If you use custom attributes in the vulnerability risk score equation, there is a good chance that these custom attributes will have string values, such as “yes’ and “no” for PCI. Because the vulnerability risk score equation requires numerical values, these string values must be mapped to numerical values. The Vulnerability Risk Score Entity Criticality Factor Attribute Mappings file provides a way to do this.
The Vulnerability Risk Score Entity Criticality Factor Attribute Mappings file allows you to assign numerical values to string values. It has the following four columns:
- String number, which is the string number in the spreadsheet. Since there can be a maximum of 4 strings, then the string number should not exceed 4. If criticality is being used in the Entity Criticality Factor, then there can be a maximum of 3 strings.
- String value, such as “yes” or “no”. This is the attribute value that will appear in the RiskVision user interface.
- Integer value that equates with each string value, such as 1 or 2. This will be the number used to calculate the Entity Criticality Factor for entities when the entity’s string has that value.
- User friendly name, such as PCI, DEV_STATUS, or INTERNET_FACING. Typically, this would be the label associated with the custom attribute location. You can use any name you would like for this field since the field exists for your convenience, and is not used in the risk score calculation or the RiskVision user interface. RiskVision recommends that you use the name that appears for the field in the RiskVision user interface.
- Number of the custom string attribute that represents this attribute. In the below example, String1 is used for PCI, String3 for DEV STATUS, and String 7 for INTERNET_FACING.
Following is an example of some values that you might populate in the CSV file:
The maximum character length for the above fields is 20 characters. All fields are case-insensitive.
Obtaining the Files
You can download the files two files from the Administration module in the Server Administration > Documentation tab, they are as follows:
- Vulnerability Risk Score Entity Criticality Factor Formula Definition
Vulnerability Risk Score Entity Criticality Factor Attribute Mapping
Uploading Files
To have the settings in the CSV files take effect, you will need to upload the files in the Administrator application. It is important not to change the names of the CSV files. Before uploading, verify that the names of the files are as follows:
- Vulnerability Risk Score Entity Criticality Factor Formula Definition
- Vulnerability Risk Score Entity Criticality Factor Attribute Mappings
Vulnerability Risk Score Calculator Job
Vulnerability risk score calculations are updated when the Vulnerability Risk Score Calculator job runs. By default, the job is set to run once per day at 11:00 PM. You can run the job more frequently. The job only recalculates risk scores for entities whose vulnerabilities or relevant entity attributes have changed, but RiskVision recommends first testing the performance impact of the job in your environment if you decide to run it multiple times per day.
For Vulnerability Risk Factor processing , the property changes to pickup different score system or enhanced score gets picked up during next job run. However, new system will be applicable only to the vulnerabilities/instances changed after the property change. In this case there will be a mix of scores from old and new system.
If you want to apply change of score system throughout the application, then the Vulnerability Risk Score Initiator job will refresh the scores and re-calculate everything based on new score system.
