Recently, I was asked about VR license calculation and realized that the documentation only scratches the surface. Let's dive into the logic behind it!
Before we start I want to say that I really love that ServiceNow hasn't made the logic protected and you can transparently see what and how they are doing their calculations.
That being said, let’s start with the deep-dive:
The calculation is triggered by 2 Scheduled jobs:
- VR Asset Usage Counter [sysauto_script_ 42fbfa0c5b800110a3b798ea0a81c725] - triggers collection of different scores (based on asset type and source)
- Usage Aggregator [sysauto_script_ 3e5bac105b080110a3b798ea0a81c7be] - triggers aggregation of results created by the previous job. This job is planned (OOB) to run at time of VR Asset Usage Counter + 1 hour, so all the non-aggregated scores are already collected
Whole logic is in one Script Include AssetUsageCalculation [sys_script_include_817c724c5b800110a3b798ea0a81c723].
Three tables where data are store:
- Usage by CI classes [sn_vul_licensing_usage_by_ci_classes] - Records for every day / CI class can be found here.
- Asset Usage Counts [sn_vul_licensing_asset_usage_counts] - Records for every day / Source (Integration) can be found here. Notice the aggregate boolean field, which says whether the result is aggregated (ie. Tenable in Image 2) or not. The aggregate results are created by scheduled job Usage Aggregator [sysauto_script_ 3e5bac105b080110a3b798ea0a81c7be]
- License Usages [sn_vul_licensing_usage] - Final usage records are stored here for every day
How is the Final Usage counted?
Let’s look at the function populateFinalUsage of Script Include AssetUsageCalculation. On row 302 we can see the formula:
var finalUsage = dedupedUsageAcrossScanner + dedupedUsageFromServiceNowVR + usageForDiscoveredImagesScanners + othersUsage;
Here is breakdown of variables:
dedupedUsageAcrossScanner - Gets Discovered Items [sn_sec_cmn_src_ci] of Infra and Cloud asset categories where CI is NOT decommissioned and Source (integration) is not from Excluded Sources and last scan was within the last 3 months.
dedupedUsageFromServiceNowVR - Gets records from Vulnerable Items [sn_vul_vulnerable_item] table where source is ServiceNow VR and last found is within last three months or empty and Configuration Item is not empty and Configuration Item life cycle stage status is not retired nor empty and doesn’t have Discovered Item with same rule as dedupedUsageAcrossScanner
usageForDiscoveredImagesScanners - Gets records from Asset Usage Counts [sn_vul_licensing_asset_usage_counts] which were created today and aggregate is true and product category is VR and Source is one of Prisma Cloud Compute,Wiz Container Integration
othersUsage - Gets records from Asset Usage Counts [sn_vul_licensing_asset_usage_counts] which were created today and aggregate is true and product category is VR and Source is Others.
Sum of these is then inserted as a Final Usage to the License Usages [sn_vul_licensing_usage] record.
Want to know more? Check out the Vulnerability Response Licensing and Usage [sn_vul_licensing] plugin and the VR and Cloud Security Usage dashboard for insights.
Safe Harbor - Please note, that all testing and screenshots are from Zurich PDI and your instance and/or plugin version may differ. I took the best effort to simplify the logic, but using these pieces of information is at your own risk and I will not take any responsibility for potential costs caused.
#VulnerabilityResponse
