Business Impact and Priority on Vulnerable Items

Khanna Ji · ‎01-20-2019

Can anybody help me to understand how Business Impact and Priority values are set on Vulnerable items? I do not find any calculator or matrix for this? I can see matrix only for risk calculator of Vulnerable items.

Ragini Kukade · ‎01-20-2019

Hi,

Procedure to create vulnerability calculator:

Navigate to Vulnerability > Administration > Vulnerability Calculator Groups.
Click the name of the group for which you want to create a calculator, or create a new groupand then create a calculator for that group using the following steps.
In the Vulnerability Calculators related list, click New.
Fill in the fields on the form, as appropriate.

Hope the following link will help you:

https://docs.servicenow.com/bundle/london-security-management/page/product/vulnerability-response/task/t_CreateVulnCalculator.html

https://docs.servicenow.com/bundle/london-security-management/page/product/vulnerability-response/concept/c_VulnCalcGroup.html

Mark it as correct/helpful,if it helps for you.

Regards,

Ragini

andy_ojha · ‎01-21-2019

Hi Swathi - Good question and observation here.

The Vulnerable Item 'Priority' is typically calculated from the third-party integration you are working with, so that you can map a 'vulnerability severity or risk rating' from a solution like Qualys, Tenable or Rapid7 to a normalized Vulnerable Item 'Priority' value. It would depend on the third party integration plug-in you are using, some may use a Business Rule to translate the vendor's risk value to a ServiceNow Vulnerable Item Priority, where some may use a Transform Map to do this.

The Vulnerable Item 'Business Impact' is controlled by a Calculator Group called (Risk Score). Within the Calculator Group there is a calculator record that controls how this is computed in the baseline:

Computed Risk Score - Calculator (London)
Basic Risk Score - Calculator (Kingston)

This particular page on the product docs site, describes how the Vulnerable Item's 'Business Impact' value is calculated:

https://docs.servicenow.com/bundle/kingston-security-management/page/product/vulnerability-response/concept/c_VulnCalcGroup.html

The script performs the following functions:
- First, it creates a list of all CIs that are linked to the vulnerable item and any business services that are marked as depending on the CI.
- It queries and gets results of services that have business criticality (where criticality is not null), and orders them with the most critical ones first.
- It gets the choice lists for the vulnerable item and business criticality fields.
- If there are no business services in the list, the criticality is set to the lowest level.
- If there are business services in the list, the business criticality for all services is calculated.
- The weight of each vulnerable item is picked up from its CVSS score and is used to compute the new criticality.

Khanna Ji · ‎01-21-2019

I am pulling the data from Qualys. Can you help me to understand how priority is set for a vulnerability? Does it comes from Qualys itself?

andy_ojha · ‎01-24-2019

Hey Swathi - specifically for the Qualys integration -> there is a business rule called (Map Qualys Values) that handles taking the Qualys severity value provided to ServiceNow, and translating that to Vulnerable Item Priority value.

Note that Qualys rates Severity of 5 as the highest value; so the Qualys Severities are flipped when translated into Priority in ServiceNow - e.g. Qualys Severity of 5 -> ServiceNow Priority of 1 (Critical)...