Admins can create an equation to produce a custom score. The process for creating an equation for priorities and for findings is the same and consists of two steps:
Equation Properties: The tab in which the name, description, and (when applicable) what clients the equation applies to are entered.
Equation Builder: The tab where the user selects and configures the variables of the equation that determines the contextual score.
The example below is done within the Priorities tab, but the process is the same as the Findings tab.
Step 1: From the Admin Dashboard, click Risk scoring.
Step 2: Click Create Equation.
Step 3: Select whether to start from the tenant default or another equation. When finished, click Create.
Step 4: Enter an equation name and description on the "Edit basic information" tab.
If priorities are configured for all clients, client-specific configuration options for priorities equations will not appear, and users will proceed to Step 9.
Step 5: Identify whether the equation will apply to all clients in the tenancy who currently have no equation assigned or to a specific client.
If this equation applies to all clients, skip to Step 9.
Step 6: If client-specific, click Select clients and search, scroll, or use filter options to find the desired client.
Step 7: Click Select.
Step 8: Click Save at the bottom right of the page.
Step 9: Click Continue at the bottom right of the page.
The second tab, "Edit variables and equation," is the equation builder.
The equation builder tab consists of three sections/boxes:
Box 1 - Score Equation: This box displays the current equation and allows users to modify it by dragging variables on/off the box.
Box 2 - Available Equation Variables: This box lists the available variables to be leveraged to update the current equation in Box 1.
Box 3 - Variable Configuration: When a variable in Box 1 is clicked or selected from the pulldown menu at the top of Box 3, this box provides further details that can be used to define how the variable is utilized in the equation. These details include additional properties and business rules.
The total equation weight must always equal 100%. The current allocation is listed above the equation.
Variable weights can be edited directly in the variable's box or in Box 3 on the right of the page in the "Variable weight" section.
To calculate the score for each variable in the equation, multiply the weight of the variable by the highest rule score and then divide the result by 100. For instance, if the weight of a variable is 50% and the highest rule score is 90, the score for that variable would be 50 * (90/100) = 45.
If the total allocation for variables does not equal 100%, the total equation weight value in Box 1 will turn red to indicate an error, and an error message will appear if attempting to save the equation.
Variables can be included with an assigned 0% weight, but these will be ignored in the equation and have the same result as those that do not exist in the equation at all.
PlexTrac provides a default equation out of the box that cannot be deleted but can be edited. This equation becomes the tenant default that can be used as a template or starting point to create additional equations.
Any other equation can be reset to the default equation by clicking the kebab menu in the equation's box and clicking Reset to default PlexTrac equation.
The equation builder allows for many variables and scenarios. Below are a few examples that cover various aspects of the functionality and demonstrate the multiple ways equations can be leveraged to meet specific client or tenant needs.
When configuring an equation, errors will not be visible until the user clicks Save. After that initial action, however, error messages are provided dynamically as the equation is worked on.
Step 1: Click the Asset type variable in Box 2 (Available Equation Variables), drag it up to Box 1 directly above, and place it in the equation.
Step 2: Click Save. An error notification appears both in the equation and as a message because an operator variable is needed between the variables Asset type and Asset criticality.
All field variables need to be separated by an operator.
Step 3: Click the operator variable in Box 2, drag it to Box 1, and place it where the error notification was displayed, between the variables Asset type and Asset criticality.
The error is resolved, and the message disappears.
Step 4: The next step is to set the variable attribute to the correct value. Click the Asset type variable in Box 1 or select it from the pulldown menu in Box 3.
Step 5: Select the "Server" asset type value from the pulldown menu for Rule 1.
Step 6: The next step is to give Asset type some weight in the equation, or else it will be ignored, as all added variables default to 0%. Change the "Variable weight" value to 10%. The variable in the equation will dynamically update.
Step 7: Identify how many points the variable will receive if the business rule is met by adding 75 to the "out of 100" box at the bottom of the rule.
Step 8: Since the total equation weight is now over 100% with the new variable updated to 10%, another variable must be reduced to compensate. Note that the total equation weight is currently 110% and in red, denoting an error. An error message is also provided.
Click Source data and change its weight from 80% to 70% so that the total of all four variables equals 100%.
Step 9: The equation is now ready to be executed. Click Save and check "Enable equation after saving" to immediately enable (all existing equations assigned to the client will be disabled).
Step 1: Click Finding score (CVSS 3.1) in Box 1, drag it to Box 2, and release the mouse button.
The equation no longer includes that variable, and CVSS 3.1 is now listed as available in Box 2.
Step 2: Because the total equation weight must equal 100% and 10% of that weight was removed in Step 1, the remaining variables must be adjusted to compensate. Click Source data and add 10% to its existing weight to increase it from 70% to 80%.
Step 3: The next step is to remove an operator variable, as an equation cannot end with an empty operator.
Select the operator at the end of the formula, drag it to Box 2 and release. The error message disappears.
Step 4: Click Save.
Step 1: Click Source data in the equation.
Step 2: All business rules and parameters for Source data appear in Box 3 on the far right of the page. Currently, a business rule only exists for HackerOne. Click Add rule.
Step 3: Working now under Rule 2, select the source data value "is added from integrations" from the pulldown menu.
Step 4: Select "Snyk" as the integration source in the following pulldown menu.
Step 5: Give Rule 2 a weight of 45 out of 100 points.
Step 6: Click Save.
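To make the scoring rule above (weight multiplied by the highest matching rule score, divided by 100, with variable weights summing to 100%) and the builder's error conditions concrete, here is a small model of the equation the three walkthroughs build. This is an added example, not PlexTrac code: the data model, the rule predicates, the point values given to the Asset criticality, HackerOne and CVSS rules, and the sample finding are all assumptions constructed for illustration; only the 10/10/70/10 weights, the Server rule's 75 points and the Snyk rule's 45 points come from the steps above.

```python
"""Model of a contextual scoring equation, written as an added example.

Nothing here is PlexTrac's own code. The data model, the rule predicates, the
point values for Asset criticality, HackerOne and the CVSS bands, and the
sample finding are constructed for illustration; only the scoring rule
(weight * highest rule score / 100, weights summing to 100%) and the builder's
error conditions follow the documentation.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Union

OPERATOR = "+"  # the only operator the builder currently supports


@dataclass
class Rule:
    description: str
    matches: Callable[[dict], bool]  # business-rule condition
    points: int                      # points "out of 100" when the rule is met


@dataclass
class Variable:
    name: str
    weight: int = 0                  # percent; new variables start at 0% and are ignored
    rules: List[Rule] = field(default_factory=list)

    def rule_score(self, item: dict) -> int:
        """Highest score among the rules whose condition is met (0 if none)."""
        return max((r.points for r in self.rules if r.matches(item)), default=0)

    def contribution(self, item: dict) -> float:
        """weight * (highest rule score / 100), e.g. 50% and 90 -> 45."""
        return self.weight * self.rule_score(item) / 100


Token = Union[Variable, str]


def validate(equation: List[Token]) -> List[str]:
    """Return the error messages the builder would show for this equation."""
    errors = []
    total = sum(v.weight for v in equation if isinstance(v, Variable))
    if total != 100:
        errors.append(f"total equation weight is {total}%, must be 100%")
    for left, right in zip(equation, equation[1:]):
        if isinstance(left, Variable) and isinstance(right, Variable):
            errors.append(f"operator needed between {left.name} and {right.name}")
    if equation and equation[-1] == OPERATOR:
        errors.append("equation cannot end with an empty operator")
    return errors


def score(equation: List[Token], item: dict) -> float:
    """Contextual score for one finding; refuses equations the builder rejects."""
    errors = validate(equation)
    if errors:
        raise ValueError("; ".join(errors))
    return sum(v.contribution(item) for v in equation if isinstance(v, Variable))


def example_equation() -> List[Token]:
    """The four-variable equation the first walkthrough ends with (10/10/70/10)."""
    asset_type = Variable("Asset type", 10, [
        Rule("asset type is Server", lambda f: f["asset_type"] == "Server", 75)])
    asset_criticality = Variable("Asset criticality", 10, [        # point values assumed
        Rule("criticality is Critical", lambda f: f["criticality"] == "Critical", 100),
        Rule("criticality is High", lambda f: f["criticality"] == "High", 80)])
    source_data = Variable("Source data", 70, [
        Rule("added from HackerOne", lambda f: f["source"] == "HackerOne", 100),  # assumed
        Rule("added from Snyk", lambda f: f["source"] == "Snyk", 45)])
    cvss = Variable("Finding score (CVSS 3.1)", 10, [                # bands assumed
        Rule("CVSS >= 9.0", lambda f: f["cvss"] >= 9.0, 100),
        Rule("CVSS >= 7.0", lambda f: f["cvss"] >= 7.0, 75)])
    return [asset_type, OPERATOR, asset_criticality, OPERATOR, source_data, OPERATOR, cvss]


# Constructed sample finding: a Snyk-imported CVSS 9.1 issue on a High-criticality server.
SAMPLE_FINDING = {"asset_type": "Server", "criticality": "High", "source": "Snyk", "cvss": 9.1}


def builder_walkthrough() -> dict:
    """Replay the builder errors from the walkthroughs; returns errors keyed by step."""
    eq = example_equation()
    asset_type, _, crit, _, source, _, cvss = eq
    steps = {}
    asset_type.weight, source.weight = 0, 80  # freshly dragged in: 0%, no operator yet
    steps["no operator"] = validate([asset_type, crit, OPERATOR, source, OPERATOR, cvss])
    asset_type.weight = 10                    # operator added, weight raised: now 110%
    steps["over 100%"] = validate(eq)
    source.weight = 70                        # compensate so the total is 100% again
    steps["fixed"] = validate(eq)
    # Second walkthrough: CVSS removed, leaving a dangling operator and 90% total
    steps["trailing operator"] = validate([asset_type, OPERATOR, crit, OPERATOR, source, OPERATOR])
    return steps


if __name__ == "__main__":
    print(score(example_equation(), SAMPLE_FINDING))  # 7.5 + 8 + 31.5 + 10 = 57.0
    for step, errors in builder_walkthrough().items():
        print(step, errors)
```

The highest matching rule wins within a variable (the Snyk finding scores 45, not 45 plus whatever another Source data rule would give), a 0% variable contributes nothing regardless of its rules, and `validate` mirrors the three builder errors the walkthroughs trigger: adjacent variables with no operator, a total other than 100%, and an equation that ends with an empty operator.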
The Risk scoring section under "Automations" in the Admin Dashboard allows admins to create formulas for producing dynamic risk and likelihood scores for findings and priorities.
If all equations are disabled, priorities will be scored by the likelihood and impact values selected in the priority.
Contextual Score: The value generated from a contextual scoring equation.
Contextual Scoring Equation: A collection of variables, operators, rules and logic to generate a contextual score.
Equation Variable: A component of the equation representing an individual or an aggregate of fields from PlexTrac, such as Asset count, Finding Severity, and CVE. Equation variables are the building blocks of an equation.
Multiplier: A constant value multiplied against an equation variable's value. It can rapidly increase the weight a variable has on an equation.
Operator: Mathematical symbols that can be used in a Contextual Scoring Equation. Currently, an operator can only perform a "+" addition function.
Variable Rule: The logic and conditions that help determine a variable's weight and value within the equation. A variable can have multiple rules.
PlexTrac provides a default equation for each tab; it starts disabled and can be toggled on by clicking the toggle under the "Enabled" column. These equations can be used as a starting block for creating custom equations.
They are identified as "Default" under the "Type" column and cannot be deleted.
This tab lists all finding risk score equations and provides options to create and manage new ones. A client can enable only one equation at a time.
The finding score can be viewed under the finding detail section of a finding.
Hovering over the question mark icon when contextual scoring is enabled lists the equation being used.
This tab lists all priority risk score equations and provides options to create and manage new ones.
The priority score can be viewed under the progress bar on the Details tab of a priority.
Hovering over the question mark icon when contextual scoring is enabled lists the equation being used.
The table view for each tab can be customized by clicking the column view icon to the right of the search bar.
Once clicked, a modal appears that lists all fields. To remove a column, click the X within the field's bar.
Fields that are required do not have an X available.
When fields are removed, an "Add Column" pulldown menu is added at the bottom left of the modal to store the field. Any removed fields can be added later by clicking Add Column and selecting the field to add.
This modal represents the sequence of fields provided in the table, meaning the bar on top will be the column on the table's far left.
The order of columns can be adjusted within this modal by clicking the six dots on the left of the bar for a field and dragging the bar to the desired sequence place.
Click Save when finished.
This page includes the business rules and instructions for enabling and disabling priority equations when multiple ones exist.
The impact of an equation on a priority depends on multiple variables: whether priorities are set in General Settings to apply at the tenant level or the client level, whether the default equation is enabled, whether a custom equation is enabled, and whether the custom equation applies to the entire tenancy or to specific clients.
When priorities are enabled at the tenant level, only one equation can be used at a time. In that mode, equations created for specific clients are no longer accessible from the contextual scoring page. Existing client-specific equations are not deleted, but they can no longer be viewed or modified from the page.
Tenant-level priorities have the following business rules for equations:
When priorities are enabled at the client level, only one tenant-level equation can be used at a time. However, custom equations for specific clients may also be enabled and, when executed, take precedence over the tenant-level equation. Any equations created for specific clients will be accessible from the contextual scoring page along with tenant-wide equations.
Whether an equation is client-specific or tenant-wide is identified under the "Associated with" column.
Client-level priorities have the following business rules for equations:
To enable an equation, click the toggle under the "Enabled" column.
If the action impacts existing priorities or conflicts with these business rules, PlexTrac displays a message describing the consequence. If approved, the system enables or disables the other related equations accordingly.