Axonius - Calculate Risk Score

Axonius - Calculate Risk Score calculates the risk score of an asset and writes the calculated value into the relevant Axonius risk score field for:

• Assets returned by the selected query or assets selected on the relevant asset page.

While the Axonius - Calculate Risk Score action generally supports all asset types, a major use case for it is to calculate risk score across Devices and Vulnerabilities, meaning, calculating the risk score of a specific vulnerability in the context of a specific device (per-vulnerability-per-device). For example, a user might run this action to compare the riskiness of a specific vulnerability on a laptop compared to a desktop or mobile device. See Viewing Risk Scores in the Vulnerable Software Table to learn more.

Required Fields

These fields must be configured to run the Enforcement Set.

• Enforcement Set name - The name of this Enforcement Action. The system sets a default name. You can change the name.
• Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.
• Weighted Risk Score - The type of weighted risk score to calculate. This changes according to the assets you selected under the Select Assets tab. For example, if you selected Databases, the Weighted Risk Score is per Databases; if you selected Vulnerabilities, the Weighted Risk Score is per Vulnerability; and so on. An exception happens when you select Devices - then, you can choose between the following two weighted risk score types:
  • per Vulnerability per Device (default) - This risk score calculation is based on values from either the Device or Vulnerability fields. You must enter at least one Device field value and one Vulnerability field value.
  • per Device - This risk score is calculated on values from at least two fields on a device.
• Score Calculation - in this section, do the following:
  1. Click the + button for each additional field value that you want to include in the risk score calculation. You can include an unlimited amount of components, provided that the sum of their weights (Total %) is exactly 100. More selected fields means that the risk score takes more factors into consideration.
  2. Select the Axonius field whose value is used in the risk score calculation.
  3. For each risk score component, in the Adapter dropdown, select the adapter from which to fetch the field value.
  4. Type or use the Up/Down arrows to input the Weight % of the selected Axonius field.

In some use cases, you might want to employ non-numeric fields in the calculation process. To learn more about this capability, see Assigning Numeric Values to Non-Numeric Fields.

When you run the Enforcement Action, for each asset that matches the query, the Enforcement action takes the values from the selected numeric fields, multiplies them by their respective weight values, and completes by adding all the values to get a score. The result is written to a new Axonius field named Axonius Risk Score, according to the selected Weighted Risk Score.

Similar to conditional statement behavior, when one of the fields is missing or has no value, the calculation fails entirely and that asset gets the Axonius-assigned default value 0.

When a field has a different value for each adapter connection, the value for the calculation is selected randomly. For non-numeric fields with multiple values, the if-else conditions are evaluated sequentially: the score is assigned based on the first true condition, with the conditions being checked from top to bottom. Refer to Assigning Numeric Values to Non-Numeric Fields to learn more.

Viewing Risk Score Results

The following sections provide examples for how to view the Risk Score results after running the Enforcement Set.

Viewing Risk Scores on the Devices Page

Define Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Device, as follows:

1. Define the Enforcement Set, as demonstrated in the following screen, then click Save and Run.

2. When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.

3. Click the green Successful link. The Devices page opens, listing the devices matching the query for which the Enforcement Action succeeded to calculate the Risk Score. For each device, the EC: Result Details field shows

When there are devices for which the Enforcement Action failed to calculate the Risk Score, you can click the red Failed link to view the devices, and see the complete error message for each one by hovering over the EC: Result Details field.

4. Add the calculated Risk Score column to the table on the Devices page: select Edit Table > Edit Columns, and from the fields that appear, add the Axonius Risk Score field (refer to Changing Columns Display to learn more).

The table on the Devices page now displays the Axonius Risk Score column.

Viewing Risk Scores in the Vulnerable Software Table

Define Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Vulnerability per Device, as follows:

1. Define the Enforcement Set as demonstrated in the following screen, then click Save and Run.
   
2. When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.
   
3. Click the green Successful link. The Devices page opens, listing the devices matching the query for which the Enforcement Action succeeded to calculate their vulnerabilities' Risk Scores.
   

For each device, the EC: Result Details field shows

4. Click a device, and in its Asset Profile page that opens, in the left navigation pane, expand Tables and select Vulnerable Software.
   The Vulnerable Software table opens, displaying the Risk Score - Axonius calculated field per vulnerability per device field for each device vulnerability, identified by CVE ID.
   

Assigning Numeric Values to Non-Numeric Fields

Some use cases might require to employ non-numeric fields in the calculation process, so you can accurately calculate the risk scores of vulnerabilities that include qualitative attributes. In these cases, you can select non-numeric fields such as text, boolean or enum fields and assign them numeric values using standard Axonius query operators. The assigned values are then incorporated into the overall vulnerability risk score calculation.

When you enter a non-numeric field in the Score Calculation section, the system notifies you that fields must have a numeric value.

1. Click Set a numeric value for this field to proceed with the calculation.

2. The Set a Numeric Value for [Field Name] pane opens. Define a condition or a set of conditions that will determine which numeric value to assign to the field (the THEN part of the condition).
   In the following example, we are setting a numeric value for the Last Seen field, which is a Devices' date field. The condition is that if the value of this field is larger then 2024-12-01 (meaning, if the device was last seen after December 1, 2024), its numeric value will be 8, and this is the value that will be taken into account while calculating the risk score.

3. To add more conditions, click the + icon.
4. In the bottom ELSE section, enter a value that will be assigned to this field in case none of the conditions are met. If you do not enter any value, the default is 0.
   In the following example, we set separate numeric values for the Critical and High values of the Severity field. If the severity is any other than Critical or High, the numeric value is 5.

5. After you finish setting all the conditions, select Apply. The field now appears in the Score Calculation section and you can edit it if needed.

If the Score Calculation includes a field that has no value in the query, it will not be assigned a numeric value, and the calculation Enforcement Action will not take place.