Vulnerability Items Count for all Approved Exceptions with Deferral details
09-02-2022 08:07 AM
We use Vulnerability Response for Exception management. Vulnerabilities are submitted for approval as individual VI and VUL (Remediation task). This creates a VCA (Vulnerability State Change Approvals) record, which has Detail, Additional Information, Desired State, Desired Substate, Record Reference (VI or VUL) etc. submitted by the requester - this is the information used as approval justification.
Now I am trying to report on all approved Deferred Vulnerable items with Priority count - that is, how many VIs are deferred, with Details and Additional Information as to why they ended up being Deferred.
The problem is that:
sn_vul_change_approval gives me VCA number, Details, Additional Details, and Until (date) - exactly what I need, though there is no way to look up sn_vul_vulnerable_item.priority
sn_vul_vulnerable_item table gives me a count of all 1 - Critical, 2 - High, 3 - Medium, 4 - Low, 5 - Very Low with State of Deferred, but there is no way to look up the VCA Details, Additional Details, Until or Approver.
I am using Reports to view it in a Multi-level Pivot table and tried sysapproval_approver, sn_vul_change_approval, sn_vul_vulnerable_item, sn_vul_vulnerability and sn_vul_m2m_vul_group_item. None of them allows me to link these fields.
Is there another table where I can create this report?
There is currently no link between sn_vul_change_approval and sn_vul_vulnerability or sn_vul_vulnerable_item - is there a way to link these or find another way to present all VIs linked to a VCA?

09-07-2022 12:20 PM
Hey there - interesting reporting use-case.
Native baseline - the Details and Additional Info would be mandatory and presented in a string field for either a Remediation Task or Vulnerable Item that is either (In Review or Deferred).
What types of reports are you trying to build:
- "Show me VIs that are Deferred, where the Additional information | IS | [xxx]" -- Grouped by Priority?
- "Show me VIs that are Deferred, where the Additional information | CONTAINS | [yyy]" -- Grouped by Priority?
Both the Remediation Task and Vulnerable Item have a reference field that point back to the related "State Change Approval" (VCA) .. it's called "Change approval" - but this will only be reliable for Remediation Task (assuming your users primarily request Exceptions thru Remediation Task) - the value does not trickle down to the Vuln Items once Deferred in a way you could leverage here for the report or query.
The item that is likely going to be the best bang for buck in your scenario - is the fact that the "Additional Information" from the "State Change Approval" is present on both the Remediation Task and Vulnerable Item -> check the field called "Deferral notes" on those two tables (will appear once the VI or RT is Deferred, sort of like a copy and paste of the same text).
Perhaps you can shift your query to leverage the "Deferral notes" against those records already in a State = Deferred for your reporting - just keep in mind querying against these types of string fields in large volumes will have some negative performance experience (especially with CONTAINS).
Hopefully this helps and you get a win - if you can share a bit more about the end result you are after, might be able to drum up a cleaner approach.
09-19-2022 09:45 AM