---
id: cisco-vulnerability-management
title: Cisco Vulnerability Management
sidebar_label: Cisco Vulnerability Management
description: The Cisco Vulnerability Management app for Sumo Logic helps you monitor and manage software vulnerabilities.
slug: /help/docs/integrations/saas-cloud/cisco-vulnerability-management/
canonical: https://www.sumologic.com/help/docs/integrations/saas-cloud/cisco-vulnerability-management/
---
import useBaseUrl from '@docusaurus/useBaseUrl';
})
The Sumo Logic app for Cisco Vulnerability Management provides insights into your organization's security posture to help you monitor and manage software vulnerabilities. It consolidates information on existing vulnerabilities within the network, assesses their risk levels, and tracks new vulnerabilities over time. This app helps you to understand vulnerability severity, distribution, vendor risks, and Common Vulnerabilities and Exposures (CVE) identifiers.
The app enables security teams to prioritize remediation, ensure compliance, and strengthen defenses against breaches by collating data into a central repository and transforming it into comprehensive visualizations.
:::info
This app includes [built-in monitors](#cisco-vulnerability-management-monitors). For details on creating custom monitors, refer to [Create monitors for Cisco Vulnerability Management app](#create-monitors-for-cisco-vulnerability-management-app).
:::
## Log types
This app uses Sumo Logic’s [Cisco Vulnerability Management source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-vulnerability-management-source/) to collect the detected open vulnerabilities and active assets from the Cisco Vulnerability Management platform.
### Sample log messages
Open Vulnerabilities
```json
{
"id": 31991700,
"status": "open",
"closed_at": null,
"created_at": "2025-02-11T23:09:41Z",
"due_date": "2025-05-12",
"notes": null,
"port": [],
"priority": 10,
"identifiers": [
"150520"
],
"last_seen_time": "2025-03-25T05:36:13.000Z",
"scanner_score": 2.0,
"fix_id": 2181881,
"scanner_vulnerabilities": [
{
"port": null,
"external_unique_id": "31659968",
"open": true
}
],
"asset_id": 16724801,
"connectors": [
{
"name": "Temp Web Application Scan (WAS) - Applications",
"id": 154040,
"connector_definition_name": "TempWas",
"vendor": "Temp"
}
],
"service_ticket": null,
"urls": {
"asset": "api.kennasecurity.com/assets/16724801"
},
"solution": "Customers are advised to modify the HTTP response header.",
"patch": true,
"patch_published_at": "2022-06-01T09:00:11.000Z",
"cve_id": "Web Server Information Disclosure",
"cve_description": null,
"cve_published_at": null,
"description": "The target application discloses the Web Server software.",
"wasc_id": null,
"severity": null,
"threat": null,
"popular_target": null,
"active_internet_breach": false,
"easily_exploitable": false,
"malware_exploitable": false,
"remote_code_execution": null,
"predicted_exploitable": false,
"platform_types": [
"application",
"hardware",
"operating system"
],
"cvss_v2": null,
"cvss_v3": null,
"custom_fields": [
{
"name": "ServiceNow Ticket for Risk Acceptable or False Positive",
"custom_field_definition_id": 2,
"value": null
},
{
"name": "Due/Review Date",
"custom_field_definition_id": 1,
"value": null
}
],
"first_found_on": "2025-02-11T05:43:31Z",
"top_priority": false,
"risk_meter_score": 35,
"closed": false
}
```
Active Assets
```json
{
"id": 124801,
"created_at": "2025-02-11T23:09:41Z",
"priority": 10,
"operating_system": "Windows Vista / Windows 2008 / Windows 7 / Windows 2012 / Windows 8 / Windows 10",
"notes": null,
"last_booted_at": null,
"primary_locator": "url",
"locator": "https://.vca.inside.org/",
"vulnerabilities_count": 1,
"status": "active",
"last_seen_time": "2025-03-25T05:36:13Z",
"network_ports": [],
"tags": [
"VCA"
],
"owner": null,
"inactive_at": "2025-04-09",
"status_set_manually": true,
"overage": false,
"urls": {
"vulnerabilities": "api.kennasecurity.com/assets/16724801/vulnerabilities"
},
"ip_address": null,
"database": null,
"hostname": null,
"fqdn": null,
"netbios": null,
"application": "VCA - .vca.inside.org",
"file": null,
"mac_address": null,
"ec2": null,
"url": "https://.vca.inside.org/",
"external_id": null,
"image": null,
"container": null,
"ipv6": null,
"risk_meter_score": 350,
"asset_groups": [
{
"id": 7607,
"name": "All Assets"
},
{
"id": 227425,
"name": "pCA"
}
]
}
```
### Sample queries
```sumo title="Total Open Vulnerabilities"
_sourceCategory="Labs/CiscoVulnerabilityManagement" !operating_system
| json "id", "created_at", "due_date", "priority", "last_seen_time", "scanner_score", "asset_id", "urls.asset", "patch", "cve_id", "severity", "threat", "popular_target", "active_internet_breach", "easily_exploitable", "malware_exploitable", "remote_code_execution", "predicted_exploitable", "platform_types", "cvss_v3", "first_found_on", "top_priority", "risk_meter_score","connectors[*].vendor","connectors[*].connector_definition_name","connectors[*].name","scanner_vulnerabilities[*].external_unique_id","scanner_vulnerabilities[*].open" as id, created_at, due_date, priority, last_seen_time, scanner_score, asset_id, urls_asset, patch, cve_id, severity, threat, popular_target, active_internet_breach, easily_exploitable, malware_exploitable, remote_code_execution, predicted_exploitable, platform_types, cvss_v3, first_found_on, top_priority, risk_meter_score, vendors, connector_definition_names,connector_names,scanner_vulnerabilities_external_unique_ids,scanner_vulnerabilities_status nodrop
// global filters
| where isNull(severity) or severity matches "{{severity}}"
| where isNull(priority) or priority matches "{{priority}}"
| where isNull(threat) or threat matches "{{threat}}"
| where isNull(popular_target) or popular_target matches "{{popular_target}}"
| where isNull(active_internet_breach) or active_internet_breach matches "{{active_internet_breach}}"
| where isNull(easily_exploitable) or easily_exploitable matches "{{easily_exploitable}}"
| where isNull(remote_code_execution) or remote_code_execution matches "{{remote_code_execution}}"
| where isNull(predicted_exploitable) or predicted_exploitable matches "{{predicted_exploitable}}"
| where isNull(top_priority) or top_priority matches "{{top_priority}}"
| where isNull(scanner_score) or scanner_score matches "{{scanner_score}}"
| where isNull(patch_deployed) or patch_deployed matches "{{patch_deployed}}"
// panel specific
| count by id
| count
```
```sumo title="Total Assets"
_sourceCategory="Labs/CiscoVulnerabilityManagement" operating_system
| json "id", "created_at", "priority", "operating_system", "primary_locator", "locator", "vulnerabilities_count", "status", "last_seen_time", "tags", "status_set_manually", "ip_address", "application", "url", "external_id", "risk_meter_score", "asset_groups[*].name" as id, created_at, priority, operating_system, primary_locator, locator, vulnerabilities_count, status, last_seen_time, tags, status_set_manually, ip_address, application, url, external_id, risk_meter_score, asset_groups nodrop
// global filters
| where isNull(operating_system) or operating_system matches "{{operating_system}}"
| where isNull(priority) or priority matches "{{priority}}"
| where isNull(primary_locator) or primary_locator matches "{{primary_locator}}"
| where isNull(application) or application matches "{{application}}"
// panel specific
| count by id
| count
```
## Collection configuration and app installation
import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
:::important
Use the [Cloud-to-Cloud Integration for Cisco Vulnerability Management](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cisco-vulnerability-management-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Cisco Vulnerability Management app is properly integrated and configured to collect and analyze your Cisco Vulnerability Management data.
:::
### Create a new collector and install the app
import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
### Use an existing collector and install the app
import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
### Use an existing source and install the app
import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
## Viewing the Cisco Vulnerability Management dashboards
import ViewDashboards from '../../reuse/apps/view-dashboards.md';
### Vulnerabilities
The **Cisco Vulnerability Management - Vulnerabilities** dashboard provides an overview of current security vulnerabilities affecting your organization's network. It tracks outstanding vulnerabilities, their risks, and newly identified issues, categorizing them by criticality levels, such as priority, severity, and scanner scores. The dashboard highlights the most affected vendors and common vulnerabilities, aiding patch management and risk remediation. It also analyzes vulnerabilities using CVSS scores to identify high-risk areas that need immediate attention, offering a focused approach to improving system security.
### Assets Overview
The **Cisco Vulnerability Management - Assets Overview** dashboard provides a snapshot of an organization's assets and their security status. It catalogs all assets, tracks manual status overrides, and shows an average risk meter across the assets. The dashboard highlights asset evolution, operating system prevalence, and geographical distribution, including embargoed regions. It also identifies common tags and applications associated with the assets, aiding patch prioritization and compliance. By focusing on the most vulnerable assets, the dashboard acts as a guide for aligning security resources and efforts towards the most critical areas, ensuring a robust and secure infrastructure.
## Create monitors for Cisco Vulnerability Management app
import CreateMonitors from '../../reuse/apps/create-monitors.md';
### Cisco Vulnerability Management monitors
| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition |
|:--|:--|:--|:--|
| `Cisco Vulnerability Management - Embargoed Geo Locations of Assets` | This alert is triggered when assets are detected in sanctioned or embargoed regions. This alert monitors and highlights such alerts to maintain adherence to legal and regulatory standards. | Critical | Count > 0 |
| `Cisco Vulnerability Management - Assets with Higher Risk Meter Score` | This alert is triggered when assets are detected that have been assigned a high-risk score, indicating they are more vulnerable to security threats and may require prompt attention. | High | Count > 0 |
| `Cisco Vulnerability Management - Critical Vulnerabilities Detected` | This alert is triggered when there is a presence of security weaknesses classified as critical due to their potential impact on the system. | High | Count > 0 |
| `Cisco Vulnerability Management - High-Risk Vulnerabilities Exceeds SLA` | This alert is triggered when significant security vulnerabilities are not addressed within the agreed-upon service level agreement time frame. | High | Count > 0 |
| `Cisco Vulnerability Management - Actively Exploited Vulnerabilities Detected` | This alert is triggered when vulnerabilities are currently being targeted and exploited in the wild, indicating immediate action is required. | Critical | Count > 0 |
| `Cisco Vulnerability Management - Remote Code Execution (RCE) Vulnerabilities Found` | This alert is triggered when the detected vulnerabilities could potentially allow an attacker to run unauthorized code on the affected system from a remote location. | Critical | Count > 0 |
| `Cisco Vulnerability Management - Malware-Exploitable Vulnerabilities Found` | This alert is triggered when the detected vulnerabilities are known to be or could potentially be exploited by malware to harm the system or network. | High | Count > 0 |
| `Cisco Vulnerability Management - Top Priority Vulnerabilities` | This alert is triggered when most pressing vulnerabilities are detected that have been prioritized for immediate remediation actions. | High | Count > 0 |
| `Cisco Vulnerability Management - Vulnerabilities with High Risk Meter Score` | This alert is triggered when the vulnerabilities detected score high on the risk-meter, signifying a higher likelihood of threat exploitation and impact. | High | Count > 0 |
| `Cisco Vulnerability Management - CVSS Score Exceeds Threshold` | This alert is triggered when the vulnerabilities detected have a Common Vulnerability Scoring System (CVSS) rating that exceeds a specified severity threshold. | High | Count > 0 |
| `Cisco Vulnerability Management - Vulnerabilities Without a Patch Available` | This alert is triggered when the detected vulnerabilities do not have any current fixes or patches, necessitating alternative risk mitigation strategies. | Medium | Count > 0 |
## Upgrading the Cisco Vulnerability Management app (Optional)
import AppUpdate from '../../reuse/apps/app-update.md';
## Uninstalling the Cisco Vulnerability Management app (Optional)
import AppUninstall from '../../reuse/apps/app-uninstall.md';