Endpoints Overview

The SP360 Endpoints Dashboard offers significant functionality for continuous monitoring of Endpoint vulnerabilities. It enables you to get deep insights into different Key Performance Indicators (KPIs) for your external, internal, and AWS Endpoints, by offering numerous filters to configure the view of your vulnerability data. The Endpoint dashboard displays data through various charts that can be filtered and tailored as detailed in this help section.

This dashboard enables you to focus on the vulnerabilities that are most important for your organization. In addition to illustrating the “current state” of vulnerabilities, it also provides significant insight into the historical “trending” so you can see the progress your organization is making in addressing any and all outstanding vulnerabilities.

Filtering Chart Content

For ease of use, the dashboard has options/buttons at the top of the dashboard that can be used to filter the chart information. In addition, the last section of the dashboard (i.e., the Endpoint list) allows you to include or exclude the Endpoints that contribute to the vulnerability data.

Note: When multiple types of Endpoints are included in the display, hovering the cursor over the chart shows the breakdown of vulnerabilities between external, internal, and AWS Endpoints, as shown above.

Options/Buttons	Descriptions
Severity	From this drop-down you can select one or more severities of interest to alter the charts accordingly. The severity of each vulnerability is classified as Urgent, Critical, Serious, Medium and Minimal.
	By clicking this button, you can filter (limit) all of the available vulnerability information to only external Endpoints. All the charts will be modified to show entries specific to external Endpoints.
	By clicking this button, you can filter (limit) all the available vulnerability information to only internal Endpoints. In order to gather information about internal Endpoints, an additional Qualys appliance needs to be purchased and installed.
	By clicking this button, you can filter (limit) all the available vulnerability information to only those from AWS Endpoints.In order togather information about AWS Endpoints, an additional Qualys appliance needs to be purchased and installed.
Duration	Using this control, you can establish the time-period the chart covers. The available options are 4 weeks, 3 months, 6 months or 1 year.
Interval	Using this control, you can establish the period of time each data point represents. The available intervals are 1 week, 4 weeks, 3 months, 6 months or 1 year. This option allows you to view the trending over the desired time periods; for example, month-over-month, or quarter-over-quarter.
	To view the vulnerability counts for each interval in all the charts you can use this toggle button, which removes the need to hover over the chart.

The Endpoints dashboard provides information in three sections:

Vulnerabilities Trending History
Current Vulnerabilities (i.e., current counts)
Vulnerability Metrics

Vulnerabilities Trending History

Vulnerability Trending History (which is a collapsible section) provides you with an overall trending of vulnerability counts, so that you can observe progress made over time. The data is represented in charts (as shown above) and segmented with a separate chart for:

Total Number of Vulnerabilities
New Vulnerabilities
Reopened Vulnerabilities
Fixed Vulnerabilities
Ignored Vulnerabilities

Note: In the lower four Trending Charts, you will find two annotations. The annotation displayed on top shows the number of vulnerabilities by type (i.e., New, Reopened, Fixed or Ignored) discovered since the completion of the last Interval chosen, so it represents a partial Interval. The period covered increases by a day, each day, until the Interval is completed and a new one starts.

The annotation displayed on the bottom shows the vulnerabilities discovered during the last full Interval retroactively from today, such as 1-week, 4-weeks, and so on. This is a sliding interval that shifts each day. When selecting a 1-week Interval, both annotations are “drillable”, allowing you to see the corresponding vulnerabilities. For Intervals other than 1-week, only the second annotation is “drillable”.

Total Number of Vulnerabilities

The trending of all existing vulnerabilities (i.e., New, Reopened, Fixed, or Ignored) and is filtered according to the controls discussed above. Often organizations will be most interested in the highest severity vulnerabilities and will limit the charts to Urgent and Critical vulnerabilities.

New Vulnerabilities

This chart provides you with insight into “new” vulnerabilities, meaning those vulnerabilities that were discovered for the first time within the chosen interval. For example, if you chose an interval of one week, the chart would show how many new vulnerabilities were found for each complete week, for the entire chosen duration.

Reopened Vulnerabilities

This chart provides you with insight into “reopened” vulnerabilities, meaning those vulnerabilities that were previously remediated, but re-discovered within each chosen interval and for the duration. In general, “reopened” vulnerabilities should be rare.

Fixed Vulnerabilities

This chart provides you with insight into those vulnerabilities that have been remediated within each chosen interval for the duration. Most organizations find this insightful and will correlate these numbers to their most recent development or IT efforts.

Ignored Vulnerabilities

This chart provides you with insight about the “ignored” vulnerabilities for the chosen interval. Vulnerabilities may be manually ignored by users, or the application may “auto-ignore” any vulnerability that is associated with an Endpoint that was not reachable (scannable) in the past 30 days. You may choose to ignore a vulnerability if it is associated with a piece of equipment (e.g., a router) that you know is about to be taken out of service, and therefore you do not want to clutter the dashboard with vulnerabilities that do not need to be explicitly addressed.

Current Vulnerabilities

Current Vulnerabilities (which is a collapsible section) provides you with charts that show the current vulnerability counts in the following categories:

By Severity – allows you to quickly focus on the most severe vulnerabilities.
Patchable – to highlight those vulnerabilities that can be easily remediated by applying the latest available vendor patches.
By Status – to easily discern all vulnerabilities (i.e., current and historical) and their statuses.
Obsolete Vulnerability Groups – to identify vulnerabilities that can be easily remediated by upgrading to newer, vendor-supported versions; in other words, these vulnerabilities are being generated by end-of-life unsupported software. Using unsupported software is a dangerous practice since the vendor is no longer providing updates to protect against new security threats. Since all vulnerabilities of this type are considered “Urgent” this chart shows the vulnerabilities groups by type.
Group by QID – shows your vulnerabilities in groups. Groups allow you to easily understand the types of vulnerabilities that are most common and that by addressing their underlying root cause can, enable you to address multiple vulnerabilities at a time.

For the Severity, Patchable, and By Status bar charts, the data is displayed in four bars: one representing the total count, and three others broken down by External, Internal, and AWS Endpoints. If you choose to view only the Internal, External, or AWS Endpoints, the chart simplifies to a single bar for each selected category.

By default, these counts are represented as bar charts. If you prefer to see the counts expressed as percentages and in a pie chart format, click the action icon to the right of the Current Vulnerabilities heading, as shown above.

The two “grouping” charts, Top 10 Obsolete Vulnerability Groups and Top 10 Groups by QID provide powerful additional functionality.

By clicking the action icon in the upper-right corner of those charts, you can view a pop-up (shown below) that lists all groups (not just the Top 10) and provides additional information, as well as the ability to apply bulk functions, such as ignoring all the vulnerabilities in that group. The action icon allows you to see each vulnerability in the group, whereas allows multiple vulnerabilities (with the same QID) to be ignored more conveniently with a single request.

Vulnerability Metrics – Severity

Vulnerability Metrics (which is a collapsible section and is by default collapsed) provides insight into how long your open vulnerabilities have been open, and how long it took to close remediated vulnerabilities. Often organizations have Service Level Agreements (SLAs) that commit them to addressing vulnerabilities (especially Urgent and Critical) within a given timeframe. This information helps you understand how well you are adhering to your SLAs.

The Vulnerability Metrics are presented in one of two formats, that can be toggled by clicking the icon on the upper-right hand portion of this section. By default, the Severity-based format is shown, which contains the following two bar charts.

Days (Average Time Open)

This bar chart shows the total number of open vulnerabilities (upper right) and the average number of days (upper left) that the vulnerabilities have been open. Hovering over each bar in the bar chart will show how many vulnerabilities were considered for the metric calculations.

Days (Average Time to Closure)

This bar chart shows the number of vulnerabilities closed in the specified time frame (upper right) and the average number of days (upper left) that the vulnerabilities were open before being closed.

Clicking on the action icon to the far right of the Vulnerability Metrics header displays a “Timeband” label, and breaks down the number of vulnerabilities by ranges of days, for example, those open less than three days, or between three and seven days. This data is presented in pie chart format.

Notice that the icon used to toggle between Severity-based and Timeband-based formats changes depending on which format is currently displayed.

Endpoint (Asset) List

The last sub-section of the dashboard lists all the Endpoints that contribute to the vulnerability data, and allows users to tailor the vulnerability metrics being shown by including or excluding specific Endpoints. To better understand the operational details, let’s breakdown the key features this sub-section offers.

The upper left corner of the Endpoint (Asset) List contains a blue box with the number of assets meeting your selection criteria. Users can select the Endpoints of interest by clicking the associated checkbox, which will be noted in the Selected count, as shown below.

Note: The purpose of selecting the checkboxes on the far left is to filter the data to display only the assets you are interested in. As the boxes are checked, a “Selected” counter is updated, and the graph icon becomes active, but the dashboard will not reflect the changes until the graph icon is clicked. To return to the default state, click the icon.

Action Icons and Filtering Options

To the right of the endpoint count, the Endpoint (Asset) List offers four action icons, two dropdown filters, and a search bar.

Action Icons	Function
	You can limit the Endpoints being considered. This is accomplished by selecting the Endpoints of interest and then clicking the update action icon. For example, if you know that an Endpoint is being retired (i.e., taken out of service) sometime soon and you do not want the dashboard cluttered by that Endpoint’s vulnerabilities, you can exclude that Endpoint from the dashboard by not selecting it.
	Clicking on this icon results in resetting the dashboard to its default state.
	Clicking on this icon presents two options: “Export Endpoints” – downloads (in CSV format) all details for all/filtered list of Endpoints. “Export Alias” – downloads (in CSV format) a subset of details for all/filtered Endpoints identifying each asset (by its IP address) and providing the associated alias (if any). This export is typically a prerequisite for the “Import” functionality described below, saving you time by creating the file that will be used for that import. You would then only be required to edit the generated CSV file by adding the Aliases you wanted to define.
	You can “Import” a CSV file to add/edit multiple aliases by clicking this action icon. This is a useful and more efficient way for users to assign aliases to multiple assets in a single action, as compared to doing this one at a time via the UI.

Filtering Options

The two filter bars allow you to select which Endpoints to display based on the following attributes.

Filter Type

Definition

Endpoint Asset Type

This filter allows you to select Endpoints based on asset type. Available types are:

All: All of the existing Endpoints, regardless of asset type.
Internal: Includes internal Endpoints only, which requires the installation of a Qualys appliance for those internal Endpoints to be visible.
External: Includes external public Endpoints only.
AWS: Includes AWS Endpoints only, which requires the installation of a separate Qualys appliance for those AWS Endpoints to be visible.

Aging Status

This filter allows you to select Endpoints based on their aging status. If an Endpoint is inaccessible and hasn’t been scanned for 30 consecutive days, SP360 will automatically “age-out” (remove) that Endpoint and its associated vulnerabilities. This will be a “soft delete” within SP360, and a “hard delete” within Qualys.

Using this drop-down filter, you can view Endpoints based on the following three options:

“Active” - the default view which shows all active Endpoints, including those that are in the aging process but haven’t been aged-out (or deleted) yet.
“In Aging-Out Process” - displays only assets that have 20 or less days left before they age out. Since there may be many assets and only a small subset may be in the process of aging out, this filter option provides a consolidated view so the aging assets can be seen together. The “Last Scanned Date” will be shown in amber when the asset has 20 or less days before it ages out, and it is shown in red when it has 10 or less days.
“Deleted (Aged-Out or Manual)” – displays all deleted assets, whether they have gone through the aging process or have been manually deleted.

Search Bar

This search bar filters the Endpoint list based on the value entered. For example, if the end user wants to search for particular Endpoints in an IP range, typing the value in the upper part of the range (e.g., "172.93") in the search bar will list all the Endpoints within that range.

The Endpoint grid includes the following fields by default, however, users can customize the grid to add, remove, or re-arrange fields to meet their needs by clicking the action icon, explained here.

Column Headers	Definition
Host	The IP Address of the Endpoint.
Alias	The assigned alias of that Endpoint, if any.
Asset Name	It is possible to assign an “Asset name” to an endpoint in AWS. If that has been done, the Asset Name will be shown here.
VULN COUNT	The total number of vulnerabilities associated with that Endpoint.
Created At	The date on which the Endpoint was first detected (scanned).
Last Scanned At	The date a scan of this Endpoint was last attempted.

To learn more about the optional fields that can be added, removed, or re-arranged in the Cloud Agent grid, click here.

Each Endpoint has three available icons on the right side of each line.

Icons	Definition
	Clicking on this icon allows editing of the alias for the specific Endpoint, which could be to create it, change it, or remove it. Aliases are useful because a meaningful name is easier to remember than the complex numeric IP address that was assigned to the Endpoint. Aliases are included in searches.
	Clicking on this icon displays all vulnerabilities associated with that Endpoint. For more information about the Vulnerabilities page, click here
	Clicking on this icon displays detailed information about that Endpoint. The details page has two tabs to organize the data into logically related groups, one of which is shown below.
	Clicking on this icon initiates a manual scan of the Endpoint. A confirmation page is first displayed to confirm the request. To cancel a manual scan, click on the revolving “scan in progress” icon. A confirmation page is first displayed to confirm the cancellation request.