
Changing the default risk score scale for risk ratings.

dan167
Tera Guru

Hello,


Does anyone know where I would go to adjust the risk score rating scale? Say if my employer wants a risk score of 60 and above to be critical (just an example), where would I adjust the scale to say risk score 60-100 should = critical?

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there - Great question.

In earlier releases of VR, the Risk Score -> Risk Rating mapping was hardcoded in a Script Include (VulnerabilityUtils), and modifying that came with tech debt.

Today, you can configure the Risk Score -> Risk Rating mappings, by going to the Risk Score Weight table, filtering on the flavor of VR you want to make this configuration for (e.g. VR, Cloud VR, CC) and updating the ranges.

In the left nav, you would type [sn_sec_cmn_risk_score_weight.list] to get to the table, then filter the "Type" as needed (e.g. Vulnerability Response Risk Rating).


The "Weights" would be the Risk Score (0 - 100) Ranges, and the "Value" would be the outcome, i.e. the Risk Rating (1 - Critical, 2 - High, 3 - Medium, 4 - Low, 5 - None).


If you really needed to adjust the Risk Score -> Risk Rating scale, you would update the Weight values for the ranges you have in mind (e.g. lowering the threshold for Risk Rating of Critical, to start at 80 instead of 89).

Keep in mind, these baseline values do reflect the same flavor of mappings as seen in CVSS v3/v4 Scores to Severity ratings, as a starting point:
https://nvd.nist.gov/vuln-metrics/cvss


[attached screenshot: andy_ojha_1-1734542336927.png]


Reference:

https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/container-vulnerabili...


6 REPLIES

andy_ojha
ServiceNow Employee

I see -- You need to be careful here though...

Risk Score and Risk Rating live in other areas beyond just the Vulnerable Item; these values are also rolled up to and computed in records like Vulnerability Entry, Remediation Task, Remediation Effort, Vuln Solutions and a few more...


In theory though, if you have added the appropriate Choice (sys_choice) to the Risk Rating field on the Vulnerable Item (with the corresponding Value), it should work out. However, you'd have some tech debt to account for: as the Risk Rating field exists on many tables, it'd be a bit cumbersome to maintain the Choices on them potentially.


As an alternative - is there a way we could influence Risk Score of 100, in our Calculator Rules to only be applied in that extreme circumstance?  I recognize, it'd still have a Risk Rating of Critical (across that Risk Score Range) - but we could have special filters, reporting, etc. for VITs with a Risk Score of 100.
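Added example (not ServiceNow's code, and not a GlideRecord script): a stand-alone Node.js model of the Risk Score -> Risk Rating range table from the accepted answer, plus the "flag the score-100 case separately" alternative from the reply above. It validates a proposed set of ranges before anyone edits the live table (integer bounds, no gaps, no overlaps, full 0-100 coverage, only the five rating values named in the thread) and lists which scores change rating, which matters because the rating rolls up to other records. The baseline bands are constructed to look like CVSS v3/v4 severity bands scaled to 0-100; they are an assumption for this example, not the product's shipped defaults.

```javascript
// Added example, not ServiceNow's own code. Rating values follow the thread:
// 1 Critical, 2 High, 3 Medium, 4 Low, 5 None.
const RATING_LABELS = { 1: "Critical", 2: "High", 3: "Medium", 4: "Low", 5: "None" };

// Constructed baseline shaped like the CVSS v3/v4 severity bands scaled to
// 0-100. An assumption for this example, not the product's shipped defaults.
const BASELINE_RANGES = [
  { min: 90, max: 100, value: 1 },
  { min: 70, max: 89, value: 2 },
  { min: 40, max: 69, value: 3 },
  { min: 1, max: 39, value: 4 },
  { min: 0, max: 0, value: 5 },
];

// The scale the question asks about: 60 and above is Critical. The lower
// bands are constructed so the set still covers 0-100 without gaps.
const PROPOSED_RANGES = [
  { min: 60, max: 100, value: 1 },
  { min: 40, max: 59, value: 2 },
  { min: 20, max: 39, value: 3 },
  { min: 1, max: 19, value: 4 },
  { min: 0, max: 0, value: 5 },
];

// Returns a list of problems with a range set; an empty list means every
// integer score 0-100 maps to exactly one known rating value.
function validateRanges(ranges) {
  const errors = [];
  const sorted = [...ranges].sort((a, b) => a.min - b.min);
  for (const r of sorted) {
    const boundsOk = Number.isInteger(r.min) && Number.isInteger(r.max) &&
      r.min >= 0 && r.max <= 100 && r.min <= r.max;
    if (!boundsOk) errors.push(`bad bounds ${r.min}-${r.max}`);
    if (!(r.value in RATING_LABELS)) errors.push(`unknown rating value ${r.value}`);
  }
  if (sorted.length === 0 || sorted[0].min !== 0) errors.push("no range starts at 0");
  if (sorted.length === 0 || sorted[sorted.length - 1].max !== 100) errors.push("no range ends at 100");
  for (let i = 1; i < sorted.length; i++) {
    const prev = sorted[i - 1];
    const cur = sorted[i];
    if (cur.min <= prev.max) {
      errors.push(`overlap between ${prev.min}-${prev.max} and ${cur.min}-${cur.max}`);
    } else if (cur.min !== prev.max + 1) {
      errors.push(`gap between ${prev.max} and ${cur.min}`);
    }
  }
  return errors;
}

// Maps one score to its rating under a given range set. The maxScore flag is
// the alternative from the reply: keep the rating scale as-is and mark the
// score-100 case on its own instead of adding a new rating choice.
function classify(score, ranges) {
  const hit = ranges.find((r) => score >= r.min && score <= r.max);
  if (!hit) throw new Error(`no range covers score ${score}`);
  return { value: hit.value, label: RATING_LABELS[hit.value], maxScore: score === 100 };
}

// Lists every integer score whose rating changes between two range sets.
// Because ratings roll up to other records, this is the blast radius of the
// change and worth reviewing before the table is edited.
function changedScores(before, after) {
  const changed = [];
  for (let s = 0; s <= 100; s++) {
    const a = classify(s, before).value;
    const b = classify(s, after).value;
    if (a !== b) changed.push({ score: s, from: RATING_LABELS[a], to: RATING_LABELS[b] });
  }
  return changed;
}

// Usage: check both sets, then compare them.
console.log("baseline problems:", validateRanges(BASELINE_RANGES));
console.log("proposed problems:", validateRanges(PROPOSED_RANGES));
console.log("score 60 under proposed scale:", classify(60, PROPOSED_RANGES));
console.log(`${changedScores(BASELINE_RANGES, PROPOSED_RANGES).length} scores change rating`);
```

Run with `node` to see the two validation results, the rating a score of 60 gets under the proposed scale, and how many scores move to a different rating (70 of 101 under these constructed sets). The validation step is the part worth keeping: a gap or overlap in the weight rows leaves some scores unmapped or ambiguously mapped, and that shows up in every record the rating rolls up to.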

I see... so we might want to do something like if risk score is 100 it would still have critical rating but maybe add another field that says it is a zero day so we don't have to change the rating itself. Just add needed functionality to update the added field if risk score = 100.


I don't really have clear direction from my team on what they want to = a zero day, I will discuss options with them.


Appreciate you taking the time to answer my questions.