Vulnerability calculators and vulnerability calculator rules


Vulnerability calculators automate calculating initial values for the fields on vulnerable items. The condition for each calculator is evaluated in order, and the first matching calculator is used.

Vulnerability Calculators

The Vulnerability Response base system includes two vulnerability calculators that set the base Risk Score on the vulnerable item.
  • Default Risk Calculator
  • Vulnerability Severity

Vulnerability calculators can be built to prioritize and rate the impact of vulnerable items based on any criteria by using condition filters. Whether it is the business impact of the vulnerability, the class of the configuration item (CI), or the age of the vulnerable item, you can create additional vulnerability calculators to set other fields on vulnerable items, or you can customize the existing vulnerability calculators. A calculator can be written to reflect any set of priorities. See Create a vulnerability calculator and Filtering within Vulnerability Response for more information.

Each calculator contains a list of calculator rules, with a condition determining when to apply it. When the calculator is run, the condition for each calculator rule is evaluated in order, and the first matching calculator rule is used.

The Vulnerability Severity calculator calculates Risk Score for vulnerable items using the normalized vulnerability severity.
Note: Only one calculator per target field (Risk Score) can be active at a time. Vulnerability Severity is disabled by default.

All enabled vulnerability calculators set the selected fields each time a vulnerable item is created or reopened after being closed, or when the Calculate Risk Score related link in a vulnerable item is used.

From an existing vulnerable item, if you click the Calculate Risk Score related link and either of the calculators is enabled, the Risk Score field in the vulnerable item is updated.
Note: The Calculate Risk Score related link is only visible when at least one vulnerability calculator is enabled.

Vulnerability Calculator Rules

The base system Default Risk Calculator contains the Default Risk Rule, a specialized vulnerability calculator rule called a Risk Rule. It calculates Risk Score based on multiple values:
  • Vulnerability severity
  • Exploit information
  • Criticality
  • External exposure of the CI with the vulnerability
You can adjust the values to use in the Default Risk Rule and how much weight to give each of these values. Weights are used to adjust how much each element counts when setting the base Risk Score.

Each rule has an Order setting; however, the first rule to match the conditions updates the Risk Score field in the vulnerable item. For more information on vulnerability calculator rule settings, see Create a vulnerability calculator. Non-scripted calculator rules typically create less of a performance impact than scripted calculator rules.

The base system Vulnerability Severity calculator contains calculator rules that assign each level of severity (None to Critical) a value (0-100) for Risk Score based on severity. Unknown Severity is automatically assigned a risk score of 100. These values can be adjusted and, like Default Risk Calculator, new calculator rules or new risk rules can be created.
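
The first-match behavior and weighting described above can be modeled in a few lines. This is an added example in plain JavaScript, not ServiceNow code or the product's formula; it shows how a catch-all rule with a lower Order value shadows a more specific rule. The rule names, weights, the floor of 80 and the sample item are all constructed for illustration.

```javascript
// Model of the evaluation order described on this page. Plain JavaScript, not
// ServiceNow code; all names, weights and scores below are constructed.

// Weighted score over inputs already normalized to 0-100.
function weightedRisk(item, weights) {
  const keys = Object.keys(weights);
  const total = keys.reduce((sum, k) => sum + weights[k], 0);
  return Math.round(keys.reduce((sum, k) => sum + item[k] * weights[k], 0) / total);
}

// Lowest Order first; the first entry whose condition matches wins.
function firstMatch(entries, item) {
  return [...entries].sort((a, b) => a.order - b.order)
    .find((e) => e.condition(item)) || null;
}

// Two levels of first-match: calculator, then calculator rule.
// Assumption: when nothing matches, the field is left unset (null).
function calculateRiskScore(calculators, item) {
  const calc = firstMatch(calculators.filter((c) => c.active), item);
  const rule = calc && firstMatch(calc.rules, item);
  return rule ? { rule: rule.name, riskScore: rule.score(item) } : null;
}

const WEIGHTS = { severity: 40, exploit: 30, criticality: 20, exposure: 10 }; // constructed

// Build one active calculator whose catch-all rule has the given Order.
function buildCalculators(catchAllOrder) {
  return [{
    name: "Risk calculator (model)", order: 100, active: true,
    condition: () => true,
    rules: [
      { name: "Externally exposed CI floor (hypothetical)", order: 100,
        condition: (i) => i.exposure === 100,
        score: (i) => Math.max(80, weightedRisk(i, WEIGHTS)) },
      { name: "Catch-all weighted rule (hypothetical)", order: catchAllOrder,
        condition: () => true,
        score: (i) => weightedRisk(i, WEIGHTS) },
    ],
  }];
}

// Constructed vulnerable item: medium severity, no known exploit, exposed CI.
const item = { severity: 50, exploit: 0, criticality: 50, exposure: 100 };

console.log(calculateRiskScore(buildCalculators(200), item)); // specific rule wins
console.log(calculateRiskScore(buildCalculators(50), item));  // catch-all shadows it
```

When reviewing calculator rules, check that broad conditions carry a higher Order value than the narrow rules they would otherwise preempt.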
