What's the simplest way to build out Vulnerability Classification Rules?

Dommer
Tera Contributor

Hi all,

We are looking to use VCR rules to classify our vulnerabilities (platform vs application). We want to use the Common Platform Enumeration (CPE) in the VCR rule condition. The following is an example of how I want to build out a VCR rule to classify vulnerabilities as an application.

All of these conditions must be met:

CPE           contains           cpe:/a

Set these values:

Classification = Application

Classification Type = Other

Problem is the CPE data doesn't seem to be available to select from in the condition. Am I missing it or is this not an option? I can see the CPE data in the Tenable System Import sets, but CPE is not being populated in the Third-Party vulnerability entries or anywhere else that I can see. Is this possible?

1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Sidenote: This is so weird, I have had at least three people ask me about CPE in the last week. Anyways....

The CPE data is on the Third-Party Vulnerability Entry table.

So, the CPE's Vendor and Product are copied over to the Third-Party Vulnerability Entry [sn_vul_third_party_entry] (i.e., your Tenable, Rapid7, Qualys, etc. vul library)... but the "Part" (aka Type: a,h,o) is not.

Vote up this idea so we can get the "Part" included in the TPE.

Until then, you will need customization..... the TenableTPEUtil Script Include. Customization should not be taken lightly and must be accounted for in each release. 

Basic Steps

  • Add a new field to the TPE
  • Modify _processCpeData() (in TenableTPEUtil)
  • the "obj" variable contains the raw CPE data
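A sketch of the parsing step these bullets leave open, added here as an example; it is not part of the original post and is not ServiceNow's or Tenable's code. The helper names `cpePart` and `cpePartsField` are hypothetical, and it assumes the raw CPE value is either one string holding whitespace-separated CPEs or an array of CPE strings; how the result is written to the new TPE field inside `_processCpeData()` is not shown on this page.

```javascript
// Added example: stand-alone helpers, written in ES5 style.
// CPE "part" values: a = application, o = operating system, h = hardware.

// Returns 'a', 'o' or 'h' for one CPE name, or null if it is not recognised.
function cpePart(cpe) {
    if (typeof cpe !== 'string') return null;
    var s = cpe.trim().toLowerCase();
    // CPE 2.2 URI form: cpe:/a:vendor:product:version
    var m = /^cpe:\/([aoh])(?::|$)/.exec(s);
    // CPE 2.3 formatted string: cpe:2.3:a:vendor:product:version:...
    if (!m) m = /^cpe:2\.3:([aoh]):/.exec(s);
    return m ? m[1] : null;
}

// Builds the value for a custom "part" field: the distinct parts found,
// sorted and comma-joined ("a", "a,o", ...), or "" when none parse.
// A plugin can carry several CPEs, so a mix of parts stays visible to
// the VCR condition instead of being collapsed to one guess.
function cpePartsField(raw) {
    var items = Array.isArray(raw) ? raw : String(raw || '').split(/\s+/);
    var seen = {};
    for (var i = 0; i < items.length; i++) {
        var p = cpePart(items[i]);
        if (p) seen[p] = true;
    }
    return Object.keys(seen).sort().join(',');
}

// Constructed sample inputs (not taken from a real import set).
var samples = [
    'cpe:/a:apache:http_server:2.4.57',
    'cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*',
    'cpe:/o:linux:linux_kernel\ncpe:/a:openssl:openssl',
    'not-a-cpe'
];
for (var i = 0; i < samples.length; i++) {
    console.log(JSON.stringify(samples[i]) + ' -> "' + cpePartsField(samples[i]) + '"');
}
```

With the part stored this way, a VCR condition can test the new field for an exact `a` rather than a substring match on the whole CPE string.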

 


Ashutosh Munot1
Kilo Patron

Hi,

You will find this in the proof field on detections linked to VITs.

 

Thank you,

Ashutosh


@Chris McDevitt - Are there any updates on future releases of VR supporting the "Part" included in the TPE? Thanks.

Shelby Descotea
Kilo Explorer

Is the CPE data only there if you imported the CPE library from the NVD? I do not see anything for CPE in the vulnerable items table or sn_vul_third_party_entry.