Axonius - Calculate Risk Score
  • 23 Jan 2025

Axonius - Calculate Risk Score calculates the risk score of an asset and writes the calculated value into the relevant Axonius risk score field for:

  • Assets returned by the selected query or assets selected on the relevant asset page.

While the Axonius - Calculate Risk Score action generally supports all asset types, a major use case for it is to calculate risk score across Devices and Vulnerabilities, meaning, calculating the risk score of a specific vulnerability in the context of a specific device (per-vulnerability-per-device). For example, a user might run this action to compare the riskiness of a specific vulnerability on a laptop compared to a desktop or mobile device. See Viewing Risk Scores in the Vulnerable Software Table to learn more.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

Required Fields

These fields must be configured to run the Enforcement Set.

  • Enforcement Set name - The name of this Enforcement Action. The system sets a default name. You can change the name.
  • Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.
  • Weighted Risk Score - The type of weighted risk score to calculate. This changes according to the assets you selected under the Select Assets tab. For example, if you selected Databases, the Weighted Risk Score is per Databases; if you selected Vulnerabilities, the Weighted Risk Score is per Vulnerability; and so on. An exception happens when you select Devices - then, you can choose between the following two weighted risk score types:
    • per Vulnerability per Device (default) - This risk score calculation is based on values from either the Device or Vulnerability fields. You must enter at least one Device field value and one Vulnerability field value.
    • per Device - This risk score is calculated on values from at least two fields on a device.
  • Score Calculation - in this section, do the following:
    1. Click the + button for each additional field value that you want to include in the risk score calculation. You can include an unlimited number of components, provided that the sum of their weights (Total %) is exactly 100. Selecting more fields means that the risk score takes more factors into consideration.
    2. Select the Axonius field whose value is used in the risk score calculation.
    3. For each risk score component, in the Adapter dropdown, select the adapter from which to fetch the field value.
    4. Type or use the Up/Down arrows to input the Weight % of the selected Axonius field.

In some use cases, you might want to employ non-numeric fields in the calculation process. To learn more about this capability, see Assigning Numeric Values to Non-Numeric Fields.

Note:

The Total % appearing under the Weight % column must be 100. If it is not, the system warns you, as follows:

  • When the sum of the weight percentages entered is below 100, a message appears in red showing the remaining % required to add to one or more components.
  • When the sum of the weight percentages entered is above 100, a message appears in red showing the exceeding % required to remove from one or more components.

Adjust the weight percentage of each field value so that the Total % is 100.

When you run the Enforcement Action, for each asset that matches the query, the Enforcement action takes the values from the selected numeric fields, multiplies them by their respective weight values, and completes by adding all the values to get a score. The result is written to a new Axonius field named Axonius Risk Score, according to the selected Weighted Risk Score.

Note:

If the Weighted Risk Score is per Vulnerability per Device, the result is written to the Risk Score - Axonius calculated field per vulnerability per device field and is displayed in the table in each device's Asset Profile > Tables > Vulnerable Software page. The Risk Score - Axonius calculated field per device field is also found under Custom Data.

Similar to conditional statement behavior, when one of the fields is missing or has no value, the calculation fails entirely and that asset gets the Axonius-assigned default value 0.

When a field has a different value for each adapter connection, the value for the calculation is selected randomly. For non-numeric fields with multiple values, the if-else conditions are evaluated sequentially: the score is assigned based on the first true condition, with the conditions being checked from top to bottom. Refer to Assigning Numeric Values to Non-Numeric Fields to learn more.

Viewing Risk Score Results

The following sections provide examples for how to view the Risk Score results after running the Enforcement Set.

Viewing Risk Scores on the Devices Page

Define the Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Device, as follows:

  1. Define the Enforcement Set, as demonstrated in the following screen, then click Save and Run.
    [Screenshot: RiskScoreDevicesAction.png]
  2. When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.
  3. Click the green Successful link. The Devices page opens, listing the devices matching the query for which the Enforcement Action successfully calculated the Risk Score. For each device, the EC: Result Details field shows EC-result-details-field
    When there are devices for which the Enforcement Action failed to calculate the Risk Score, you can click the red Failed link to view the devices, and see the complete error message for each one by hovering over the EC: Result Details field.
  4. Add the calculated Risk Score column to the table on the Devices page: select Edit Table > Edit Columns, and from the fields that appear, add the Axonius Risk Score field (refer to Changing Columns Display to learn more).
    The table on the Devices page now displays the Axonius Risk Score column.

Viewing Risk Scores in the Vulnerable Software Table

Define the Axonius - Calculate Risk Score Enforcement Action with Weighted Risk Score set to per Vulnerability per Device, as follows:

  1. Define the Enforcement Set as demonstrated in the following screen, then click Save and Run.
    [Screenshot: EC-per-vuln-per-device-config]
  2. When the Enforcement Set completes running, view its run history and click the most recent Enforcement Set run (row) to open its Run drawer.
  3. Click the green Successful link. The Devices page opens, listing the devices matching the query for which the Enforcement Action successfully calculated their vulnerabilities' Risk Scores.
    For each device, the EC: Result Details field shows EC-result-details-field

Note:

When there are devices for which the Enforcement Action failed to calculate their vulnerabilities' Risk Scores, you can click the red Failed link to view the devices, and see the complete error message for each one by hovering over the EC: Result Details field.

  4. Click a device, and in its Asset Profile page that opens, in the left navigation pane, expand Tables and select Vulnerable Software.
    The Vulnerable Software table opens, displaying the Risk Score - Axonius calculated field per vulnerability per device field for each device vulnerability, identified by CVE ID.

Note:

The Risk Score - Axonius calculated field per device field is also found under Custom Data. You can view this field per successful device, in the table in the Asset Profile > Custom Data page.

Assigning Numeric Values to Non-Numeric Fields

Some use cases might require employing non-numeric fields in the calculation process, so you can accurately calculate the risk scores of vulnerabilities that include qualitative attributes. In these cases, you can select non-numeric fields such as text, boolean or enum fields and assign them numeric values using standard Axonius query operators. The assigned values are then incorporated into the overall vulnerability risk score calculation.

When you enter a non-numeric field in the Score Calculation section, the system notifies you that fields must have a numeric value.

  1. Click Set a numeric value for this field to proceed with the calculation.
  2. The Set a Numeric Value for [Field Name] pane opens. Define a condition or a set of conditions that will determine which numeric value to assign to the field (the THEN part of the condition).
    In the following example, we are setting a numeric value for the Last Seen field, which is a Devices' date field. The condition is that if the value of this field is larger than 2024-12-01 (meaning, if the device was last seen after December 1, 2024), its numeric value will be 8, and this is the value that will be taken into account while calculating the risk score.
    [Screenshot: Condition1]
  3. To add more conditions, click the + icon.
  4. In the bottom ELSE section, enter a value that will be assigned to this field in case none of the conditions are met. If you do not enter any value, the default is 0.
    In the following example, we set separate numeric values for the Critical and High values of the Severity field. If the severity is any other than Critical or High, the numeric value is 5.
    [Screenshot: MultipleConditions]
  5. After you finish setting all the conditions, select Apply. The field now appears in the Score Calculation section and you can edit it if needed.

Notes:
  • There is no limit on the number of non-numeric fields to incorporate in the risk score calculation, as long as you assign them all numeric values.
  • In the case of multiple values for a single field, the numeric values are assigned according to the condition order. Based on the above example, if we have a Severity field that contains both Critical and High severities, the numeric value is 10 as this condition appears first.

If the Score Calculation includes a field that has no value in the query, it will not be assigned a numeric value, and the calculation Enforcement Action will not take place.
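
The weighted calculation described under Score Calculation and the condition ordering described in this section, modeled as an added Python example (an illustration written for this page, not Axonius code). It assumes Weight % is applied as weight / 100; the field keys `cvss`, `severity` and `last_seen`, the High value of 8 and the sample asset are constructed. The random choice among per-adapter values is not modeled.

```python
from datetime import date

DEFAULT_SCORE = 0  # per the page: a missing or empty field fails the calculation -> 0


def numeric_value(raw, rules, else_value):
    """Apply ordered IF/THEN rules (top to bottom); the first true rule wins."""
    if rules is None:                       # field is already numeric
        return raw
    values = raw if isinstance(raw, (list, tuple, set)) else [raw]
    for predicate, then_value in rules:
        if any(predicate(v) for v in values):
            return then_value
    return else_value                       # ELSE section (0 if left empty)


def risk_score(asset, components):
    """components: (field, weight_percent, rules, else_value) tuples."""
    total = sum(weight for _, weight, _, _ in components)
    if total != 100:
        raise ValueError(f"Total % is {total}; it must be exactly 100")
    score = 0.0
    for field, weight, rules, else_value in components:
        raw = asset.get(field)
        if raw in (None, "", []):           # no value: whole calculation fails
            return DEFAULT_SCORE
        # Assumption: Weight % is applied as weight / 100.
        score += numeric_value(raw, rules, else_value) * weight / 100
    return round(score, 2)


# Hypothetical field keys; rule values follow the page's examples where given.
SEVERITY_RULES = [
    (lambda v: v == "Critical", 10),        # from the page
    (lambda v: v == "High", 8),             # constructed value
]
LAST_SEEN_RULES = [(lambda v: v > date(2024, 12, 1), 8)]   # from the page
COMPONENTS = [
    ("cvss", 50, None, 0),
    ("severity", 30, SEVERITY_RULES, 5),    # ELSE 5, from the page
    ("last_seen", 20, LAST_SEEN_RULES, 0),
]

# Constructed sample: Severity holds both values, so Critical (first rule) wins.
SAMPLE = {"cvss": 9.0, "severity": ["High", "Critical"], "last_seen": date(2025, 1, 10)}

if __name__ == "__main__":
    print(risk_score(SAMPLE, COMPONENTS))
```

An asset that scores 0 here is indistinguishable from one whose calculation failed on a missing field, so check the Failed link in the run results before treating a 0 as low risk.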

For more details about other Enforcement Actions available, see Action Library.

