Endpoints Overview

The SP360 Endpoints Dashboard offers significant functionality for continuously monitoring your network as part of your Vulnerability Management regime. It enables you to get deeper insights into different Key Performance Indicators (KPIs) for your external, internal, and AWS Endpoints, by offering numerous filters to configure the view of your vulnerability data.

This dashboard enables you to focus on the vulnerabilities that are most important for your organization. In addition to illustrating the “current state” of vulnerabilities, it also adds significant insight into the historical “trending” so you can see the progress your organization is making in addressing any and all outstanding vulnerabilities.

Filtering Chart Content

For ease of use, the dashboard has options/buttons at the top of the dashboard that can be used to filter the chart information. In addition, the last section of the dashboard (i.e., the Endpoint list) allows you to include or exclude the Endpoints that contribute to the vulnerability data.

Options/Buttons	Descriptions
Severity	From this drop-down you can select one or more severities of interest to alter the charts accordingly. The severity of each vulnerability is classified as Urgent, Critical, Serious, Medium and Minimal.
	By clicking this button, you can filter (limit) all the available vulnerability information to only external Endpoints. All the charts will be modified to show entries specific to external Endpoints. When multiple types of Endpoints are included in the display, hovering the cursor over the chart shows the breakdown of vulnerabilities between external, internal, and AWS Endpoints, as shown above.
	By clicking this button, you can filter (limit) all the available vulnerability information to only internal Endpoints. In order to gather information about internal Endpoints, an additional Qualys appliance needs to be purchased and installed.
	By clicking this button, you can filter (limit) all the available vulnerability information to only those from AWS Endpoints.In order togather information about AWS Endpoints, an additional Qualys appliance needs to be purchased and installed.
Duration	Using this control, you can establish the time-period the chart covers. The available options are 4 weeks, 3 months, 6 months or 1 year.
Interval	Using this control, you can establish the period of time each data point represents. The available intervals are 1 week, 4 weeks, 3 months, 6 months or 1 year. The intent is to enable you to view the trending over the desired time periods; for example, month-over-month, or quarter-over-quarter.
	To view the vulnerability counts for each interval in all the charts you can use this toggle button, which removes the need to hover over the chart.

The Endpoints dashboard provides information in three sections:

Vulnerabilities Trending History
Current Vulnerabilities (i.e., current counts)
Vulnerability Metrics

Vulnerabilities Trending History

Vulnerability Trending History (which is a collapsible section) provides you with an overall trending of vulnerability counts, so that you can observe the progress made over time. The data is represented in charts (as shown above) and segmented with a separate chart for:

Total Number of Vulnerabilities
New Vulnerabilities
Reopened Vulnerabilities
Fixed Vulnerabilities
Ignored Vulnerabilities

Note: In the lower four Trending Charts, you will find two annotations. The annotation displayed on top shows the number of vulnerabilities (i.e., New, Reopened, Fixed or Ignored) discovered since the completion of the last Interval chosen, so it represents a partial Interval. The period covered increases by a day, each day, until the Interval is completed and a new one starts.

The annotation displayed on the bottom shows the vulnerabilities discovered for the last full Interval retroactively from today, such as 1-week, 4-weeks, and so on. This is a sliding interval that shifts each day. When selecting a 1-week Interval, both annotations are “drillable”, allowing you to see the corresponding vulnerabilities. For Intervals other than 1-week, only the second annotation is “drillable”.

Total Number of Vulnerabilities

The trending of all existing vulnerabilities (i.e., New, Reopened, Fixed, or Ignored) and filtered according to the controls discussed above. Often organizations will be most interested in the highest severity vulnerabilities and will limit the charts to Urgent and Critical vulnerabilities.

New Vulnerabilities

This chart provides you with insight into “new” vulnerabilities, meaning those vulnerabilities that were discovered for the first time within the chosen interval. For example, if you chose an interval of one week, the chart would show how many new vulnerabilities were found for each complete week, for the entire chosen duration.

Reopened Vulnerabilities

This chart provides you with insight into “reopened” vulnerabilities, meaning those vulnerabilities that were previously remediated, but re-discovered within each chosen interval and for the duration. In general, “reopened” vulnerabilities should be rare.

Fixed Vulnerabilities

This chart provides you with insight into those vulnerabilities that have been remediated within each chosen interval for the duration. Most organizations find this insightful and will correlate these numbers to their most recent development or IT efforts.

Ignored Vulnerabilities

This chart provides you with insight about the “ignored” vulnerabilities for the chosen interval. Vulnerabilities may be manually ignored by users, or the application may “auto-ignore” any vulnerability that is associated with an Endpoint that has not been reachable (scannable) in the past 30 days. You may choose to ignore a vulnerability if it is associated with a piece of equipment (e.g., a router) that you know is about to be taken out of service, and therefore you do not want to clutter the dashboard with vulnerabilities that do not need to be explicitly addressed.

Current Vulnerabilities

Current Vulnerabilities (which is a collapsible section) provides you with charts that show the current vulnerability counts in the following categories:

By Severity – which allows you to quickly focus on the most severe vulnerabilities.
Patchable – to highlight those vulnerabilities that can be easily remediated by applying the latest available vendor patches.
By Status – to easily discern all vulnerabilities (i.e., current and historical) and their statuses.
Obsolete Vulnerability Groups – to identify vulnerabilities that can be easily remediated by upgrading to newer, vendor-supported versions; in other words, these vulnerabilities are being generated by end-of-life unsupported software. This is a dangerous practice since the vendor is no longer providing updates to protect against new security threats. Since all these vulnerabilities of this type are considered “Urgent” this chart shows the vulnerabilities groups by type.
Group by QID – another grouping chart that shows your vulnerabilities in groups. Groups allow you to easily understand the types of vulnerabilities that are most common and that by addressing their underlying root cause can, enable you to address multiple vulnerabilities at a time.

For the Severity, Patchable and By Status bar charts, the counts are presented by four bars; in total, and then broken out by External, Internal, and AWS Endpoints. If you opt for just internal, external or AWS Endpoints, the chart is reduced to a single bar for each category.

By default, these counts are represented as bar charts. If you prefer to see the counts expressed as percentages and in a pie chart format, click the action icon to the right of the Current Vulnerabilities heading, as shown above.

The two “grouping” charts, Top 10 Obsolete Vulnerability Groups and Top 10 Groups by QID provide powerful additional functionality.

By clicking the action icon in the upper-right corner of those charts, you can view a pop-up (shown below) that lists all groups (not just the Top 10) and provides additional information, as well as the ability to apply bulk functions, such as ignoring all the vulnerabilities in that group. The action icon allows you to see each vulnerability in the group, whereas allows multiple vulnerabilities (with the same QID) to be ignored more conveniently with a single request.

Vulnerability Metrics – Severity

Vulnerability Metrics (which is a collapsible section and is by default collapsed) provides insights into how long your open vulnerabilities have been open, and how long it took to close your remediated vulnerabilities. Often organizations have Service Level Agreements (SLAs) that commit them to addressing vulnerabilities (especially Urgent and Critical) within a given timeframe.

The Vulnerability Metrics are presented in one of two formats, that can be toggled by clicking the icon on the upper-right hand portion of this section. By default, the Severity-based format is shown, which contains the following two bar charts.

Days (Average Time Open)

This bar chart shows the total number of open vulnerabilities (upper right) and the average number of days (upper left) that the vulnerabilities has been open. Hovering over each bar in the bar chart will show how many vulnerabilities were considered for the metric calculations.

Days (Average Time to Closure)

This bar chart shows the number of vulnerabilities closed in the specified time frame (upper right) and the average number of days (upper left) that the vulnerabilities were open before being closed.

Clicking on the action icon to the far right of the Vulnerability Metrics header displays a “Timeband” label, and breaks down the number of vulnerabilities by ranges of days, for example, those open less than three days, or between three and seven days. This data is presented in pie chart format.

Notice that the icon used to toggle between Severity-based and Timeband-based formats changes depending on which format is currently displayed.

Endpoint (Asset) List

The last sub-section of the dashboard lists all the Endpoints that contribute to the vulnerability data, and allows users to tailor the vulnerability metrics being shown by including or excluding specific Endpoints. To better understand the operational details, let’s first breakdown the key features this sub-section offers.

The upper left corner of the Endpoint (Asset) List contains a blue box with the number of assets meeting your selection criteria. Users can select the Endpoints of interest by clicking the associated checkbox, which will be noted in the Selected count, as shown below.

Action Icons and Filtering Options

The upper right corner of the Endpoint (Asset) List offers four action icons, two dropdown filters, and a search bar.

Action Icons	Function
	You can limit the Endpoints being considered. This is accomplished by selecting the Endpoints of interest and then clicking the update action icon. For example, if you know that an Endpoint is being retired (i.e., taken out of service) sometime soon and you do not want the dashboard cluttered by that Endpoint’s vulnerabilities, you can exclude that Endpoint from the dashboard (by not selecting it).
	Clicking on this icon results in resetting the dashboard to its default state.
	Clicking on this icon presents two options: “Export Endpoints” – downloads (in CSV format) all details for all/filtered list of Endpoints. “Export Alias” – downloads (in CSV format) a subset of details for all/filtered Endpoints identifying each asset (by its IP address) and providing the associated alias (if any). This export is typically a prerequisite for the “Import” functionality described below, saving you time by creating the file that will be used for that import. You would then only be required to edit the generated CSV file by adding the Aliases you wanted to define. Note: In Qualys, user-friendly names, serve an equivalent function to aliases, and can be assigned to AWS and Internal Endpoints. If these names are assigned, SP360 will display them below the Endpoint IP address, enclosed in parenthesis and labelled as “Asset Name,” as shown below. In cases where both a user-friendly name and alias coexist, both will be displayed in a consistent manner.
	You can “Import” a CSV file to add/edit multiple aliases by clicking this action icon. This is a useful and more efficient way for users to assign aliases to multiple assets in a single action, as compared to doing this one at a time via the UI.

Filtering Options

These two filter bars allows you to select which Endpoints to display based on the following attributes.

Filter Type

Definition

Endpoint Asset Type

This filter allows you to select Endpoints based on asset type. Available types are:

All: All of the existing Endpoints, regardless of asset type.
Internal: Includes all internal Endpoints only, which requires the installation of a Qualys appliance for those internal Endpoints to be visible.
External: Includes all external public Endpoints only.
AWS: Includes all AWS Endpoints only, which requires the installation of a separate Qualys appliance for those AWS Endpoints to be visible.

Aging Status

Using this drop-down filter, the end user can view Endpoints based on the following three options:

“Active” - the default view which shows all active Endpoints, including those that are in the aging process but haven’t been aged-out (or deleted) yet.
“In Aging-Out Process” - displays assets in the aging process that have 20 or less days left before they age out. Since there may be many assets and only a small subset may be in the process of aging out, this filter option provides a consolidated view so the aging assets can be seen together.
“Deleted (Aged-Out or Manual)” – displays all deleted assets, whether they have gone through the aging process or have been manually deleted.

This filter allows you to select Endpoints based on their aging status. If an Endpoint is inaccessible and hasn’t been scanned for 30 consecutive days, SP360 will automatically “age-out” (remove) that Endpoint and its associated vulnerabilities. This will be a “soft delete” within SP360, and a “hard delete” within Qualys.

On this “Aging Status” view, the “Last Scanned Date” column shows the most recent date the Endpoint was scanned. The date will be shown in amber when it has less than 20 days left before it is aged-out, and in red when it has less than 10 days.

Search Bar

This search bar will filter the Endpoint list based on a value entered. For example, if the end user wants to search for particular Endpoints in an IP range, typing the value in the upper part of the range (e.g., "172.93") in the search bar will list all the Endpoints within that range.

The Endpoint list includes the following details:

Attributes	Definition
Qualys ID	The unique ID number assigned to each Endpoint by Qualys.
IP	The IP Address of the Endpoint. Additionally, if the Endpoint has had an alias defined within SP360 or has a user-friendly name in Qualys that is shown as well.
Type	The Endpoint type (i.e., External, Internal, or AWS).
Vulnerability Count	The total number of vulnerabilities associated with that Endpoint.
Created Date	The date on which the Endpoint was first detected (scanned).
Modified Date	The date on which the Endpoint was last detected as having changed state.
Last Scanned Date	The date on which the Endpoint was last attempted to be scanned.

Each Endpoint has three available icons on the right side of each line.

Icons	Definition
	Clicking on this icon allows editing of the alias for the specific Endpoint, which could be to create it, change it, or remove it. Aliases are useful because a meaningful name is easier to remember than the complex numeric IP address that was assigned to the Endpoint. Aliases are included in searches.
	Clicking on this icon displays all vulnerabilities associated with that Endpoint. For more information about the Vulnerabilities page, click here
	Clicking on this icon displays detailed information about that Endpoint, as shown below.