Managing asset risk and criticality

Professional Community Platform

runZero is able to help users assign and evaluate risk and criticality levels to the assets in their inventory. This can help prioritize risk mitigation or vulnerability remediation efforts by allowing users to quickly identify the assets in their organization with the highest levels of risk or criticality.

Defining risk and criticality

The risk level assigned automatically to assets in your inventory is inferred from the risk associated with vulnerabilities or risky configurations on that asset and defaults to the value none. Vulnerability risk level may be defined by the vulnerability management solution the vulnerability records are ingested from, or by the risk level assigned to a query vulnerability. The risk level can be overridden, in which case the override is retained until the asset or vulnerability is deleted. For vulnerabilities ingested from integrations, this may occur when the source no longer reports the vulnerability on that asset.

The criticality level is assigned manually and defaults to the value unset. This value is intended to be used to denote the criticality or importance of an asset to your organization. As an example, you may choose to assign business-critical systems such as database and web servers a critical level, but normal enduser systems a medium level.

Assigning asset risk and criticality

Both asset risk and criticality can be assigned via the asset inventory. Asset criticality can also be assigned with alert rules.

Superusers, administrators, and users can add or modify asset risk and criticality levels, and can reset risk assignment or remove criticality assignment from assets.

Risk and criticality in the asset inventory

Follow these steps to set risk and criticality through the asset inventory:

1. Select all the assets you wish to update, applying a query filter if needed.
2. Click the Modify asset risk or Modify asset criticality button to open the relevant popup.
3. Select the level of risk or criticality you wish to apply to the asset(s).
4. Click Override risk or Set criticality to apply your changes.

Applying criticality with rules

To automatically apply asset criticality values to assets after a scan, create an alert rule by going to Alerts > Rules and clicking the Create rule button:

1. Select an inventory query you wish to use, such as the asset-query-results rule type, then click Configure rule.
2. Configure any desired settings.
3. Set the Action to Modify asset.
4. Select an option from the Asset criticality menu.
5. Save the rule.

This rule will now add the specified asset criticality level to all assets that match the rule when a scan completes.

Asset risk report

The Asset risk report provides visibility into the risk and criticality levels across your asset inventory. To run the Asset risk report, go to Reports > Asset risk report and click the Asset risk report button. Configure the following fields:

1. Sites: Select a site of assets to include in the report, or leave the default All Sites.
2. Minimum risk: Choose the minimum asset risk level to include.
3. Minimum criticality: Choose the minimum asset criticality to include.
4. Top vulnerabilities per asset: Set this field to an integer between 0 and 20. If the value is set to an integer between 1 and 20, the report will list up to that number of the top vulnerabilities detected on each asset. The top vulnerabilities are identified by sorting the vulnerability results for each asset by risk rank, then risk score, then severity rank, then severity score.
5. Click Create report to generate the results.

The resulting report is grouped by asset criticality level and then sorted by risk level. The results can be exported as JSON Lines (.jsonl), a JSON document (.json), or CSV (.csv).