Changing the Default Vulnerability Risk Score Calculations

You can modify the default vulnerability risk score calculations. For the Entity Criticality Factor, you can change the formula used to calculate the Entity Criticality Factor result, including adding custom attribute variables to the formula and mapping numerical values to string values. For example, you could have a custom attribute for whether an entity is in scope for PCI, where the string value "yes" maps to 2 and "no" maps to 1, so that the risk score is twice as high for an entity that is in scope for PCI.

There are two files involved in the calculation of the Entity Criticality Factor. These are as follows:

  • Vulnerability Risk Score Entity Criticality Factor Formula Definition - This file is used to define the formula used to calculate the Entity Criticality Factor. Please see the next section for the instructions to modify this file.
  • Vulnerability Risk Score Entity Criticality Factor Attribute Mappings - This file is used to map integer values to string values for custom attributes. It is only required if your vulnerability risk score equation uses custom attributes that have string values. Adding and modifying data in this file will be discussed later in this guide.
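The following Python example is added here to illustrate how the two pieces described above fit together: a mapping table that turns string-valued custom attributes into integers, and a formula that is evaluated over the resulting variables. It is not the product's code, and the page does not show the syntax of either file, so the dictionary-based mapping structure, the formula string, the attribute names (criticality, pci_scope, environment), and the sample entities are all constructed assumptions. The formula is evaluated by walking a restricted AST rather than with eval(), so a formula definition cannot execute arbitrary code, and an attribute value that has no mapping is rejected instead of being silently treated as 0 or 1.

```python
import ast
import operator

# Constructed sample mappings (hypothetical structure, not the product's file format):
# for each string-valued custom attribute, the integer each string value maps to.
ATTRIBUTE_MAPPINGS = {
    "pci_scope": {"yes": 2, "no": 1},
    "environment": {"production": 3, "staging": 2, "development": 1},
}

# Hypothetical formula definition: base criticality scaled by the mapped attributes.
FORMULA = "criticality * pci_scope * environment"

# Only basic arithmetic is permitted in a formula.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def resolve_attributes(entity, mappings):
    """Turn an entity's attributes into numeric formula variables.

    Numeric attributes pass through unchanged; string attributes are looked up
    in the mappings table. A string attribute with no mapping, or a value that
    the mapping does not list, is an error rather than a silent default.
    """
    resolved = {}
    for name, value in entity.items():
        if isinstance(value, bool):
            raise TypeError(f"attribute {name!r} is a bool; map it to an integer explicitly")
        if isinstance(value, (int, float)):
            resolved[name] = value
        elif isinstance(value, str):
            if name not in mappings:
                raise ValueError(f"no attribute mapping defined for string attribute {name!r}")
            if value not in mappings[name]:
                raise ValueError(f"value {value!r} of attribute {name!r} is not mapped")
            resolved[name] = mappings[name][value]
        else:
            raise TypeError(f"unsupported attribute type for {name!r}: {type(value).__name__}")
    return resolved


def evaluate_formula(formula, variables):
    """Evaluate an arithmetic formula over the given variables.

    The formula is parsed into an AST and only numeric constants, variable
    names, unary minus and + - * / are accepted; anything else (calls,
    attribute access, subscripts) raises ValueError. No eval() is involved.
    """
    tree = ast.parse(formula, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in variables:
                raise ValueError(f"formula references unknown variable {node.id!r}")
            return variables[node.id]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"disallowed syntax in formula: {type(node).__name__}")

    return walk(tree)


def entity_criticality_factor(entity, formula=FORMULA, mappings=ATTRIBUTE_MAPPINGS):
    """Compute the Entity Criticality Factor for one entity."""
    return evaluate_formula(formula, resolve_attributes(entity, mappings))


if __name__ == "__main__":
    # Constructed sample entities: identical except for PCI scope.
    in_scope = {"criticality": 5, "pci_scope": "yes", "environment": "production"}
    out_of_scope = {"criticality": 5, "pci_scope": "no", "environment": "production"}
    print(entity_criticality_factor(in_scope))      # 30
    print(entity_criticality_factor(out_of_scope))  # 15, half the in-scope value
```

With the constructed mapping, the two sample entities differ only in the PCI attribute, and the in-scope result is exactly double the out-of-scope result, which is the effect the text above describes. When adapting this to the real formula and mapping files, keep the same two checks: reject unmapped string values so a typo in an attribute value does not quietly zero or neutralise the factor, and never pass the formula definition to eval().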