Vulnerability Assignment Based on Proof
07-08-2022 07:44 PM
Using the Qualys vulnerability scan integration (and I’m unsure if this is agnostic across scanners), we have certain vulnerabilities where the only data that discerns what team is responsible for remediation is the proof of the detection.
Here are two examples of the issue:
- Apache Log4j
The Qualys Log4j scan utility vulnerabilities will display proof data containing the path where Log4j was found. For example, one computer will report Log4j with proof being in a Jenkins folder, while another computer with proof being in a Tableau folder.
In both detections, Tableau and Jenkins, my use case is to assign to Tableau or Jenkins teams specifically (meaning not anything that could be determined just from the vulnerability being Log4j, and nothing from the CI - only the proof says Tableau vs. Jenkins).
- Cisco Webex and Jabber
Qualys rolls up vulnerabilities for both Webex and Jabber (single published advisory from Cisco, but two different products), into a single vulnerability. The vulnerable item then doesn’t discern whether the vulnerability should be assigned to Jabber or Webex support teams - again only in the proof column of the detection.
How have other teams handled situations like this and distributing these vulnerabilities at scale in VR? We end up manually splitting remediation tasks and reassigning ownership.
My first thought was to customize the VI to also capture the proof column, so that it could be parsed by VI assignment rules. Reading documentation, it seems to indicate that Rapid7 will natively display proof on the VI (under step 2 of procedure in the linked doc). Am I interpreting that right, and is there a reason that the Qualys integration does not put proof on the VI (VI granularity, etc)? Would there be a better recommendation than perhaps adding this additional field to the VI?
Labels: Vulnerability Response
09-02-2022 06:40 AM
Hi Zach,
I was wondering if you had got any further with this as I am now coming up against the same problem. From Qualys, it is only the proof that will help us determine the correct group for remediation on some vulnerabilities. Was wondering if you had managed to get an assignment rule utilising the proof of the detection?
Thanks
Sam
09-03-2022 08:17 AM
Hi,
It was pointed out to me that in our environment the "Description" column was populated based on the proof of the detection from Qualys. I was a bit confused if this was OOTB or not, since it seemed to contradict what the docs said, but it solved the issue for me.
Thanks,
Zach
09-08-2022 05:58 AM
Hi Zach,
Cheers for this, I've checked and the description is also populated with the proof details in our instance too, so I'm guessing this is OOB.
That's helped me on the script I needed.
Thanks
Sam
12-16-2024 09:02 AM
Thanks Zach - confirming this Description field also populates data from the proof associated with a Detection from Tenable. This will certainly be helpful for the creation of assignment rules.
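
The routing discussed in this thread, as an added example that is not from any poster and is not ServiceNow or Qualys code: a plain JavaScript function that picks an owning team from the proof text found in the Description field, and sends detections with no match or with several matches to triage instead of guessing. The group names, patterns, titles and sample proof strings are constructed assumptions.

```javascript
// Added example. Group names, regexes and sample proof strings are constructed
// assumptions; adapt them to the proof text your scanner actually produces.
const FALLBACK = 'Vulnerability Triage'; // hypothetical catch-all group
const ROUTES = [
  // product: matches the vulnerability title; proof: matches the Description text
  { group: 'Jenkins Support', product: /log4j/i, proof: /[\\\/]jenkins[\\\/]/i },
  { group: 'Tableau Support', product: /log4j/i, proof: /[\\\/]tableau[\\\/]/i },
  { group: 'Webex Support', product: /webex|jabber/i, proof: /\bwebex\b/i },
  { group: 'Jabber Support', product: /webex|jabber/i, proof: /\bjabber\b/i },
];

// Returns { group, reason }. Exactly one matching team is assigned directly.
// Zero or several matches go to the fallback group, so a detection whose proof
// names two products is never silently handed to only one of the teams.
function assignByProof(vulnTitle, description) {
  const text = description || '';
  const hits = ROUTES
    .filter((r) => r.product.test(vulnTitle) && r.proof.test(text))
    .map((r) => r.group);
  const unique = [...new Set(hits)];
  if (unique.length === 1) return { group: unique[0], reason: 'single proof match' };
  if (unique.length === 0) return { group: FALLBACK, reason: 'no proof match' };
  return { group: FALLBACK, reason: 'ambiguous: ' + unique.join(', ') };
}

// Constructed sample detections (title, Description text).
const SAMPLES = [
  ['Apache Log4j (constructed title)',
    'Path= /var/lib/jenkins/plugins/example/WEB-INF/lib/log4j-core.jar'],
  ['Apache Log4j (constructed title)',
    'C:\\Program Files\\Tableau\\Tableau Server\\lib\\log4j-core.jar'],
  ['Apache Log4j (constructed title)',
    '/opt/tableau/lib/log4j-core.jar\n/var/lib/jenkins/war/log4j-core.jar'],
  ['Cisco Webex and Jabber (constructed title)',
    'C:\\Program Files (x86)\\Cisco Systems\\Cisco Jabber\\CiscoJabber.exe'],
  ['Cisco Webex and Jabber (constructed title)', ''],
];

for (const [title, description] of SAMPLES) {
  const { group, reason } = assignByProof(title, description);
  console.log(`${title} -> ${group} (${reason})`);
}
```

Requiring both the title and the proof to match keeps a path that merely contains a product name from rerouting an unrelated vulnerability.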