Creating a Risk Score

The left navigation panel of the Axonius Risk Score page lists all asset types for which you have created at least one Risk Score. Under each asset type, all Risk Scores defined for that asset type are listed.

To add a new Risk Score:

  1. From the left navigation panel, click + Add Asset.
  2. Choose an asset type from the dropdown and click Add Asset. You can only add a single asset type at a time. If there are already Risk Scores defined for this asset type, the new Risk Score will be added under the relevant asset type in the left navigation panel. You can also click + next to the relevant asset type to add a new Risk Score to it.
[Image: AddRiskScore]
  3. Under Action Name, enter a name for the Enforcement Action that runs when calculating this Risk Score. The name must be unique.
Note: At this point, the Risk Score's name is a generic one such as "Calculate Risk Score 1". You can rename it after saving the Risk Score.

Selecting Assets and Fields

  1. From the Select Query dropdown, select the specific assets this Risk Score applies to.
  2. Under Weighted Risk Score, select whether to calculate Risk Score per [Asset Name] or per Vulnerability per [Asset Name].
    • per Asset - This Risk Score is calculated for the selected assets only, and is based on values from at least two asset fields. The results are written into the Axonius Risk Score field on the relevant Assets page.
    • per Vulnerability per Asset - This Risk Score is calculated for a specific vulnerability in the context of a specific asset.
Guidelines for calculating per Vulnerability per Asset Risk Score

When calculating a per Vulnerability per Asset Risk Score:

  • The selected query should include at least one asset that has an associated vulnerability.
  • We strongly recommend including at least one field from the Vulnerability Instances module rather than only fields from the asset itself. Otherwise, the calculation might fail or produce false results.
    • The Vulnerability Instances field should include attributes related to the vulnerability itself, such as CVE Severity or CVSS Score.
  • The Risk Score result is written simultaneously to the following pages and fields:
    • On the Assets page, the Risk Score appears under the Vulnerable Software: Axonius Risk Score field, available from either the Vulnerable Software or Vulnerability Instances tables (the latter is available only for Devices).
    • On the Vulnerability Instances page, the Risk Score appears under the Axonius Risk Score field. This refers to the risk score of the asset itself, and since a Vulnerability Instance asset represents a specific vulnerability on a specific device, it is the same as the per Vulnerability Instance Risk Score.

See Viewing Risk Score Results for detailed instructions on how to view the calculation results from each Assets page.

  3. Under Score Calculation, select the asset types and fields you want to include in the score calculation. Click + to add more fields. You can include an unlimited number of fields (two is the minimum), provided that the sum of their weights (Total Percentage) is exactly 100. The more fields you include, the more factors the Risk Score takes into consideration.
  4. For each Risk Score component, select from the Adapter dropdown the adapter from which to fetch the field value.
  5. Select the Axonius field, for example (for Devices): Host Name, Last Seen, Total CVE Count, etc.
  6. Under the Weight column, type a value or use the Up/Down arrows to set the percentage weight of the selected Axonius field in the Risk Score calculation.
Note: The Total % shown under the Weight % column must be 100. If it is above or below 100, the system warns you accordingly.

The following example shows a Risk Score per Vulnerability per Device, calculated from the weighted values of three fields: CMDB Business Applications: Crown Jewel (fetched from the ServiceNow adapter); Public IPs; and Plugins Information: VPR Score (fetched from the Tenable.io adapter).

[Image: RiskScoreExample]

Assigning Alternative Values to Fields

All fields added to the Risk Score require defining the following:

  • At least one alternative value, which is assigned to the field as its Risk Score when its value meets (or fails to meet) a specific condition. For example, a field with non-numeric values must be assigned at least one numeric value.
  • At least one fallback value - a default value assigned when none of the conditions are met.

To complete this process, click Add Alternative Value (see the image above) under the field row, or click the Edit icon.

The process of assigning alternative values to fields differs between numeric and non-numeric fields.

If the field has a non-numeric value:

  1. Fill in the IF row (the first condition) to assign a numeric value to the field.
  2. Optionally, click + to add more ELSE IF conditions.
  3. In the bottom ELSE section, enter a fallback value.
  4. Click Apply.

For example, if we add the CVE Severity field, we can define the following alternative values:

  • If this field's value is either CRITICAL or URGENT, the Risk Score will be 10.
  • If this field's value is HIGH, the Risk Score will be 8.
  • If this field's value is anything else, the Risk Score will be 5.
[Image: AlternativeValue]
Notes:

  1. Conditions are defined using standard Axonius query operators. The available operators change according to the field type (string, boolean, enum, etc.). For example, if the selected field is Software Name, the condition row contains additional operators such as "starts" and "ends".
  2. If a single field has multiple values, the calculation assigns the numeric value according to the order in which the conditions were set. Based on the above example, if a Severity field contains both CRITICAL and HIGH, its numeric value is 10, because the CRITICAL condition appears first.

If the field has a numeric value:

When the field has a numeric value (for example, CVSS Score or Device Count), an additional section titled Choose Value appears in the Alternative Value wizard. In this section, fill in the following fields:

  1. In case of multiple values, choose which one you want to display - Some fields might have multiple values, for example, if their values are fetched from multiple adapters. In this case, choose which value you want to use in the calculation: the Maximum (default) or Minimum.
  2. (Optional) Select an operator (× or ÷) and enter a value to adjust the Risk Score - Select an operator (Multiply or Divide) and enter a value to adjust the Risk Score by it. For example - divide the Risk Score by 10. This is useful when fields have very high values (100, 1000, etc.) or non-integer values, which might complicate the calculation. In this case, you might prefer to normalize the data and work with more convenient numbers.

In the following example, we want to normalize the Device field Not Fetched Count. We will choose to display the maximum value in case of multiple values, and divide the value by 10:

[Image: DataNormalization]
  3. After normalizing the data, proceed to the Alternative Value section of the wizard and define conditions and a fallback value as explained above. Note that the conditions defined in this section are checked against the values defined in the previous step. For each condition, select whether to use the Field Value (as defined under Choose Value), or set a different value.

Example

Assume that the Not Fetched Count field has the values 20, 30, and 50. According to what we defined under Choose Value, the assigned Risk Score will be 5, because the calculation takes the maximum value, 50, and divides it by 10. Under Alternative Value we define that if the value is smaller than 10, the Field Value is used as the Risk Score. 5 is smaller than 10, so the Field Value 5 is indeed the Risk Score. In any other case, when the value is equal to or larger than 10, an alternative Risk Score of 7 is assigned.

[Image: FullWizard]

Field-Based Fallback Conditions

The above examples demonstrate how to configure numeric fallback values (Value-type fallbacks). However, you can also configure up to 2 Field-type fallbacks. The system checks these fields sequentially until it reaches a field value that satisfies its condition. If none of the fields match their conditions, a final Value-type fallback must be assigned.

Note: While you can configure up to 2 field-based fallbacks, you can only configure a single numeric fallback value for each condition.

To summarize the two possible flows:

  1. Flow 1:
    1. The system checks the value of the calculation field defined.
    2. If the value doesn't match the required condition(s), the system assigns this field a defined numeric value.
  2. Flow 2:
    1. The system checks the value of the calculation field defined.
    2. (Optional) If the value doesn't match the required condition(s), the system checks the value of a second field.
    3. (Optional) If the value doesn't match the required condition(s), the system checks the value of a third field.
    4. If the value doesn't match the required condition(s), the system assigns this field a defined numeric value.

Example for Flow 2

We want to use a Vulnerability Instance's CVSS V4 Score field value in the Risk Score calculation. However, this field doesn't necessarily have values for all Vulnerability Instances. Instead of setting a numeric fallback value straight away, we can set the system to move on and check the value of the CVSS V3 Score field. This field also doesn't necessarily have values for all Vulnerability Instances, so we can set the system to move on and check the value of the CVSS V2 Score field. In case none of the above fields have appropriate values, we will set a final, numeric fallback value to use in the calculation.

  1. Click Edit Risk Score next to the field's row to start the process:
[Image: Fallback1]
  2. Set one or more conditions for the CVSS V4 Score field:
[Image: Fallback2]
  3. From the ELSE dropdown, select Field:
[Image: Fallback3]
  4. Select the CVSS V3 Score field and set a condition for it:
[Image: Fallback4]
  5. From the next ELSE dropdown, select Field. Then, select the CVSS V2 Score field and set a condition for it:
[Image: Fallback5]
  6. You've reached the maximum number of fields that can be set. The final ELSE dropdown only allows you to select Value and set a numeric value. This step is mandatory to complete the process.
[Image: Fallback6]
  7. Click Apply to save your changes.

Important notes:

  • Each step can contain multiple conditions. Click + to add expressions for each step.
[Image: Fallback7]
  • To have the system use the field value instead of a custom value, click Reset score value.
[Image: Fallback8]
  • If the field has a numeric value, you can normalize its data using operators, as demonstrated above. Click Normalize risk score to display the Choose Value dialog.
[Image: Fallback9] [Image: Fallback10]
  • If the field has a non-numeric value, the Normalize risk score option isn't available, and you only need to assign it a custom numeric value.
[Image: Fallback11]

You can come back to each calculation field and edit its Alternative Value configurations by clicking the Edit icon.

Defining Risk Levels

Axonius divides ranges of Risk Scores into levels. A Risk Level is a translation of a Risk Score's numeric value into one of the following strings: Low, Medium, High, or Critical. For example, Axonius' default settings are that Risk Scores between 0.01 and 3.99 are Low level; Risk Scores between 4 and 6.99 are Medium level; and so on.

The Risk Level section is available at the bottom of the Risk Score page, right after selecting assets and fields.

Each Risk Level row contains two fields. The left field represents the lowest number in the range and the right field represents the highest number in the range. The ranges are set to the Axonius default, but you can change them according to your needs.

[Image: risk levels1]

Guidelines for defining Risk Levels

  • The left field of the Low level row always has the value 0.1 and can't be edited.
  • Each left field automatically receives its value from the right field on the previous row, so no gap between the ranges is possible.
    • For example, if the value of the right Low field is 4.5, then the value of the left Medium field is set to 4.51; if you change the value of the right Low field to be 4.51, then the value of the left Medium field changes to 4.52.
[Image: risk levels4]
  • The right field of the Critical level row always has the value infinity, so the Critical range is determined by the ranges of the preceding levels and does not need to be set manually.
  • To return to the Axonius default settings, click Reset to Levels Default.
  • To save the custom Risk Score ranges you defined, you must save your changes before exiting the page. Otherwise, the ranges and levels will be reset to the Axonius default.
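The whole calculation described above (alternative values with the Choose Value normalization, the Flow 2 field-type fallback chain, the Total % rule and the Risk Level ranges) as a small Python model. This is an added example, not Axonius code: it assumes that components combine as a weighted sum, treats a missing field as an empty value list, models only the ÷ normalization operator, and assumes the High and Critical default boundaries, which the page does not give; the sample Vulnerability Instance record, field names and rules are constructed.

```python
# Added example, not Axonius code. Assumed: components combine as a weighted sum,
# a missing field is an empty list, and only the "÷" normalization operator is modelled.
def choose_value(values: list, use_max: bool = True, divide_by: float = 1) -> list:
    """Choose Value step for numeric fields: max (default) or min across adapters, then divide."""
    nums = [v for v in values if isinstance(v, (int, float))]
    return [(max(nums) if use_max else min(nums)) / divide_by] if nums else []

def first_match(values: list, rules: list):
    """IF / ELSE IF rows are tried in the order they were set, so for a multi-valued field
    the earliest rule matching any value wins. A rule score of None means use the Field Value."""
    for cond, score in rules:
        for v in values:
            if cond(v):
                return v if score is None else score
    return None

def field_score(asset: dict, chain: list, fallback: float) -> float:
    """Flow 1 (one field) or Flow 2 (field + up to 2 field-type fallbacks); each chain step is
    (field name, Choose Value options or None, rules) and the final ELSE is a numeric Value."""
    if not 1 <= len(chain) <= 3:
        raise ValueError("one calculation field plus at most 2 field-type fallbacks")
    for field, opts, rules in chain:
        values = asset.get(field, [])
        hit = first_match(choose_value(values, **opts) if opts else values, rules)
        if hit is not None:
            return hit
    return fallback

def weighted_risk_score(asset: dict, components: list) -> float:
    """Assumed combination: sum of score * weight / 100; the Total % must be exactly 100."""
    total = sum(w for w, _, _ in components)
    if total != 100:
        raise ValueError(f"Total % must be 100, got {total}")
    return sum(field_score(asset, chain, fb) * w / 100 for w, chain, fb in components)

# The page gives only the Low and Medium defaults; the High/Critical boundaries are assumed.
DEFAULT_LEVELS = [("Low", 0.01, 3.99), ("Medium", 4, 6.99), ("High", 7, 8.99), ("Critical", 9, float("inf"))]
def risk_level(score: float) -> str:
    return next((name for name, lo, hi in DEFAULT_LEVELS if lo <= score <= hi), "None")
# Constructed Vulnerability Instance record (per Vulnerability per Device), not real data.
SAMPLE = {"CVE Severity": ["HIGH", "CRITICAL"],  # CRITICAL rule is listed first -> 10
          "Not Fetched Count": [20, 30, 50],     # max 50 / 10 = 5, below 10 -> Field Value 5
          "CVSS V4 Score": [], "CVSS V3 Score": [7.5]}  # V4 empty -> Flow 2 falls through to V3
COMPONENTS = [  # (weight %, fallback chain, final numeric fallback)
    (20, [("CVE Severity", None, [(lambda v: v in ("CRITICAL", "URGENT"), 10), (lambda v: v == "HIGH", 8)])], 5),
    (50, [("Not Fetched Count", {"use_max": True, "divide_by": 10}, [(lambda v: v < 10, None)])], 7),
    (30, [(f, None, [(lambda v: v > 0, None)]) for f in ("CVSS V4 Score", "CVSS V3 Score", "CVSS V2 Score")], 5)]
def example() -> tuple:
    score = weighted_risk_score(SAMPLE, COMPONENTS)  # 2.0 + 2.5 + 2.25
    return score, risk_level(score)                  # (6.75, "Medium")
```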

Saving Custom Risk Levels as Default

To avoid defining custom Risk Levels for every new Risk Score created, you can save the custom ranges you defined as default.

  1. Click Risk Score Settings from the top right corner of the page.
[Image: risk levels5]
  2. Edit the default ranges according to the guidelines explained above.
  3. Select whether to apply this default only to future Risk Scores, or to both existing and new Risk Scores.
  4. Click Save.