Current Identities for Applications and Operating Systems
The current identity for an application or an operating system on a host is the identity that the system finds most likely to be correct.
The system uses the current identity for an operating system or application for the following purposes:
-
to assign vulnerabilities to a host
-
for impact assessment
-
when evaluating correlation rules written against operating system identifications, host profile qualifications, and compliance allow lists
-
for display in the Hosts and Servers table views in workflows
-
for display in the host profile
-
to calculate the operating system and application statistics on the Discovery Statistics page
The system uses source priorities to determine which active identity should be used as the current identity for an application or operating system.
For example, if a user sets the operating system to Windows 2003 Server on a host, Windows 2003 Server is the current identity. Attacks which target Windows 2003 Server vulnerabilities on that host are given a higher impact, and the vulnerabilities listed for that host in the host profile include Windows 2003 Server vulnerabilities.
The database may retain information from several sources for the operating system or for a particular application on a host.
The system treats an operating system or application identity as the current identity when the source for the data has the highest source priority. Possible sources have the following priority order:
1. user
2. scanner and application (set in the network discovery policy)
3. managed devices
4. NetFlow records
A new higher priority application identity will not override a current application identity if it has less detail than the current identity.
In addition, when an identity conflict occurs, the resolution of the conflict depends on settings in the network discovery policy or on your manual resolution.