View Finding Rules
In ETM, the security findings for a particular asset are imported from multiple sources. It is therefore crucial to de-duplicate them and aggregate similar findings from the different sources, which is done with the help of Finding rules. These rules exist specifically to identify findings uniquely.
On the Findings tab, you can view the pre-defined rules for finding aggregation and identification that combine, de-duplicate, and normalize finding data.
- Identification (Finding Identification Rules): Identification rules identify and de-duplicate security findings from various data sources. Identifier attributes (such as CVE ID, port and protocol, title, and so on) are used to detect and flag duplicate findings. This ensures that each finding is uniquely recognized and prevents redundancy in the system. There are the following two types of identification rules:
- Merge (Finding Merge Rules): Merge rules consolidate identified duplicate findings into a single aggregated record. Specific rules are applied to merge the attributes of duplicate findings, which involves determining a precedence for each attribute (for example, using the most recent data, the highest severity, or a trusted source) to create a comprehensive and accurate unified record. There are the following two types of merge rules:
- Finding Purge Rule: Purge rules clean up and remove outdated or irrelevant findings. They define the conditions under which findings are purged from the system, based on attributes such as source, connector ID, name, last detected, first detected, and so on. This helps maintain an up-to-date and relevant security posture.
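To make the three rule types concrete, here is an added Python sketch (my own illustration, not ETM's implementation) of an identification key, per-attribute merge precedence, and a purge condition. The sample findings, the placeholder CVE ID, the trusted-source order and the 180-day purge window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample findings for one asset from two sources; the CVE ID is a placeholder.
FINDINGS = [
    {"source": "scanner_a", "cve": "CVE-0000-0001", "port": 443, "protocol": "tcp",
     "title": "TLS Weakness", "severity": 3,
     "first_detected": "2024-01-05", "last_detected": "2024-03-01"},
    {"source": "scanner_b", "cve": "CVE-0000-0001", "port": 443, "protocol": "tcp",
     "title": "tls weakness", "severity": 4,
     "first_detected": "2024-02-10", "last_detected": "2024-03-20"},
    {"source": "scanner_a", "cve": None, "port": 22, "protocol": "tcp",
     "title": "Legacy SSH banner", "severity": 2,
     "first_detected": "2023-06-01", "last_detected": "2023-08-01"},
]

# Assumed source precedence: earlier in the list wins on "trusted source" attributes.
TRUSTED_SOURCES = ["scanner_b", "scanner_a"]


def identity_key(finding):
    """Identification rule: findings agreeing on these attributes are duplicates."""
    return (finding["cve"], finding["port"], finding["protocol"],
            finding["title"].strip().lower())


def merge(duplicates):
    """Merge rule: pick each attribute of the unified record by its own precedence."""
    by_trust = sorted(duplicates, key=lambda f: TRUSTED_SOURCES.index(f["source"]))
    return {
        "cve": by_trust[0]["cve"], "port": by_trust[0]["port"],
        "protocol": by_trust[0]["protocol"], "title": by_trust[0]["title"],  # trusted source
        "severity": max(f["severity"] for f in duplicates),                  # highest severity
        "first_detected": min(f["first_detected"] for f in duplicates),      # earliest sighting
        "last_detected": max(f["last_detected"] for f in duplicates),        # most recent data
        "sources": sorted({f["source"] for f in duplicates}),
    }


def aggregate(findings):
    """Group raw findings by identity key, then merge each group into one record."""
    groups = {}
    for f in findings:
        groups.setdefault(identity_key(f), []).append(f)
    return [merge(group) for group in groups.values()]


def purge(records, now, max_age_days=180, purge_sources=()):
    """Purge rule: drop records not seen within max_age_days or seen only by purge_sources."""
    cutoff = (datetime.strptime(now, "%Y-%m-%d") - timedelta(days=max_age_days))
    cutoff = cutoff.strftime("%Y-%m-%d")  # ISO dates compare correctly as strings
    return [r for r in records
            if r["last_detected"] >= cutoff and not set(r["sources"]) <= set(purge_sources)]
```

Running `aggregate(FINDINGS)` collapses the two TLS findings into one record carrying the highest severity and the latest detection date, and `purge(aggregate(FINDINGS), "2024-04-01")` then drops the stale SSH record.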