click Done in the top right to add the new CPE Name, otherwise click Cancel.
- Once added, the new CPE Name will appear in the CPE table in place of the existing CPE Name.
To remove CPE Names from a device:
You can remove a CPE Name from a device via the Remove CPEs button. You can remove more than one CPE Name at a time, and can remove either resolved CPE Names or unresolved CPE candidates.
- Navigate to the Device Management tab of the Vulnerability Monitoring page.
- From the Devices table, select the device to which the CPE Name that you wish to remove is assigned.
- From the subsequently populated CPEs table, select the CPE Name(s) you wish to remove from the device, and click Remove CPEs above the table (or via the Overflow Menu or right-click Context Menu).
- A confirmation dialog will open. Click Yes to confirm.
To export CPE Names:
From the CPE table, you can select one or more CPEs to export. There are two ways by which this is possible:
Copying to clipboard:
- From the CPEs table, select the CPE Names you wish to copy/export.
- Right-click to open the Context Menu. Click Copy CPE Name(s) to Clipboard.
This will copy the selected CPE Name(s) to your clipboard as a comma-separated list, which means you can paste them in this format where needed, e.g. when adding CPE Names in bulk (see above).
Table export:
- From the CPEs table, select the CPE Names you wish to copy/export (no selection needed if you are exporting the entire table)
- From the Overflow Menu, click Export.
- The Export Table Content form will open on the right. Specify your export parameters and click Done in the top right.
- From the resultant .csv file, you can copy the CPE Name column and paste it where needed, e.g. when adding CPE Names in bulk (see above).