The Axonius Risk Score page offers a robust solution to assess threat levels and prioritize remediation efforts. Use the Risk Score page to create multiple Risk Scores for different assets and use cases, and to manage and edit them as needed.
Configuring custom conditions and applying data normalization rules allow for an accurate, transparent calculation process. The Risk Score calculation takes into account risk, business impact, and exploitability considerations.
While the Risk Score mechanism generally supports all asset types, a major use case for it is to calculate Risk Score across devices and vulnerabilities, namely, to calculate the Risk Score of a specific vulnerability in the context of a specific device ("per vulnerability per device"). For example, you can compare the riskiness of specific CVEs on a laptop with the riskiness of the same CVEs on a desktop or a mobile device.
From the Vulnerability Instances page, click Risk Score to navigate to the Risk Score settings page.
The left navigation panel lists all assets for which you have created at least one Risk Score. Under each asset type, all Risk Scores defined for this asset are listed.
Adding a New Risk Score
Basic Configuration
- From the left navigation panel, click + Add Asset.
- Choose an asset type from the dropdown and click Add Asset. You can only add a single asset type at a time.
If there are already Risk Scores defined for this asset type, the new Risk Score will be added under the relevant asset type in the left navigation panel.
You can also click + next to the relevant asset type to add a new Risk Score to it.
- Under Action Name, enter a name for the Enforcement Action that runs when calculating this Risk Score. The name must be unique.
At this point, the Risk Score's name is something generic such as "Calculate Risk Score 1". You can rename it after saving the Risk Score.
Selecting Assets and Fields
- From the Select Query dropdown, select the specific assets this Risk Score applies to.
- Under Weighted Risk Score, select whether to calculate Risk Score per Entity or per Asset per Entity. For all asset types except for Devices, the only option available is per Entity; for Devices, you can choose between the following two weighted Risk Score types:
- per Device - This Risk Score is calculated for Devices only, and is based on values from at least two Device fields. The results are written into the Axonius Risk Score field on the Devices page, as on other Assets pages.
- per Vulnerability per Device - This Risk Score is calculated for a specific vulnerability in the context of a specific device.
When calculating a per Vulnerability per Device Risk Score, the query selected must include at least one device that has an associated vulnerability.
There are two methods to calculate a per Vulnerability per Device Risk Score.
- Method 1 (recommended) - Calculate a per Vulnerability per Device Risk Score for Device assets.
- Method 2 - Calculate a per Vulnerability Instance Risk Score for Vulnerability Instance assets.
In both methods, the Risk Score result is written into the following Assets pages and fields:
- On the Devices page, the Risk Score appears under the Risk Score - Axonius calculated field per vulnerability per device field, available from either the Vulnerable Software table or Vulnerability Instances tables.
- On the Vulnerability Instances page, the Risk Score appears under the Axonius Risk Score field. This refers to the risk score of the asset itself, and since a Vulnerability Instance asset represents a specific vulnerability on a specific device, it is the same as the per Vulnerability Instance Risk Score.
We recommend using Method 1 when calculating a per Vulnerability per Device Risk Score, as you can use Devices, Vulnerabilities and Vulnerability Instances fields; while in Method 2, you can only use Vulnerability Instances fields. Using a variety of fields makes the calculation more accurate and tailored to your needs.
See Viewing Risk Score Results for detailed instructions on how to view the calculation results from each Assets page.
- Under Score Calculation, select the asset types and fields you want to include in the score calculation. Click + to add more fields. You can include an unlimited number of fields (two is the minimum), provided that the sum of their weights (Total Percentage) is exactly 100. The more fields included, the more factors the Risk Score takes into consideration.
- For each Risk Score component, from the Adapter dropdown, select the adapter from which to fetch the field value.
- Select the Axonius field, for example (for Devices): Host Name, Last Seen, Total CVE Count, etc.
- Under the Weight column, type or use the Up/Down arrows to input the percentage of the selected Axonius field in the Risk Score calculation.
The Total % appearing under the Weight % column must be 100. If it's above or below 100, the system warns you accordingly.
The following example shows a Risk Score per Vulnerability per Device, calculated by the weights of three different fields: CMDB Business Applications: Crown Jewel (fetched from the ServiceNow adapter); Public IPs; and Plugins Information: VPR Score (fetched from the Tenable.io adapter).
Assigning Alternative Values to Fields
Every field added to the Risk Score requires at least one alternative value, which is assigned to the field as its Risk Score depending on whether its value meets or does not meet specific conditions, and a fallback value (a default value assigned when none of the conditions are met).
To complete this process, click Add Alternative Value under the field row, or click the Edit icon.
The process of assigning alternative values to fields differs between numeric and non-numeric fields.
If the field has a non-numeric value:
- Fill in the IF row (the first condition) to assign a numeric value to the field.
- Optionally, click + to add more ELSE IF conditions.
- In the bottom ELSE section, enter a fallback value.
- Click Apply.
For example, if we add the CVE Severity field, we can define the following alternative values:
- If this field's value is either CRITICAL or URGENT, the Risk Score will be 10.
- If this field's value is HIGH, the Risk Score will be 8.
- If this field's value is anything else, the Risk Score will be 5.
- Defining the conditions is done using standard Axonius query operators. The available operators change according to the field type - string, boolean, enum, etc. For example, if the selected field is Software Name, the condition row contains additional operators such as "starts" and "ends".
- In case a single field has multiple values, the calculation assigns the numeric values according to the order in which the conditions were set. Based on the above example, if we have a Severity field that contains both CRITICAL and HIGH severities, its numeric value will be 10, because the CRITICAL condition appears first.
If the field has a numeric value:
When the field has a numeric value (for example - CVSS Score, Device Count, etc.), an additional section titled Choose Value appears in the Alternative Value wizard. From this section, fill in the following fields:
- In case of multiple values, choose which one you want to display - Some fields might have multiple values, for example, if their values are fetched from multiple adapters. In this case, choose which value you want to use in the calculation: the Maximum (default) or Minimum.
- (Optional) Select an operator (× or ÷) and enter a value to adjust the Risk Score - Select an operator (Multiply or Divide) and enter a value to adjust the Risk Score by it. For example - divide the Risk Score by 10. This is useful when fields have very high values (100, 1000, etc.) or non-integer values, which might complicate the calculation. In this case, you might prefer to normalize the data and work with more convenient numbers.
In the following example, we want to normalize the Device field Not Fetched Count. We will choose to display the maximum value in case of multiple values, and divide the value by 10:
- After normalizing the data, proceed to the Alternative Value section of the wizard and define conditions and a fallback value as explained above.
Note that the conditions defined in this section are checked against the values defined in the previous step. For each condition, select whether to use the Field Value (as defined under Choose Value), or set a different value.
Example
Assume that the Not Fetched Count field has the following values: 20, 30, and 50. According to what we defined under Choose Value, the assigned Risk Score will be 5, as the calculation mechanism takes the maximum value 50 and divides it by 10.
Under Alternative Value we will define that if the value is smaller than 10, the Field Value will be used as the Risk Score. 5 is smaller than 10 and therefore, the Field Value 5 will indeed be the Risk Score.
In any other case - when the value is equal to or larger than 10 - an alternative Risk Score of 7 will be assigned.
You can come back to each field and edit its Alternative Value conditions by clicking the Edit icon.
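The following sketch models the Choose Value and Alternative Value steps for the two examples above (CVE Severity and Not Fetched Count) and then combines the field scores by weight. It is an added example, not Axonius code: all function names are hypothetical, the 60/40 weights are constructed, and combining the fields as a weight-percentage sum is an assumption, since the page states the weights but not the exact formula.

```python
# Added illustration of the configuration described above; not Axonius code.
# All function names are hypothetical.

def normalize(values, pick=max, op=None, operand=1):
    """Choose Value step: pick Maximum or Minimum, then Multiply or Divide."""
    v = pick(values)
    if op == "divide":
        return v / operand
    if op == "multiply":
        return v * operand
    return v

def alternative_value(value, conditions, fallback):
    """Check IF / ELSE IF rows in order; the ELSE row is the fallback.
    A row score of None means "use the Field Value"."""
    for predicate, score in conditions:
        if predicate(value):
            return value if score is None else score
    return fallback

def severity_score(severities):
    """CVE Severity example: the first matching row wins for multi-value fields."""
    return alternative_value(set(severities), [
        (lambda s: bool(s & {"CRITICAL", "URGENT"}), 10),
        (lambda s: "HIGH" in s, 8),
    ], fallback=5)

def not_fetched_count_score(values):
    """Not Fetched Count example: Maximum, divided by 10, then the conditions."""
    v = normalize(values, pick=max, op="divide", operand=10)
    return alternative_value(v, [(lambda x: x < 10, None)], fallback=7)

def risk_score(components):
    """components: list of (field_score, weight_percent) pairs.
    ASSUMPTION: the result is the weight-percentage sum of the field scores;
    the page gives the weights but not the combining formula."""
    if len(components) < 2:
        raise ValueError("a Risk Score needs at least two fields")
    total = sum(weight for _, weight in components)
    if total != 100:
        raise ValueError(f"Total Percentage is {total}; it must be exactly 100")
    return sum(score * weight for score, weight in components) / 100

if __name__ == "__main__":
    # Constructed inputs; the 60/40 weights are sample values, not from the page.
    sev = severity_score(["HIGH", "CRITICAL"])
    nfc = not_fetched_count_score([20, 30, 50])
    print(sev, nfc, risk_score([(sev, 60), (nfc, 40)]))
```

Reordering the rows in `severity_score` changes the result for a device that reports several severities, which is why the order of the IF / ELSE IF conditions matters when you define them.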
Previewing the Risk Score
Before saving the Risk Score, the system generates a Results Preview on a randomly selected instance and displays a breakdown of the factors contributing to the calculation, including original and normalized data. This capability ensures extra transparency and accuracy, as it allows you to go back and make changes to the calculation parameters before applying them in your environment.
Note that you can generate a preview only after you have configured all calculation fields properly, assigned them alternative values, and ensured their total weight is 100%.
From the Results Preview section, click Generate Preview. The fields contributing to the calculation are displayed with the following breakdown:
- Name - The field name.
- Raw Data - The original field value.
- Value - The actual field value, after a normalization process.
- Percentage - The weight of the field in the calculation.
The calculated Axonius Risk Score is displayed under the list of fields.
The Host ID is displayed on the top left of the Preview table. However, if the Risk Score is calculated for Vulnerability Instances or per Vulnerability per Device, the CVE ID is displayed as well.
If the Risk Score is calculated for Vulnerabilities, only the CVE ID is displayed.
Clicking Generate Preview again generates a preview for the same instance. This is useful if you want to make changes to the Risk Score settings after the first preview, and then generate another preview to see the effect of the changes.
To generate a preview for a different random instance, click the icon. To preview results for the new instance, click Generate Preview again.
Saving the Risk Score
After completing all setup steps, the Risk Score page should look like this:
Click Save and Run to save the Risk Score. This creates a new Enforcement Set task and you can access the Risk Score from the Enforcement Center as well.
Renaming a Risk Score
To rename a Risk Score, hover over it in the left navigation panel and select Rename from the Actions menu.
Deleting a Risk Score
To delete a Risk Score, hover over it in the left navigation panel and select Delete from the Actions menu.
Viewing Risk Score Results
The Risk Score of each asset is calculated in every discovery cycle, and the updated result is written into the Risk Score field.
Per Asset
- After clicking Save and Run, wait for the Enforcement Set to finish running. Then, navigate to the Enforcement Set's run history and click the most recent Enforcement Set run (row) to open its drawer.
- Click the green Successful link. The relevant Assets page opens. It lists the assets matching the query for which the Enforcement Action succeeded in calculating the Risk Score. For each asset, the EC: Result Details field shows
When there are assets for which the Enforcement Action failed to calculate the Risk Score, click the red Failed link to view them. You will be able to see the complete error message for each asset by hovering over the relevant row under the EC: Result Details field.
- From the Assets page, select Edit Table > Edit Columns, and from the fields that appear, add the Axonius Risk Score field (refer to Changing Columns Display to learn more about adding fields).
- The Assets table displays the Axonius Risk Score column.
Per Vulnerability per Device
- Repeat steps 1-2 as explained above.
- On the Devices page, select a device.
- On the device's Profile page, from the left navigation panel, expand the Tables section and select Vulnerable Software or Vulnerability Instances.
- The Vulnerable Software/Vulnerability Instances table opens, displaying the Risk Score - Axonius calculated field per vulnerability per device field for each vulnerability detected on the device.
The results are also available from the Axonius Risk Score field on the Vulnerability Instances page.
Editing Enforcement Actions in a Risk Score
All Risk Scores are Enforcement Sets. After creating them, you can edit them and add more actions and advanced configurations as in any Enforcement Set. All Risk Scores created on the Risk Score page are available in the Enforcement Center as well, and vice versa.
To learn more about Enforcement Sets, see Enforcement Sets Page, Creating Enforcement Sets, and Managing Enforcement Sets.
To learn more about defining Risk Score using an Enforcement Action, see Axonius - Calculate Risk Score.
To navigate to a specific Risk Score's page in the Enforcement Center, click the icon next to the Risk Score's name. From this page, you can do the following:
- Edit the Enforcement Set name (Risk Score name) or add a description to it. The new name will be displayed in the Axonius Risk Score page once you refresh it.
- Change the query (the assets this Risk Score applies to) under Run this Enforcement Set on assets matching the following query.
You cannot change the query when it is associated with more than one Enforcement Action, meaning, if there is more than one action in the Enforcement Set - see example below. In this case, the query selection menu is disabled.
- Schedule the Enforcement Set runs.
- Configure Success, Failure, and Post Enforcement Actions. An Enforcement Set can include one or more Success, Failure, or Post Actions.
- Success Actions run on each asset for which the main action completes successfully.
- Failure Actions run on each asset for which the main action does not complete successfully.
- Post Actions run on ALL assets matching the query after the main action has completed.
In the following example, an Add Custom Data to Assets success action is set to run on each asset for which the main action has calculated the Risk Score successfully. To learn more about this action, see Axonius - Add Custom Data to Assets.
You can add to each asset a custom field named Risk Score Exists. The field type is Single Value, the value type is Boolean, and the field value is Yes - indicating that all these assets have a Risk Score.
After any change you make to the Enforcement Set, make sure to click Save or Save and Run.