Forum Discussion
High-value CVEs not showing on High priority observations
Hi,
I need some help to understand this logic on Defender EASM. For example, on my "High priority observations", I've got 6 observations, all of those for 1 domain, which is fine.
But then if I go to my inventory and select another domain, I can see on that host some CVEs with High priority. Screenshot below:
So, why aren't these results being shown on the list of "High priority observations" if they are ranked with High priority? Is there a logic for this?
Thanks
This is the key to your question. A CVE might have a "High" or "Critical" CVSS score, but it may not be flagged as a "High Priority Observation" for several reasons:
- Lack of Known Exploitation: The CVE might be theoretical or require complex, local access to exploit. The "Observations" dashboard prioritizes vulnerabilities that are being actively exploited in the wild.
- Mitigating Factors: The specific way the technology is configured on your host might make the CVE non-exploitable in your environment. EASM's intelligence may recognize this.
- Not a "P1" Priority for Microsoft's Security Team: Microsoft curates the observations list. They focus on what they classify as "P1" (Priority 1) issues—the absolute most critical things you should fix right now. A high-severity CVE might be a "P2" or "P3" in their triage system.
- Focus on Systemic Risk: The "Observations" dashboard is designed to highlight patterns. The 6 observations you see for that one domain might represent a more significant, systemic risk (e.g., an entire subdomain running outdated, vulnerable infrastructure) than a single CVE on an otherwise isolated host.
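To make the distinction in the reply concrete, here is a small triage model added to this thread. It is a hypothetical rule set written for illustration, not Microsoft Defender EASM's actual prioritisation logic, and every CVE identifier in it is a constructed placeholder. It shows how a finding with a High or Critical CVSS score can land in P2 or P3 (no known exploitation, local access only, or a mitigating configuration), while a lower-scored finding repeated across several hosts of one domain is promoted to a domain-level "systemic" observation, which matches the pattern the original poster saw: six observations on one domain, none for a High CVE on an isolated host elsewhere.

```python
"""Toy triage model: why a High-CVSS CVE need not become a P1 observation.

Hypothetical illustration added to this thread. It is NOT Defender EASM's
real logic; the rules below are an assumption made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    domain: str
    host: str
    cve: str                 # constructed placeholder IDs, not real CVEs
    cvss: float
    known_exploited: bool    # e.g. present in a known-exploited catalogue
    network_reachable: bool  # False when exploitation needs local access
    mitigated: bool          # host configuration blocks the vulnerable path


def cvss_severity(score: float) -> str:
    """Standard CVSS v3 qualitative bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage(f: Finding) -> str:
    """Map one finding to P1/P2/P3 with the hypothetical rules.

    Severity alone never yields P1: exploitation in the wild plus network
    reachability does. A mitigating configuration pushes everything to P3.
    """
    if f.mitigated:
        return "P3"
    if f.known_exploited and f.network_reachable:
        return "P1"
    if cvss_severity(f.cvss) in ("High", "Critical"):
        return "P2"
    return "P3"


def systemic_observations(findings, min_hosts: int = 3):
    """Domain-level observations: the same unmitigated CVE on >= min_hosts hosts."""
    by_domain = defaultdict(lambda: defaultdict(set))
    for f in findings:
        if not f.mitigated:
            by_domain[f.domain][f.cve].add(f.host)
    out = []
    for domain, cves in by_domain.items():
        for cve, hosts in cves.items():
            if len(hosts) >= min_hosts:
                out.append((domain, cve, len(hosts)))
    return sorted(out)


def high_priority_observations(findings):
    """What a 'High priority observations' list would contain under these rules."""
    per_host_p1 = sorted({(f.domain, f.host, f.cve)
                          for f in findings if triage(f) == "P1"})
    return per_host_p1, systemic_observations(findings)


def severity_vs_priority(findings):
    """Side-by-side view of CVSS band and triage outcome for each finding."""
    return [(f.host, f.cve, cvss_severity(f.cvss), triage(f)) for f in findings]


# Constructed sample inventory (all values invented for the example).
SAMPLE = [
    Finding("a.example", "web1", "CVE-0000-0001", 7.5, False, True, False),
    Finding("a.example", "web2", "CVE-0000-0001", 7.5, False, True, False),
    Finding("a.example", "web3", "CVE-0000-0001", 7.5, False, True, False),
    # The poster's case: High CVSS on an isolated host, no known exploitation.
    Finding("b.example", "app1", "CVE-0000-0002", 8.1, False, True, False),
    # Critical and exploited, but only with local access.
    Finding("b.example", "app1", "CVE-0000-0003", 9.8, True, False, False),
    # High and exploited, but the host configuration mitigates it.
    Finding("b.example", "db1", "CVE-0000-0004", 7.2, True, True, True),
    # Exploited in the wild and reachable: the only per-host P1.
    Finding("c.example", "vpn1", "CVE-0000-0005", 8.8, True, True, False),
]

if __name__ == "__main__":
    for row in severity_vs_priority(SAMPLE):
        print("%-5s %-14s %-8s %s" % row)
    print(high_priority_observations(SAMPLE))
```

Running the block prints each finding's CVSS band next to its triage outcome, then the two observation lists. The per-host P1 list holds only the exploited, reachable finding on c.example, and the systemic list holds a.example once for the CVE shared by its three hosts; the 8.1-scored CVE on b.example appears in neither, which is the situation the question describes.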