Define fields and weights for the risk rule for Vulnerability Response Risk Calculators
Release version: Xanadu
Updated August 1, 2024
Customize the parameters and weights for the risk rule so that you can generate risk
scores that use the vulnerability and asset data that are unique to your organization. By
selecting the fields that are included in the risk rule, you can define an effective risk
scoring framework.
Before you begin
Additionally, you can use attributes in the
configuration_item [cmdb_ci] in the Configuration Management Database (CMDB) to help
you create logic for your Vulnerability Response risk calculators. If, for example,
you determine that CIs that are external-facing in your organization are more
vulnerable and might require immediate remediation, you can assign attributes such
as Internet Facing for these CIs. This attribute, and others,
are listed in the Common Service Data Model release notes for the Orlando family
release. For current information and guidance on the CMDB, see the following topics:
Optional: In the Risk Calculator Criteria section of the Vulnerability Risk Rule page,
set the weight for each criterion according to its importance in the overall
risk score calculation.
To deactivate the rule, you must clear the Active check
box.
To add risk rule fields to the Risk Calculator Criteria, select Add criteria.
On the form, fill in the fields.
Table 1. Risk rule field form
Field / Description

Choose reference table
  Table that you use to define the risk score weightage. You can select one of these options:
  - Vulnerable Item: Add fields that are directly dot-walkable from the vulnerable item (VI).
  - Vulnerable Item - Configuration Item: Add dot-walkable fields that are part of the base table extensions, such as the Hardware table. These fields aren’t part of the base table (cmdb_ci).
  - Vulnerable Item - Vulnerability: Add dot-walkable fields that are part of the tables that extend the base table, for example, Third-party Entry. These fields aren’t part of the Vulnerability Entry base table.
  - Vulnerable Item Reference Table: Add fields that are a part of the Related tables (m2m) or tables that have a reference to the vulnerable item. These fields aren’t directly dot-walkable from the VI.
  - Configuration Item Reference Table: Add fields that are a part of the Related tables (m2m) of cmdb_ci or tables that have a reference to cmdb_ci. These fields aren’t directly dot-walkable from the VI.
  - Vulnerability Reference Table: Add fields that are a part of the Related tables (m2m) of sn_vul_entry or tables that have a reference to sn_vul_entry. These fields aren’t directly dot-walkable from the VI.
  - Custom Conditions: Use this option to assign weights to the rule by evaluating the condition. For example, the Internet-facing filter determines if a configuration item (CI) is external or internal.

Table
  Field that appears only when one of the following options is selected from the Choose reference table:
  - Vulnerable Item -> Configuration Item
  - Vulnerable Item -> Vulnerability
  - Vulnerable Item Reference Table
  - Configuration Item Reference Table
  - Vulnerability Reference Table

Field
  Field to be used for risk score calculation for this rule.

Aggregation
  Field that appears only when a reference table is selected from the Choose reference table. Select the minimum or maximum value to be considered for calculations when Field is selected from the Related tables (m2m).

Weight
  Weightage of this field within the risk rule. The value must be an integer from 0 through 100.

Define Value Weightage
  Component to assign weights to each field value. For numeric fields, field values can be defined as a range (for example, 1–5). The weights must be integers from 0 through 100.
  Note: This field doesn’t appear if the Custom Conditions option is selected from the Choose reference table.

Condition table
  Field that appears only when Custom conditions is selected from the Choose reference table. Select a condition from the list.

Field name
  Field that appears only when Custom conditions is selected from the Choose reference table. Enter a name for the risk criteria.

Condition
  Field that appears only when Custom conditions is selected from the Choose reference table. Preview the items in this table that match the defined conditions.
Select Submit.
In the Rule page, activate and reapply the rule to reevaluate the risk score on the active vulnerable items.
Note:
Starting with version 23.0 of Vulnerability Response, in case of:
- Default Risk Calculator rule: Whenever the risk score on a vulnerable item (VIT) changes, the following details are documented in the Notes section of the VIT:
  - Calculator group name
  - Calculator name
  - Field values that have a weightage greater than 1 and their risk score contribution.
  - Final risk score
- Vulnerability Severity risk rule: Whenever the risk score is updated on a VIT, the Notes section is updated with the following details:
  - Calculator group name
  - Calculator name: Depending on whether the calculator rule is based on a template or a script, the name is appended with the details in brackets. To modify or view the basis of the calculator rule, select any rule and select the Advanced view check box. From the Value type drop-down box, select the required option. If Template is selected, the risk score is updated according to the specified condition in the rule. If Script is selected, you can either add or update the existing script.
Example
Example 1: Add a source severity as a criterion for a risk rule.
Use case: Third-party vendors, like Qualys and Tenable, provide their own scores.
These scores are populated in the Source Severity field on
the sn_vul_entry table. Use this field for risk score calculations. To use this
score to compute the risk score, do the following:
Navigate to the Risk rule page.
To deactivate the rule, clear the Active check
box.
To add risk rule fields to the Risk Calculator Criteria, select Add criteria.
From the Choose reference table list, select Vulnerable
item.
From the Field list, select Vulnerability.Source
Severity.
In the Weight field, enter the relative importance of
this field within the risk rule. The value must be an integer from 0 through
100.
In the Define Value Weightage section, add field values, and assign a weight
to them.
Figure 1. Vulnerable item table
Select Submit.
Example 2: Add a business criticality as a criterion for a risk rule.
Use case: Let's assume your organization has many business services. The
configuration item (CI) LINUX-SF-6381 is being used by the following services:
Table 2. Criticality of the business services
Business service | Criticality
Cloud Management | 1 - Most critical
E-Commerce | 2 - Somewhat critical
Client services | 3 - Less critical
Travel and Expense | 4 - Not critical
The mapping between the CI and services is stored in the Related Services
[sn_vul_m2m_ci_services] table. When a vulnerability is found in the asset
LINUX-SF-6381, a vulnerable item (VI) is created. You can use the value of the
business criticality from the affected services to compute the risk score for this
VI. To use the criticality value of these services to compute the risk score, do the
following:
Navigate to the Risk rule page.
To deactivate the rule, clear the Active check
box.
To add risk rule fields to the Risk Calculator Criteria, select Add criteria.
From the Choose reference table list, select Configuration Item
Reference Table.
From the Table list, select Related Services
[sn_vul_m2m_ci_services].
From the Field list, select Service.Business
criticality.
In the Aggregation field, select Minimum to retrieve the most critical
service for this use case (1 - Most critical value) or Maximum to retrieve
the least critical service (4 - Not critical value).
In the Weight field, enter the relative importance of
this field within the risk rule. The value must be an integer from 0 through
100.
In the Define Value Weightage section, add field values, and assign a
weight to them.
Figure 2. Configuration item reference table
Select Submit.
Example 3: Add a conditional criterion to the risk calculator.
Let's assume that an organization has multiple configuration items (CIs), of which
only a few can be accessed by an external user. Users can add risk score weightages
for these outward-facing CIs.
Note:
You can identify these CIs by their name. The
names start with 'external'.
To add a conditional criterion to the risk rule, do the following:
Navigate to the Risk rule page.
To deactivate the rule, clear the Active check box.
To add risk rule fields to the Risk Calculator Criteria, select Add criteria.
From the Choose reference table list, select Custom
conditions.
From the Condition table list, select Configuration
item.
In the Field name field, enter the name CI
Exposure.
In the Weight field, enter the relative importance of
this field within the risk rule. The value must be an integer from 0 through
100.
In the Condition field, select Name > starts with and enter the value external.
Figure 3. Custom conditions for the new risk rule
Select Submit.
Note:
Adding conditional criteria to your risk rule might degrade performance.
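The following stand-alone JavaScript is an added illustration of how the three criterion types from Examples 1 through 3 interact; it is not ServiceNow code and uses no Glide APIs. It assumes the score is a weighted average of each criterion's value weight and that a matching custom condition counts as 100; the page does not state the product's formula, and all weights, field names, and the sample severity are constructed.

```javascript
// Added illustration, not ServiceNow code. ASSUMPTIONS: a criterion's
// contribution is weight x value weight, the score is the weighted average,
// and a matching custom condition counts as 100 (no match as 0).

function checkWeight(w) {
  // The page requires weights to be integers from 0 through 100.
  if (!Number.isInteger(w) || w < 0 || w > 100) {
    throw new RangeError(`weight ${w} is not an integer from 0 through 100`);
  }
  return w;
}

function valueWeight(criterion, vi) {
  if (criterion.condition) return criterion.condition(vi) ? 100 : 0;
  let value = criterion.read(vi);
  if (Array.isArray(value)) {              // values from a related (m2m) table
    if (value.length === 0) return 0;      // CI mapped to no services
    value = criterion.aggregation === "min" ? Math.min(...value) : Math.max(...value);
  }
  return checkWeight(criterion.valueWeights[value] ?? 0); // unmapped value -> 0
}

function riskScore(criteria, vi) {
  let total = 0, weightSum = 0;
  for (const c of criteria) {
    total += checkWeight(c.weight) * valueWeight(c, vi);
    weightSum += c.weight;
  }
  return weightSum === 0 ? 0 : Math.round(total / weightSum);
}

// Criteria modelled on Examples 1-3; every weight below is constructed.
function buildCriteria(aggregation) {
  return [
    { weight: 50, read: (vi) => vi.sourceSeverity,
      valueWeights: { Critical: 100, High: 80, Medium: 50, Low: 20 } },
    { weight: 30, aggregation, read: (vi) => vi.serviceCriticality,
      valueWeights: { 1: 100, 2: 70, 3: 40, 4: 10 } },
    { weight: 20, condition: (vi) => vi.ciName.startsWith("external") },
  ];
}

// Constructed vulnerable item: the CI and criticalities come from Table 2.
const sampleVi = { ciName: "LINUX-SF-6381", sourceSeverity: "High",
                   serviceCriticality: [1, 2, 3, 4] };

console.log(riskScore(buildCriteria("min"), sampleVi)); // 70
console.log(riskScore(buildCriteria("max"), sampleVi)); // 43
```

With these constructed weights, switching the aggregation from Minimum to Maximum drops the same vulnerable item from 70 to 43, because the least critical service then drives the business criticality criterion.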