Using Vulnerability Intelligence
Vulnerability Intelligence in Alert Manager Enterprise (AME) gives security teams centralized visibility into detected vulnerabilities (CVEs) and their realizations on observables (assets, endpoints, containers, etc.) in your environment.
Use this module to:
- Track vulnerability detection and realization trends over time
- Prioritize remediation based on severity, exploitability, and business impact
- Search and filter realizations by time, status, observable, and CVE attributes
- Manage realization rules, suppression/exclusion rules, and CVE metadata overrides
Dashboard Tabs
The main navigation contains the following tabs:
- Overview — View and filter realized vulnerabilities
- Staged Overview — Inspect pending/staged vulnerability data that could not be matched
- CVEs — Browse the indexed CVE catalog with enrichment details
- Realization Rules — Define rules that trigger events from vulnerability realizations
- Realization Exception Rules — Define suppression rules to exclude known false positives or accepted risks
- CVE Overwrites — Customize CVE metadata (severity, priority, etc.) for your environment
- Reporting — Create and export vulnerability reports
- Configuration — Module-wide settings and integration options
For detailed configuration of rules, overwrites, and reporting, see the Configuration guide.
Realization Overview
A realization occurs when a known vulnerability (CVE) is detected on a specific observable (host, endpoint, container, cloud resource, etc.).
The Overview tab displays all matching realizations. Without any filters applied, up to 10,000 results are shown.
Single Value Indicators
Single Value indicators display the count of open realizations grouped by CVSS severity. Each card includes a 7-day trend line.
Search filters do not affect these indicator values.
Search & Filter Controls
Refine the displayed realizations using these controls:
- Add filter — Create conditions based on realization fields, CVE attributes, observable metadata, or observable data
- State dropdown — Filter by realization status: All, Open, Fixed
- Time Field — Select the time dimension: First Seen, Last Seen, Fixed At
- Time Range — Choose predefined ranges (Last 7 days, Last 30 days, etc.) or a custom interval
- Find Realizations button — Run the query
Realizations Table
The results table shows up to 10,000 realizations with the following default columns:
| Column | Description |
|---|---|
| First Seen | Timestamp when the vulnerability was first detected on this observable |
| Last Seen | Timestamp of the most recent detection |
| Published | Official CVE publication date |
| CVE | CVE identifier (e.g., CVE-2025-21391) |
| Title | Short descriptive title of the vulnerability |
| CVSS Score | CVSS v3/v4 base score |
| CVSS Severity | Derived severity level (LOW, MEDIUM, HIGH, CRITICAL) |
| UID | Unique identifier of the observable (hostname, IP, FQDN, container ID, …) |
| Criticality | Business criticality of the affected observable (custom or derived) |
| Detail | Link to the full realization detail view |
Table Controls
- Pagination
- Rows per page (10, 25, 50, …)
- Processing time indicator
- CSV export (current page or all matching results)
- Column visibility and order configuration
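The following Python script is an added example, not part of AME or its documentation. It shows one way to triage a CSV export of the realizations table offline: it counts realizations per CVSS severity and orders them for remediation. Assumptions: the export was run with State set to Open, the CSV header names equal the default column names listed above, timestamps are ISO 8601 in UTC, and Criticality uses the labels low/medium/high. The CVE identifiers, hosts, and values in the sample are constructed placeholders.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export (placeholder CVE ids and hosts). Assumed: header
# names equal the default column names, timestamps are ISO 8601 UTC.
SAMPLE_CSV = """First Seen,Last Seen,Published,CVE,Title,CVSS Score,CVSS Severity,UID,Criticality
2025-02-12T08:00:00Z,2025-03-01T08:00:00Z,2025-02-01,CVE-0000-0002,Sample B,7.1,HIGH,host-a.example,high
2025-02-20T08:00:00Z,2025-03-01T08:00:00Z,2025-02-01,CVE-0000-0002,Sample B,7.1,HIGH,host-b.example,low
2025-01-05T08:00:00Z,2025-03-01T08:00:00Z,2025-01-01,CVE-0000-0001,Sample A,9.8,CRITICAL,host-b.example,low
2025-02-25T08:00:00Z,2025-03-01T08:00:00Z,2025-02-15,CVE-0000-0003,Sample C,4.3,MEDIUM,host-a.example,high
"""
SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed labels

def parse_ts(value):
    # Accept a trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))

def load(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["score"] = float(row["CVSS Score"])
        row["first_seen"] = parse_ts(row["First Seen"])
        # Unknown or custom criticality labels get weight 0 and sort last in ties.
        row["weight"] = CRITICALITY_WEIGHT.get(row["Criticality"].strip().lower(), 0)
        rows.append(row)
    return rows

def severity_counts(rows):
    counts = Counter(row["CVSS Severity"].strip().upper() for row in rows)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}

def prioritize(rows):
    # Highest CVSS score first, then most critical observable, then oldest.
    return sorted(rows, key=lambda r: (-r["score"], -r["weight"], r["first_seen"]))

def age_days(row, now):
    return (now - row["first_seen"]).days

if __name__ == "__main__":
    now = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)  # fixed for the sample
    rows = load(SAMPLE_CSV)
    print(severity_counts(rows))
    for r in prioritize(rows):
        print(r["CVE"], r["UID"], r["CVSS Severity"], r["Criticality"], age_days(r, now), "days open")
```

Adjust `CRITICALITY_WEIGHT` to the criticality values used in your environment, since the Criticality column can be custom or derived.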
Realization Detail View
Click the Detail link in any row to open the realization detail panel.
Overview Tab
Shows CVE information, realization timeline, and key metadata.
Click the book icon to open external references (NIST NVD, cve.org).
Realization Rules Tab
Lists all realization rules that matched for this observable/CVE combination.
Events Tab
Shows all AME events generated from this realization. Click any event to jump to the Event Overview.
Observable Tab
Displays general information about the affected observable.
Staged Overview
The Staged Overview tab lists vulnerability data that was ingested but could not be matched to:
- an indexed observable (unknown asset/endpoint), or
- an indexed CVE
Use the Filter dropdown to narrow down by CVE or other attributes.
The Clean button lets you remove staged entries (by CVE or by value). Note that cleaned items may reappear if the underlying data is still being ingested.
CVEs
The CVEs tab displays the full catalog of indexed CVEs. Use the search bar or filters to find specific entries.
Click the book icon on any row to open external references (cve.org, NIST NVD).
Next Steps
- Learn how to create reports
- Learn how to create scheduled reports
- Configure rules and settings in the Configuration guide