Custom Severity: Overview

This page feature describes a feature currently development. If you would like to join the beta program, please contact support through the Ivanti Success Portal.

The Ivanti Neurons for RBVM and ASPM platform offers two different scoring systems for findings. VRR, Ivanti Neuron’s proprietary scoring system, helps you to more efficiently prioritize findings for remediation. You can now change Severity, the second scoring metric in Ivanti Neurons, if your organization prefers the scanner score or CVSS over VRR. Additionally, this feature allows organizations to either mirror VRR as Severity or incorporate VRR into Severity.

When you update the Severity algorithm, the new scores will populate for open findings. Severity already integrates seamlessly with many parts of Ivanti Neurons. You can set up dashboards, export templates, SLAs, and saved views that show risk in terms of Severity.

Configuring Custom Severity

To update a client setting, you must have the privilege Client Settings Control.

Go to Configuration > Client Settings.

Then go to Severity Configurations and select EDIT CONFIGURATION.

In the first step, configure the platform to always choose the highest of all scores available or prioritize one scoring metric over the others.

In both cases, you can choose the following scoring metrics as sources for the final finding score:

VRR: Ivanti Neuron’s proprietary scoring algorithm
CVSS V3: Third version of the NVD scoring system for CVEs
CVSS V2: Second version of the NVD scoring system for CVEs
Normalized Scanner Severity: Scanner score for the finding, mapped to a value between 1 and 10

For Priority Order, you must order the scoring metrics that you want to include. Ivanti Neurons will always default to option 1 unless the finding has no associated scores of that type. Then it will default to option 2 and so on.

As the scoring metrics available for a finding can vary, Ivanti Neurons requires for you to always include Normalized Scanner Severity.

On the second step, type “I understand” to submit.

Once you submit, you will see information about the new Severity algorithm, including the scoring method and the new version number. The system will also block a new update until the displayed date.

Planning the Update

You should carefully consider the following before updating Severity:

Ivanti Neurons may take several days to finish calculating new scores for all open findings. Ivanti Neurons only allows you to submit a new custom severity job every 7 days.
Other users will see scores change in their dashboards and list views. Until Ivanti Neurons finishes calculating all new scores, your teams should avoid doing analysis or audits based Severity metrics.
If you have enabled Ivanti Neurons to update existing SLAs in response to a Severity score change, any SLAs based on Severity could change.
Know your data. The same algorithm applies to host findings and application findings. Depending on the types of connectors your organization has enabled, some findings may lack CVE associations. Many low and informational findings also have no CVE associations. However, these findings will still have VRR and scanner severity scores.

Understanding Scoring Methods

For this discussion, assume that you have a finding with the following properties:

VRR of 9.2
Two CVEs with CVSS V3 scores of 8.2 and 9.0
Normalized Scanner Severity of 8.6

This section demonstrates how you could calculate the final score for the finding by hand to determine which scoring method to choose.

Example 1: Highest Of

Your administrator has chose the highest of CVSS V3, VRR, and Normalized Scanner Severity. The finding will have a final score of 9.2.

Example 2: Priority Order

Your administrator has chosen this priority order:

CVSS V3
VRR
Normalized Scanner Severity

The system only looks at the CVSS V3 scores because they have priority. In this scenario, the finding will have a final score of 9.0. For CVSS V3 scores, the system always chooses the highest. (Similarly, the system will choose the highest of all CVSS V2 scores if V2 has precedence.)

Understanding Versions

Ivanti Neurons only applies the latest version of Severity to new and open findings. In the Host Findings and Application Findings pages, you can inspect the finding to determine the version associated with the finding’s last assigned Severity score.

Closed findings may show an earlier version number than the current one. If the system reworks the finding for any reason, the system will update the Severity score to match the most recent configuration.

All clients start with version 1. Version 1 uses highest of CVSS V3, CVSS V2, and Normalized Scanner Severity.

Resetting Severity to the Default

You can reset the scoring method to the default. To do, this choose “Highest Of” in step 1 and select REVERT TO DEFAULT CONFIGURATION. Ivanti Neurons will consider an update to the default configuration a new version.

Custom Severity FAQ

Does custom severity affect VRR or RS³?

While you can base custom severity on VRR, the finding Severity score has no impact on the finding’s VRR or the asset’s RS³ score.

When I update Severity to a new version, will that have an impact on finding SLAs?

The system will recalculate finding SLAs for existing findings if 1) the Scoring Metric is Severity and 2) you check the box “Update SLA if Severity changes” in Step 4.

Does an update of the Severity version trigger notifications based on Severity Group?

A family of notifications informs users when findings change Severity score or when the platform ingests new findings in a specific Severity Group. When the platform processes an update to the Severity algorithm, the platform will not send out these notifications. Updates to the Severity scores that happen in response to normal operations (e.g. new ingested finding, VRR score change, finding re-opened by a System Rework workflow, etc.) should still trigger the notifications.

The notifications include:

New Open Critical Findings (Severity)
New Open High Findings (Severity)
New Open Medium Findings (Severity)