Creating Equations
© 2024 PlexTrac, Inc. All rights reserved.
Admins can create an equation to produce a custom score. The process for creating an equation for a priority and findings is the same and consists of two steps:
Equation Properties: The tab in which the name, description, and (when applicable) what clients the equation applies to are entered.
Equation Builder: The tab where the user selects and configures the variables of the equation that determines the contextual score.
The example below is done within the Priorities tab, but the process is the same as the Findings tab.
Step 1: From the Admin Dashboard, click Risk scoring.
Step 2: Click Create Equation.
Step 3: Select whether to start from the tenant default or another equation. When finished, click Create.
Step 4: Enter an equation name and description on the "Edit basic information" tab.
If priorities are configured for all clients, client-specific configuration options for priorities equations will not appear, and users will proceed to Step 9.
Step 5: Identify whether the equation will apply to all clients in the tenancy who currently have no equation assigned or to a specific client.
If this equation applies to all clients, skip to Step 9.
Step 6: If client-specific, click Select clients and search, scroll, or use filter options to find the desired client.
Step 7: Click Select.
Step 8: Click Save at the bottom right of the page.
Step 9: Click Continue at the bottom right of the page.
The "Edit variables and equation" second tab appears as the equation builder tab.
The equation builder tab consists of three sections/boxes:
Box 1 - Score Equation: This box displays the current equation and allows users to modify it by dragging variables on/off the box.
Box 2 - Available Equation Variables: This box lists the available variables to be leveraged to update the current equation in Box 1.
Box 3 - Variable Configuration: When a variable in Box 1 is clicked or selected from the pulldown menu at the top of Box 3, this box provides further details that can be used to define how the variable is utilized in the equation. These details include additional properties and business rules.
The total equation weight must always equal 100%. The current allocation is listed above the equation.
Variable weights can be edited directly in the variable's box or in Box 3 on the right of the page in the "Variable weight" section.
To calculate the score for each variable in the equation, multiply the weight of the variable by the highest rule score and then divide the result by 100. For instance, if the weight of a variable is 50% and the highest rule score is 90, the score for that variable would be 50 * (90/100) = 45.
If the total allocation for variables does not equal 100%, the total equation weight value in Box 1 will turn red to indicate an error, and an error message will appear if attempting to save the equation.
Variables can be included with an assigned 0% weight, but these will be ignored in the equation and have the same result as those that do not exist in the equation at all.
PlexTrac provides a default equation out of the box that cannot be deleted but can be edited. This equation becomes the tenant default that can be used as a template or starting point to create additional equations.
Any other equation can be reset to its default equation by clicking the kebab menu in the equation's box and clicking Reset to default PlexTrac equation.
The equation builder allows for many variables and scenarios. Below are a few examples that cover various aspects of the functionality and demonstrate the multiple ways equations can be leveraged to meet specific client or tenant needs.
When configuring an equation, errors will not be visible until the user clicks Save. After that initial action, however, error messages are provided dynamically as the equation is worked on.
Step 1: Click the Asset type variable in Box 2 (Available Equation Variables), drag it up to Box 1 directly above and place it in the equation.
Step 2: Click Save. An error notification appears both in the equation and as a message because an operator variable is needed between the variables Asset type and Asset criticality.
All field variables need to be separated by an operator.
Step 3: Click the operator variable in Box 2, drag it to Box 1, and place it where the error notification was displayed between the variables Asset type and Asset criticality.
The error is resolved, and the message disappears.
Step 4: The next step is to set the variable attribute with the correct value. Click the Asset type variable or select it from the pulldown menu in Box 3.
Step 5: Select the "Server" asset type value from the pulldown menu for Rule 1.
Step 6: The next step is to give Asset type some weight in the equation, or else it will be ignored, as all added variables default to 0%. Change the "Variable weight" value to 10%. The variable in the equation will dynamically update.
Step 7: Identify how many points the variable will receive if the business rule is met by adding 75 to the "out of 100" box at the bottom of the rule.
Step 8: Since the total equation weight is now over 100% with the new variable being updated to 10%, another variable must be reduced to compensate. Note that the total equation weight is currently 110% and in red, denoting an error. An error message is also provided.
Click Source data and change its weight from 80% to 70% so that the total of all four variables equals 100%.
Step 9: The equation is now ready to be executed. Click Save and check "Enable equation after saving" to immediately enable (all existing equations assigned to the client will be disabled).
Step 1: Click Finding score (CVSS 3.1) in Box 1, drag it to Box 2, and release the mouse button.
The equation no longer includes that variable, and CVSS 3.1 is now listed as available in Box 2.
Step 2: Because the total equation weight must equal 100% and 10% of that weight was removed in Step 1, the remaining variables must be adjusted to compensate. Click Source data and add 10% to the existing set weight to increase from 70% to 80%.
Step 3: The next step is to remove an operator variable, as an equation cannot end with an empty operator.
Select the operator at the end of the formula, drag it to Box 2 and release. The error message disappears.
Step 4: Click Save.
Step 1: Click Source data on the equation.
Step 2: All business rules and parameters for Source data appear in Box 3 on the far right of the page. Currently, a business rule only exists for HackerOne. Click Add rule.
Step 3: Working now under Rule 2, select the source data value "is added from integrations" from the pulldown menu.
Step 4: Select "Snyk" as the integration source in the following pulldown menu.
Step 5: Give Rule 2 a weight of 45 out of 100 points.
Step 6: Click Save.
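The builder rules described above (weights totalling 100%, an operator between every pair of field variables, no trailing operator, and a per-variable score of weight times highest rule score divided by 100) can be modelled offline to sanity-check an equation before entering it. This is an added sketch, not PlexTrac code: the class and function names, the "+" operator, the variable order, and every rule score other than 75 and 45 are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Variable:
    name: str
    weight: float        # "Variable weight", percent of the equation
    rule_scores: tuple   # "out of 100" points of the rules that applied (assumed input)

    def score(self):
        # weight * highest rule score / 100; a 0% variable contributes nothing
        return self.weight * max(self.rule_scores, default=0) / 100

def validate(equation):
    """equation: Variables and operator strings in left-to-right order."""
    errors = []
    for left, right in zip(equation, equation[1:]):
        if isinstance(left, Variable) and isinstance(right, Variable):
            errors.append(f"operator needed between {left.name} and {right.name}")
    if equation and isinstance(equation[-1], str):
        errors.append("equation cannot end with an operator")
    total = sum(v.weight for v in equation if isinstance(v, Variable))
    if total != 100:
        errors.append(f"total equation weight is {total:g}%, must be 100%")
    return errors

def contextual_score(equation):
    problems = validate(equation)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumption: every operator is "+", so per-variable scores are summed.
    return sum(v.score() for v in equation if isinstance(v, Variable))

def build(source_weight, with_operator):
    # Weights and the 75 and 45 point rules follow the walkthroughs; every other
    # rule score and the variable order are constructed for the example.
    head = [Variable("Asset type", 10, (75,))]
    if with_operator:
        head.append("+")
    return head + [Variable("Asset criticality", 10, (60,)), "+",
                   Variable("Source data", source_weight, (90, 45)), "+",
                   Variable("Finding score (CVSS 3.1)", 10, (80,))]

DRAFT = build(80, with_operator=False)   # both walkthrough errors in one draft
FIXED = build(70, with_operator=True)    # operator added, Source data cut to 70%

if __name__ == "__main__":
    print(validate(DRAFT))
    print(contextual_score(FIXED))
```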