
Custom Risk Classification
Use custom risk scores in JSA Vulnerability Manager to classify vulnerabilities that pose the most risk to your organization. Custom risk classification allows you to override a vulnerability's risk with your own risk classification.

Based on your individual requirements, you might want to override a vulnerability's risk with your own risk classification. A vulnerability that JSA Vulnerability Manager classifies with a high CVSS score may not actually pose a serious risk to your organization because of mitigating factors. For example, if a CVSS 9.5 IPv6 vulnerability is published, and an enterprise does not have any IPv6 infrastructure, then the high CVSS score is not justified.

Configuring Custom Risk Scores for Vulnerabilities

In JSA Vulnerability Manager, you can add an internal custom risk score to vulnerabilities that reflects the real risk to your organization.

Note

A nightly auto update job runs to update all the custom risk fields. For reporting and saved search purposes, your custom risk changes will not come into effect right away. You can run the auto update manually to populate the custom risk information that is entered. Run auto update by clicking the Auto Update icon on the Admin tab.

  1. Click the Vulnerabilities tab.
  2. In the navigation pane, click Research > Vulnerabilities.
  3. To assign a custom risk score to an asset, use the following steps:
    1. Select a vulnerability and click Edit/Triage.

    2. Choose a custom risk type from the Custom Risk Assignment window:

      • Blank: no change is made to custom risk, but a note is assigned.

      • Critical

      • High

      • Medium

      • Low

      • Warning

      • CVSS: the vulnerability has a custom risk set in accordance with the rules for the current CVSS score.

      • Unassign: the vulnerability no longer has a custom risk level. Use this option to remove an existing custom risk.

    3. Optional: Add a note by using the RTF text box to reflect the vulnerability assignment. For example, you could add a note to explain why you are changing the classification.

    4. Click Save.

    5. When a custom risk is created on any vulnerability, a new column called Custom Risk displays in the Research Vulnerabilities screen.

  4. To view the custom risk details and the note related to a custom risk assignment, double-click the vulnerability in the Research Vulnerabilities screen.
  5. To search for vulnerabilities that have not yet been triaged, use the following steps:
    1. In the navigation pane, click Research > Vulnerabilities.

    2. Click Search > New Search.

    3. In the Custom Risk Level section, select one of the following parameters to search on:

      Table 1: Custom Risk Search Parameters

      Custom Risk Search Type: Description

      • All Vulnerabilities: Returns all vulnerabilities regardless of whether a custom risk is assigned.

      • All triaged vulnerabilities: Returns all vulnerabilities with a custom risk assigned.

      • All not yet triaged vulnerabilities: Returns all vulnerabilities that do not have a custom risk assigned.

      • All vulnerabilities with the specific custom risk level: Returns vulnerabilities that are filtered on the custom risk type that is selected, for example, critical, high, or medium.

    4. Click Search.

  6. Export a list of vulnerabilities from the Vulnerability List screen for audit or compliance purposes by using the following steps:
    1. In the navigation pane, click Research > Vulnerabilities.

    2. Select the export option required:

      • Export to XML

      • Export to CSV
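The triage semantics above (the Custom Risk Assignment choices and the Table 1 search types) as an added Python model; this is illustrative code, not JSA product code or its API. The CVSS-to-level bands in cvss_to_level are an assumption (the page does not state JSA's own rules), and the Vulnerability record and SAMPLE data are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ("Critical", "High", "Medium", "Low", "Warning")

@dataclass
class Vulnerability:
    vuln_id: str
    cvss: float
    custom_risk: Optional[str] = None   # None means not yet triaged
    notes: list = field(default_factory=list)

def cvss_to_level(score: float) -> str:
    # ASSUMPTION: CVSS v3 qualitative bands; the page does not state JSA's own rules.
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def apply_custom_risk(v: Vulnerability, choice: str, note: str = "") -> Vulnerability:
    """Apply one choice from the Custom Risk Assignment window."""
    if note:                       # the note travels with the vulnerability
        v.notes.append(note)
    if choice == "Blank":          # note only; custom risk is left unchanged
        return v
    if choice == "Unassign":       # remove an existing custom risk
        v.custom_risk = None
    elif choice == "CVSS":         # derive custom risk from the current CVSS score
        v.custom_risk = cvss_to_level(v.cvss)
    elif choice in LEVELS:
        v.custom_risk = choice
    else:
        raise ValueError(f"unknown custom risk choice: {choice}")
    return v

def search(vulns, search_type: str, level: Optional[str] = None):
    """The four Custom Risk Level search parameters from Table 1."""
    if search_type == "all":
        return list(vulns)
    if search_type == "triaged":
        return [v for v in vulns if v.custom_risk is not None]
    if search_type == "not_triaged":
        return [v for v in vulns if v.custom_risk is None]
    if search_type == "level":
        return [v for v in vulns if v.custom_risk == level]
    raise ValueError(f"unknown search type: {search_type}")

# Constructed sample data; V-1 is the CVSS 9.5 IPv6 case from the page.
SAMPLE = [Vulnerability("V-1", 9.5), Vulnerability("V-2", 7.2), Vulnerability("V-3", 3.1)]
```

Downgrading V-1 to Low with a note records the mitigating factor alongside the override, which is what the audit export is meant to capture.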