Create vulnerable items

Vulnerable items can be created in several ways. Most commonly, an integration to a vulnerability scanner is installed and configured to import results nightly. In some cases, such as physical security vulnerabilities, you may want to add vulnerable item records manually.

Before you begin

Role required: sn_vul.vulnerability_write

About this task

If you have enabled SAM NVD vulnerability scanning, vulnerable items are created automatically when records are downloaded from the NIST NVD or third-party integrations. The records are compared to the software in your CMDB, and matches are found with vulnerable software or CIs.

Manually created vulnerable items are automatically added to and removed from vulnerability groups by vulnerability group rules and group conditions, just as automatically added vulnerable items are.

Procedure

  1. Navigate to Vulnerability > Vulnerabilities > Vulnerable Items.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Field: Description
    Select security tag: If needed, select a Security tag to add metadata to the record or identify who should have access to this security incident record. This field appears only after the vulnerable item has been saved.
    Number: The automatically generated vulnerable item number for this record.
    Configuration item: Select the affected item or service.
    Business impact: Select the business criticality of this incident.
    Risk score: Score from the Basic Risk Score calculator, which calculates business criticality and severity of the vulnerable item.
      Note: To work properly, this calculator requires the Service Mapping plugin (available as a separate subscription).
      You can modify Basic Risk Score to calculate a risk score based on whatever risk factors you want.
      For more information, see Vulnerability calculators and calculator groups.
    Priority: Select the priority for the incident. The priority determines the sequence in which the vulnerability is addressed based on its impact and urgency.
    Source: Scanner that found this vulnerable item.
    State: This field defaults to Open, but you can change it to Under Investigation if the vulnerability is ready for immediate remediation.
    Substate: The reason applied for closing the issue.
    Source status: Enter the status of the last scan.
    Last updated by source: Select the date of the last scan.
  4. Enter information in the following tabs, as needed.
    Tab: Description
    Vulnerability
      Vulnerability: Select or add a vulnerability entry.
      Vulnerable software: Add a vulnerability software entry.
      Installation: Installation record linking the software to the CI.
      First found: Date when first found.
      Last found: Date when last found.
      Time found: Number of times the scanner found the vulnerability.
      Remediation type: [Read only] Type of remediation needed for this vulnerability. Pulled from the vulnerable entry record.
      Public exploit: [Read only] Whether there are public exploits of this vulnerability. Pulled from the vulnerable entry record.
      Active exploit: [Read only] Whether there is a currently active exploit of this vulnerability. Pulled from the vulnerable entry record.
      Threat: Relevant information about the threat. Pulled from the vulnerable entry record.
        Note: Any changes made here update the vulnerable entry record.
      Solution: Relevant solution to the threat. Pulled from the vulnerable entry record.
        Note: Any changes made here update the vulnerable entry record.
    Configuration Details
      IP Address: IPv4 or IPv6 address. If a CI is not provided, this field is used to look up a matching CI, if one exists.
      DNS name: Domain Name Service (DNS) name. If a CI is not provided, this field is used to look up a matching CI, if one exists.
      NetBIOS name: Name of the NetBIOS. If a CI is not provided, this field is used to look up a matching CI, if one exists.
      Port: Address of the port.
      Protocol: Name of the protocol.
      SSL: Choose whether to use SSL encryption or not.
    Notes
      Work notes: Any relevant information.
      Activity: Only appears when a work note has been created.
    Qualys (only appears when the Qualys plugin is installed)
      Note: This information is imported from the Qualys ticketing system and is read-only.
      Ticket number: Number of the Qualys ticket.
      Ticket State: State of the Qualys ticket.
      Assignee name: Name of the person assigned to the ticket.
      Assignee email: Email address of the person assigned to the Qualys ticket.
      Qualys severity: Severity rating.
  5. Right-click in the form header and click Save.

    The vulnerability group rules evaluate the vulnerable item and add it to an existing group or create a new group. If the evaluation fails, the vulnerable item is added to the Ungrouped Vulnerable Items list.

    If the Calculate Business Impact vulnerability calculator is enabled, it runs on the new vulnerable item when you save it. It calculates the business criticality based on the item CVSS score and the criticality level of the impacted business services.

  6. You can click any of the following related lists to view additional information.
    Related List: Description
    Associated Tasks: Tasks associated with this vulnerable item.
    Associated Vulnerability Groups: Vulnerability groups associated with this vulnerable item.
    Related IPs: [Available if the Qualys plugin is installed] IP addresses that are found during de-duplication.

    The following editing and remediation options become available from the header bar:

    • Update — Saves updates to the form.
    • Create Security Incident — Creates a security incident.
    • Close — Closes the item. If all items in its group are closed, the Vulnerability Group automatically closes.
      Note: Vulnerable items are managed at the Group level. This option is not meant for general use.
    • Delete — Removes the vulnerable item.
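
The Configuration Details fields in step 4 are used to look up a matching CI when no CI is provided, so a wrong or inconsistent value can attach the item to the wrong asset. The following pre-check for a batch of manual entries is an added example, not ServiceNow code: the record shape, the `precheck` and `matchCis` names, and the sample CMDB extract are all hypothetical, and it flags identifiers that point at different CIs rather than guessing how the platform would resolve them.

```javascript
// Added example: pre-check for a manually entered vulnerable item (not ServiceNow code).
const net = require('net');

// Constructed CMDB extract; the field names are hypothetical.
const SAMPLE_CIS = [
  { name: 'badge-ctrl-01', ip: '10.20.0.15', dns: 'badge-ctrl-01.corp.example', netbios: 'BADGECTRL01' },
  { name: 'cam-nvr-02', ip: '2001:db8::42', dns: 'cam-nvr-02.corp.example', netbios: 'CAMNVR02' },
];

// Case-insensitive string comparison; IPv6 text forms are not canonicalised here.
const norm = (v) => (v || '').trim().toLowerCase();

// Return the CIs whose ip, dns, or netbios equals any identifier on the item.
function matchCis(item, cis) {
  const keys = ['ip', 'dns', 'netbios'];
  return cis.filter((ci) => keys.some((k) => item[k] && norm(item[k]) === norm(ci[k])));
}

// Validate the Configuration Details values and report which CI they point to.
function precheck(item, cis = SAMPLE_CIS) {
  const errors = [];
  if (item.ip && net.isIP(item.ip.trim()) === 0) {
    errors.push('ip: not a valid IPv4 or IPv6 address');
  }
  if (item.port !== undefined && item.port !== '') {
    const p = Number(item.port);
    if (!Number.isInteger(p) || p < 0 || p > 65535) errors.push('port: must be an integer 0-65535');
  }
  // An explicit CI wins; the identifiers are then informational only.
  if (item.ci) return { ok: errors.length === 0, ci: item.ci, errors };
  if (!item.ip && !item.dns && !item.netbios) {
    errors.push('no CI and no IP address, DNS name, or NetBIOS name to look one up');
    return { ok: false, ci: null, errors };
  }
  const hits = matchCis(item, cis);
  if (hits.length > 1) {
    errors.push('identifiers match different CIs: ' + hits.map((c) => c.name).join(', '));
  }
  // No match is acceptable: the item is simply saved without a CI.
  const ci = hits.length === 1 ? hits[0].name : null;
  return { ok: errors.length === 0, ci, errors };
}
```
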