Vulnerability Calculators

Vulnerability calculators can be built to prioritize and rate the impact of vulnerable items based on any criteria by using condition filters. Whether it is the business impact of the vulnerability, the class of the configuration item (CI), or the age of the vulnerable item, you can create additional vulnerability calculators to set other fields on vulnerable items. Or you can customize the existing vulnerability calculators. A calculator can be written to reflect any set of priorities. See Create a Vulnerability Response calculator and Filtering within Vulnerability Response for more information.

Each calculator contains a list of calculator rules, with a condition determining when to apply it. When the calculator is run, the condition for each calculator rule is evaluated in order, and the first matching calculator rule is used.

All enabled vulnerability calculators set the selected fields each time a vulnerable item is created, when an associated CI or vulnerability changes, or when the Calculate Risk Score related link in a vulnerable item is used. As an example, the Risk Score is automatically updated on vulnerable item records when the severity value is updated on a vulnerability that is imported. After a vulnerability import has updated a vulnerability score, the recalculate flag is enabled for that vulnerability. The risk scores for the vulnerable items that have the recalculate flag enabled (true) with that vulnerability are recalculated.

Vulnerability Calculator Rules

Each rule has an Order setting however, the first one to match the conditions updates the Risk score field in the vulnerable item. For more information on vulnerability calculator rule settings, see Create a Vulnerability Response calculator. Non-scripted calculator rules typically create less of a performance impact than scripted calculator rules.

The base system Vulnerability Severity calculator contains calculator rules that assign each level of severity (None to Critical) a value (0-100) for Risk Score based on severity. Unknown Severity is automatically assigned a risk score of 100. These values can be adjusted and, like Default Risk Calculator, new calculator rules or new risk rules can be created.

Tenable Vulnerability Integration and the Tenable Risk Rule

Starting with v12.1 of Vulnerability Response, the Tenable Risk Rule is available. The Vulnerability Priority Rating (VPR) is an attribute from the Tenable product that is imported and used with a new default risk calculator in Vulnerability Response. The Tenable Risk Rule is installed with the Tenable Vulnerability Integration application as part of the Default Risk Calculator in the Vulnerability Calculators from Vulnerability Response.

This risk rule is disabled by default. See Configure the Tenable Vulnerability Integration using Setup Assistant.

Vulnerability Response Rollup Calculators

Configure how the cumulative risk score is computed for vulnerability groups and imported vulnerabilities with the vulnerability rollup calculators.