What's the simplest way to build out Vulnerability Classification Rules?

Dommer
Tera Contributor

Hi all,

We are looking to use VCR rules to classify our vulnerabilities (platform vs application). We want to use the Common Platform Enumeration (CPE) in the VCR rule condition. The following is an example of how I want to build out a VCR rule to classify vulnerabilities as an application.

All of these conditions must be met:

CPE           contains           cpe:/a

Set these values:

Classification = Application

Classification Type = Other

Problem is the CPE data doesn't seem to be available to select from in the condition. Am I missing it or is this not an option? I can see the CPE data in the Tenable System Import sets, but CPE is not being populated in the Third-Party vulnerability entries or anywhere else that I can see. Is this possible?

1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Sidenote: This is so weird, I have had at least three people ask me about CPE in the last week. Anyways....

The CPE data is on the Third-Party Vulnerability Entry table.

So, the CPE's Vendor and Product are copied over to the Third-Party Vulnerability Entry [sn_vul_third_party_entry] (i.e., your Tenable, Rapid7, Qualys, etc. vul library)... but the "Part" (aka Type: a,h,o) is not.

Vote up this idea so we can get the "Part" included in the TPE.

Until then, you will need customization..... the TenableTPEUtil Script Include. Customization should not be taken lightly and must be accounted for in each release. 

Basic Steps

  • Add a new field to the TPE
  • Modify _processCpeData() (in TenableTPEUtil)
  • The "obj" variable contains the raw CPE data

 

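An added example, not part of the original posts and not ServiceNow's code: a helper that pulls the CPE "Part" (a, h, o) out of a raw CPE string so it can be stored in the new TPE field and used in a VCR rule condition. The names `cpePart`, `cpeParts` and the field `u_cpe_part` are hypothetical, and because the shape of "obj" is not shown in this thread, the helper takes the CPE string (or an array of them) directly.

```javascript
// Added example: hypothetical helper, not part of TenableTPEUtil.
// Accepts CPE 2.2 URIs   (cpe:/a:vendor:product:version)
// and CPE 2.3 strings    (cpe:2.3:a:vendor:product:version:...).
// The optional "p-" prefix covers the package CPEs (p-cpe:/a:...) that
// Tenable plugin data also carries; a "contains cpe:/a" condition would
// match those as well.
var CPE_PART_RE = /^(?:p-)?cpe:(?:\/|2\.3:)([aho])(?::|$)/i;

// Returns 'a' (application), 'h' (hardware), 'o' (operating system),
// or null when the value is not a recognisable CPE.
function cpePart(cpe) {
  if (typeof cpe !== 'string') return null;
  var m = CPE_PART_RE.exec(cpe.trim());
  return m ? m[1].toLowerCase() : null;
}

// One plugin can list several CPEs. Assumption: they arrive either as an
// array or as one string separated by whitespace or commas.
// Returns the distinct parts, sorted and comma-joined (e.g. "a,o"), which
// is the value that would be written to the hypothetical u_cpe_part field.
function cpeParts(raw) {
  var items = Array.isArray(raw) ? raw : String(raw || '').split(/[\s,]+/);
  var seen = {};
  items.forEach(function (item) {
    var part = cpePart(item);
    if (part) seen[part] = true;
  });
  return Object.keys(seen).sort().join(',');
}
```

With the part stored on the entry, the rule from the question becomes a condition on that field (for example, the hypothetical `u_cpe_part` contains `a`) instead of a match on the full CPE string.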

11 REPLIES

Tokyo - Could this be done with sn_vul_m2m_entry_software?

lomo1014
ServiceNow Employee

Quick test is negative. I'll try again in the morning.