View Finding Rules

In ETM, all the security findings about a particular asset are imported and gathered from multiple sources. It is therefore crucial to de-duplicate them and aggregate similar findings from disparate sources, which is done with the help of finding rules. These rules are specifically for uniquely identifying findings within the same asset.

On the Findings tab, you can view the pre-defined rules for finding aggregation and identification to combine, de-duplicate, and normalize finding data.

  • Identification (Finding Identification Rules): The purpose of identification rules is to identify and de-duplicate security findings from various data sources. They use the identifier attributes (such as CVE ID, port, protocol, title, and so on) to detect and flag duplicate findings. This step ensures that each finding is uniquely recognized and prevents redundancy in the system.
  • Merge (Finding Merge Rules): The purpose of merge rules is to consolidate identified duplicate findings into a single aggregated record. Specific rules are applied to merge the attributes of duplicate findings. This involves determining precedence for each attribute (for example, using the most recent data, the highest severity, or a trusted source) to create a comprehensive and accurate unified record.
  • Purge (Finding Purge Rules): The purpose of purge rules is to clean up and remove outdated or irrelevant findings. Define the conditions under which findings should be purged from the system, based on attributes such as source, connector ID, name, last detected date, first detected date, and so on. This helps maintain an up-to-date and relevant security posture.
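As an added illustration of how the three rule types chain together (this is example code, not ETM's own implementation), the Python below runs identification, merge and purge over a constructed set of findings for one asset. The attribute names, the identifier key, the per-attribute precedence choices, the trusted source name, the placeholder CVE IDs and the 90-day purge window are all assumptions.

```python
from datetime import date

# Constructed sample findings: two sources report the same TLS issue on one
# asset, plus one stale SSH finding. CVE IDs are placeholders, not real CVEs.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "port": 443, "protocol": "tcp",
     "title": "TLS weak cipher", "severity": 3, "source": "scanner-a",
     "first_detected": "2024-03-01", "last_detected": "2024-05-01"},
    {"asset": "web-01", "cve": "CVE-0000-0001", "port": 443, "protocol": "tcp",
     "title": "Weak TLS cipher suites enabled", "severity": 4,
     "source": "trusted-src",
     "first_detected": "2024-04-10", "last_detected": "2024-05-03"},
    {"asset": "web-01", "cve": "CVE-0000-0002", "port": 22, "protocol": "tcp",
     "title": "Outdated SSH version", "severity": 2, "source": "scanner-a",
     "first_detected": "2023-10-01", "last_detected": "2023-11-01"},
]

IDENTIFIER_ATTRS = ("asset", "cve", "port", "protocol")  # assumed identification rule
TRUSTED_SOURCES = {"trusted-src"}                         # assumed precedence for 'title'

def identify(findings):
    """Identification rule: group findings sharing the same identifier attributes."""
    groups = {}
    for f in findings:
        groups.setdefault(tuple(f[a] for a in IDENTIFIER_ATTRS), []).append(f)
    return groups

def merge(group):
    """Merge rule: one record per group, with per-attribute precedence."""
    by_recent = sorted(group, key=lambda f: f["last_detected"], reverse=True)
    trusted = [f for f in group if f["source"] in TRUSTED_SOURCES]
    merged = dict(by_recent[0])                       # most recent data is the base
    merged["title"] = (trusted or by_recent)[0]["title"]   # trusted source wins
    merged["severity"] = max(f["severity"] for f in group)  # highest severity wins
    merged["first_detected"] = min(f["first_detected"] for f in group)
    merged["sources"] = sorted({f["source"] for f in group})
    merged.pop("source")
    return merged

def purge(findings, today, max_age_days=90, purge_sources=()):
    """Purge rule: drop records not seen within the window or only from purged sources."""
    ref = date.fromisoformat(today)
    return [f for f in findings
            if (ref - date.fromisoformat(f["last_detected"])).days <= max_age_days
            and not set(f["sources"]) <= set(purge_sources)]

def apply_rules(findings, today):
    """Run identification, merge and purge in order; returns the unified records."""
    return purge([merge(g) for g in identify(findings).values()], today)
```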