Axonius - Calculate Risk Score
- Updated on 05 Jan 2025
Axonius - Calculate Risk Score calculates the risk score per device, per vulnerability, or per-vulnerability-per-device, and writes the calculated value into the relevant Axonius risk score field.
The main purpose of the Axonius - Calculate Risk Score action is to support the per-vulnerability-per-device risk score calculation, which involves complex cross-entity calculations. For example, a user might run this action to compare the riskiness of a specific vulnerability on a laptop with its riskiness on a desktop or mobile device. It can also be used for single asset risk calculations (per device, per vulnerability), although for these, users can create their own custom fields using conditional statements and custom fields.
- Not all asset categories are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.
General Settings
- Enforcement Set name (required) - The name of the Enforcement Set. A default value is added by Axonius. You can change the name according to your needs.
- Add description - Click to add a description of the Enforcement Set. It is recommended to describe what the Enforcement Set does.
- Run action on assets matching following query (required) - Select the Devices or Vulnerabilities asset category (Module) and a query. The Enforcement Action runs on the assets that match the query parameters. A query only returns results for the asset type for which it was created.
  - Select Devices to calculate the per Device or per Vulnerability per Device risk score.
  - Select Vulnerabilities to calculate the per Vulnerability risk score.
- Action name (required) - The name of the Main action. A default value is added by Axonius. You can change the name according to your needs.
- Configure Action Conditions - Toggle on to enter a conditional statement. See Configuring Enforcement Action Conditions to learn more about conditional statement syntax.
Required Fields
These fields must be configured to run the Enforcement Set.
- Weighted Risk Score - Choose the type of weighted risk score to calculate:
  - per Vulnerability per Device (the default) - This risk score calculation is based on values from either the Device or Vulnerability fields.
  - per Device - This risk score is calculated on values from at least two fields on a device. Requires defining a Device query in the Enforcement Set (not validated by the system).
  - per Vulnerability - This risk score calculation is based on values from at least two fields on a vulnerability. Requires defining a Vulnerability query in the Enforcement Set (not validated by the system).
- Under Score Calculation, do the following:
  - Click the + button for each additional device/vulnerability field value that you want to include in the risk score calculation. You can include an unlimited number of components, provided that the sum of their weights (Total %) is exactly 100. More selected fields means that the risk score takes more factors into consideration.
  - Configure the following for each risk score component:
    - For per Vulnerability per Device only, select the asset type of the component: Devices or Vulnerabilities.
    - In the Adapter dropdown, select the adapter from which to fetch the field value.
    - Select the Axonius field whose value is used in the risk score calculation.
    - Type or use the Up/Down arrows to input the Weight % of the selected Axonius field.
In some use cases, you might want to employ non-numeric fields in the calculation process. To learn more about this capability, see Assigning Numeric Values to Non-Numeric Fields.
The Total % appearing under the Weight % column must be 100. If it is not, the system warns you, as follows:
- When the sum of the weight percentages entered is below 100, a message appears in red showing the remaining % that must be added to one or more components.
- When the sum of the weight percentages entered is above 100, a message appears in red showing the excess % that must be removed from one or more components.
Adjust the weight percentage of each field value so that the Total % is 100.
When you run the Enforcement Action, for each asset that matches the query, the Enforcement Action takes the values from the selected numeric fields, multiplies each value by its respective weight, and then adds all the results to get a score. The result is written to a new Axonius field, according to the selected Weighted Risk Score, as follows:
- per Device - Result is written to the Risk Score - Axonius calculated field per device field and is displayed in each device's Asset Profile - Aggregated Fields or Asset Profile> Custom Data page. It can also be added to the table on the Devices page.
- per Vulnerability - Result is written to the Risk Score - Axonius calculated field per vulnerability field and can be displayed in the table on the Vulnerabilities page.
- per Vulnerability per Device - Result is written to the Risk Score - Axonius calculated field per vulnerability per device field and is displayed in the table in each device's Asset Profile> Tables> Vulnerable Software page.
- When the selected Weighted Risk Score type does not match the asset query defined in the Enforcement Set, the action fails. This is because the assets returned from the query do not have the fields selected for the risk score calculation.
  - Per device and Per vulnerability per device require a Device query to be defined in the Enforcement Set, as the risk scores are saved on the devices.
  - Per vulnerability requires a Vulnerability query to be defined in the Enforcement Set.
- When a field has a different value for each adapter connection, the value from the first adapter connection is used in the risk score calculation.
- Similar to conditional statement behavior, when one of the fields is missing or has no value, the calculation fails entirely and that asset gets the Axonius-assigned default value 0.
Viewing Risk Scores on Devices Page
Define Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Device, as follows:
- Define the Enforcement Set as in the following screen and then click Save and Run.
- When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.
- Click the green Successful link. The Devices page opens, listing the devices matching the query for which the Enforcement Action successfully calculated the Risk Score. For each device, the EC: Result Details field shows
When there are devices for which the Enforcement Action failed to calculate the Risk Score, you can click the red Failed link to view the devices, and see the complete error message for each one by hovering over the EC: Result Details field.
- Add the calculated Risk Score column to the table on the Devices page: Click Edit Columns> Edit Columns, select Aggregated Data, and in the fields that appear, select the Risk Score - Axonius calculated field per device field, and then click Add (refer to Changing Columns Displayed).
The table on the Devices page now displays the Risk Score - Axonius calculated field per device column.
The Risk Score - Axonius calculated field per device field is also found under Custom Data. You can view this field per successful device, in the table in the Asset Profile> Custom Data page.
Viewing Risk Scores in Vulnerabilities Table
Define Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Vulnerability, as follows:
- Define the Enforcement Set as in the following screen and then click Save and Run.
- When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.
- Click the red Failed link to view the vulnerabilities for which the Enforcement Action failed to calculate the Risk Score. See the complete error message by hovering over the EC: Result Details field.
- Click the green Successful link. The Vulnerabilities page opens, listing the vulnerabilities matching the query for which the Enforcement Action successfully calculated the Risk Score.
- Add the calculated Risk Score column to the table on the Vulnerabilities page: Click Edit Columns> Edit Columns, select Aggregated Data, and in the fields that appear, select the Risk Score - Axonius calculated field per vulnerability field, and then click Add (refer to Changing Columns Displayed).
The table on the Vulnerabilities page now displays the Risk Score - Axonius calculated field per vulnerability column.
The Risk Score - Axonius calculated field per vulnerability field is also found under Custom Data.
Viewing Risk Scores in Vulnerable Software Table
Define Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Vulnerability per Device, as follows:
- Define the Enforcement Set as in the following screen and then click Save and Run.
- When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.
- Click the green Successful link. The Devices page opens, listing the devices matching the query for which the Enforcement Action successfully calculated their vulnerabilities' Risk Scores.
For each device, the EC: Result Details field shows
When there are devices for which the Enforcement Action failed to calculate their vulnerabilities' Risk Scores, you can click the red Failed link to view the devices, and see the complete error message for each one by hovering over the EC: Result Details field.
- Click a device, and in its Asset Profile page that opens, in the left navigation pane, expand Tables and click Vulnerable Software.
The Vulnerable Software table opens, displaying the Risk Score - Axonius calculated field per vulnerability per device field for each device vulnerability, identified by CVE ID.
Assigning Numeric Values to Non-Numeric Fields
Some use cases might require employing non-numeric fields in the calculation process, so that you can accurately calculate the risk scores of vulnerabilities that include qualitative attributes. In these cases, you can select non-numeric fields such as text, boolean or enum fields and assign them numeric values using standard Axonius query operators. The assigned values are then incorporated into the overall vulnerability risk score calculation.
When you enter a non-numeric field in the Score Calculation section, the system notifies you that fields must have a numeric value. Click Set a numeric value for this field to proceed with the calculation.
The Set a Numeric Value for [Field Name] pane opens. Define a condition or a set of conditions that will determine which numeric value to assign to the field (the THEN part of the condition).
In the following example, we are setting a numeric value for the Last Seen field, which is a Devices date field. The condition is that if the value of this field is larger than 2024-12-01 (meaning, if the device was last seen after December 1, 2024), its numeric value will be 8, and this is the value that will be taken into account while calculating the risk score.
To add more conditions, click the + icon.
In the bottom ELSE section, enter a value that will be assigned to this field in case none of the conditions are met. If you do not enter any value, the default is 0.
In the following example, we set separate numeric values for the Critical and High values of the Severity field. If the severity is anything other than Critical or High, the numeric value is 5.
In the case of multiple values for a single field, the numeric values are assigned according to the condition order. Based on the above example, if we have a Severity field that contains both Critical and High severities, the numeric value is 10 as this condition appears first.
After you finish setting all the conditions, click Apply. The field now appears in the Score Calculation section and you can edit it if needed.
There is no limit on the number of non-numeric fields to incorporate in the risk score calculation, as long as you assign them all numeric values.
If the Score Calculation includes a field that has no value in the query, it will not be assigned a numeric value, and the calculation Enforcement Action will not take place.
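The calculation rules described above (weights that total exactly 100, ordered conditions with an ELSE value for non-numeric fields, and a score of 0 when a selected field has no value), as an added Python sketch that is not Axonius code. The field names, the value 8 for High and the sample assets are constructed, and dividing each weight by 100 is an assumption, since the page only says that values are multiplied by their weights.

```python
from datetime import date

# Ordered (predicate, value) rules plus an ELSE value; the first matching rule wins.
# Critical -> 10, ELSE -> 5 and the Last Seen rule follow the page; High -> 8 is constructed.
SEVERITY_RULES = ([(lambda v: "Critical" in v, 10), (lambda v: "High" in v, 8)], 5)
LAST_SEEN_RULES = ([(lambda v: v > date(2024, 12, 1), 8)], 0)  # ELSE left at its default, 0


def to_numeric(value, rules=None):
    """Map a field value to a number; None means the field has no value."""
    if value is None:
        return None
    if rules is None:
        return float(value)  # already a numeric field
    conditions, else_value = rules
    for predicate, number in conditions:
        if predicate(value):
            return number
    return else_value


def risk_score(asset, components):
    """components: list of (field, weight_percent, rules_or_None).

    Raises ValueError unless the weights total exactly 100. Returns 0 when any
    selected field is missing, mirroring the default value described on the page.
    """
    total = sum(weight for _, weight, _ in components)
    if total != 100:
        raise ValueError(f"Total % is {total}; adjust by {100 - total:+}")
    score = 0.0
    for field, weight, rules in components:
        number = to_numeric(asset.get(field), rules)
        if number is None:
            return 0  # the calculation fails for this asset
        score += number * weight / 100  # assumption: weight % applied as a fraction
    return score


# Constructed sample data (field names are illustrative, not Axonius identifiers).
COMPONENTS = [("cvss", 50, None), ("severity", 30, SEVERITY_RULES),
              ("last_seen", 20, LAST_SEEN_RULES)]
laptop = {"cvss": 9.0, "severity": ["High", "Critical"], "last_seen": date(2025, 1, 2)}
stale = {"cvss": 9.0, "severity": ["Medium"], "last_seen": date(2024, 6, 1)}
no_cvss = {"severity": ["Critical"], "last_seen": date(2025, 1, 2)}

if __name__ == "__main__":
    for name, asset in [("laptop", laptop), ("stale", stale), ("no_cvss", no_cvss)]:
        print(name, risk_score(asset, COMPONENTS))
```

An asset that scores 0 because a field is missing is indistinguishable by score alone from a genuinely low-risk asset, so review the Failed link in the run history before sorting or filtering on the calculated field.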
For more details about other Enforcement Actions available, see Action Library.