The Zurich release has arrived! Interested in new features and functionalities? Click here for more

Vulnerability Response Usage Calculation - How does it work?

john_gibbons
ServiceNow Employee
ServiceNow Employee

on ‎02-01-2023 10:09 AM

Vulnerability Response Usage calculations are viewed in a few different areas, Subscription Management and VR Usage summary Report(Starting version v16.5.4). We will discuss how each method calculates usage metrics.

 

The main calculations used for Vulnerability Response Customer usage within the Subscription Overview have the following criteria:

  1. DEFN1005547:  This definition contains the following four definitions to obtain the aggregated usage of Vulnerability Response and Configuration compliance. 
    1. Counts devices in the Discovered Items table from infrastructure scanners such as Qualys,Tenable and Rapid7.
    2. Includes Cloud VMs scanned by Qualys, Tenable, or Rapid7.
    3. Discovered Items with state ‘CI Decommissioned’ for the retired CIs in CMDB not counted.
    1. Counts devices in the Discovered Items table from Cloud Security mis-configuration scanners such as Palo Alto Prisma 
      1. Note:This definition will start collecting the metrics from the May/2022 release with Prisma Cloud and CC integration usage. 
    1. Counts devices in the VR Container table. This table includes the count of running container instances from Container Vulnerability scanners such as Palo Alto Prisma Cloud Compute averaged over 90 days. 
    1. DEFN1005414:  Discovered items scanned in last 90 days.
    2.  DEFN1005382:  Discovered items exclusively identified as a cloud asset and scanned in last 90 days.
    3.  DEFN1005385: Discovered running container instances in last 90 days (with rolling averages).
    4. DEFN1003246: Tenable assets last 90 days.This counts devices in a Tenable Assets table, which is the table where devices scanned by Tenable are stored. For avoidance of doubt, the Tenable Assets table, stores devices used by the Tenable for Vulnerability Response application (built by Tenable). In Jun, 2020, definition was created to capture tenable scanned assets (Existing Definition) 

 

These definitions can be viewed by going to the UA Downloaded Table Stats Definitions(ua_stats_defn).  Look at How Vulnerability Response Calculates Customer Usage for further details.

 

 

The main calculations used for the VR Usage summary Report us the following criteria In Discovered Items:

  1. Compliance Last Scan Date OR Last Scan Date within the last 90 days AND Asset Category is 'Infra' OR is Empty AND Discovered Item State is not 'CI Decommisioned'OR
  2. Non-infra Compliance Last Scan Date OR Non-infra Last Scan Date within the last 90 days OR Non-infra Compliance Last Scan Date OR Non-infra Last Scan Date is Empty AND Asset Category is not 'Infra' AND Discovered Item State is not 'CI Decommisioned'"

Look at VR Usage summary report for further details.

  • 2,444 Views
Comments
OliverJacob12
Tera Contributor
‎03-27-2023 06:05 AM
@john_gibbons wrote:

Vulnerability Response Usage calculations are viewed in a few different areas, Subscription Management and VR Usage summary Report(Starting version v16.5.4). We will discuss how each method calculates usage metrics.

 

The main calculations used for Vulnerability Response Customer usage within the Subscription Overview have the following criteria:

  1. DEFN1005547:  This definition contains the following four definitions to obtain the aggregated usage of Vulnerability Response and Configuration compliance. 
    1. Counts devices in the Discovered Items table from infrastructure scanners such as Qualys,Tenable and Rapid7.
    2. Includes Cloud VMs scanned by Qualys, Tenable, or Rapid7.
    3. Discovered Items with state ‘CI Decommissioned’ for the retired CIs in CMDB not counted.
    1. Counts devices in the Discovered Items table from Cloud Security mis-configuration scanners such as Palo Alto Prisma 
      1. Note:This definition will start collecting the metrics from the May/2022 release with Prisma Cloud and CC integration usage. 
    1. Counts devices in the VR Container table. This table includes the count of running container instances from Container Vulnerability scanners such as Palo Alto Prisma Cloud Compute averaged over 90 days. 
    1. DEFN1005414:  Discovered items scanned in last 90 days.
    2.  DEFN1005382:  Discovered items exclusively identified as a cloud asset and scanned in last 90 days.
    3.  DEFN1005385: Discovered running container instances in last 90 days (with rolling averages).
    4. DEFN1003246: Tenable assets last 90 days.This calorie calculator james smith counts devices in a Tenable Assets table, which is the table where devices scanned by Tenable are stored. For avoidance of doubt, the Tenable Assets table, stores devices used by the Tenable for Vulnerability Response application (built by Tenable). In Jun, 2020, definition was created to capture tenable scanned assets (Existing Definition) 

 

These definitions can be viewed by going to the UA Downloaded Table Stats Definitions(ua_stats_defn).  Look at How Vulnerability Response Calculates Customer Usage for further details.

 

 

The main calculations used for the VR Usage summary Report us the following criteria In Discovered Items:

  1. Compliance Last Scan Date OR Last Scan Date within the last 90 days AND Asset Category is 'Infra' OR is Empty AND Discovered Item State is not 'CI Decommisioned'OR
  2. Non-infra Compliance Last Scan Date OR Non-infra Last Scan Date within the last 90 days OR Non-infra Compliance Last Scan Date OR Non-infra Last Scan Date is Empty AND Asset Category is not 'Infra' AND Discovered Item State is not 'CI Decommisioned'"

Look at VR Usage summary report for further details.

The Solution record Risk score is a weighted calculation based on the vulnerable item Risk score and a count of active vulnerable items with this solution as their Potential Solution. Solution Risk score provides an estimation of the reduction in risk that the solution is expected to accomplish.

Solution record Risk score is calculated as follows:
  • It starts by taking 85% of the highest or maximum Risk score of an active vulnerable item with that potential solution.
  • Solution record Risk score then tabulates the total number of vulnerable items with that potential solution. For each range of the number of vulnerable items, it adds some points and arrives at a total.
    • 0–09 vulnerable items adds no points
    • 10–99 vulnerable items adds 5 points
    • 100–999 vulnerable items adds 10 points
    • 1000 and beyond vulnerable items adds 15 points

    For example, for a vulnerable item Risk score of 80, the Solution record Risk score would start at 68. If there were 200 active total vulnerable items with that potential solution, then the final Solution Risk score would be 78.

The Solution record Risk rating separates the Solution record Risk score into ranges from Critical to None. Solution Risk rating rates the risk reduction for the vulnerable items that this solution remediates.

Risk ratings separate the resulting Solution Risk score into the following ranges:
  • 1 — Critical (90+ Solution Risk score)
  • 2 — High (70-89 Solution record Risk score)
  • 3 — Medium (30-69 Solution record Risk score)
  • 4 — Low (1-29 Solution record Risk score)
  • 5 — None (0 Solution record Risk score)

In my case, Total number of Vulnerability items are 2 with max risk score as 100. So as per above formula, the risk score for solution should be 85% of 100 which is 85 but showing 65.

Can someone please assist.

Thanks.

Regards,

Prabhati

However, most of the literature characterizes vulnerability according to the basic formula: Risk + Response = Vulnerability, or, as articulated in Holzmann et al.'s guidelines on the Household Economy Approach (2008), “Baseline + Hazard + Response = Outcome (v).”

Version history
Last update:
‎02-01-2023 10:09 AM
Updated by:
ServiceNow Employee
Contributors