How to Export Vulnerability Findings for a Specific Asset in Cortex Cloud

Created On 09/09/25 11:39 AM - Last Modified 02/13/26 22:42 PM


Objective


  • How can I export a complete list of vulnerability findings for a single asset from Cortex Cloud? The UI views under Posture management > Vulnerability Management > All Vulnerability Findings do not currently offer a direct "Download" or "Export" button. A method is needed to extract this data for reporting or analysis.


Environment


  • Cortex Cloud


Procedure


  • The recommended method for exporting vulnerability data for a specific asset is to use an XQL query in the Query Builder. This approach allows you to retrieve the complete, enriched data that matches what is displayed in the "All Vulnerability Findings" UI.
    • Follow these steps to export the data:
      • Get the Asset ID: Navigate to the asset you want to investigate within the Cortex Cloud UI. Locate and copy its Asset ID.
      • Open the Query Builder: Navigate to Investigation & Response > Query Builder.
      • Construct the XQL Query: In the XQL query tab, paste the following query. This query uses the uvm_findings dataset, which is the authoritative source for enriched vulnerability data.
        dataset = uvm_findings
        | filter vulnerability_id != null and asset_id = "<PASTE YOUR ASSET ID HERE>"
        | fields
           vulnerability_id,
           cve_description,
           cvss_score,
           cvss_severity,
           epss_score,
           exploitable,
           fix_available,
           fix_versions,
           cve_risk_factors,
           affected_software,
           asset_name,
           first_observed,
           last_observed
      • Add the Asset ID: Replace the placeholder text <PASTE YOUR ASSET ID HERE> with the Asset ID you copied in the first step.

      • Run the Query: Execute the query. The results table will display all vulnerabilities associated with the specified asset.

      • Export the Results: Once the query is complete, click the Download icon above the results table to save the data as a TSV file.
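Once the TSV is downloaded, it can be summarized for a report. The script below is an added example, not part of the original article or Palo Alto Networks code: it counts findings by severity and lists the exploitable findings that already have a fix, ordered by EPSS and then CVSS. It assumes the file's column headers equal the field names in the query, that flags are exported as true/false and scores as decimal numbers; the sample rows, CVE identifiers and the export.tsv file name are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample standing in for the downloaded TSV. Assumptions: column headers
# equal the field names in the query, flags export as true/false, scores as decimals.
SAMPLE_TSV = (
    "vulnerability_id\tcvss_score\tcvss_severity\tepss_score\texploitable\tfix_available\tasset_name\n"
    "CVE-0000-0001\t9.8\tCRITICAL\t0.92\ttrue\ttrue\tdemo-host\n"
    "CVE-0000-0002\t7.5\tHIGH\t0.10\tfalse\ttrue\tdemo-host\n"
    "CVE-0000-0003\t8.1\tHIGH\t0.97\ttrue\tfalse\tdemo-host\n"
    "CVE-0000-0004\t5.3\tMEDIUM\t\ttrue\ttrue\tdemo-host\n"
    "CVE-0000-0005\t7.5\tHIGH\t0.40\ttrue\ttrue\tdemo-host\n"
)

def as_flag(value):
    """Interpret an exported boolean cell; anything unrecognised counts as False."""
    return (value or "").strip().lower() in ("true", "yes", "1")

def as_score(value):
    """Parse a numeric cell; empty or malformed cells sort last as 0.0."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return 0.0

def load_findings(stream):
    """Read tab-separated rows, dropping any row without a vulnerability_id."""
    reader = csv.DictReader(stream, delimiter="\t")
    return [row for row in reader if (row.get("vulnerability_id") or "").strip()]

def severity_counts(findings):
    """Count findings per cvss_severity for a summary line in a report."""
    return Counter((f.get("cvss_severity") or "").strip().upper() or "UNKNOWN" for f in findings)

def patch_first(findings):
    """Exploitable findings that already have a fix, highest EPSS (then CVSS) first."""
    actionable = [f for f in findings if as_flag(f.get("exploitable")) and as_flag(f.get("fix_available"))]
    return sorted(actionable, key=lambda f: (as_score(f.get("epss_score")), as_score(f.get("cvss_score"))), reverse=True)

if __name__ == "__main__":
    # For a real export (hypothetical file name), replace the StringIO with:
    #   open("export.tsv", newline="", encoding="utf-8")
    findings = load_findings(io.StringIO(SAMPLE_TSV))
    print(dict(severity_counts(findings)))
    for f in patch_first(findings):
        print(f["vulnerability_id"], f["cvss_severity"], f["epss_score"] or "n/a")
```

Findings with an empty epss_score are kept and sorted after scored ones, so a missing score does not hide an exploitable, fixable vulnerability from the list.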



Additional Information


  • It is critical to use the uvm_findings dataset for this task. It contains the complete and processed vulnerability information, correlating raw findings with threat intelligence to provide a full picture. Using other datasets like findings will yield incomplete results that do not match the UI.

