Vulnerability Identification Rule

What is the vulnerability identification rule?

In ETM, the vulnerability data is imported from various external sources. It's expected to encounter overlapping information, such as identical CVE with asset context for a given vulnerability. To avoid importing duplicate data sets, the system uses specific identification attributes of the Common Data Model as identifiers. The Vulnerability  Rule contains predefined conditions. Each condition specifies identification attributes that serve as an identifier to uniquely identify the vulnerability regardless of the source from which it's coming in. These pre-defined conditions use the following identification attributes:

• CVE, Port, Protocol
• CVE, Port
• CVE
• Vendor ID: QID/ Plug In ID/ Check ID
• Title
• Source Finding ID

How does the rule get executed?

When importing data from each source, the system evaluates identifiers in the chronological condition order shown in the following image. The identification evaluation stops after a match is found.

The following image illustrates the order of the predefined conditions:

• If the CVE ID of the incoming record matches that of an existing vulnerability for the same asset, the system consolidates the incoming record with the existing vulnerability record and proceeds to the next record.
• If the CVE ID is not present on the asset, the system creates a new vulnerability record and assigns an ETM Finding ID.
• If the identifier attribute is empty or missing from the incoming record, then the system assesses the next identifier in a similar manner, and so on.
• If none of the identifiers yield a match, then the system creates a new vulnerability record.

Use Cases