What's the simplest way to build out Vulnerability Classification Rules?

Dommer
Tera Contributor

Hi all,

We are looking to use VCR rules to classify our vulnerabilities (platform vs application). We want to use the Common Platform Enumeration (CPE) in the VCR rule condition. The following is an example of how I want to build out a VCR rule to classify vulnerabilities as an application.

All of these conditions must be met:

CPE           contains           cpe:/a

Set these values:

Classification = Application

Classification Type = Other

Problem is the CPE data doesn't seem to be available to select from in the condition. Am I missing it or is this not an option? I can see the CPE data in the Tenable System Import sets, but CPE is not being populated in the Third-Party Vulnerability Entries or anywhere else that I can see. Is this possible?

1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Sidenote: This is so weird, I have had at least three people ask me about CPE in the last week. Anyways....

The CPE data is on the Third-Party Vulnerability Entry table.

So, the CPE's Vendor and Product are copied over to the Third-Party Vulnerability Entry [sn_vul_third_party_entry] (i.e., your Tenable, Rapid7, Qualys, etc. vul library)... but the "Part" (aka Type: a,h,o) is not.

Vote up this idea so we can get the "Part" included in the TPE.

Until then, you will need customization..... the TenableTPEUtil Script Include. Customization should not be taken lightly and must be accounted for in each release. 

Basic Steps

  • Add a new field to the TPE
  • Modify _processCpeData() (In TenableTPEUtil )
  • The "obj" variable contains the raw CPE data


CPE data ALSO comes in with the Vendor (Qualys, Tenable, Rapid7, etc.) Vulnerability Library (if available) during import. The CPE data is added to the Third-Party Vulnerabilities Entries table in the Vendor and Product fields.

Dommer
Tera Contributor

Thanks all. Hope this becomes available in the near future. This is really key to distinguishing OS layer vs app layer vulns etc.

@Chris McDevitt - Thanks for this information and I hope this gets enough votes. I know you provided basic steps, but is there a more user friendly version (detailed) for us that are not fluent in Service-Now scripting? Or are we talking professional service hours here?

Hi,

You do not need to be an expert in SN scripting to implement this, but you should know what you are doing..... 😉 

I am going to assume that you will start in the Dev environment and test, test, and retest. Then promote it through your normal stack and normal testing procedures. I am going to assume that you know about Scoped Apps and Script Includes.

I have done all of the engineering work to figure this out... and it is just two steps:

1. On the table Third-Party Vulnerability Entry [sn_vul_third_party_entry] create a new field called Part [u_part]

2. In the Script Include TenableTPEUtil in the method: _processCpeData add this line to the script:
vulnerabilityObj["u_part"] = obj["part"]; // Customization: copy the CPE Part (a/h/o) into the custom u_part field
 
It will look like this:
[screenshot of the modified _processCpeData method; image not available]
 
Make sure you comment your code so you can find it again!
 
If this is implemented by ServiceNow in the future:
1. Revert the Script Include to the Store Version
2. Upgrade the Tenable plugin to the latest version with this change. If you revert to the Store Version before you upgrade, then the new changes are implemented, and the Script Include is not skipped.
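As an added example (not code from this thread or from the ServiceNow Tenable plugin), the following shows what the CPE "Part" that the customization above copies into u_part actually conveys: it parses a raw CPE name into part/vendor/product and derives the Classification the VCR rule in the question wants. It handles both CPE 2.2 URI ("cpe:/a:...") and CPE 2.3 formatted-string ("cpe:2.3:a:...") syntax; only the "Application" label is named in the thread, the other two labels are assumptions.

```javascript
// Mapping from the CPE Part to the Classification a VCR rule would set.
const PART_TO_CLASSIFICATION = {
  a: 'Application',
  o: 'Operating System', // assumed label
  h: 'Hardware',         // assumed label
};

// Split a CPE name into { part, vendor, product }. Splits only on colons that
// are not backslash-escaped, because CPE 2.3 allows "\:" inside a value.
function parseCpe(cpe) {
  if (typeof cpe !== 'string') return null;
  const s = cpe.trim();
  let body;
  if (s.startsWith('cpe:2.3:')) body = s.slice('cpe:2.3:'.length);
  else if (s.startsWith('cpe:/')) body = s.slice('cpe:/'.length);
  else return null;
  const [part, vendor = '', product = ''] = body.split(/(?<!\\):/);
  if (!/^[aho]$/.test(part)) return null; // anything else is not a valid Part
  return { part, vendor, product };
}

// Derive the values a VCR rule would set. Unrecognised input falls through to
// "Unclassified" so a malformed record never silently becomes an Application.
function classifyByCpe(cpe) {
  const parsed = parseCpe(cpe);
  return {
    part: parsed ? parsed.part : '',
    classification: parsed ? PART_TO_CLASSIFICATION[parsed.part] : 'Unclassified',
    classificationType: 'Other',
  };
}

// Constructed sample CPEs: the two Microsoft entries share a Vendor but differ
// in Part, which is exactly why Vendor + Product alone cannot separate
// OS-layer from app-layer findings.
const SAMPLE_CPES = [
  'cpe:/o:microsoft:windows_10:1809',
  'cpe:/a:microsoft:office:2019',
  'cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*',
  'not a cpe',
];

// Classify a list of CPE names; returns one { cpe, classification } per input.
function classifyAll(cpes) {
  return cpes.map((cpe) => ({ cpe, classification: classifyByCpe(cpe).classification }));
}
```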
 
 

nitin54
Giga Contributor

@Chris McDevitt Do you know which script I need to modify for Qualys VR in order to use the classification rule to find the type (application, OS, etc.) or other? I am also trying to build my VCR rules based on CPE.

I can't find that information on the table by dot-walking to Third-Party Vulnerability Entry, but I do see fields like vendor and product which I can use; it would be difficult to build out the conditions using these two attributes, though. Also, I can't rely on summary because it may contain multiple keywords.

Your suggestion would be greatly appreciated!

 

@Nitin 

You will need to add the 'Third-Party Vulnerability Entry' table to the Classification Group form:

[screenshot of the Classification Group form; image not available]

 

The 'Third-Party Vulnerability Entry' table is where the Vendor and Product fields live.

How to:

1. Edit the System Property:

sn_sec_cmn.classificationTables

2. Add this table to the Value Field:

sn_vul_third_party_entry

It should look like this:

[screenshot of the sn_sec_cmn.classificationTables system property; image not available]