- 14 Jul 2024
- 4 Minutes to read
- Print
- DarkLight
- PDF
Vulnerabilities Exclusion Rules
- Updated on 14 Jul 2024
- 4 Minutes to read
- Print
- DarkLight
- PDF
Use the Vulnerabilities Exclusion Rules to manage exclusion rules for Vulnerabilities. Exclusion rules control whether vulnerabilities are considered Excluded (or "Accepted")". When working with Vulnerabilities, you need to be able to prioritize them to see which to remediate first. In addition, a decision might be made to accept the risk and exclude the vulnerability.
You can use Exclusion Rules to create rules about vulnerabilities to be excluded from the vulnerabilities list presented by Axonius on the Vulnerabilities page. Exclusions rules are run in a discovery cycle - the decisive ones are the ones that existed at the beginning of the cycle (if a rule changed during the cycle it will be applicable in the next cycle). Once a Vulnerability is excluded the "Excluded Vulnerable Software" Complex field appears on each relevant device, rather than the" Vulnerable Software" complex field. Consequently, these Excluded vulnerabilities are not counted in Vulnerabilities calculations.
Permissions:
- You need to have 'Edit Excluded Vulnerabilities' permissions to edit Exclusion rules.
- Only users who have the Global scope and have the permission "Edit Excluded Vulnerabilities" are able to view and edit Exclusion rules,
Using the Exclusion Rules page.
From the Vulnerabilities page click Exclusion Rules, the Exclusion Rules page opens:
The first time you use this feature the page that opens is empty. Add a rule to populate this page.
Creating a Rule
- Click Create Exclusion Rule, the Create Exclusion drawer opens.
- Enter a Rule Name, the system assigns a default name.
- Enter a description (optional)
- Either enter a Vulnerability, or use the drop down to search for and select Vulnerabilities you want to exclude. Type all or part of a Vuln-ID, and then from the list of Vulnerabilities containing the string entered, select the relevant Vulnerabilities. Once you start typing up to 200 items are displayed.
Choose Select All to select all of the Vulnerabilities displayed.
If the Vulnerability you want to exclude doesn't appear on the list, you can enter it. Once you enter a name Add New is displayed. Select Add New to add the vulnerability to the list of Vulnerabilities. It is added to the list for this rule, and selected as part of the rule.
Select Create to create the Exclusion Rule. The rule now appears on the Exclusion Rules list.
You can also create an exclusion rule that will only apply to a specific subset of devices who have that vulnerability. Refer to Selecting Associated Devices.
Selecting Associated Devices
You can also create an exclusion rule that will only apply to a specific subset of devices who have that vulnerability to help prioritize vulnerabilities to deal with, for instance to exclude only the selected vulnerabilities that are on devices with closed ports. In the Vulnerability Repository these will appear as "partially excluded".
- To select associated devices, toggle on Select associated devices.
- From Select Query, select an existing query, or select Add Query to create a new query.
The Preview Query shows the number of devices that match the query results, but not the query results combined with the existence of the CVEs selected in the rule. Note that you can't only use a query that returns over 100k devices. If you choose a query that returns too many results, you need to refine the query, or select a different one.
Once you toggle on Select associated devices, the query selected has to return devices in order to be able to save the rule. The Preview Query pane shows you if there are no results. You can then refine the query or select a different query.
The rule applies to the results of the query at the time the rule was created.
- You can click Open in Devices page to see exactly which devices are included in the query results.
- Once you are satisfied with the query results, click Create to create the rule.
Editing a Rule
Click on a rule, the Rule Drawer opens.
Edit the rule details and click Save.
Deleting a Rule
Hover over a row and choose delete, or select one or more rows and choose Delete.
The exclusion rule is removed. This means that the vulnerabilities that were excluded from the Vulnerabilities page, now appear on the Vulnerabilities page again after the next discovery cycle..
Exclusion Rules Page
Once you create Exclusion Rules they are displayed on the Exclusion Rules page.
The table contains the following columns:
Rule Name - The name of the Rule.
Affected Vulnerabilities - The Vulnerabilities defined in the rule which will be excluded.
Create by - The name of the user who created the Exclusion rule.
Last Executed - the date and time of the last time the rule ran.
Last updated - The time and date the Exclusion Rule was last modified.
Searching and Filtering
You can filter the Exclusion rules that are displayed.
The following filters are available:
Search - Type to search the table.
Rule Name - Display rules with a specific name name of the Rule.
Affected Vulnerabilities - Display rules that define specific CVEs which will be excluded.
Create by - Display by the names of users who created Exclusion rules.
Last updated - Display Exclusion Rules modified during a specific time range.
Click Reset to clear all the filters and display all vulnerabilities.
Editing an Exclusion Rule
- To edit a rule click on the rule.
- The rule dialog opens.
- Edit anything required and click Save.
Excluding Vulnerabilities from the Vulnerabilities Page
You can exclude a vulnerability directly from the Vulnerabilities' page, or from the Vulnerabilities Repository page.
For general information about working with tables refer to Working with Tables.