Vulnerability SLAs
Last updated
Check YouTube for more tutorials: https://youtube.com/@attackforge
Vulnerability Remediation SLAs are a powerful way to triage vulnerabilities to make vulnerability management more effective and efficient.
Every vulnerability can be assigned a Remediation SLA. AttackForge helps to keep on top of vulnerabilities as they get closer to their SLA, by making it easy to filter, identify, action and export. Every SLA is color-coded and includes a countdown tracker.
AttackForge provides a rules-based engine to configure custom vulnerability SLAs. This powerful utility allows you to create SLAs which meet specific conditions based on vulnerability, asset, writeup and project data points.
Vulnerability Remediation SLAs can be enabled by Administrators via the Administration module.
Every rule will resolve to either True or False.
If True, the SLA associated with the rule is applied to the vulnerability. For example, if the SLA is 15 days, the vulnerability receives an SLA of 15 days.
Rules are evaluated from top to bottom, so the SLA at the top of the list is evaluated and compared first. Once a rule has matched (is True), no further rules are evaluated for that vulnerability. Order rules from most specific to most general: a broad rule placed above a narrower one will match first and the narrower rule will never be applied.
Rules are made up of Expressions. Every expression has at least 1 Datapoint and 1 Operator. Multiple expressions can be grouped together to create more powerful SLAs. See examples below.
vuln.id - <string> id of the vulnerability
vuln.created - <date> created timestamp of the vulnerability
vuln.modified - <date> modified timestamp of the vulnerability
vuln.priority - <string> priority of the vulnerability. Is either Critical / High / Medium / Low / Info
vuln.title - <string> title of the vulnerability
vuln.status - <string> status of the vulnerability. Is either Open or Closed
vuln.tags - <string array> list of tags associated on the vulnerability
vuln.zeroday - <string> whether vulnerability is a zero-day. Is either Yes or No
vuln.likelihood_of_exploitation - <integer> likelihood of exploitation for vulnerability. Is a number between 1 to 10
vuln.ready_for_retest - <string> whether vulnerability is ready for retest. Is either Yes or No
vuln.visible - <string> whether vulnerability is visible or pending. Is either Yes or No
vuln.alternate_id - <string> user-friendly alternate vulnerability id
vuln.cvssv3_vector - <string> vulnerability cvss v3 vector string
vuln.cvssv3_base_score - <string> vulnerability cvss v3 base score
vuln.cvssv3_temporal_score - <string> vulnerability cvss v3 temporal score
vuln.cvssv3_environmental_score - <string> vulnerability cvss v3 environmental score
vuln.custom_tag_<key> - <string> vulnerability custom tag. Replace <key> with the name of your tag
vuln.custom_field_<key> - <string> vulnerability custom field. Replace <key> with the key of your custom field
vuln.library_id - <string> id of the vulnerability writeup
vuln.library_created - <date> created timestamp of the vulnerability writeup
vuln.library_modified - <date> modified timestamp of the vulnerability writeup
vuln.library_code - <string> numerical code of the vulnerability writeup. Is a 15-digit number
vuln.library_tags - <string array> list of tags associated on the vulnerability writeup
vuln.library_import_source - <string> tool for the imported vulnerability writeup
vuln.library_import_source_id - <string> plugin/external id for the imported vulnerability writeup
vuln.library_custom_tag_<key> - <string> vulnerability writeup custom tag. Replace <key> with the name of your tag
vuln.library_custom_field_<key> - <string> vulnerability writeup custom field. Replace <key> with the key of your field
asset.id - <string> id of the asset
asset.created - <date> created timestamp of the asset
asset.modified - <date> modified timestamp of the asset
asset.name - <string> name of the asset
asset.external_id - <string> external id of the asset
asset.type - <string> asset type
asset.details - <string> details for the asset
asset.custom_field_<key> - <string> asset custom field. Replace <key> with the key of your field
project.id - <string> id of the project
project.created - <date> created timestamp of the project
project.modified - <date> modified timestamp of the project
project.name - <string> name of the project
project.code - <string> code for the project
project.start_date - <date> start date for the project
project.end_date - <date> end date for the project
project.scope - <string array> list of asset names
project.organization_code - <string> organization code for the project
project.vulnerability_code - <string> user-friendly alternate vulnerability id prefix
project.custom_tag_<key> - <string> project custom tag. Replace <key> with the name of your tag
project.custom_field_<key> - <string> project custom field. Replace <key> with the key of your field
NOT or ! - used to negate an expression. For example !(vuln.priority == "Critical")
AND or && - used to and multiple expressions. For example vuln.priority == "Critical" AND asset.type == "Web App"
OR or || - used to or multiple expressions. For example vuln.priority == "Critical" OR vuln.priority == "High"
== - used to check for equivalence (loose equality). For example vuln.priority == "Critical"
=== - used to check for strict equality (value and type must both match). For example vuln.priority === "Critical"
!== - used to check for strict inequality. For example vuln.priority !== "Critical"
> - used to check for greater-than comparison. For example vuln.likelihood_of_exploitation > 5
< - used to check for less-than comparison. For example vuln.likelihood_of_exploitation < 5
>= - used to check for greater-than-or-equals comparison. For example vuln.likelihood_of_exploitation >= 5
<= - used to check for less-than-or-equals comparison. For example vuln.likelihood_of_exploitation <= 5
( ) - used to group statements together. For example ((vuln.priority == "Critical") AND (asset.type == "Web App")) OR ((vuln.priority == "Critical") AND (asset.type == "API"))
This rule will evaluate whether the vulnerability has a priority of Critical, and if so, it will apply the related SLA to that vulnerability.
This rule will evaluate whether the vulnerability has a priority of Critical or High, and if so, it will apply the related SLA to that vulnerability.
This rule will evaluate whether the vulnerability has a priority of Critical and a likelihood of exploitation which is greater than 5, and if so, it will apply the related SLA to that vulnerability.
This rule will evaluate whether the vulnerability has a priority of Critical and the affected asset is of type Web App, or whether the vulnerability has a priority of High and the affected asset is of type API, and if so, it will apply the related SLA to that vulnerability.
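The following is an added example, not AttackForge's own code, that models the rule semantics described above (top-to-bottom evaluation, first True rule wins, no later rule considered) and the four example rules. Each rule carries its expression in the documented syntax as a display string plus an equivalent JavaScript predicate over a context object shaped like the documented datapoints (vuln.*, asset.*, project.*). The rule names, SLA day counts and sample vulnerabilities are constructed for illustration; the shadowedRules check is an ordering lint you would run over representative vulnerabilities before trusting a rule list, not a feature of the product.

```javascript
// Added example, not AttackForge's own code: a minimal first-match SLA rules
// engine with the documented semantics. Rule names, SLA values and sample
// vulnerabilities are constructed for illustration.

const rules = [
  {
    name: "Critical on Web App or High on API",
    slaDays: 7,
    expression: '((vuln.priority == "Critical") AND (asset.type == "Web App")) OR ((vuln.priority == "High") AND (asset.type == "API"))',
    test: ({ vuln, asset }) =>
      (vuln.priority === "Critical" && asset.type === "Web App") ||
      (vuln.priority === "High" && asset.type === "API"),
  },
  {
    name: "Critical and likely to be exploited",
    slaDays: 10,
    expression: 'vuln.priority == "Critical" AND vuln.likelihood_of_exploitation > 5',
    test: ({ vuln }) => vuln.priority === "Critical" && vuln.likelihood_of_exploitation > 5,
  },
  {
    name: "Critical",
    slaDays: 15,
    expression: 'vuln.priority == "Critical"',
    test: ({ vuln }) => vuln.priority === "Critical",
  },
  {
    name: "Critical or High",
    slaDays: 30,
    expression: 'vuln.priority == "Critical" OR vuln.priority == "High"',
    test: ({ vuln }) => vuln.priority === "Critical" || vuln.priority === "High",
  },
];

// First-match evaluation: the first rule whose predicate is True assigns its
// SLA; later rules are not evaluated. Returns null when nothing matched (the
// documentation does not define a default SLA, so none is assumed here).
function assignSla(ruleList, ctx) {
  for (const rule of ruleList) {
    if (rule.test(ctx) === true) {
      return { rule: rule.name, slaDays: rule.slaDays };
    }
  }
  return null;
}

// Countdown: whole days left until the SLA deadline, measured from
// vuln.created. A negative value means the SLA has already been breached.
function daysRemaining(ctx, slaDays, now) {
  const deadline = new Date(ctx.vuln.created);
  deadline.setUTCDate(deadline.getUTCDate() + slaDays);
  return Math.floor((deadline - new Date(now)) / 86400000);
}

// Ordering lint: a rule that would match some sample vulnerability on its own
// but is never the first match is shadowed by an earlier, broader rule.
function shadowedRules(ruleList, contexts) {
  const firstHits = new Map(ruleList.map((r) => [r.name, 0]));
  const anyHits = new Map(ruleList.map((r) => [r.name, 0]));
  for (const ctx of contexts) {
    const result = assignSla(ruleList, ctx);
    if (result) firstHits.set(result.rule, firstHits.get(result.rule) + 1);
    for (const rule of ruleList) {
      if (rule.test(ctx) === true) anyHits.set(rule.name, anyHits.get(rule.name) + 1);
    }
  }
  return ruleList
    .filter((r) => firstHits.get(r.name) === 0 && anyHits.get(r.name) > 0)
    .map((r) => r.name);
}

// Constructed sample context carrying only the datapoints the rules read.
function sampleContext(priority, assetType, likelihood, created = "2024-01-01T00:00:00Z") {
  return {
    vuln: { priority, likelihood_of_exploitation: likelihood, created, status: "Open" },
    asset: { type: assetType },
    project: { code: "EXAMPLE" },
  };
}

const samples = [
  sampleContext("Critical", "Web App", 8), // first rule: 7 days
  sampleContext("Critical", "API", 8),     // second rule: 10 days
  sampleContext("Critical", "API", 3),     // third rule: 15 days
  sampleContext("High", "API", 2),         // first rule: 7 days
  sampleContext("High", "Web App", 2),     // fourth rule: 30 days
  sampleContext("Medium", "Web App", 9),   // no rule matches: null
];

// Moving the broad "Critical or High" rule to the top shadows the three
// narrower rules: every Critical or High vulnerability now gets 30 days.
const badOrder = [rules[3], rules[0], rules[1], rules[2]];

function runDemo() {
  for (const ctx of samples) {
    console.log(ctx.vuln.priority, ctx.asset.type, assignSla(rules, ctx));
  }
  console.log("shadowed (specific first):", shadowedRules(rules, samples));
  console.log("shadowed (broad first):", shadowedRules(badOrder, samples));
}
runDemo();
```

The shadowing check is the practical takeaway: with the broad rule first, the 7-, 10- and 15-day rules silently never fire and every Critical finding inherits the 30-day SLA, which is exactly the kind of misconfiguration that is hard to spot from the rule list alone.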
You can configure custom emails for SLAs in Custom Time-Based Emails. See the Custom Time-Based Emails documentation for more information.