Vulnerability Identification Rule
What is the vulnerability identification rule?
In ETM, vulnerability data is imported from various external sources, so overlapping information is expected: for example, the same CVE reported against the same asset by more than one scanner. To avoid importing duplicate data sets, the system uses specific identification attributes of the Common Data Model as identifiers. The Vulnerability Identification Rule contains predefined conditions. Each condition specifies the identification attributes that together uniquely identify a vulnerability, regardless of the source it comes from. The predefined conditions use the following identification attributes:
- CVE, Port, Protocol
- CVE, Port
- CVE
- Vendor ID: QID/ Plug In ID/ Check ID
- Title
- Source Finding ID
How does the rule get executed?
When importing data from each source, the system evaluates the identifiers of each incoming record against the existing vulnerabilities on the same asset, in the predefined condition order shown in the following image (the same order as the list above). Evaluation stops at the first condition that produces a match.
The following image illustrates the order of the predefined conditions. Taking the CVE condition as an example, the evaluation proceeds as follows:
- If the CVE ID of the incoming record matches that of an existing vulnerability on the same asset, the system consolidates the incoming record into the existing vulnerability record and proceeds to the next record.
- If no existing vulnerability on that asset has the CVE ID, the system creates a new vulnerability record and assigns it an ETM Finding ID.
- If the identifier attribute is empty or missing from the incoming record, the system evaluates the next identifier in the same manner, and so on.
- If none of the identifiers yields a match, the system creates a new vulnerability record.
Use Cases
| Use Case | Outcome |
| --- | --- |
| Finding 1: Standard ID: CVE-456, Vendor ID: VID 54321, Source: V, Source Finding ID: abcd, AssetID: 1; Finding 2: Standard ID: CVE-456, Vendor ID: VID 54321, Source: V, Source Finding ID: defg, AssetID: 1 | Finding 1 and Finding 2 belong to the same asset, the same CVE and the same source, but carry two different source finding IDs. If additional identifier fields (port, protocol, and so on) are available, the system evaluates them for identification and duplication. If not, it creates a separate record for each finding. |
| Finding 1: Standard ID: CVE-456, Vendor ID: VID 54321, Source: V, Source Finding ID: abcd, AssetID: 1; Finding 2: Standard ID: CVE-456, Vendor ID: TID 123, Source: T, Source Finding ID: 3456, AssetID: 1 | Finding 1 and Finding 2 belong to the same asset and the same CVE, but come from different sources. If additional identifier fields (port, protocol, and so on) are present, the system evaluates them for identification and duplication. If neither record has additional identifier fields, the system merges them into one record. If either record has additional identifier fields, the system creates two separate records. |
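The evaluation order described under "How does the rule get executed?" and the two use cases in the table above, replayed as an added Python example. This is illustrative code written for this page, not ETM's implementation: the `Finding` and `VulnRecord` classes, the field names, the "first writer wins" handling of attributes on consolidation, and the reading of use case 1 that two findings from the same source with different source finding IDs are never consolidated into one record are all assumptions of the example.

```python
"""Toy model of the vulnerability identification rule (added example, not ETM code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Predefined conditions, in evaluation order. Each tuple lists the identification
# attributes that must all match an existing record on the same asset.
CONDITIONS = (
    ("cve", "port", "protocol"),
    ("cve", "port"),
    ("cve",),
    ("vendor_id",),          # QID / Plug-In ID / Check ID
    ("title",),
    ("source_finding_id",),
)
IDENT_ATTRS = ("cve", "port", "protocol", "vendor_id", "title", "source_finding_id")


@dataclass
class Finding:
    """One incoming record from an external source (field names are assumed)."""
    asset_id: int
    source: str
    source_finding_id: str
    cve: Optional[str] = None
    vendor_id: Optional[str] = None
    title: Optional[str] = None
    port: Optional[int] = None
    protocol: Optional[str] = None


@dataclass
class VulnRecord:
    """A consolidated vulnerability record carrying its ETM Finding ID."""
    etm_finding_id: int
    asset_id: int
    attrs: dict                                   # identification attributes, first writer wins
    findings: list = field(default_factory=list)  # (source, source_finding_id) pairs consolidated here


class VulnStore:
    def __init__(self) -> None:
        self.records: list[VulnRecord] = []
        self._next_id = 1

    def ingest(self, f: Finding) -> tuple[VulnRecord, str]:
        """Apply the rule to one incoming finding; returns (record, 'consolidated' | 'created')."""
        for cond in CONDITIONS:
            values = {a: getattr(f, a) for a in cond}
            if any(v in (None, "") for v in values.values()):
                continue                        # identifier missing on the incoming record: next condition
            rec = self._match(f, values)
            if rec is not None:
                return self._consolidate(rec, f), "consolidated"
            break                               # identifier present but unmatched on this asset
        return self._create(f), "created"       # no match, or no usable identifier at all

    def _match(self, f: Finding, values: dict) -> Optional[VulnRecord]:
        for rec in self.records:
            if (rec.asset_id == f.asset_id and self._eligible(rec, f)
                    and all(rec.attrs.get(a) == v for a, v in values.items())):
                return rec
        return None

    @staticmethod
    def _eligible(rec: VulnRecord, f: Finding) -> bool:
        # Assumption drawn from use case 1: a record that already holds a different
        # finding ID from the same source is not a duplicate candidate.
        return not any(src == f.source and sfid != f.source_finding_id
                       for src, sfid in rec.findings)

    def _consolidate(self, rec: VulnRecord, f: Finding) -> VulnRecord:
        if (f.source, f.source_finding_id) not in rec.findings:
            rec.findings.append((f.source, f.source_finding_id))
        for a in IDENT_ATTRS:                   # fill in attributes the record did not have yet
            v = getattr(f, a)
            if rec.attrs.get(a) in (None, "") and v not in (None, ""):
                rec.attrs[a] = v
        return rec

    def _create(self, f: Finding) -> VulnRecord:
        attrs = {a: getattr(f, a) for a in IDENT_ATTRS if getattr(f, a) not in (None, "")}
        rec = VulnRecord(self._next_id, f.asset_id, attrs, [(f.source, f.source_finding_id)])
        self._next_id += 1
        self.records.append(rec)
        return rec


def run_use_cases() -> dict:
    """Replay the page's two use cases (plus a port variant of use case 2); returns (action, record count)."""
    out = {}
    s = VulnStore()
    s.ingest(Finding(1, "V", "abcd", cve="CVE-456", vendor_id="VID 54321"))
    _, action = s.ingest(Finding(1, "V", "defg", cve="CVE-456", vendor_id="VID 54321"))
    out["case1_same_source"] = (action, len(s.records))

    s = VulnStore()
    s.ingest(Finding(1, "V", "abcd", cve="CVE-456", vendor_id="VID 54321"))
    _, action = s.ingest(Finding(1, "T", "3456", cve="CVE-456", vendor_id="TID 123"))
    out["case2_two_sources"] = (action, len(s.records))

    s = VulnStore()
    s.ingest(Finding(1, "V", "abcd", cve="CVE-456", vendor_id="VID 54321"))
    _, action = s.ingest(Finding(1, "T", "3456", cve="CVE-456", port=443, protocol="tcp"))
    out["case2_with_port"] = (action, len(s.records))
    return out


if __name__ == "__main__":
    for name, result in run_use_cases().items():
        print(name, result)
```

Note that a condition is only decisive when the incoming record carries every attribute it names: a finding that has a CVE and a port but no protocol skips the first condition and is judged on (CVE, Port). Because the existing record must match all of those attributes, a finding that adds a port to a CVE already recorded without one lands in a new record, which is the "either record has additional identifier fields" outcome of use case 2.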