Axonius - Calculate Risk Score
- Updated on 16 Jul 2023
Axonius - Calculate Risk Score calculates the risk score per device, per vulnerability, or per-vulnerability-per-device, and writes the calculated value into the relevant Axonius risk score field.
The main purpose of the Axonius - Calculate Risk Score action is to support the per-vulnerability-per-device risk score calculation, which involves complex cross-entity calculations. For example, a user might run this action to compare the riskiness of a specific vulnerability on a laptop with its riskiness on a desktop or mobile device. It can also be used for single-asset risk calculations (per device, per vulnerability), although for these, users can create their own custom fields using conditional statements and custom fields.
- Not all asset categories are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.
General Settings
- Enforcement Set name (required) - The name of the Enforcement Set. A default value is added by Axonius. You can change the name according to your needs.
- Add description - Click to add a description of the Enforcement Set. It is recommended to describe what the Enforcement Set does.
- Run action on assets matching following query (required) - Select the Devices or Vulnerabilities asset category (Module) and a query. The Enforcement Action runs on the assets that match the query parameters. A query only returns results for the asset type for which it was created.
- Select Devices to calculate the per Device or per Vulnerability per Device risk score.
- Select Vulnerabilities to calculate the per Vulnerability risk score.
- Action name (required) - The name of the Main action. A default value is added by Axonius. You can change the name according to your needs.
- Configure Action Conditions - Toggle on to enter a conditional statement. See Configuring Enforcement Action Conditions to learn more about conditional statement syntax.
Required Fields
These fields must be configured to run the Enforcement Set.
- Weighted Risk Score - Choose the type of weighted risk score to calculate:
- per Vulnerability per Device (the default) - This risk score calculation is based on values from at least one Vulnerability field and one Device field. Requires defining a Device query in the Enforcement Set (not validated by the system).
- per Device - This risk score is calculated on values from at least two fields on a device. Requires defining a Device query in the Enforcement Set (not validated by the system).
- per Vulnerability - This risk score calculation is based on values from at least two fields on a vulnerability. Requires defining a Vulnerability query in the Enforcement Set (not validated by the system).
- Under Score Calculation, do the following:
- Click the + button for each additional device/vulnerability field value that you want to include in the risk score calculation. You can include an unlimited number of components, provided that the sum of their weights (Total %) is exactly 100. Selecting more fields means that the risk score takes more factors into consideration.
- Configure the following for each risk score component:
- For per Vulnerability per Device only, select the asset type of the component: Vulnerabilities or Devices.
- In the Adapter dropdown, select the adapter from which to fetch the field value.
- Select the Axonius field whose value is used in the risk score calculation.
- Type or use the Up/Down arrows to input the Weight % of the selected Axonius field.
The Total % appearing under the Weight % column must be 100. If it is not, the system warns you, as follows:
- When the sum of the weight percentages entered is below 100, a message appears in red showing the remaining % that must be added to one or more components.
- When the sum of the weight percentages entered is above 100, a message appears in red showing the excess % that must be removed from one or more components.
Adjust the weight percentage of each field value so that the Total % is 100.
When you run the Enforcement Action, for each asset that matches the query, the Enforcement Action takes the values from the selected numeric fields, multiplies them by their respective weight values, and then adds all the resulting values to get a score. The result is written to a new Axonius field, according to the selected Weighted Risk Score, as follows:
- per Device - Result is written to the Risk Score - Axonius calculated field per device field and is displayed in each device's Asset Profile - Aggregated Fields or Asset Profile> Custom Data page. It can also be added to the table on the Devices page.
- per Vulnerability - Result is written to the Risk Score - Axonius calculated field per vulnerability field and can be displayed in the table on the Vulnerabilities page.
- per Vulnerability per Device - Result is written to the Risk Score - Axonius calculated field per vulnerability per device field and is displayed in the table in each device's Asset Profile> Tables> Vulnerable Software page.
- When the selected Weighted Risk Score type does not match the asset query defined in the Enforcement Set, the action fails. This is because the assets returned from the query do not have the fields selected for the risk score calculation.
- Per device and Per vulnerability per device require a Device query to be defined in the Enforcement Set, as the risk scores are saved on the devices.
- Per vulnerability requires a Vulnerability query to be defined in the Enforcement Set.
- When a field has a different value for each adapter connection, the value from the first adapter connection is used in the risk score calculation.
- Similar to conditional statement behavior, when one of the fields is missing or has no value, the calculation fails entirely and that asset gets the Axonius-assigned default value 0.
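The calculation and failure rules above, modeled locally as an added example (this is not Axonius code and it calls no Axonius API). The field names, sample device and placeholder CVE IDs are constructed, and scaling each weight as weight/100 is an assumption; the page only states that values are multiplied by their weights and summed.

```python
# Added illustration, not Axonius code: a local model of the scoring rules above.
# Field names, sample assets and the weight/100 scaling are assumptions.

def validate_components(components):
    """components: list of (asset_type, field_name, weight_percent) tuples."""
    total = sum(weight for _, _, weight in components)
    if total < 100:
        raise ValueError(f"Total % is {total}: add {100 - total}% to the components")
    if total > 100:
        raise ValueError(f"Total % is {total}: remove {total - 100}% from the components")

def field_value(asset, field):
    """Value used for scoring, or None when the field is missing or empty.
    A list models one value per adapter connection; the first one is used."""
    value = asset.get(field)
    if isinstance(value, list):
        value = value[0] if value else None
    return value

def risk_score(components, device=None, vulnerability=None):
    """Weighted sum of the selected fields; any missing value gives the default 0."""
    validate_components(components)
    sources = {"Devices": device or {}, "Vulnerabilities": vulnerability or {}}
    score = 0.0
    for asset_type, field, weight in components:
        value = field_value(sources[asset_type], field)
        if value is None:
            return 0  # the calculation fails entirely for this asset
        score += value * weight / 100
    return score

def per_vulnerability_per_device(components, device):
    """One score per CVE on the device, mixing device and vulnerability fields."""
    return {vuln["cve_id"]: risk_score(components, device, vuln)
            for vuln in device.get("vulnerable_software", [])}

# Constructed sample input: 60% vulnerability severity, 40% device criticality.
COMPONENTS = [("Vulnerabilities", "cvss", 60), ("Devices", "criticality", 40)]
LAPTOP = {
    "criticality": [8, 3],  # two adapter connections report different values
    "vulnerable_software": [
        {"cve_id": "CVE-0000-0001", "cvss": 9.8},  # placeholder CVE IDs
        {"cve_id": "CVE-0000-0002"},               # severity field missing
    ],
}

if __name__ == "__main__":
    print(per_vulnerability_per_device(COMPONENTS, LAPTOP))
```

A score of 0 in this model is ambiguous in the same way as on the page: it can mean a failed calculation rather than a low-risk asset, so check the Failed link before treating zeros as safe.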
Viewing Risk Scores on Devices Page
Define Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Device, as follows:
- Define the Enforcement Set as in the following screen and then click Save and Run.
- When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.
- Click the green Successful link. The Devices page opens, listing the devices matching the query for which the Enforcement Action successfully calculated the Risk Score. For each device, the EC: Result Details field shows
When there are devices for which the Enforcement Action failed to calculate the Risk Score, you can click the red Failed link to view the devices, and see the complete error message for each one by hovering over the EC: Result Details field.
- Add the calculated Risk Score column to the table on the Devices page: Click Edit Columns> Edit Columns, select Aggregated Data, and in the fields that appear, select the Risk Score - Axonius calculated field per device field, and then click Add (refer to Changing Columns Displayed).
The table on the Devices page now displays the Risk Score - Axonius calculated field per device column.
The Risk Score - Axonius calculated field per device field is also found under Custom Data. You can view this field per successful device, in the table in the Asset Profile> Custom Data page.
Viewing Risk Scores in Vulnerabilities Table
Define Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Vulnerability, as follows:
- Define the Enforcement Set as in the following screen and then click Save and Run.
- When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.
- Click the red Failed link to view the vulnerabilities for which the Enforcement Action failed to calculate the Risk Score. See the complete error message by hovering over the EC: Result Details field.
- Click the green Successful link. The Vulnerabilities page opens, listing the vulnerabilities matching the query for which the Enforcement Action successfully calculated the Risk Score.
- Add the calculated Risk Score column to the table on the Vulnerabilities page: Click Edit Columns> Edit Columns, select Aggregated Data, and in the fields that appear, select the Risk Score - Axonius calculated field per vulnerability field, and then click Add (refer to Changing Columns Displayed).
The table on the Vulnerabilities page now displays the Risk Score - Axonius calculated field per vulnerability column.
The Risk Score - Axonius calculated field per vulnerability field is also found under Custom Data.
Viewing Risk Scores in Vulnerable Software Table
Define Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Vulnerability per Device, as follows:
- Define the Enforcement Set as in the following screen and then click Save and Run.
- When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.
- Click the green Successful link. The Devices page opens, listing the devices matching the query for which the Enforcement Action successfully calculated their vulnerabilities' Risk Scores.
For each device, the EC: Result Details field shows
When there are devices for which the Enforcement Action failed to calculate their vulnerabilities' Risk Scores, you can click the red Failed link to view the devices, and see the complete error message for each one by hovering over the EC: Result Details field.
- Click a device, and in its Asset Profile page that opens, in the left navigation pane, expand Tables and click Vulnerable Software.
The Vulnerable Software table opens, displaying the Risk Score - Axonius calculated field per vulnerability per device field for each device vulnerability, identified by CVE ID.
For more details about other Enforcement Actions available, see Action Library.