Skip to content

Criteria for Important CVE (Priority Filter)#

You can pre-configure conditions for vulnerabilities that are considered high-risk. When a new vulnerability that meets these conditions is detected, it will be sorted into the "Important CVE" tab, allowing you to prioritize remediation. You can review the configured conditions using the "Check \"Important CVE\" conditions" button.

The following conditions are set by default. Adjust them to match the vulnerabilities your organization considers critical.

image.png

Permissions to Modify the Priority Filter

Only Group Admins can change the conditions for sorting vulnerabilities into the "Important CVE" tab. You can change these settings from Group Settings > Advanced Settings > Important CVE Conditions.

Priority Filter Criteria#

You can set conditions based on "SSVC Priority," "Vulnerability Priority," or "Vulnerability Characteristics." Vulnerabilities that meet any of the following conditions will be sorted into "Important CVE."

flowchart TD
    A["Detected Vulnerability"] --> B{"Meets SSVC Priority<br>criteria?"}
    B -- Yes --> R["Important CVE"]
    B -- No --> C{"Meets Vulnerability Priority<br>criteria?"}
    C -- Yes --> R
    C -- No --> D{"Meets Vulnerability<br>Characteristics criteria?<br>CVSS Score / Vector / Exploit Code / Advisory Information"}
    D -- Yes --> E{"Meets exclusion criteria?<br>Low Reliability / Unknown Windows Patch"}
    E -- Yes --> F["Other Unresolved CVE"]
    E -- No --> R
    D -- No --> F
Criteria Options Effect
SSVC Priority Not selected Does not include SSVC Priority as a condition.
immediate Vulnerabilities whose highest SSVC Priority is 'immediate' will be included.
out of cycle Vulnerabilities whose highest SSVC Priority is 'out of cycle' or higher will be included.
Vulnerability Priority Not selected Does not include Vulnerability Priority as a condition.
high Vulnerabilities with a Vulnerability Priority of 'high' will be included.
medium Vulnerabilities with a Vulnerability Priority of 'medium' or higher will be included.
CVSS Score CVSS v2, v3, v4 Vulnerabilities whose highest published CVSS score meets or exceeds this value will be included.
Red Hat, Microsoft Vulnerabilities where the CVSS score provided by Red Hat or Microsoft (the maximum of v2 / v3 / v4) is greater than or equal to this value will be included.
CVSS v3 Vector AV/AC/PR/UI/S/C/I/A Vulnerabilities matching at least one of the specified CVSS v3 vector metrics, from any data source (e.g., NVD or OVAL), will be included.
Reliability of published Exploit Code Not selected Does not include the presence of exploit code as a condition.
High Vulnerabilities with HIGH-reliability published exploit code (Metasploit-Framework, or verified, highly reliable exploit code) will be included.
Low Vulnerabilities with LOW-reliability or higher published exploit code (Metasploit-Framework, Exploit-DB, etc.) will be included.
Severity of published security advisories Not selected Does not include the presence of security advisories as a condition.
High Vulnerabilities with advisories from KEV sources (CISA KEV, VulnCheck KEV, ENISA KEV) will be included.
Low Vulnerabilities with advisories from KEV sources or JPCERT/CC-Alerts will be included.
Vulnerabilities with unreliable detection Do not include in the target Excludes vulnerabilities that meet the following conditions from "Important CVE":
・Vulnerabilities detected without CPE version information.
・Vulnerabilities detected only by JVN, not by NVD.
Include in the target Does not include detection reliability as a condition.
Vulnerabilities without information on Windows patch availability Do not include in the target Excludes vulnerabilities that meet the following conditions from "Important CVE":
・Vulnerabilities detected in Windows (particularly Edge) for which the applicable KB patch or build number is unknown.
Include in the target Does not include whether Windows patch availability is unknown as a condition.