
Create Alert based on Vulnerability Count and CVSS Score

I have been trying to find a way to create an alert that will alert via email when a new Vulnerability is detected that has a certain CVSS score.

The 'out-the-box' alert will trigger when the number of vulnerabilities increases based on the Vulnerability Count field.

Is it possible to also base this on the CVSS score?

Scenario - new vulnerability received, CVSS score between 7.0 - 10.0 - send email

Scenario - new vulnerability received, CVSS score between 0 - 6.9 - do not alert

How do I trigger the alert based on CVSS score?

  • Hi

    Maybe something like this:

    Create a "Custom SWQL Alert" based on Node. Add the following to the editable frame:

    INNER JOIN (
        SELECT
            n.caption,
            N.NodeID,
            va.score
        FROM Orion.Nodes AS N
        INNER JOIN NCM.VulnerabilitiesAnnouncementsNodes AS VAN ON N.Nodeid=VAN.CoreNodeid
        INNER JOIN NCM.VulnerabilitiesAnnouncements AS VA ON VAN.EntryID=VA.EntryID
        WHERE
            VA.Score>9
            AND N.[NodeProperties].[VulnerabilitiesCount] > N.[NodeProperties].[OldVulnerabilitiesCount]
    ) AS Result ON Nodes.NodeID = Result.NodeID

    It will look something like this:

    [Image: Seashore_0-1605018394545.png]

    Hope it helps.

  • I have managed to insert a variable into the alert trigger that will hopefully alert when new vulnerabilities are detected with a score greater than 7.0.

    I tested the query in Database Manager and the information returned is correct; I just need to see if this works within the alert.

    ${N=SWQL;M=SELECT * FROM [dbo].[NCM_VulnerabilitiesAnnouncements]WHERE Score}

    [Image: grizzlyferrett_0-1605020466150.png]

  • Thanks. Looks better than my solution. Will test and update on progress.
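
Added example, not part of the thread and not SolarWinds code: the posted join matches any announcement scoring above 9 on a node whose count rose, so the score is not tied to the announcement that is actually new. The Python below compares that logic with a per-finding diff between two polls using the question's 7.0 - 10.0 band; it assumes (NodeID, EntryID, Score) rows can be exported each cycle, and all function names, entry IDs and sample data are constructed.

```python
from typing import Dict, List, Set, Tuple

Finding = Tuple[int, str]          # (NodeID, EntryID), constructed shape
ALERT_MIN, ALERT_MAX = 7.0, 10.0   # band from the question's scenarios

# Constructed sample data: findings seen at the previous and current poll.
PREVIOUS: Set[Finding] = {(1, "ENTRY-A"), (3, "ENTRY-D")}
CURRENT: Set[Finding] = {(1, "ENTRY-A"), (1, "ENTRY-B"), (2, "ENTRY-C"),
                         (3, "ENTRY-D"), (3, "ENTRY-E")}
SCORES: Dict[str, float] = {"ENTRY-A": 9.8, "ENTRY-B": 4.3, "ENTRY-C": 7.5,
                            "ENTRY-D": 5.0, "ENTRY-E": 9.1}


def count_based_nodes(previous: Set[Finding], current: Set[Finding],
                      scores: Dict[str, float], min_score: float) -> Set[int]:
    """Count rose AND some announcement on the node scores above min_score."""
    flagged = set()
    for node in {n for n, _ in current}:
        old_count = sum(1 for n, _ in previous if n == node)
        entries = [e for n, e in current if n == node]
        if len(entries) > old_count and any(
                scores.get(e, 0.0) > min_score for e in entries):
            flagged.add(node)
    return flagged


def new_alertable(previous: Set[Finding], current: Set[Finding],
                  scores: Dict[str, float]) -> List[Tuple[int, str, float]]:
    """Only findings absent from the previous poll, scored inside the band."""
    alerts = []
    for node_id, entry_id in sorted(current - previous):
        score = scores.get(entry_id)
        if score is not None and ALERT_MIN <= score <= ALERT_MAX:
            alerts.append((node_id, entry_id, score))
    return alerts


if __name__ == "__main__":
    # Node 1 is flagged by the count-based logic because of an old 9.8
    # finding, although its only new finding scores 4.3.
    print("count-based:", sorted(count_based_nodes(PREVIOUS, CURRENT, SCORES, 9)))
    print("per-finding:", new_alertable(PREVIOUS, CURRENT, SCORES))
```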