Create Alert based on Vulnerability Count and CVSS Score

I have been trying to find a way to create an alert that will alert via email when a new Vulnerability is detected that has a certain CVSS score.

The 'out-of-the-box' alert will trigger when the number of vulnerabilities increases, based on the Vulnerability Count field.

Is it possible to also base this on the CVSS score?

Scenario - new vulnerability received, CVSS score between 7.0 - 10.0 - send email

Scenario - new vulnerability received, CVSS score between 0 - 6.9 - do not alert

How do I trigger the alert based on CVSS score?

1 Solution

Hi

Maybe something like this:

Create a "Custom SWQL Alert" based on Node. Add the following to the editable frame:

INNER JOIN (
    SELECT
        n.caption,
        N.NodeID,
        va.score
    FROM Orion.Nodes AS N
    INNER JOIN NCM.VulnerabilitiesAnnouncementsNodes AS VAN ON N.Nodeid=VAN.CoreNodeid
    INNER JOIN NCM.VulnerabilitiesAnnouncements AS VA ON VAN.EntryID=VA.EntryID
    WHERE
        VA.Score>9
        AND N.[NodeProperties].[VulnerabilitiesCount] > N.[NodeProperties].[OldVulnerabilitiesCount]
) AS Result ON Nodes.NodeID = Result.NodeID

It will look something like this:

Seashore_0-1605018394545.png

 

Hope it helps.

 


3 Replies

I have managed to insert a variable into the alert trigger that will hopefully alert when new vulnerabilities are detected with a score greater than 7.0.

I tested the query in Database Manager and the information returned is correct; I just need to see if this works within the alert.

 

${N=SWQL;M=SELECT * FROM [dbo].[NCM_VulnerabilitiesAnnouncements]WHERE Score}

 

grizzlyferrett_0-1605020466150.png

 

 


Thanks @Seashore. Looks better than my solution. Will test and update on progress.
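
A preview query for checking which nodes the accepted solution's condition would match before the alert is enabled, using the 7.0 threshold from the question. This is an added example, not part of the thread: the entity and field names are the ones in the accepted answer, the column aliases are illustrative, and it assumes the query is run in a SWQL query tool rather than pasted into the alert's editable frame.

```sql
-- Added example (not from the thread).
-- Entities and fields: as used in the accepted answer.
-- Aliases (CurrentCount, PreviousCount, HighScoreEntries, HighestScore): illustrative.
-- Threshold 7.0: taken from the question's "7.0 - 10.0" scenario.
SELECT
    N.NodeID,
    N.Caption,
    N.NodeProperties.VulnerabilitiesCount    AS CurrentCount,
    N.NodeProperties.OldVulnerabilitiesCount AS PreviousCount,
    COUNT(VA.EntryID) AS HighScoreEntries,   -- announcements at or above the threshold
    MAX(VA.Score)     AS HighestScore
FROM Orion.Nodes AS N
INNER JOIN NCM.VulnerabilitiesAnnouncementsNodes AS VAN
    ON N.NodeID = VAN.CoreNodeID
INNER JOIN NCM.VulnerabilitiesAnnouncements AS VA
    ON VAN.EntryID = VA.EntryID
WHERE VA.Score >= 7.0
  -- same "count has increased" test as the alert condition
  AND N.NodeProperties.VulnerabilitiesCount > N.NodeProperties.OldVulnerabilitiesCount
GROUP BY
    N.NodeID,
    N.Caption,
    N.NodeProperties.VulnerabilitiesCount,
    N.NodeProperties.OldVulnerabilitiesCount
ORDER BY N.Caption
```

A node appears here when its vulnerability count has risen and it has at least one announcement at or above the threshold; the condition does not tie the score to the newly added entry, so compare HighScoreEntries between runs when validating the alert.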