The vulnerability analysis report answers the question: what vulnerabilities pose the greatest risk to my environment? By default, the main page of the vulnerability analysis report shows the top 100 vulnerabilities that carry the most risk in your environment. This list can be filtered down to your liking (as described in the previous section), and clicking on any of the vulnerability items in the report will bring you to the detail page for that vulnerability.
Each report offers various filters to help narrow down the results that are visible. At the very least, you can narrow down the number of results you are viewing (100, 50, 25, and 10), but most reports have much greater filtering capability. Some filters are present on the screen at all times, but most of the more advanced filters for a report can be accessed by clicking the "filters" button in the top bar of the screen. Doing so will open up the advanced filter form and, depending on the report, it will look something like the following:
Altering any of the values in the filter form and clicking "Apply" will refresh the data and show the applied filter at the top of the screen in the applied filters bar.
The applied filters will stack and can be removed en masse or one at a time.
The Vulnerability Instances report has some other clever ways of adding and removing filters as well. Because the visual on the page is an icicle chart, clicking on any of the categories within the chart will also apply that category as a filter, which can be removed by clearing it out of the applied filters bar. Additionally, it is possible to group your results in the instances report by host, patch, vulnerability, or scanner signature and then further filter your results by clicking on the green filter button at the far right of any result row in the table below the icicle chart.
In the following example, the results were grouped by patch and then filtered down further by clicking on the add filter button on a specific row of the table. Once clicked, the data refreshed and the patch was added to the applied filter bar at the top of the screen. The resulting table also changed: the specific row that was added as a filter now shows a red remove filter button (clicking on it will remove the filter) and, in this case, any rolled-up patches that also include the patch that you are filtering on.
Saving Filters: If at any time you would like to be able to easily get back to a particular filtered state, it is very easy to save a currently filtered report. Simply open up the filter form by clicking the "+ Filter" button and click on the "Saved Filters" dropdown in the top right. Select the "Save Current Filters" option and give the filters a name. The filtered report will now be saved in the saved filters list until it has been cleared out.
Any report can be exported as an Excel spreadsheet or PDF. For more information on exporting, see the Reporting Exports Section of the help documentation.
With the exception of Vulnerability Instances, each report has a detail view of each item in the report. To view the details of a given host/patch/vulnerability/user, you can click on either the line representing the item in the bar chart at the top of the screen or the right arrow at the end of a row in the lower table. Regardless of the method of getting there, a detail view will look something like the following:
The previous example is of a host detail view, but a lot of the same elements and sections appear on the detail view for all report types. The detail view can be broken down into the following 4 main sections:
1. The Overview Header: At the top of the page you will see the header for the selected item. The header contains glanceable statistics and information relevant to the item. This is meant to be a quick way to assess the item and not an exhaustive repository of all the information DeepSurface has on the item. Depending on the specific report, the overview header will contain slightly different information. For Hosts, Patches, and Vulnerabilities, the Overview header will contain a high-level breakdown of prioritized vulnerability instances, risk information, statistics related to associated host/patch/vulnerability counts, and a high-level breakdown of the exploit status of all vulnerabilities associated with this item. The users report is a bit sparser and will only contain the name of the given user, risk information, and other relevant high-level statistics. For detailed information, refer to the following sections:
2. Critical Paths and Sensitive Assets: The most dominant element on the screen is the critical paths visualizer. The purpose of this section (along with the associated critical sensitive assets section on the right) is to answer the question "What is the problem?" On page load, the visualizer will show the top 3 critical paths associated with this item. If the item is a host, it will show the paths that pass through this host. This does not necessarily mean that the path begins or ends with a given host, but just that the host is part of the path. For vulnerabilities, the visualizer will show the top 3 paths that exploit the given vulnerability somewhere along the path. Likewise, for a patch, the top 3 paths show where a given path is possible because the patch has not been applied. Mousing over any section of the path visualizer will highlight the entire path to make a particular path easier to see, and clicking on any segment or node in the path will bring up a modal with more information about that part of the path (discussed in a moment). To the right of the critical paths is a list of all critical sensitive assets that are exposed as a result of this item. If the item happens to be a host, this list will also show any sensitive assets that are directly on the given host in addition to any assets that are left exposed as a result of exploitable vulnerabilities on the host.
As mentioned above, clicking on a given segment or node of a path will bring up a wealth of further information about the item clicked on. When clicking on a node of the path, a smaller modal will show anything interesting about the node, such as impact score, password information, user activity, etc.
Clicking on a segment is a much more detailed experience. If a given segment has a color-coding in the path, then this specific part of the path has some level of criticality that should be addressed. Clicking into an orange segment, for example, might show you something like the following:
At first, the interface shows you an overview of the segment that was clicked and a quick summary of what the segment represents in the path, followed by all of the known vulnerabilities that allow this segment to exist in the path. The vulnerabilities are ranked by risk criticality and clicking on any of the vulnerabilities in the list will expand the modal to full-width and show you all of the information that DeepSurface has about a given vulnerability. The first section of the expanded content will show all of the information that DeepSurface received from your vulnerability scanner, followed by additional vulnerability information and DeepSurface ratings. Clicking "More Information" in the Vulnerability Information section will open up a new tab and bring you to the details page for that vulnerability.
3. Remediation Information: Below the Path and Sensitive Asset sections on the page is the Remediation Information section of the interface. The upper section of the page answers the question "What is the problem?", and this lower section answers the question "What can I do to fix it?" For a given report (Host/Patch/Vulnerability), this section will show several collapsible sections, 2 of which will always be open by default on page load. If the report is a host, the open sections will be "Missing Patches" and "Vulnerabilities". For a patch the sections will be "Affected Hosts" and "Vulnerabilities Addressed", and for a vulnerability the sections are "Affected Hosts" and "Missing Patches". Below is what this section might look like for a host detail page:
Below these open sections will be other sections that may or may not be open by default on page load. The contents of these sections will vary depending on the report type and will be discussed in further detail below. Above these open sections are 2 buttons. The "View Instructions" button will bring up a modal showing all the things needed to remediate a given item. This modal will have a "Print/Save" button that will allow you to quickly export this information as a PDF and send it to whoever needs to take action.
The other button in this section is the "Add to Plan" button. Clicking on this will allow you to add the item to either a remediation or accepted risk plan. These choices are discussed in much greater detail in the respective sections of this documentation.
Related Scan Signatures: For Host, Patch, and Vulnerability detail pages, the remediation information section will always contain any related scan signatures from your configured vulnerability scanner(s). Clicking on any of the scan signature buttons will open up a modal that gives you all of the information that DeepSurface uses from your vulnerability scanner, as well as any additional analysis that DeepSurface provides (if available). The information and layout in this modal are nearly identical to those in the modal that appears when clicking on a segment in the critical paths section above. This interface can be useful to see and compare all of the information that DeepSurface is able to gather, combine, and report back to you related to each signature from your scanner.
4. Additional Information: The final section on the page is the "Additional Information" section in the lower right of the screen. This section will include any additional information that will help you to understand what exactly this item is. For hosts and patches, a CVSS breakdown chart is included, along with any descriptions and/or pertinent information. A vulnerability will show the full description and any external links etc.
Each report type has additional sections in the remediation information area that are specific to a given report.
Affected Hosts: A list of all the hosts that this vulnerability affects. The top 200 are listed below, and clicking on any of them will bring you to the corresponding host detail page. If there are more than 200 hosts that this vulnerability affects, the interface will provide a link that will redirect to the hosts report, filtered down by this specific vulnerability so that you can page through all of the results.
Missing Patches: A list of all the available patches that could fix a given vulnerability and have not been applied. The top 200 are listed below, and clicking on any of them will bring you to the corresponding patch detail page. If there are more than 200 patches that could fix this vulnerability, the interface will provide a link that will redirect to the patches report, filtered down by this specific vulnerability so that you can page through all of the results.