Vulnerability Assessment
Through the integration with Cyber Insight, you can use your LOGINventory data for vulnerability assessment and automatically identify which vulnerabilities exist on which devices and in which software packages. Each vulnerability is assigned a risk assessment that provides dynamic, context-based data tailored to your organization. Additionally, you will receive information on how to remediate the vulnerability.
Use this feature to identify security gaps in your network early and take appropriate action. The integration allows you, in combination with the customizability of all queries and the creation of tasks, to automatically detect when action is required and what needs to be done. Manual reconciliation with CVE databases is a thing of the past.
Setup
Cyber Insight Account
To use the vulnerability analysis, you need an account with Cyber Insight. There, you can register and, after clicking on your profile name, generate an API key (Access Token), which must later be stored in LOGINventory for data synchronization.
Create Script-Based Inventory
First, the prerequisites for Script-Based Inventory must be met.
Specifically, various files from our GitHub repository (https://github.com/loginventory/custom-scan-scripts/) need to be downloaded. The easiest way is to download the complete current repository as a ZIP file via this link:
https://github.com/loginventory/custom-scan-scripts/archive/refs/heads/main.zip
Afterward, extract the ZIP file to a temporary location and move the "include" folder (including its files) into the (if necessary, newly created) "Agents" folder of the Script-Based Inventory, e.g., %programdata%\LOGIN\LOGINventory\9.0\Agents.
Tip
Even if you have used scripts from the repository in the past, you should always update the "include" folder to the latest version, as it contains important helper functions used by various scripts. This ensures that the scripts function correctly.
PowerShell Core (version 7 or higher) is not required for these scripts, as the scripts use the LOGINventory PowerShell to access queries in the LOGINventory tree structure.
This completes the general prerequisites for Script-Based Inventory.
In the next step, the files required for integration with Cyber Insight must be copied from the previously extracted repository into the "Agents" folder of the Script-Based Inventory.
- Copy the
CyberInsight.ps1file to the "Agents" folder of the script-based inventory, e.g.,%programdata%\LOGIN\LOGINventory\9.0\Agents. - Copy the "CyberInsight" folder containing the files
Get-CyberInsightData.ps1,Post-CyberInsightLiData.ps1, andcyberinsight-common.ps1to the "Agents" folder of the script-based inventory.
Tip
It is recommended to regularly check the files for updates to benefit from improvements and new features. Subscribe to the GitHub repository to stay informed about changes.
Now, create a new definition of the type Script-based Inventory in the Remote Scanner.
Select the CyberInsight.ps1 file from the dropdown menu and assign a suitable name, e.g., "Cyber Insight POST."
Switch to the parameter tab and enter the following two parameters:
| Parameter | Value |
|---|---|
| Action | Post |
| Engine | psc.exe |
This definition is responsible for transmitting data to Cyber Insight.
Next, create a second definition for retrieving data from Cyber Insight. For example, you can clone the existing definition.
Change the name to something like "Cyber Insight GET" and adjust the parameters as follows:
| Parameter | Value |
|---|---|
| Action | Get |
| Engine | psc.exe |
Info
It is possible to pass the parameters CyberInsightApiKey, CyberInsightCompanyName, CyberInsightEndpoint, CyberInsightKeyProperty, CyberInsightCriticality, CyberInsightExportQuery, and CyberInsightSyncQuery via the parameter tab for both definitions. However, this is not necessary as these values are partially optional (with defaults) and can also be stored in the LOGINventory.config file, allowing them to be entered only once in a central location (see next section).
Store Credentials and Settings
In the LOGINventory.config file located in %programdata%\LOGIN\LOGINventory\9.0\, the following values must be stored. Open the file with a text editor (e.g., Notepad) and add the following lines:
<setting name="CyberInsightApiKey" serializeAs="String">
<value>Your API KEY</value>
</setting>
<setting name="CyberInsightCompanyName" serializeAs="String">
<value>Your CyberInsight Companyname</value>
</setting>
For CyberInsightApiKey, enter the API key (Access Token) generated in your Cyber Insight account. For CyberInsightCompanyName, enter the company name under which you want the data to appear in Cyber Insight.
This ensures that the definitions created in the Remote Scanner automatically retrieve the API key and company name from the configuration file.
These values are also used to display details about vulnerabilities in the Info Widget (see Analysis).
Optional settings can also be added to the LOGINventory.config file as needed:
<setting name="CyberInsightEndpoint" serializeAs="String">
<value>https://ci-gateway-5j2lrwe9.nw.gateway.dev</value>
</setting>
<setting name="CyberInsightKeyProperty" serializeAs="String">
<value>Name | InventoryNumber</value>
</setting>
<setting name="CyberInsightCriticality" serializeAs="String">
<value>high|medium|low</value>
</setting>
<setting name="CyberInsightExportQuery" serializeAs="String">
<value>Vulnerability Assessment\Vulnerability Export</value>
</setting>
<setting name="CyberInsightSyncQuery" serializeAs="String">
<value>Vulnerability Assessment\All Vulnerabilities per Software Package</value>
</setting>
The value of CyberInsightEndpoint is the URL to which data is transmitted. The default value is https://ci-gateway-5j2lrwe9.nw.gateway.dev and only needs to be adjusted if Cyber Insight provides you with a different URL.
The value of CyberInsightKeyProperty defines which device properties are used for unique identification. Options include Name and InventoryNumber. If not set, the default is the device name (Name). If a device is renamed between transmission and retrieval, using Name may cause issues. If your database contains multiple devices with the same name, consider using InventoryNumber (see Manage Inventory Numbers.
The value of CyberInsightCriticality defines which vulnerability severity levels are retrieved. Possible values are low, medium, and high. Multiple values can be separated by a pipe symbol (|). If not set, the default is to retrieve only high and medium severity levels. Severity levels are defined as follows:
| Score | Severity Level |
|---|---|
| > 7.5 | high |
| 7.5 - 4.2 | medium |
| < 4.2 | low |
The value of CyberInsightExportQuery defines which query from the LOGINventory tree structure is used to export data to Cyber Insight. The default value is Vulnerability Assessment\Vulnerability Export (always use the English name of the node—if unsure, use the LOGINventory PowerShell to navigate the tree structure with dir and cd commands to find the correct name). Instead of selecting a different query, you can also adjust the default query (see next section). If you use the default value, the "Vulnerability Export" query in the "Vulnerability Assessment" folder is used.
The value of CyberInsightSyncQuery defines which query from the LOGINventory tree structure is used for synchronizing vulnerability data from Cyber Insight. The default value is Vulnerability Assessment\All Vulnerabilities per Software Package (see below). This is necessary to ensure that vulnerabilities that no longer exist are removed. Typically, it is not necessary to adjust this value.
Info
Each of these values can also be passed directly via parameters in the Remote Scanner to the respective definitions. However, this is unnecessary if the values are stored in the LOGINventory.config file.
Optional: Adjustment of the "Vulnerability Export" Query
LOGINventory only sends the data to Cyber Insight that is included in the "Vulnerability Export" query in the "Vulnerability Assessment" folder.
By default, all devices with at least one installed software package are listed. The default data transmitted includes: device name, inventory number, and information about installed software packages (name, version, manufacturer, platform).
Currently, the Cyber Insight API does not process other data, so adding additional columns is not useful. However, you can adjust the query using the Query Editor to, for example, only transmit data for specific devices (e.g., only servers or only clients) or exclude test machines. Customize the query to suit your needs.
Transmit Data to Cyber Insight
Run the "Cyber Insight POST" definition created earlier in the Remote Scanner to transmit data to Cyber Insight. You can monitor progress in the Job Monitor. After successful completion, the data will be analyzed by Cyber Insight. Depending on the data volume, this may take several hours.
Retrieve Data from Cyber Insight
Run the "Cyber Insight GET" definition created earlier in the Remote Scanner to retrieve vulnerability data from Cyber Insight. You can monitor progress in the Job Monitor. After successful completion, the data will be available in LOGINventory.
Tip
To ensure vulnerability data is always up-to-date, consider automating the data synchronization by creating jobs with schedules in the Remote Scanner.
Automation
Create two jobs in the Remote Scanner: one for the "Cyber Insight POST" definition and one for the "Cyber Insight GET" definition. Set appropriate schedules for both jobs, e.g., daily or weekly. Ensure the "Cyber Insight POST" job runs before the "Cyber Insight GET" job to ensure data is current. Additionally, allow sufficient time between the two jobs for Cyber Insight to analyze the data (several hours depending on data volume). For example, schedule a daily POST job in the evening and a GET job the following morning.
Info
Please note that deleting / archiving assets between a POST and GET will result in the corresponding assets being recreated / reactivated during the GET.
Analysis
The retrieved vulnerability data is available in LOGINventory through various queries, dashboards, and widgets.
The Combined Vulnerability Score per Software Package query lists all software packages, regardless of whether a vulnerability was found. For each package with a detected vulnerability, a "VulnerabilityScore" is provided, representing the sum of the risk assessments of all vulnerabilities in that software package. The "Vulnerabilities.Count" value indicates how many distinct vulnerabilities were found for the software package. This allows you to quickly identify which software packages are particularly critical. The "SoftwarePackageInfos.Count" column shows how many devices have this software package installed. Using the Related Data Widget, you can view the affected devices.
The Vulnerability Catalog query lists all detected vulnerabilities with details and shows how many devices and software packages are affected. Using the Related Data Widget, you can display the affected devices.
Example
This screenshot shows a "DeviceVulnerabilityInfos.Count" of 12 and a "SoftwareVulnerabilityInfos.Count" of 4 for the selected vulnerability. This means that the "Vulnerability Details" query contains 12 rows for this vulnerability, representing 12 combinations of devices and software packages. The "Software Vulnerabilities" query contains 4 rows for this vulnerability, representing 4 software packages where this vulnerability was found.
To see which devices are affected by the vulnerability, you can use the Related Data Widget. In this case, there were 8 different devices.
Additionally, vulnerabilities can be assigned properties using the Custom Properties Widget. For example, you can assign a processing status, further categorize vulnerabilities, or assign responsible personnel.
The All Vulnerabilities per Software Package query lists all detected vulnerabilities for each software package.
A software package may have multiple vulnerabilities, and a vulnerability may appear in multiple software packages.
When the Info Widget is open and a result row is selected, the widget displays details about the vulnerability in Cyber Insight, including risk assessment, messages related to the vulnerability, and recommendations for remediation.
Alternatively, you can click Show Vulnerability Details in the ribbon menu to open a browser window that navigates directly to the corresponding vulnerability page in Cyber Insight. The content of the Info Widget and the browser page are identical.
Tip
After a certain period, you will be automatically logged out of Cyber Insight, so it may be necessary to reopen the widget (by switching to another vulnerability and back) or the browser link to display the details again.
Info
The "All Vulnerabilities per Software Package" query is used in the GET script for synchronizing vulnerability data and should not be modified, i.e., no columns should be removed or filters applied.
The All Vulnerabilities per Software Package and Device query lists all detected vulnerabilities with details for each device, including risk assessments.
Here, too, you can use the Info Widget or the button in the ribbon menu to access the detailed page in Cyber Insight.
The two Newly Found Vulnerabilities per Software Package and Newly Found Vulnerabilities per Software Package and Device queries list only the vulnerabilities that were retrieved for the first time in the last 7 days. This allows you to quickly identify whether there are new vulnerabilities in your environment. You can adjust the queries to change the time frame. Additionally, it may be useful to create a Task based on these queries to, for example, automatically send an email notification when new vulnerabilities are detected.
The Vulnerabilities per Device and Operating System dashboard displays various charts to visualize vulnerability data. For example, you can see how many vulnerabilities of each severity level exist per operating system. Additionally, pie charts visualize various properties of the vulnerabilities.
By clicking on an element in the chart, you can filter by it. Holding the Ctrl key allows you to select multiple elements within a chart.
FAQs
How does billing work, and what are the costs? You need an account with Cyber Insight and pay the costs directly to Cyber Insight. Prices depend on the number of devices whose software data is analyzed. You can request detailed pricing information from Cyber Insight.
What data is transmitted to Cyber Insight? Device name, inventory number, and information about installed software packages (name, version, manufacturer, platform) are transmitted.
Is the data transmitted automatically? No, the transmission must be explicitly activated. You need an account with Cyber Insight and must generate an API key there. This API key must then be stored in LOGINventory, and the appropriate Script-based Inventory must be created and configured.
Can I configure which devices' data is sent to Cyber Insight? Yes, you can easily adjust the "Vulnerability Export" query in this folder. For example, filter for only servers if you want to transmit data only from servers, or exclude test machines! By setting appropriate filters, you can freely configure what is transmitted.
What happens to my data at Cyber Insight? Cyber Insight's "DARA" engine analyzes the transmitted data. Through LOGINventory, DARA can recognize the organization's structure and assign relevant CVEs to your devices and software.
Where are the servers, and who has access to them? The servers are securely located in Germany, and only specifically authorized personnel from Cyber Insight have access to them.