Hi,
I have a vulnerability dataset. Each vulnerability comes with a score from the scanning tool. The scanning tool has its own calculation and assigns a severity based on that.
We, on the customer side, calculate Severity based on the customer-defined score ranges below:
9.0-10.0 > CRITICAL
7.0-8.9 > HIGH
4.0-6.9 > MEDIUM
0.1-3.9 > LOW
0.0 > NONE
The issue is that when data comes from the source/scanning tool, it has its own severities, which do not always line up with the above ranges. Our score ranges above are the main guideline to use.
Example:
Oftentimes, the Severity in the data does not match the Score passed by the tool, as I mentioned above.
A Severity of MAJOR in the data comes with a Score of 3.0.
A Severity of MINOR in the data comes with a Score of 3.0.
A Severity of CRITICAL in the data comes with a Score of 0.0.
A Severity of CRITICAL in the data comes with a Score of 10.0 (this is correct and in line with our ranges above).
I need both of the options below:
Desired output 1 (based on score ranges):
SEVERITY_Data  Score_Data  Severity_Adjusted_Score  Severity_Adjusted_Code
MAJOR          3.0         Median of 0.1-3.9        LOW
Desired output 2 (based on SEVERITY_Data, e.g. the value is MAJOR):
SEVERITY_Data  Score_Data  Severity_Adjusted_Score  Severity_Adjusted_Code
MAJOR          3.0         Median of 7.0-8.9        HIGH
Likewise for the rest of the severities and score ranges. Thanks in advance!
It's unclear how you need to aggregate scores or map severity labels, but here's an example using random data that may provide inspiration:
| makeresults count=100
| eval severity=mvindex(split("MINOR,MAJOR,CRITICAL", ","), random() % 3), score=round(10 * random() / 2147483647, 1)
| stats median(score) as score by severity
| rangemap field=score LOW=0.1-3.9 MEDIUM=4.0-6.9 HIGH=7.0-8.9 CRITICAL=9.0-10.0 default=NONE
| rename range as adjusted_severity
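The two normalisations the question asks for, written out as a tool-independent reference implementation (an added example, not the original poster's data pipeline or the answer's SPL). It computes both "desired outputs" for every row, uses the midpoint of the customer range as the adjusted score (the median of a closed interval), and flags rows where the score-based and label-based codes disagree, which is exactly the CRITICAL-with-0.0 case a triage team would want surfaced rather than silently overwritten. The question only states that MAJOR maps to HIGH; the other label translations in LABEL_MAP, the one-decimal rounding that closes the gap between 3.9 and 4.0, and the sample rows are assumptions constructed for this example.

```python
"""Normalise scanner severities onto customer-defined score ranges.

Added example; not code from the original thread. Sample rows below are
constructed to mirror the cases in the question, not real scanner output.
"""

# Customer-defined ranges from the question (inclusive, one-decimal bounds).
RANGES = {
    "CRITICAL": (9.0, 10.0),
    "HIGH": (7.0, 8.9),
    "MEDIUM": (4.0, 6.9),
    "LOW": (0.1, 3.9),
    "NONE": (0.0, 0.0),
}

# Scanner label -> customer code. MAJOR -> HIGH is given in the question;
# the remaining entries are assumptions for this example and should be
# replaced with the real tool's vocabulary.
LABEL_MAP = {
    "CRITICAL": "CRITICAL",
    "MAJOR": "HIGH",
    "MODERATE": "MEDIUM",
    "MINOR": "LOW",
    "INFO": "NONE",
}


def range_median(code):
    """Median of a closed interval is its midpoint; two decimals keep 7.95 exact."""
    lo, hi = RANGES[code]
    return round((lo + hi) / 2, 2)


def code_from_score(score):
    """Desired output 1: classify the numeric score against the customer ranges."""
    # Scanner scores carry one decimal; rounding means a value such as 3.95
    # cannot fall into the gap between LOW's 3.9 and MEDIUM's 4.0.
    s = round(float(score), 1)
    if not 0.0 <= s <= 10.0:
        raise ValueError(f"score out of range: {score!r}")
    for code, (lo, hi) in RANGES.items():
        if lo <= s <= hi:
            return code
    raise AssertionError("ranges do not cover [0.0, 10.0]")  # unreachable by construction


def code_from_label(label):
    """Desired output 2: trust the scanner's own label, translated to the customer code."""
    key = str(label).strip().upper()
    if key not in LABEL_MAP:
        # Fail loudly: silently defaulting an unknown label to NONE would hide findings.
        raise ValueError(f"unknown scanner severity label: {label!r}")
    return LABEL_MAP[key]


def adjust(record):
    """Return both normalisations for one row, plus a flag when they disagree."""
    by_score = code_from_score(record["Score_Data"])
    by_label = code_from_label(record["SEVERITY_Data"])
    return {
        "SEVERITY_Data": record["SEVERITY_Data"],
        "Score_Data": record["Score_Data"],
        "by_score": {"Severity_Adjusted_Score": range_median(by_score),
                     "Severity_Adjusted_Code": by_score},
        "by_label": {"Severity_Adjusted_Score": range_median(by_label),
                     "Severity_Adjusted_Code": by_label},
        "mismatch": by_score != by_label,
    }


def mismatches(records):
    """Rows where the tool's label and its score land in different customer bands."""
    return [r for r in (adjust(rec) for rec in records) if r["mismatch"]]


# Constructed sample rows mirroring the question's four examples.
SAMPLE = [
    {"SEVERITY_Data": "MAJOR", "Score_Data": 3.0},
    {"SEVERITY_Data": "MINOR", "Score_Data": 3.0},
    {"SEVERITY_Data": "CRITICAL", "Score_Data": 0.0},
    {"SEVERITY_Data": "CRITICAL", "Score_Data": 10.0},
]

if __name__ == "__main__":
    for row in SAMPLE:
        out = adjust(row)
        print(f"{out['SEVERITY_Data']:<9} {out['Score_Data']:>4} "
              f"by_score={out['by_score']['Severity_Adjusted_Code']}/{out['by_score']['Severity_Adjusted_Score']} "
              f"by_label={out['by_label']['Severity_Adjusted_Code']}/{out['by_label']['Severity_Adjusted_Score']} "
              f"mismatch={out['mismatch']}")
    print(f"{len(mismatches(SAMPLE))} of {len(SAMPLE)} rows disagree")
```

Because the customer ranges are stated as the root guideline, the score-based code is the one to act on; the label-based column is kept alongside it so that a disagreement (a CRITICAL label on a 0.0 score, for instance) can be reported back to the scanner owner instead of vanishing into whichever column won.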