Target Remediation rules
‎11-01-2022 11:36 AM
This is related to Vulnerability Response and Target Remediation Rules.
We have some rules already in place. In the past, whenever we have modified these rules, we have done 'Apply Changes' so it reevaluates the 'target date' on the existing VITs as well. Also, we understand there is a scheduled job 'Evaluate Target rules' that runs every night to update the 'date' and 'status' on active (not deferred/resolved) VITs.
We are looking for best practice recommendations to deactivate/modify the rules but only apply the changes to newly created VITs after the cutover (change made).
Appreciate the guidance.

‎11-04-2022 06:02 PM
Hey there,
I don't believe that is possible - as the Scheduled Job (daily) "Evaluate remediation targets" - will still evaluate existing Active VIs against Remediation Target Rules.
It would depend on the type of adjustments you made to the Remediation Target Rules, but Rules with a lower "Target (days)" value will still re-eval on Vulnerable Items previously stamped with a Remediation Target Rule having a higher "Target (days)". Essentially that daily job looks to validate / evaluate if a lower order Remediation Target Rule (based on Target days) should be applied.
Suppose you could add some Dates into the Remediation Target Rule conditions - but that would defeat the purpose of the job and cause issues with consistency and reporting. You also would want to keep your Remediation Target Rules limited and simple, so adding a Date field like (Created after) is asking for trouble.
Hope this helps clarify.
‎11-07-2022 10:00 AM
Thanks Andy for the response. We have a task to rewrite the rules. We are thinking of deactivating the existing rules, and it seems like there is a 'reapply' flag on the rules that could be set to 'false' so they don't apply to already existing VITs, but I guess what you are saying is that it is not possible, as it defeats the purpose. So what should be the right approach to modify the rules, and the change will always apply to all, right?
‎11-07-2022 03:54 PM
Ravali,
May be that I am not fully understanding your situation, but isn't that what the "Active" field is for? Set a Rule to Active = False and it no longer gets used?
Good luck on rewriting,
Joe

‎11-07-2022 06:51 PM
Hey there - I see what you mean.
The daily job would continuously evaluate Vulnerable Items against the current rules to see if a more aggressive (lower count in days) rule should win, rather than the currently applied rule. That could potentially include some of the updated rules.
In your scenario, for the broader update aka "re-write of the rules" or overhaul --> you might have Vulnerable Items with an aggressive rule applied, but perhaps you overhauled the rules in a manner where the more appropriate rule that should win, actually has more "days" on it, for a particular set of target Vulnerable Items. In that case, you'd have to leverage the "Reapply" feature, as the daily job would not handle that.
It would sort of depend on the updates you plan to make to the Remediation Target rules - but knowing that the daily job could update the applied Remediation Target Rule on existing Vulnerable Items based on your change (the Target Days is lower on the new rule) ... you may also similarly want to update the Applied Remediation Target Rule on existing Vulnerable Items if the number of Target Days should be greater than what is currently set (via the applied rule). This way, you achieve consistency - in that all of your enhanced rules apply to the existing Vulnerable Items -- rather than just rules where the Target Days are lower - it'd be best to re-evaluate the current Active records against the updated rules regardless of whether the appropriate rule that should be applied has a higher or lower count of Target (Days).
As always, ensure we test this out in SUBPROD - as we could see some performance issues depending on the Remediation Target Rules (total count), conditions on the rules, volume of existing Vulnerable Items to retrofit via the Reapply, etc.
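
Added example, not part of any post above and not ServiceNow code: a small JavaScript model of the behaviour described in this thread, showing why a rule rewrite that raises some targets leaves existing items inconsistent if only the daily job runs. The rule names, item fields (`severity`, `state`, `targetDays`) and the `VIT-A`/`VIT-B` records are constructed for illustration, and the matching logic is an assumption based on the replies.

```javascript
// Simplified model of the behaviour described in this thread; not ServiceNow code.
// Field names and sample records are assumptions constructed for illustration.

// Lowest-"Target (days)" active rule whose condition matches the item, or null.
function bestRule(rules, item) {
  const hits = rules.filter(r => r.active && r.matches(item));
  return hits.reduce((best, r) => (!best || r.targetDays < best.targetDays ? r : best), null);
}

// Daily job as described: only switches an item to a rule with fewer target days.
function dailyJob(rules, items) {
  for (const item of items) {
    if (item.state !== 'active') continue; // deferred/resolved items are skipped
    const rule = bestRule(rules, item);
    if (rule && (item.targetDays === null || rule.targetDays < item.targetDays)) {
      item.rule = rule.name;
      item.targetDays = rule.targetDays;
    }
  }
  return items;
}

// Reapply as described: restamps active items with the winning rule, higher or lower.
function reapply(rules, items) {
  for (const item of items) {
    if (item.state !== 'active') continue;
    const rule = bestRule(rules, item);
    item.rule = rule ? rule.name : null;
    item.targetDays = rule ? rule.targetDays : null;
  }
  return items;
}

// Constructed rewrite: Critical is loosened (15 -> 30), High is tightened (60 -> 45).
const oldRules = [
  { name: 'old-critical', active: true, targetDays: 15, matches: i => i.severity === 'critical' },
  { name: 'old-high', active: true, targetDays: 60, matches: i => i.severity === 'high' },
];
const newRules = [
  { name: 'new-critical', active: true, targetDays: 30, matches: i => i.severity === 'critical' },
  { name: 'new-high', active: true, targetDays: 45, matches: i => i.severity === 'high' },
];
// Items as they looked before the cutover, stamped by the old rules.
const makeItems = () => reapply(oldRules, [
  { id: 'VIT-A', severity: 'critical', state: 'active', rule: null, targetDays: null },
  { id: 'VIT-B', severity: 'high', state: 'active', rule: null, targetDays: null },
]);

const afterJobOnly = dailyJob(newRules, makeItems()); // VIT-A stays on the retired 15-day rule
const afterReapply = reapply(newRules, makeItems());  // both items follow the new rules
console.log(afterJobOnly, afterReapply);
```

In this model the daily job alone leaves `VIT-A` stamped with a rule that no longer exists in the active set, which is the reporting inconsistency the last reply warns about.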