Starting with v13.0 of Configuration Compliance, you can customize the criteria for the default risk rule, including the use of scores provided by third-party vendors such as Qualys and Tenable in risk score calculations.

Third-party vendors, such as Qualys and Tenable, supply their own criticality scores. These scores are populated in the Criticality field on the sn_vulc_test table, and that field can be used as a criterion when computing the risk score. To do so, follow this procedure:

Add source criticality as a criterion for a risk rule

Use scores based on criticality provided by third-party vendors to compute risk scores.

Before you begin

Role required: sn_vulc.admin

About this task

Third-party vendors, such as Qualys and Tenable, provide their own criticality scores. These scores are populated in the Criticality field on the sn_vulc_test table, which you can add as a criterion when computing the risk score.

Procedure

  1. Navigate to All > Configuration Compliance > Administration > Risk Calculators.
  2. Navigate to the Risk rule form.
  3. Clear the Active check box, to deactivate the rule.
  4. Click Add Criteria.
  5. From the Choose reference table list, select Test Result.
  6. From the Field list, select Test.Criticality.
  7. In the Weight field, specify the relative importance of this field.
    The value must be an integer from 0 through 100.
  8. In the Define Value Weightages section, add field values, and assign a weightage percentage to the fields.
    Figure: Source Criticality for risk calculation
  9. Click Submit.

Add business criticality as a criterion for a risk rule

Assign a criticality value to business services and use that business criticality to compute risk scores.

Before you begin

Role required: sn_vulc.admin

About this task

Assume that your organization has many business services and that a configuration item (CI) is used by the following services:
Table 1. Criticality of the business services
Business Service      Criticality
Cloud Management      1 - Most critical
E-commerce            2 - Somewhat critical
Client services       3 - Less critical
Travel and Expense    4 - Not critical
The mapping between the CI and its services is stored in the Service [cmdb_ci_service] table. When a CI fails a Configuration Test, a Test Result (TR) is created. You can use the business criticality of the affected services to compute the risk score for this TR; when the CI is mapped to several services, the aggregation you choose in the procedure determines which service's criticality is used. Follow this procedure to use the criticality value of these services to compute the risk score.

Procedure

  1. Navigate to All > Configuration Compliance > Administration > Risk Calculators.
  2. Navigate to the Risk rule form from the Calculator Rules section.
  3. Clear the Active check box, to deactivate the rule.
  4. Click Add Criteria.
  5. From the Choose reference table list, select Configuration Item Reference Table.
  6. From the Table list, select Service [cmdb_ci_service].
  7. From the Field list, select Business Criticality.
  8. In the Aggregation field, select Minimum to use the most critical of the mapped services (1 - Most critical) or Maximum to use the least critical one (4 - Not critical).
  9. In the Weight field, specify the relative importance of this field.
    The value must be an integer from 0 through 100.
  10. In the Define Value Weightages section, add field values and assign weightages.
    Figure 1. Custom business criticality risk rule weightage
  11. Click Submit.

Add conditional criterion to the risk calculator

Add custom conditions to the risk rule so that they are used in the risk score calculation.

Before you begin

Role required: sn_vulc.admin

About this task

Assume that your organization has multiple configuration items (CIs), of which only a few can be reached by external users. You can give these outward-facing CIs additional weight in the risk score.
Note: In this example, these CIs are identified by name: their names start with 'external'.

Procedure

  1. Navigate to All > Configuration Compliance > Administration > Risk Calculators.
  2. Navigate to the Risk rule form.
  3. Clear the Active check box, to deactivate the rule.
  4. Click Add Criteria.
  5. From the Choose reference table list, select Custom Conditions.
  6. From the Condition table list, select Configuration Item.
  7. In the Field Name field, enter CI Exposure.
  8. In the Weight field, specify the relative importance of this field.
    The value must be an integer from 0 through 100.
  9. In the Condition field, select Name > starts with and enter external as the value.
    Figure 2. Custom conditions for new risk rule
  10. Click Submit.

Risk score calculation example for Configuration Compliance

Configure the risk score calculators so that the generated risk scores reflect the test and asset data specific to your organization.

Example of determining risk rule calculator scores

The following example demonstrates how scores for risk rule calculators are determined. Assume that a risk rule calculator is configured with the two criteria in this table, each with a weight of 50. The weight breakdown lists the weightage percentage assigned to each field value; Default applies to any value that is not listed.
Table 2. Determine risk rule calculator scores
Field                  Weight   Weight breakdown (weightage percentage per field value)
Control.Criticality    50       Default: 0; Minor: 20; Low: 30; Moderate: 50; High: 70; Critical: 100
Business_Criticality   50       Default: 0; 1 – Most Critical: 100; 2 – Somewhat Critical: 70; 3 – Less Critical: 50; 4 – Not Critical: 30

Assume that the test results shown in this table are present in the system.
Table 3. Test Results mapping
ID           Business Criticality     Control Criticality
CTR0000001   1 – Most Critical        Minor
CTR0000002   1 – Most Critical        Low
CTR0000003   2 – Somewhat Critical    Minor
CTR0000004   2 – Somewhat Critical    Moderate
CTR0000005   3 – Less Critical        Low
The risk score for a test result is calculated with the formula:

Risk Score = (W(control.criticality) x FV(control.criticality) + W(business_criticality) x FV(business_criticality)) / 100

where W is the weight of the criterion and FV is the weightage percentage assigned to the field's value.

The resulting risk score for these test results is as described in this table:
Table 4. Risk score based on Test results
ID           Business Criticality (50%)          Control Criticality (50%)   Resultant risk score
CTR0000001   1 – Most Critical (50% x 100)       Minor (50% x 20)            60
CTR0000002   1 – Most Critical (50% x 100)       Low (50% x 30)              65
CTR0000003   2 – Somewhat Critical (50% x 70)    Minor (50% x 20)            45
CTR0000004   2 – Somewhat Critical (50% x 70)    Moderate (50% x 50)         60
CTR0000005   3 – Less Critical (50% x 50)        Low (50% x 30)              40
If the weightage percentages of some field values are changed, the scores change as shown in the next two tables. In this example the Moderate control criticality is raised from 50 to 60, the 3 – Less Critical business criticality is lowered from 50 to 20, and the business criticality Default is raised from 0 to 50:
Table 5. Results for changed weightage percentage
Field                  Weight   Weight breakdown (weightage percentage per field value)
Control.Criticality    50       Default: 0; Minor: 20; Low: 30; Moderate: 60; High: 70; Critical: 100
Business_Criticality   50       Default: 50; 1 – Most Critical: 100; 2 – Somewhat Critical: 70; 3 – Less Critical: 20; 4 – Not Critical: 30

The risk score for the test results after reapplying the calculator is shown in this table. Only the test results whose field values were changed receive a revised score.
Table 6. Risk score for TR on reapplying calculator
ID           Business Criticality (50%)          Control Criticality (50%)   Resultant risk score
CTR0000001   1 – Most Critical (50% x 100)       Minor (50% x 20)            60
CTR0000002   1 – Most Critical (50% x 100)       Low (50% x 30)              65
CTR0000003   2 – Somewhat Critical (50% x 70)    Minor (50% x 20)            45
CTR0000004   2 – Somewhat Critical (50% x 70)    Moderate (50% x 60)*        65*
CTR0000005   3 – Less Critical (50% x 20)*       Low (50% x 30)              25*
* Revised value
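The following is an added worked example, not code from ServiceNow or from this documentation. It reproduces the risk rule calculator arithmetic of Tables 2 through 6 (weight times value weightage, summed and divided by 100, with a Default weightage for unlisted values) and the Minimum/Maximum aggregation described for the business criticality criterion when a CI is mapped to several services. The class and function names (Criterion, risk_score, aggregate_business_criticality, score_all) and the numeric encoding of business criticality (1 = Most critical through 4 = Not critical) are assumptions made for the example; the test results and service list are constructed to match Tables 1 and 3.

```python
"""Added example (not ServiceNow code): risk rule calculator arithmetic from the
Configuration Compliance tables above, plus Minimum/Maximum service aggregation.
Names such as Criterion and risk_score are assumptions made for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    """One criterion of a risk rule: a field, its weight and its value weightages."""
    field: str
    weight: int             # relative importance of the field, 0 through 100
    value_weightages: dict  # field value -> weightage percentage, 0 through 100
    default: int = 0        # weightage applied to a value that is not listed

    def __post_init__(self):
        if not 0 <= self.weight <= 100:
            raise ValueError(f"{self.field}: weight must be 0 through 100")
        for value, pct in [*self.value_weightages.items(), ("Default", self.default)]:
            if not 0 <= pct <= 100:
                raise ValueError(f"{self.field}: weightage for {value!r} must be 0 through 100")

    def fv(self, value):
        """FV: weightage percentage for this field's value (Default if unlisted)."""
        return self.value_weightages.get(value, self.default)


def risk_score(rule, test_result):
    """Risk Score = (sum over criteria of W(field) x FV(field value)) / 100."""
    return sum(c.weight * c.fv(test_result.get(c.field)) for c in rule) / 100


def aggregate_business_criticality(service_criticalities, aggregation="Minimum"):
    """Collapse the criticality of every service mapped to a CI into one value.

    Criticality is the numeric prefix of the label (1 - Most critical ... 4 - Not
    critical), so Minimum picks the most critical service and Maximum the least
    critical one, as the criterion's Aggregation field describes. A CI mapped to
    no service yields None, so the criterion's Default weightage applies.
    """
    if not service_criticalities:
        return None
    if aggregation not in ("Minimum", "Maximum"):
        raise ValueError(f"unsupported aggregation {aggregation!r}")
    return (min if aggregation == "Minimum" else max)(service_criticalities)


def score_all(rule, test_results):
    """Score every test result (id -> field values) under one rule."""
    return {tr_id: risk_score(rule, values) for tr_id, values in test_results.items()}


# Table 2: both criteria weighted 50. Business criticality is keyed by the
# numeric part of its label: 1 = Most critical ... 4 = Not critical.
RULE = [
    Criterion("Control.Criticality", 50,
              {"Minor": 20, "Low": 30, "Moderate": 50, "High": 70, "Critical": 100}),
    Criterion("Business_Criticality", 50, {1: 100, 2: 70, 3: 50, 4: 30}),
]

# Table 5: Moderate 50 -> 60, 3 - Less Critical 50 -> 20, business Default 0 -> 50.
REVISED_RULE = [
    Criterion("Control.Criticality", 50,
              {"Minor": 20, "Low": 30, "Moderate": 60, "High": 70, "Critical": 100}),
    Criterion("Business_Criticality", 50, {1: 100, 2: 70, 3: 20, 4: 30}, default=50),
]

# Table 3 test results (constructed sample data matching the page).
TEST_RESULTS = {
    "CTR0000001": {"Control.Criticality": "Minor", "Business_Criticality": 1},
    "CTR0000002": {"Control.Criticality": "Low", "Business_Criticality": 1},
    "CTR0000003": {"Control.Criticality": "Minor", "Business_Criticality": 2},
    "CTR0000004": {"Control.Criticality": "Moderate", "Business_Criticality": 2},
    "CTR0000005": {"Control.Criticality": "Low", "Business_Criticality": 3},
}

# Table 1: a CI used by four services; Minimum aggregation yields 1 (Most critical).
CI_SERVICES = {"Cloud Management": 1, "E-commerce": 2,
               "Client services": 3, "Travel and Expense": 4}

if __name__ == "__main__":
    revised = score_all(REVISED_RULE, TEST_RESULTS)
    for tr_id, score in score_all(RULE, TEST_RESULTS).items():
        print(tr_id, score, "->", revised[tr_id])
    print("CI business criticality (Minimum):",
          aggregate_business_criticality(list(CI_SERVICES.values())))
```

A test result whose CI is mapped to no service gets the criterion's Default weightage, which is why raising the business criticality Default from 0 to 50 in Table 5 matters even though none of the five sample test results exercises it.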

Risk rollup calculation example for Configuration Compliance (prior to v15.0)

The following example demonstrates how scores for risk rollup calculators are determined.

For the following remediation task rollup calculator, the formula for calculating the Remediation Task Risk Score is:

(Maximum risk score/100) * 85 + (factor * 15).

The factor in the previous equation is determined by the number of test results as shown in the following table.
Test result count Factor
<10 0.2
10-99 0.4
100-1000 0.6
1001-9999 0.8
>10000 1
For the following Remediation Task, TRG0003066, with three test results, the maximum of the test result risk scores is 90.
Number Risk score Remediation task Result Status
CTR000123 90 TRG0003066 Failed Open
CTR000124 70 TRG0003066 Failed Open
CTR000125 40 TRG0003066 Failed Open

For the Remediation Task, TRG0003066:

The Risk Score is 79: Math.floor((90/100) * 85 + 0.2 * 15) = Math.floor(76.5 + 3) = 79.

The historical risk score is null, because the Remediation Task is still 'Open'.

After the data ingestion, the test results are 'Passed', and the Remediation Task transitions to 'Closed' as shown in the following table.

Number Risk score (prior to v15.0) Remediation task Result Status
CTR000123 0 TRG0003066 Passed Closed
CTR000124 0 TRG0003066 Passed Closed
CTR000125 0 TRG0003066 Passed Closed

The test result history is shown in the following table.

Number Risk score Latest result Result
CTRH000111 90 CTR000123 Failed
CTRH000112 70 CTR000124 Failed
CTRH000113 40 CTR000125 Failed

The Risk Score is zero, because there are no active test results in the Remediation Task.

For the Remediation Task, TRG0003066:

The Historical Risk Score is 79: Math.floor((90/100) * 85 + 0.2 * 15) = Math.floor(76.5 + 3) = 79.

Risk rollup calculation example for Configuration Compliance (v15.0 and later)

The following example demonstrates how scores for risk rollup calculators are determined.

For the following remediation task rollup calculator, the formula for calculating the Remediation Task Risk Score is:

(Maximum risk score * 80/100) + (Average risk score * 5/100) + (Factor * 15)

where the weights are as follows:

  • Maximum risk score: 80
  • Average risk score: 5
  • Factor: 15

The default weight of the Average risk score is 0; this example sets it to 5 so that the term is visible in the calculation. For more information on how to set the weights, see Edit risk rollup calculators for Configuration Compliance.

The factor in the previous equation is determined by the number of test results as shown in the following table.
Test result count Factor
<10 0.2
10-99 0.4
100-1000 0.6
1001-9999 0.8
>10000 1
For the following Remediation Task, TRG0003066, with three test results, the maximum test result risk score is 90 and the average is 66.67.
Number Risk score Remediation task Result Status
CTR000123 90 TRG0003066 Failed Open
CTR000124 70 TRG0003066 Failed Open
CTR000125 40 TRG0003066 Failed Open

For the Remediation Task, TRG0003066:

The Risk Score is 78: Math.floor((90 * 80/100) + (66.67 * 5/100) + (0.2 * 15)) = Math.floor(72 + 3.33 + 3) = Math.floor(78.33) = 78.

The historical risk score is null, because the remediation task is still 'Open'.

After the data ingestion, the test results are 'Passed', and the Remediation Task transitions to 'Closed' as shown in the following table. Starting with v15.0 of Configuration Compliance, the Risk Score of a passed test result is retained so that the risk mitigated can be determined.

Number Risk score Remediation task Result Status
CTR000123 90 TRG0003066 Passed Closed
CTR000124 70 TRG0003066 Passed Closed
CTR000125 40 TRG0003066 Passed Closed

The test result history is shown in the following table.

Number Risk score Latest result Result
CTRH000111 90 CTR000123 Failed
CTRH000112 70 CTR000124 Failed
CTRH000113 40 CTR000125 Failed

The Risk Score of the Remediation Task is zero, because there are no active test results in the Remediation Task.

For the Remediation Task, TRG0003066:

The Historical Risk Score is 78: Math.floor((90 * 80/100) + (66.67 * 5/100) + (0.2 * 15)) = Math.floor(72 + 3.33 + 3) = Math.floor(78.33) = 78.
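The following is an added worked example, not code from ServiceNow or from this documentation. It implements both rollup formulas described on this page (the pre-v15.0 formula and the v15.0 formula with configurable weights for the maximum, average and factor terms), the test result count factor table, and the behaviour of the Risk Score and Historical Risk Score while a remediation task is Open versus Closed. The function names and the tuple return shape are assumptions made for the example; the count 10000 itself is not covered by the page's factor table, and the example treats it like the >10000 bucket, which is also an assumption. For the TRG0003066 sample (90, 70, 40), the stated v15.0 formula evaluates to 78, which is the value this example checks.

```python
"""Added example (not ServiceNow code): remediation task rollup calculators for
Configuration Compliance, prior to v15.0 and v15.0 and later. Function and
parameter names are assumptions made for this example."""
import math

# Test result count -> factor, as listed on the page. The page's table does not
# cover a count of exactly 10000; this example treats it like the >10000 bucket
# (an assumption).
FACTOR_BUCKETS = [(10, 0.2), (100, 0.4), (1001, 0.6), (10000, 0.8)]  # (exclusive upper bound, factor)


def count_factor(test_result_count):
    """Factor for the number of test results in the remediation task."""
    if test_result_count < 0:
        raise ValueError("test result count cannot be negative")
    for upper, factor in FACTOR_BUCKETS:
        if test_result_count < upper:
            return factor
    return 1.0


def rollup_score_pre_v15(scores):
    """Prior to v15.0: (Maximum risk score/100) * 85 + (factor * 15), floored."""
    if not scores:
        return 0
    return math.floor(max(scores) / 100 * 85 + count_factor(len(scores)) * 15)


def rollup_score_v15(scores, w_max=80, w_avg=5, w_factor=15):
    """v15.0 and later: (Max * w_max/100) + (Average * w_avg/100) + (Factor * w_factor), floored.

    The product's default weight for the average term is 0; the page's example uses 5.
    """
    if not scores:
        return 0
    average = sum(scores) / len(scores)
    return math.floor(max(scores) * w_max / 100 + average * w_avg / 100
                      + count_factor(len(scores)) * w_factor)


def remediation_task_scores(active_failed_scores, history_scores, version="v15"):
    """Return (Risk Score, Historical Risk Score) for a remediation task.

    While the task is Open (it still has failed, active test results) the Risk
    Score is rolled up from them and the Historical Risk Score is null. Once every
    test result has passed and the task is Closed, the Risk Score is 0 and the
    Historical Risk Score is rolled up from the test result history.
    """
    calc = rollup_score_v15 if version == "v15" else rollup_score_pre_v15
    if active_failed_scores:
        return calc(active_failed_scores), None
    return 0, calc(history_scores)


# Constructed sample: TRG0003066 with three failed test results scoring 90, 70, 40,
# and the matching history records (CTRH000111..113) once the results have passed.
TRG0003066_ACTIVE = [90, 70, 40]
TRG0003066_HISTORY = [90, 70, 40]

if __name__ == "__main__":
    for version in ("pre_v15", "v15"):
        print(version, "open:", remediation_task_scores(TRG0003066_ACTIVE, [], version))
        print(version, "closed:", remediation_task_scores([], TRG0003066_HISTORY, version))
```

Because the factor depends only on the count of test results, a task with many low-scoring results can outrank a task with a single critical one; the maximum term carries most of the weight precisely to limit that effect.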