‎06-10-2019 10:08 AM
Rapid7's Nexpose scan generates a risk score for vulnerabilities. ServiceNow also has vulnerability risk scores. The risk score from the integration is not loaded; instead, the SN risk score (default 50) is what is showing (see second image). How do you override it so that the imported risk score from the integration is what's used instead of SN's?
The score is available in the Rapid7 Vulnerabilities import set as shown in first image but it is not mapped to any field in SN tables. I believe I can add the field mapping to the related transform map but I'd rather verify that there is an OOTB configuration available. Any insights you can provide would be much appreciated.
Thanks!
Labels: Vulnerability Response

‎06-11-2019 12:54 PM
You could map the "Risk score" over to Vulnerability (third party vulnerability entry) as below. You can then use it later via the Vulnerability Calculator Group rules. I had a request to configure a rule to set the state of all VITs that match a given vulnerability to "Close". Using a Calculator Group rule to do that is pretty easy.
‎06-10-2019 10:37 AM
OK so the risk score in SN is calculated from the business impact (CI criticality) and the vulnerable item severity as pulled by the integration (sn_vul_third_party_entry.severity). My follow-up question is where do I find the Normalized_Index information? There appears to be a table with each source and its appropriate index score that is used with the severity to create a normalized value, which is then computed with the business impact to arrive at the risk score. Since all the VIs show up with a score of 50, I suspect there isn't a built-in setting for Rapid7 or there is someplace that I need to configure this. Thoughts?
‎06-10-2019 10:56 AM
So answering my own question (I did this already but it appears it didn't post), I found the entry for Rapid7 in the Normalized_Index array. However, it appears that while the script is looking for a source called Rapid7 Nexpose, the actual source value is simply Rapid7. This looks like a mistake or bug in the integration script. The end result is that the same value is being returned for any and all VI severity scores, which in turn gives us a risk score of 50 for all CIs (since I haven't configured CI criticality yet).

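Added example (not ServiceNow's or the Rapid7 integration's code): a stand-alone JavaScript model of the source-name lookup described in the post above, showing why a missed lookup flattens every score and how a tolerant lookup plus a flat-score check makes the miss visible. The table contents, the default value of 0.5 and the scoring formula are constructed assumptions; only the "Rapid7" versus "Rapid7 Nexpose" mismatch comes from the thread.

```javascript
// Hypothetical Normalized_Index: per-source scale used to turn a scanner's
// severity into a 0..1 value, keyed by the source name the script expects.
var NORMALIZED_INDEX = {
  'Rapid7 Nexpose': { maxSeverity: 10 },   // assumed: Nexpose severity 1..10
  'Qualys':         { maxSeverity: 5 }     // assumed: Qualys severity 1..5
};
var DEFAULT_NORMALIZED = 0.5;  // assumed value a missed lookup falls back to
var misses = [];               // source names that failed to match

// Naive lookup: exact key match or the default, with no trace of the miss.
// A VI whose source is "Rapid7" never hits "Rapid7 Nexpose" and gets 0.5.
function normalizeSeverityNaive(source, severity) {
  var entry = NORMALIZED_INDEX[source];
  if (!entry) { return DEFAULT_NORMALIZED; }
  return severity / entry.maxSeverity;
}

// Tolerant lookup: case-insensitive match that also accepts a prefix alias
// ("Rapid7" for "Rapid7 Nexpose"), clamps the severity to the source's
// scale, and records any miss so it can be reported instead of hidden.
// The alias match is a stopgap; aligning the source name is the real fix.
function normalizeSeverity(source, severity) {
  var key = String(source).trim().toLowerCase();
  var match = Object.keys(NORMALIZED_INDEX).filter(function (k) {
    var kk = k.toLowerCase();
    return kk === key || kk.indexOf(key) === 0 || key.indexOf(kk) === 0;
  })[0];
  if (!match) { misses.push(source); return DEFAULT_NORMALIZED; }
  var max = NORMALIZED_INDEX[match].maxSeverity;
  return Math.min(Math.max(Number(severity) || 0, 0), max) / max;
}

// Assumed scoring: business impact (0..1) times normalized severity, 0..100.
function riskScore(businessImpact, normalizedSeverity) {
  return Math.round(100 * businessImpact * normalizedSeverity);
}

// Health check over a batch of VIs: severities differ but every normalized
// value is identical, which is the thread's symptom (every CI at 50).
function detectFlatScores(items, lookup) {
  var seen = {}, sevs = {};
  items.forEach(function (it) {
    seen[lookup(it.source, it.severity)] = true;
    sevs[it.severity] = true;
  });
  return Object.keys(sevs).length > 1 && Object.keys(seen).length === 1;
}

// Constructed sample VIs as the integration would deliver them (source "Rapid7").
var SAMPLE_VIS = [
  { source: 'Rapid7', severity: 2 },
  { source: 'Rapid7', severity: 8 },
  { source: 'Rapid7', severity: 10 }
];
```

Running `detectFlatScores(SAMPLE_VIS, normalizeSeverityNaive)` returns true (the bug), while the tolerant lookup yields distinct values and the check returns false.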
‎06-11-2019 08:04 AM
Scoring is done via the Vulnerability Calculator. "Risk score" is the OOB calculation rule, which is based on Business Impacts on the Configuration Item (CI) and various attributes on the Vulnerability (from the Rapid7 integration). One can modify this OOB calculation or add more customized calculation rules. Please note that the OOB "Risk score" requires CI relationships, which come from Service Mapping. Without CI relationships, the OOB "risk score" will not be very useful.
‎06-11-2019 09:25 AM
Hi jing! Thanks for replying. Yes, I figured that out and found a bug in the calculation script in the process (ha!). I would have to write a different scoring script to replace the OOTB setup if we push forward with using Nexpose's scoring metric.
Have you run across different configurations that required that kind of a change? If so, anything I need to look out for?