How is the risk rating field calculated in VR?

Kruthik M Shiva
Tera Contributor

Hi all,
How is the risk rating field calculated in VR? Any pointers on this, please provide.
Thanks in advance.

1 ACCEPTED SOLUTION

Fatih Karacaer
ServiceNow Employee

Hi Kruthik,

On top of the detailed information Gaurav mentioned above I can say that Risk Rating is calculated by 2 business rules for both Vulnerable Items and Remediation Tasks.

And the business rule executes the script include below:

And the getRiskRatingFromRiskScore function is as below:

Please mark it as helpful if it is!

Fatih.

Gaurav Kedari
Tera Contributor

Hi,

Vulnerable Item Risk Scoring:

Vulnerable Items are evaluated against configurable Vulnerability Calculators to determine a Risk score (0 – 100) and corresponding Risk Rating (Critical, High, Medium, Low, None) value.

A Vulnerable Item’s Risk Score / Risk Rating is generally calculated from the context of the vulnerability’s severity and the context of the Configuration Item (that is, the asset or host the vulnerability was identified on), such as business criticality, Internet-facing exposure, etc.

We have a risk roll-up feature which influences the overall Risk Score / Risk Rating of a single Vulnerability Group with many associated Vulnerable Items. This is based on a weighted calculation of the Risk Score values across those Vulnerable Items that are associated to the Vulnerability Group.

Calculated Risk Score ranges are then mapped to specific Risk Rating values at both the Vulnerable Item and Vulnerability Group layers:

Vulnerability Response, Risk Score to Risk Rating Mappings

Sample: Basic Vulnerability Calculator

Vulnerability Calculators can be tuned to meet organizational standards and policies, such that Remediation Teams have a simplified user experience when prioritizing what activities to work on first.

As represented in the sample Vulnerability Calculator above, Risk Scores can be leveraged to drive granular layers of Risk Rating values. This greatly helps Remediation Teams further dial into determining which Vulnerable Items and Vulnerability Groups should be prioritized.

PhillipC
Tera Contributor

Hi Kruthik, I know this question has been here a while, but I had the same issue, so maybe what I found may help someone in the future.

There are 2 Business Rules (which call Script Includes) that are used to calculate the Risk Rating in Vulnerability Response.

1) Calculate risk score - After I followed all the logic and rabbit holes, the Script Include (VulnerabilityCalculatorCommonBase) is what uses the calculator that you've configured to come up with the Risk Score. There is a lot of logic to wrap your head around, but it uses the following inputs:

targetRecord, showMessage, updateTarget, optGroupTable, optCalcTable, optAdditionalCalcCriteria

and then uses the calculate() function to know which calculator to use and updates the records.

2) Update Risk Rating from Risk Score - The Risk Rating is calculated using the Risk Score, and here the type is vr_risk_rating (which identifies the numeric values to use in this table: sn_sec_cmn_risk_score_weight). As an example, we have an input of a VIT with a risk score of 20. This is fed into the possible categories of risk ratings; whichever category it happens to fall in is returned, so this example is a Low.
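As an added illustration of the two-step flow described in this thread (example code, not ServiceNow's script include or table contents): the ranges below stand in for sn_sec_cmn_risk_score_weight rows of type vr_risk_rating, and the calculator weights, roll-up formula and sample records are constructed for the example.

```javascript
// Added illustration, not ServiceNow's script include. The rating ranges,
// calculator weights, roll-up formula and sample records are constructed.
// Stand-in for sn_sec_cmn_risk_score_weight rows of type vr_risk_rating:
// contiguous, inclusive score ranges mapped to a rating label.
const RISK_RATING_RANGES = [
  { min: 90, max: 100, rating: 'Critical' },
  { min: 70, max: 89, rating: 'High' },
  { min: 40, max: 69, rating: 'Medium' },
  { min: 1, max: 39, rating: 'Low' },
  { min: 0, max: 0, rating: 'None' },
];

// Step 2 in the thread: Risk Score -> Risk Rating. The score is clamped to
// 0-100 so a misconfigured calculator can never yield an unmapped rating.
function getRiskRatingFromRiskScore(score, ranges = RISK_RATING_RANGES) {
  const s = Math.min(100, Math.max(0, Math.round(Number(score) || 0)));
  const hit = ranges.find((r) => s >= r.min && s <= r.max);
  if (!hit) throw new Error('no rating range covers score ' + s);
  return hit.rating;
}

// Step 1 stand-in: a basic calculator that scales vulnerability severity by
// CI context (business criticality, Internet exposure), as Gaurav describes.
function calculateRiskScore(vit) {
  const severity = { critical: 100, high: 75, medium: 50, low: 25 }[vit.severity] || 0;
  const criticality = { high: 1.0, medium: 0.8, low: 0.6 }[vit.ci.businessCriticality] || 0.6;
  const exposure = vit.ci.internetFacing ? 1.0 : 0.8;
  return Math.round(severity * criticality * exposure);
}

// Roll-up stand-in for a Vulnerability Group: a score-weighted mean, so the
// worst items dominate instead of being diluted by many low-scoring ones.
function rollUpGroupRiskScore(vits) {
  const scores = vits.map(calculateRiskScore).filter((s) => s > 0);
  if (scores.length === 0) return 0;
  const sum = scores.reduce((a, s) => a + s, 0);
  const sumSquares = scores.reduce((a, s) => a + s * s, 0);
  return Math.round(sumSquares / sum);
}

// Constructed sample group: VIT-A scores 20 (the Low from PhillipC's example),
// VIT-B scores 100, and the group rolls up to 87, which maps to High.
const SAMPLE_GROUP = [
  { id: 'VIT-A', severity: 'low', ci: { businessCriticality: 'high', internetFacing: false } },
  { id: 'VIT-B', severity: 'critical', ci: { businessCriticality: 'high', internetFacing: true } },
];

const groupScore = rollUpGroupRiskScore(SAMPLE_GROUP);
console.log('group score', groupScore, '->', getRiskRatingFromRiskScore(groupScore));
```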