Managing flag types and SLA matrix
In Vulnerability settings, you can manage flag types and set up a Service Level Agreement (SLA) matrix.
Important
Tenable VM integration with Asset Manager is available through the Early Adopter Program. If you want to opt in, contact your Diligent representative.
Flag types
Different types of flags are used to classify and prioritize vulnerabilities. These flags provide insight into the severity and impact of each finding. For example: Actual finding, informational, false positive.
Note
The Permissions, Import, and General tabs, as well as the Vulnerability Details page, become available after you activate your Tenable account in Asset Manager. For information about activating, see Activating your Tenable VM account.
Adding a flag type
Note
The Actual finding flag type is available by default and cannot be edited or removed. All findings imported from Tenable are assigned this flag type.
- Open the Asset Manager app.
- On the left hand side, select the expand button to open the side panel.
- Select Vulnerabilities > Settings > General tab.
- Select Add New, and enter the flag type name in the text box.
- To save the name, either press Enter on the keyboard or scroll down and select Save Changes.
Result The new flag type is saved.
Removing a flag type
Note
The Actual finding flag type is available by default and cannot be edited or removed. All findings imported from Tenable are assigned this flag type.
- Open the Asset Manager app.
- On the left hand side, select the expand button to open the side panel.
- Select Vulnerabilities > Settings > General tab.
- Select the minus sign (-) next to the flag type that you want to remove.
Result The flag type is removed.
SLA settings
In the context of vulnerabilities, a Service Level Agreement (SLA) specifies the maximum number of days required to resolve a vulnerability after it has been identified.
In Asset Manager, you can calculate the SLA (due date) for the findings imported from Tenable by setting up an SLA matrix.
Prequisites to set up an SLA matrix
Finding severity value This is one of the values required to set up the SLA matrix. There are three types of scores imported from Tenable, and you can select one of them to calculate the SLA.
- VPR score Vulnerability Priority Rating (VPR) is a metric to prioritize the remediation of vulnerabilities based on multiple factors.
- CVSSv2 Common Vulnerability Scoring System version 2 is a standardized method to assess the severity of security vulnerabilities, focusing on base, temporal, and environmental metrics.
- CVSSv3 Updated version of the CVSSv2 method that provides more detailed and accurate assessment of vulnerabilities.
SLA matrix The SLA matrix is a table used to calculate the SLAs for the vulnerabilities/findings. This table consists of the following:
- Asset criticality This is the criticality level of the aggregated asset, and comes from the Asset Manager. Criticality signifies the level of the business impact of an asset. For example: High, Medium, and Low.
The assets created in Asset Manager must have the Criticality field completed for the SLA matrix to work. For more information, see Working with assets in Asset Manager. - Score This is the score you select in Finding severity value, and the options include: VPR score, CVSSv3, and CVSSv2. These are imported from Tenable and are available in findings. They contain a range of values, for example: 0-2, 2-4, and 4-6.
Note
If the Asset criticality metrics are missing or left blank in the SLA matrix table, the Execute SLA Calculation button will be disabled.
Setting up the SLA matrix
Note
The Permissions, Import, and General tabs, as well as the Vulnerability Details page, become available after you activate your Tenable account in Asset Manager. For information about activating, see Activating your Tenable VM account.
- Open the Asset Manager app.
- On the left hand side, select the expand button to open the side panel.
- Select Vulnerabilities > Settings > General tab.
- Under the SLA settings, select the Finding severity value from the following three options:
Note
The option you select as Finding severity value takes precedence.
If you select VPR score for the SLA due date calculation, and the VPR score from Tenable is not available, then the SLA calculation logic uses the CVSSv3 score. If CVSSv3 is also not available, then it uses the CVSSv2 score as the third option. If none of these scores are available from Tenable, then the due date is not calculated.
- VPR score
- CVSSv3
- CVSSv2
- In the SLA Matrix table, enter a number in each cell.
This number signifies the maximum number of days required to resolve a vulnerability/finding. For example: In the screenshot above, if the score is between 8-10 and the asset criticality is High, then the SLA is 7 days. - Select Save Changes.
Result The SLA settings are saved.