Vulnerability SLAs

Vulnerability SLAs are a powerful way to triage vulnerabilities to make vulnerability management more effective and efficient.

Every vulnerability can be assigned an SLA. AttackForge helps to keep on top of vulnerabilities as they get closer to their SLA, by making it easy to filter, identify, action and export. Every SLA is color-coded and includes a countdown tracker.

AttackForge provides a rules-based engine to configure custom vulnerability SLAs. This powerful utility allows you to create SLAs which meet specific conditions based on vulnerability, asset and project datapoints.

Vulnerability SLAs can be enabled by Administrators via Administration module.

Configuring SLA Rules

AttackForge provides a rules-based engine to configure custom vulnerability SLAs. This powerful utility allows you to create SLAs which meet conditions based on vulnerability, asset and project datapoints.

Every rule will resolve to either True or False. If True, the SLA associated with the rule will be applied to the vulnerability. For example, if the SLA is 15 - the vulnerability will receive an SLA of 15 days.

Every rule is assigned a priority which determines the order in which the rules are evaluated. For example, a rule with a priority of 1 will be evaluated before a rule with a priority of 2. Once a rule has been applied (evaluates to True) - no further rules will be evaluated for that vulnerability, so the first matching rule in priority order decides the SLA.

Rules are made up of expressions. Every expression has at least 1 Datapoint and 1 Operator. Multiple expressions can be grouped together to create more powerful SLAs. See examples below.

Datapoints

  • vuln.id - <string> id of the vulnerability

  • vuln.created - <date> created timestamp of the vulnerability

  • vuln.modified - <date> modified timestamp of the vulnerability

  • vuln.priority - <string> priority of the vulnerability. Is either Critical / High / Medium / Low / Info

  • vuln.title - <string> title of the vulnerability

  • vuln.status - <string> status of the vulnerability. Is either Open or Closed

  • vuln.tags - <string array> list of tags associated on the vulnerability

  • vuln.zeroday - <string> whether vulnerability is a zero-day. Is either Yes or No

  • vuln.likelihood_of_exploitation - <integer> likelihood of exploitation for vulnerability. Is a number between 1 to 10

  • vuln.ready_for_retest - <string> whether vulnerability is ready for retest. Is either Yes or No

  • vuln.visible - <string> whether vulnerability is visible or pending. Is either Yes or No

  • vuln.alternate_id - <string> user-friendly alternate vulnerability id

  • vuln.cvssv3_vector - <string> vulnerability cvss v3 vector string

  • vuln.cvssv3_base_score - <string> vulnerability cvss v3 base score

  • vuln.cvssv3_temporal_score - <string> vulnerability cvss v3 temporal score

  • vuln.cvssv3_environmental_score - <string> vulnerability cvss v3 environmental score

  • vuln.custom_tag_<key> - <string> vulnerability custom tag. Replace <key> with the name of your tag

  • vuln.custom_field_<key> - <string> vulnerability custom field. Replace <key> with the key of your custom field

  • vuln.library_id - <string> id of the vulnerability library template/write-up

  • vuln.library_created - <date> created timestamp of the vulnerability library template/write-up

  • vuln.library_modified - <date> modified timestamp of the vulnerability library template/write-up

  • vuln.library_code - <string> numerical code of the vulnerability library template/write-up. Is a 15-digit number

  • vuln.library_tags - <string array> list of tags associated on the vulnerability library template/write-up

  • vuln.library_import_source - <string> tool for the imported vulnerability library template/write-up

  • vuln.library_import_source_id - <string> plugin/external id for the imported vulnerability library template/write-up

  • vuln.library_custom_tag_<key> - <string> vulnerability library template/write-up custom tag. Replace <key> with the name of your tag

  • vuln.library_custom_field_<key> - <string> vulnerability library template/write-up custom field. Replace <key> with the key of your field

  • asset.id - <string> id of the asset

  • asset.created - <date> created timestamp of the asset

  • asset.modified - <date> modified timestamp of the asset

  • asset.name - <string> name of the asset

  • asset.external_id - <string> external id of the asset

  • asset.type - <string> asset type

  • asset.details - <string> details for the asset

  • asset.custom_field_<key> - <string> asset custom field. Replace <key> with the key of your field

  • project.id - <string> id of the project

  • project.created - <date> created timestamp of the project

  • project.modified - <date> modified timestamp of the project

  • project.name - <string> name of the project

  • project.code - <string> code for the project

  • project.start_date - <date> start date for the project

  • project.end_date - <date> end date for the project

  • project.scope - <string array> list of asset names

  • project.organization_code - <string> organization code for the project

  • project.vulnerability_code - <string> user-friendly alternate vulnerability id prefix

  • project.custom_tag_<key> - <string> project custom tag. Replace <key> with the name of your tag

  • project.custom_field_<key> - <string> project custom field. Replace <key> with the key of your field

Operators

  • NOT or ! - used to negate an expression. For example !(vuln.priority == "Critical")

  • AND or && - used to combine multiple expressions with a logical AND (all must be True). For example vuln.priority == "Critical" AND asset.type == "Web App"

  • OR or || - used to combine multiple expressions with a logical OR (at least one must be True). For example vuln.priority == "Critical" OR vuln.priority == "High"

  • == - used to check for equivalency. For example vuln.priority == "Critical"

  • === - used to check for equality. For example vuln.priority === "Critical"

  • !== - used to check for inequality. For example vuln.priority !== "Critical"

  • > - used to check for greater-than comparison. For example vuln.likelihood_of_exploitation > 5

  • < - used to check for less-than comparison. For example vuln.likelihood_of_exploitation < 5

  • >= - used to check for greater-than-or-equals comparison. For example vuln.likelihood_of_exploitation >= 5

  • <= - used to check for less-than-or-equals comparison. For example vuln.likelihood_of_exploitation <= 5

  • ( ) - used to group statements together. For example ((vuln.priority == "Critical") AND (asset.type == "Web App")) OR ((vuln.priority == "Critical") AND (asset.type == "API"))

Examples

vuln.priority == "Critical"

This rule will evaluate whether the vulnerability has a priority of Critical, and if so, it will apply the related SLA to that vulnerability.

vuln.priority == "Critical" OR vuln.priority == "High"

This rule will evaluate whether the vulnerability has a priority of Critical or High, and if so, it will apply the related SLA to that vulnerability.

vuln.priority == "Critical" AND vuln.likelihood_of_exploitation > 5

This rule will evaluate whether the vulnerability has a priority of Critical and a likelihood of exploitation which is greater than 5, and if so, it will apply the related SLA to that vulnerability.

((vuln.priority == "Critical") AND (asset.type == "Web App")) OR ((vuln.priority == "High") AND (asset.type == "API"))

This rule will evaluate whether the vulnerability has a priority of Critical and affected asset is of type Web App, or whether the vulnerability has a priority of High and affected asset is of type API, and if so, it will apply the related SLA to that vulnerability.
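The following is an added worked example, not AttackForge's own engine or code: a small Python re-implementation of the rule semantics described under Configuring SLA Rules (expressions over vuln/asset/project datapoints, priority-ordered evaluation, first True rule wins) run over the four example rules above. The rule table (priorities and day counts), the sample datapoint values and the helper names (to_python, compile_rule, evaluate_rule, assign_sla, sla_countdown, make_ctx) are all assumptions made for illustration. Rule expressions are rewritten into Python syntax and then checked against an AST whitelist before evaluation, so a rule can only read datapoints and compare them; it cannot call functions or reach anything outside the three namespaces.

```python
import ast
import re
from datetime import date, timedelta
from types import SimpleNamespace

# Constructed rule table: (priority, expression, sla_days). Lower priority
# numbers are evaluated first. The expressions are the ones shown on this
# page; the priorities and SLA day counts are assumptions for illustration.
RULES = [
    (1, '((vuln.priority == "Critical") AND (asset.type == "Web App")) '
        'OR ((vuln.priority == "High") AND (asset.type == "API"))', 7),
    (2, 'vuln.priority == "Critical" AND vuln.likelihood_of_exploitation > 5', 15),
    (3, 'vuln.priority == "Critical" OR vuln.priority == "High"', 30),
    (4, '!(vuln.priority == "Critical")', 90),
]

_STRING = re.compile(r'"[^"]*"|\'[^\']*\'')
# Rule-language operators mapped onto Python spellings. Order matters:
# "!==" and "===" are rewritten before the lone "!" pattern can fire.
# "==" and "===" both become Python "==" (a simplification of this example).
_OPERATORS = [
    (re.compile(r'!=='), ' != '),
    (re.compile(r'==='), ' == '),
    (re.compile(r'\bAND\b|&&'), ' and '),
    (re.compile(r'\bOR\b|\|\|'), ' or '),
    (re.compile(r'\bNOT\b|!(?!=)'), ' not '),
]

_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
    ast.Compare, ast.Eq, ast.NotEq, ast.Gt, ast.Lt, ast.GtE, ast.LtE,
    ast.Name, ast.Attribute, ast.Constant, ast.Load,
)
_NAMESPACES = ("vuln", "asset", "project")


def _translate_ops(fragment):
    for pattern, replacement in _OPERATORS:
        fragment = pattern.sub(replacement, fragment)
    return fragment


def to_python(expr):
    """Rewrite a rule expression into Python syntax; string literals are left untouched."""
    out, pos = [], 0
    for m in _STRING.finditer(expr):
        out.append(_translate_ops(expr[pos:m.start()]))
        out.append(m.group(0))
        pos = m.end()
    out.append(_translate_ops(expr[pos:]))
    return "".join(out).strip()


def compile_rule(expr):
    """Parse a rule and reject anything beyond datapoint reads, comparisons and boolean logic."""
    tree = ast.parse(to_python(expr), mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed syntax in rule: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in _NAMESPACES:
            raise ValueError(f"unknown datapoint namespace: {node.id}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ValueError(f"disallowed datapoint name: {node.attr}")
    return compile(tree, "<sla-rule>", "eval")


def evaluate_rule(expr, ctx):
    """Return True when the rule matches the given vuln/asset/project datapoints."""
    namespaces = {k: SimpleNamespace(**ctx.get(k, {})) for k in _NAMESPACES}
    return bool(eval(compile_rule(expr), {"__builtins__": {}}, namespaces))


def assign_sla(rules, ctx):
    """Evaluate rules in priority order; the first True rule wins and no others are tried."""
    for priority, expr, sla_days in sorted(rules, key=lambda r: r[0]):
        if evaluate_rule(expr, ctx):
            return priority, sla_days
    return None  # no rule matched: the vulnerability carries no SLA


def sla_countdown(created_iso, sla_days, today_iso):
    """Due date (ISO string) and days remaining; negative means the SLA is breached."""
    due = date.fromisoformat(created_iso) + timedelta(days=sla_days)
    return due.isoformat(), (due - date.fromisoformat(today_iso)).days


def make_ctx(priority, asset_type, likelihood):
    # Constructed sample datapoints for one vulnerability, its asset and project.
    return {
        "vuln": {"priority": priority, "likelihood_of_exploitation": likelihood,
                 "status": "Open", "zeroday": "No"},
        "asset": {"type": asset_type, "name": "example-asset"},
        "project": {"code": "PRJ-EXAMPLE"},
    }


if __name__ == "__main__":
    ctx = make_ctx("Critical", "Web App", 2)
    matched = assign_sla(RULES, ctx)  # rule 1 wins even though rule 3 also matches
    print(matched, sla_countdown("2024-01-01", matched[1], "2024-01-05"))
```

The ordering check is the part worth noticing: a Critical finding on a Web App with a low likelihood of exploitation still gets the 7-day SLA from priority-1 rule, because evaluation stops at the first True rule and the broader priority-3 rule is never consulted. If you want a narrow rule to take precedence over a general one, it must carry the lower priority number.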

Check YouTube for more tutorials: https://youtube.com/@attackforge