Assignment Rules and Classification Rules in Vulnerability Response
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 hours ago
We have an instance where our Assignment Rules have conditions that are dependent on our Classification Rules and it is either creating a Race Condition or I am simply too inexperienced to understand what is going wrong.
Context:
- 2 Classification Rules: OS (order:100) and APP (Order:200). OS has several conditions like "Summary contains Mozilla", "Summary contains Microsoft Office" etc. Not good practice, I am aware, but this is an old instance that the customer does not want to change. APP has no conditions at all, so anything that isn't picked up by OS, gets picked up by APP.
- Several Assignment Rules. One of them has a condition "Vulnerability. Classification Rule is App". Now naturally this evaluates to true if the Classification Rule is APP for said vulnerability.
Issue:
This aforementioned Assignment Rule is evaluating to True on Vulnerabilities that have their Classification Rule set to OS, not APP, which makes no sense. Sadly there is no auditing on Vulnerabilities, so I cannot check its history to see if the Rule was flip-flopping on said vulnerability. This obviously leads to some issues where Vulnerable Items (VITs) are created where the wrong Assignment Rule is being used and thus being assigned to the wrong group. What is interesting is that if this VIT is closed and then reopened, suddenly the correct rule is applied to the VIT and then it also gets the correct assignment group. This is done because the state of the VIT changed and thus the assignment rules were re-evaluated (I assume).
What I do not understand is how the Assignment Rule is evaluating this to True in the first place. Clearly the vulnerability at some point will have been given the APP Classification Rule (incorrectly) and then just moments later been given the correct OS Classification Rule. But I thought when third-party vulnerability providers gave us data dumps of vulnerabilities it would process all this data once, create the needed vulnerabilities that are not already in the system, and apply the Classification Rules in order from lowest to highest order, which means some of these Vulnerabilities in our system shouldn't flip flop between OS and APP.
Any help would be appreciated.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 hours ago
Hi @KristofferB
This sounds like a timing race condition rather than an issue with the Assignment Rule itself.
Please check few things like:
- whether the Assignment Rules run before the Classification Rules finish updating the vulnerability.
- Check for any Business Rules, Flows, or imports that update the Classification after assignment.
- Confirm the execution order of Classification Rules and Assignment Rules during vulnerability import.
- Enable Debug Business Rules or review import logs to see the sequence of updates.
The fact that reopening the VIT assigns it correctly suggests the Classification is correct by then and the Assignment Rule works as expected.
Please Accept the solution if it assisted you with your question & Mark this response as Helpful.