Vulnerability SLAs
Vulnerability SLAs attach a remediation deadline to each vulnerability, which makes triage and vulnerability management more effective and efficient.
Every vulnerability can be assigned an SLA. AttackForge helps to keep on top of vulnerabilities as they get closer to their SLA, by making it easy to filter, identify, action and export. Every SLA is color-coded and includes a countdown tracker.
AttackForge provides a rules-based engine to configure custom vulnerability SLAs. This powerful utility allows you to create SLAs which meet specific conditions based on vulnerability, asset and project datapoints.
Vulnerability SLAs can be enabled by Administrators via the Administration module.
Configuring SLA Rules
Every rule resolves to either True or False. If True, the SLA associated with the rule is applied to the vulnerability. For example, if the rule's SLA is 15, the vulnerability receives an SLA of 15 days.
Every rule is assigned a priority which determines the order in which the rules are evaluated: a rule with a priority of 1 is evaluated before a rule with a priority of 2. Once a rule has been applied (is True), no further rules are evaluated for that vulnerability. Because evaluation stops at the first match, order rules from most specific to most general; a broad rule such as vuln.priority == "Critical" placed at priority 1 will shadow any narrower rule for Critical vulnerabilities at a lower priority, and that narrower rule will never apply.
Rules are made up of expressions. Every expression has at least 1 Datapoint and 1 Operator. Multiple expressions can be grouped together to create more powerful SLAs. See the Examples section below.
Datapoints
vuln.id - <string> id of the vulnerability
vuln.created - <date> created timestamp of the vulnerability
vuln.modified - <date> modified timestamp of the vulnerability
vuln.priority - <string> priority of the vulnerability. Is either Critical / High / Medium / Low / Info
vuln.title - <string> title of the vulnerability
vuln.status - <string> status of the vulnerability. Is either Open or Closed
vuln.tags - <string array> list of tags associated on the vulnerability
vuln.zeroday - <string> whether vulnerability is a zero-day. Is either Yes or No
vuln.likelihood_of_exploitation - <integer> likelihood of exploitation for vulnerability. Is a number between 1 to 10
vuln.ready_for_retest - <string> whether vulnerability is ready for retest. Is either Yes or No
vuln.visible - <string> whether vulnerability is visible or pending. Is either Yes or No
vuln.alternate_id - <string> user-friendly alternate vulnerability id
vuln.cvssv3_vector - <string> vulnerability cvss v3 vector string
vuln.cvssv3_base_score - <string> vulnerability cvss v3 base score
vuln.cvssv3_temporal_score - <string> vulnerability cvss v3 temporal score
vuln.cvssv3_environmental_score - <string> vulnerability cvss v3 environmental score
vuln.custom_tag_<key> - <string> vulnerability custom tag. Replace <key> with the name of your tag
vuln.custom_field_<key> - <string> vulnerability custom field. Replace <key> with the key of your custom field
vuln.library_id - <string> id of the vulnerability library template/write-up
vuln.library_created - <date> created timestamp of the vulnerability library template/write-up
vuln.library_modified - <date> modified timestamp of the vulnerability library template/write-up
vuln.library_code - <string> numerical code of the vulnerability library template/write-up. Is a 15-digit number
vuln.library_tags - <string array> list of tags associated on the vulnerability library template/write-up
vuln.library_import_source - <string> tool for the imported vulnerability library template/write-up
vuln.library_import_source_id - <string> plugin/external id for the imported vulnerability library template/write-up
vuln.library_custom_tag_<key> - <string> vulnerability library template/write-up custom tag. Replace <key> with the name of your tag
vuln.library_custom_field_<key> - <string> vulnerability library template/write-up custom field. Replace <key> with the key of your field
asset.id - <string> id of the asset
asset.created - <date> created timestamp of the asset
asset.modified - <date> modified timestamp of the asset
asset.name - <string> name of the asset
asset.external_id - <string> external id of the asset
asset.type - <string> asset type
asset.details - <string> details for the asset
asset.custom_field_<key> - <string> asset custom field. Replace <key> with the key of your field
project.id - <string> id of the project
project.created - <date> created timestamp of the project
project.modified - <date> modified timestamp of the project
project.name - <string> name of the project
project.code - <string> code for the project
project.start_date - <date> start date for the project
project.end_date - <date> end date for the project
project.scope - <string array> list of asset names
project.organization_code - <string> organization code for the project
project.vulnerability_code - <string> user-friendly alternate vulnerability id prefix
project.custom_tag_<key> - <string> project custom tag. Replace <key> with the name of your tag
project.custom_field_<key> - <string> project custom field. Replace <key> with the key of your field
Operators
NOT or ! - used to negate an expression (logical NOT). For example !(vuln.priority == "Critical")
AND or && - used to combine expressions so that all of them must be true (logical AND). For example vuln.priority == "Critical" AND asset.type == "Web App"
OR or || - used to combine expressions so that at least one of them must be true (logical OR). For example vuln.priority == "Critical" OR vuln.priority == "High"
== - used to check for equivalency (loose equality; the values are compared without regard to type). For example vuln.priority == "Critical"
=== - used to check for strict equality (the values must match in both type and value). For example vuln.priority === "Critical"
!== - used to check for strict inequality (the values differ in type or in value). For example vuln.priority !== "Critical"
> - used to check for greater-than comparison. For example vuln.likelihood_of_exploitation > 5
< - used to check for less-than comparison. For example vuln.likelihood_of_exploitation < 5
>= - used to check for greater-than-or-equals comparison. For example vuln.likelihood_of_exploitation >= 5
<= - used to check for less-than-or-equals comparison. For example vuln.likelihood_of_exploitation <= 5
( ) - used to group statements together. For example ((vuln.priority == "Critical") AND (asset.type == "Web App")) OR ((vuln.priority == "Critical") AND (asset.type == "API"))
Examples
vuln.priority == "Critical"
This rule evaluates whether the vulnerability has a priority of Critical, and if so, applies the related SLA to that vulnerability.
vuln.priority == "Critical" OR vuln.priority == "High"
This rule evaluates whether the vulnerability has a priority of Critical or High, and if so, applies the related SLA to that vulnerability.
vuln.priority == "Critical" AND vuln.likelihood_of_exploitation > 5
This rule evaluates whether the vulnerability has a priority of Critical and a likelihood of exploitation greater than 5, and if so, applies the related SLA to that vulnerability.
(vuln.priority == "Critical" AND asset.type == "Web App") OR (vuln.priority == "High" AND asset.type == "API")
This rule evaluates whether the vulnerability has a priority of Critical and the affected asset is of type Web App, or whether the vulnerability has a priority of High and the affected asset is of type API, and if so, applies the related SLA to that vulnerability.
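The rule grammar described above (datapoints, the NOT/AND/OR, comparison and grouping operators, and priority-ordered first-match evaluation), as an added JavaScript example. This is not AttackForge's engine: the rule set, SLA values and vulnerability records are constructed for illustration, and datapoints are passed in as a flat object keyed by datapoint name. Rules are parsed with a small recursive-descent parser rather than eval, so rule text is never executed as JavaScript. It treats == as loose comparison and === / !== as strict comparison, as the operator list distinguishes them; whether the product coerces types in exactly the same way is an assumption to confirm against your own instance.

```javascript
// Added example (not AttackForge code): tokenizer + recursive-descent parser for the rule syntax
// above, and first-match application of a priority-ordered rule set. All rules/records are constructed.
const TOKEN_RE = /\s*(?:(\(|\))|(===|!==|==|>=|<=|>|<|&&|\|\||!)|("(?:[^"\\]|\\.)*")|(-?\d+(?:\.\d+)?)|([A-Za-z_][\w.]*))/y;
const WORD_OPS = new Map([['NOT', '!'], ['AND', '&&'], ['OR', '||']]); // word forms alias the symbols

function tokenize(src) {
  const s = src.trim(), tokens = [];
  TOKEN_RE.lastIndex = 0;
  while (TOKEN_RE.lastIndex < s.length) {
    const at = TOKEN_RE.lastIndex, m = TOKEN_RE.exec(s);
    if (!m) throw new Error(`rule syntax error at offset ${at}: ${src}`);
    if (m[1]) tokens.push({ t: 'paren', v: m[1] });
    else if (m[2]) tokens.push({ t: 'op', v: m[2] });
    else if (m[3]) tokens.push({ t: 'lit', v: JSON.parse(m[3]) }); // "string" literal
    else if (m[4]) tokens.push({ t: 'lit', v: Number(m[4]) });     // numeric literal
    else if (WORD_OPS.has(m[5])) tokens.push({ t: 'op', v: WORD_OPS.get(m[5]) });
    else tokens.push({ t: 'dp', v: m[5] });                        // datapoint name
  }
  return tokens;
}

// Per the operator list: == is loose (types coerced before comparing); === and !== are strict.
const COMPARE = {
  '==': (a, b) => a == b, '===': (a, b) => a === b, '!==': (a, b) => a !== b,
  '>': (a, b) => a > b, '<': (a, b) => a < b, '>=': (a, b) => a >= b, '<=': (a, b) => a <= b,
};

// Returns a predicate (dp) => boolean. Precedence, tightest first: ( ), NOT/!, AND/&&, OR/||.
function compile(expression) {
  const toks = tokenize(expression);
  let i = 0;
  const fail = (msg) => { throw new Error(`${msg} in rule: ${expression}`); };
  const peek = () => toks[i], isOp = (v) => peek() !== undefined && peek().t === 'op' && peek().v === v;
  const expect = (t, v) => {
    const tok = toks[i++];
    if (!tok || tok.t !== t || (v !== undefined && tok.v !== v)) fail(`expected ${v || t}`);
    return tok;
  };
  const parseValue = () => {
    const tok = toks[i++];
    if (!tok || tok.t === 'op' || tok.t === 'paren') fail('expected a datapoint or literal');
    // An unset datapoint reads as undefined rather than throwing.
    return tok.t === 'lit' ? () => tok.v : (dp) => (Object.prototype.hasOwnProperty.call(dp, tok.v) ? dp[tok.v] : undefined);
  };
  const parsePrimary = () => {
    if (peek() !== undefined && peek().t === 'paren' && peek().v === '(') {
      i++; const inner = parseOr(); expect('paren', ')'); return inner;
    }
    const left = parseValue(), cmp = COMPARE[expect('op').v];
    if (!cmp) fail('expected a comparison operator');
    const right = parseValue();
    return (dp) => cmp(left(dp), right(dp));
  };
  const parseNot = () => {
    if (!isOp('!')) return parsePrimary();
    i++; const inner = parseNot(); return (dp) => !inner(dp);
  };
  const parseAnd = () => {
    let left = parseNot();
    while (isOp('&&')) { i++; const l = left, r = parseNot(); left = (dp) => l(dp) && r(dp); }
    return left;
  };
  const parseOr = () => {
    let left = parseAnd();
    while (isOp('||')) { i++; const l = left, r = parseAnd(); left = (dp) => l(dp) || r(dp); }
    return left;
  };
  const pred = parseOr();
  if (i !== toks.length) fail('unexpected trailing tokens');
  return (dp) => Boolean(pred(dp));
}

// Compile once and order by priority (lower evaluates first); the first true rule supplies the SLA (days).
function compileRules(rules) {
  return rules.map((r) => ({ ...r, test: compile(r.expression) })).sort((a, b) => a.priority - b.priority);
}
function applySla(compiled, dp) {
  const hit = compiled.find((r) => r.test(dp));
  return hit ? hit.sla : null; // null: no rule matched, so no SLA is applied
}

// Constructed rule set mirroring the Examples section.
const RULES = [
  { priority: 1, sla: 7, expression: '(vuln.priority == "Critical" AND asset.type == "Web App") OR (vuln.priority == "High" AND asset.type == "API")' },
  { priority: 2, sla: 14, expression: 'vuln.priority == "Critical" AND vuln.likelihood_of_exploitation > 5' },
  { priority: 3, sla: 30, expression: 'vuln.priority == "Critical" OR vuln.priority == "High"' },
  { priority: 4, sla: 90, expression: '!(vuln.priority == "Critical")' },
];
// Constructed vulnerability records as flat datapoint objects.
const SAMPLES = {
  critWebApp: { 'vuln.priority': 'Critical', 'asset.type': 'Web App', 'vuln.likelihood_of_exploitation': 3 },
  critServer: { 'vuln.priority': 'Critical', 'asset.type': 'Server', 'vuln.likelihood_of_exploitation': 8 },
  highServer: { 'vuln.priority': 'High', 'asset.type': 'Server', 'vuln.likelihood_of_exploitation': 9 },
  mediumApi: { 'vuln.priority': 'Medium', 'asset.type': 'API', 'vuln.likelihood_of_exploitation': 9 },
};
// Moving the broad "Critical OR High" rule to the front shadows the narrower 14-day rule.
const RULES_MISORDERED = RULES.map((r) => (r.sla === 30 ? { ...r, priority: 0 } : r));
function slaFor(sampleName, rules = RULES) {
  return applySla(compileRules(rules), SAMPLES[sampleName]);
}
```

With the rules in the order shown, slaFor('critServer') returns 14 (the Critical-and-exploitable rule), but with RULES_MISORDERED the 30-day "Critical OR High" rule sits at the front and critServer gets 30 instead, which is the shadowing that the priority ordering makes possible. The CVSS score datapoints are typed <string>, so in this evaluator compile('vuln.cvssv3_base_score == 9.8') is true for a score of "9.8" under loose equality while the === form is false; confirm how your own instance compares string-typed datapoints before writing numeric rules against them.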