How Cisco Vulnerability Management Normalizes Vulnerability Data from Multiple Sources

Why are there a different number of vulnerabilities in Cisco Vulnerability Management than in my scanner?

After bringing in your vulnerability data from various connector sources, you may be wondering why you see a different number of vulnerabilities in Cisco Vulnerability Management than you do in your source tools.

Cisco Vulnerability Management normalizes the vulnerability data by the CVE, CWE or WASC identifier. This is how we are able to ingest data from many different sources and represent it across multiple tools. Individual scanning tools may normalize in other ways and this can lead to a difference in counts between the tools.

A scanning tool may represent vulnerabilities based on their unique vulnerability signature or unique identifier. When that data comes into Cisco Vulnerability Management, we normalize it based on the CVE/CWE/WASC. Below are some common examples that we've observed.

Qualys and QIDs

Qualys uses a QID as its unique identifier. A single QID can represent a vulnerability check for 1 CVE or multiple CVEs. When that is normalized in Cisco Vulnerability Management, a QID that spans 4 CVEs will be listed as 4 vulnerabilities on the Cisco Vulnerability Management side and 1 vulnerability on the Qualys side. See the example below:


Prisma and ALAS Findings

Similar to QIDs, Amazon Linux (ALAS) findings can have a one-to-many relationship with CVEs. If you import ALAS findings via any Prisma connector, we will create separate vulnerabilities for each CVE associated with the ALAS finding.


How can I tell which scanner reported which vulnerability?

Each scanner that brings in a vulnerability has a Scanner ID number. You can use the Scanner ID column (shown in the image above) on the Vulnerabilities tab to see the source’s unique identifier. You can also filter on a particular scanner to see all the associated vulnerabilities should you need to do any cross-referencing.

If you have multiple connectors that are bringing in data for the same subset of assets, you will also see that Cisco Vulnerability Management creates separate tabs in the vulnerability details section. These are called “scanner vulns”. Keep in mind that we will not close a vulnerability until the vulnerability is reported closed from ALL original sources.
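The following is an added illustration, not Cisco's code, of the one-to-many expansion described for QIDs and ALAS findings and of the close-only-when-all-sources-agree rule. The record layout, the (asset, CVE) grouping key, and every identifier in the sample data are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample findings. Scanner IDs, CVE IDs and the asset name are
# placeholders, not real identifiers.
FINDINGS = [
    {"connector": "Qualys", "asset": "web-01", "scanner_id": "QID-EXAMPLE-1",
     "cves": ["CVE-EXAMPLE-1", "CVE-EXAMPLE-2", "CVE-EXAMPLE-3", "CVE-EXAMPLE-4"],
     "status": "open"},
    {"connector": "Prisma", "asset": "web-01", "scanner_id": "ALAS-EXAMPLE-1",
     "cves": ["CVE-EXAMPLE-4", "CVE-EXAMPLE-5"],
     "status": "closed"},
]

def normalize(findings):
    """Expand each scanner finding into one vulnerability per (asset, CVE).

    Each vulnerability keeps a list of the scanner findings that reported it
    (the "scanner vulns"), so the source Scanner ID stays traceable.
    Grouping by (asset, CVE) is an assumption made for this example.
    """
    vulns = defaultdict(list)
    for finding in findings:
        for cve in sorted(set(finding["cves"])):  # a CVE listed twice counts once
            vulns[(finding["asset"], cve)].append({
                "connector": finding["connector"],
                "scanner_id": finding["scanner_id"],
                "status": finding["status"],
            })
    return dict(vulns)

def status(scanner_vulns):
    """A vulnerability is closed only when ALL reporting sources say closed."""
    return "closed" if all(s["status"] == "closed" for s in scanner_vulns) else "open"

def reconcile(findings):
    """Return (finding count in the source tools, normalized count, per-vuln report)."""
    vulns = normalize(findings)
    report = {
        key: {"status": status(sv),
              "scanner_ids": sorted(s["scanner_id"] for s in sv)}
        for key, sv in vulns.items()
    }
    return len(findings), len(vulns), report

if __name__ == "__main__":
    source_count, normalized_count, report = reconcile(FINDINGS)
    print(f"source findings: {source_count}, normalized vulnerabilities: {normalized_count}")
    for (asset, cve), info in sorted(report.items()):
        print(asset, cve, info["status"], info["scanner_ids"])
```

In this sample, the vulnerability reported by both connectors stays open because only one of its two sources has reported it closed.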

The image below shows the vulnerability details page and the separate tabs for each connector name that brought in that vulnerability.




