McAfee MVISION Cloud

Create a Vulnerability Policy

About Vulnerability Policies

A Vulnerability policy determines which vulnerabilities are included in or excluded from an incident. Each vulnerability is described by the following attributes:

Attribute      Description
CVE Severity   The vulnerability severity level (High, Medium, or Low).
CVE ID         The unique identifier of the CVE.
Feature        The entity that has the vulnerability (for example, an installed software package).
Namespace      The platform in which the vulnerability is found (for example, ubuntu:18.04).


You can enter multiple comma-separated entries in the CVE ID, Feature, and Namespace fields. Alternatively, you can use the wildcard (*) to match a wide range of values. The CVE Severity field is a multi-option checkbox (High, Medium, or Low).

Create a Vulnerability Policy from a Policy Template

To use the preconfigured Vulnerability Template, High-Severity CVEs, use the following steps:

  1. Go to Policy > Policy Templates.
  2. Filter for Policy Type > Vulnerability.
  3. For High-Severity CVEs, click Create Policy.
    [Figure: vulnerability_policy_templates.png]
  4. The High-Severity CVEs policy is displayed on the Policy > Vulnerabilities page.

Create a Vulnerability Policy

You can create a new Vulnerability Policy, or edit an existing policy to customize it for your requirements. 

To create a policy, perform the following steps:

  1. Go to Policy > Vulnerabilities.
  2. Click Actions > Create Policy.
  3. Enter the policy name and click Next.
  4. Select the User Groups to include or exclude.
    • Include All User Groups is the default. Click Edit to edit the selected users.
    • Then click Add Exclusions to exclude User Groups, if needed. 
  5. Click Next.
  6. Choose the attributes to set the rule and click Next.
  7. To add the response to the incident, select the Severity level, and click Next.
  8. Review your selections and click Save.

Create a Vulnerability Scan

Once your Vulnerability policy is created, configure a Vulnerability Scan to run and generate any possible incidents. 

Deny List and Allow Lists

The most useful way to create CVE policies is to build Deny Lists or Allow Lists. A policy can deny or allow vulnerabilities based on their attributes, which lets you prioritize or ignore incidents with the attributes that matter to you. The attributes are set using:

  • the is operator, to deny
  • the is not operator, to allow

Deny List Policy Rules

In this Deny List policy, you have specified that you ARE interested in:

  • a particular CVE, regardless of its severity
  • the feature openssl
  • the namespace ubuntu:18.04

So an incident of High severity is always created whenever these rules match. This ensures that certain Features, Namespaces, CVE Severities, and CVE IDs are never ignored.
[Figure: cve_deny_list.png]

Allow List Policy Rules

In this Allow List policy, you have specified that you ARE NOT interested in:

  • a particular CVE
  • Medium or Low severity CVEs
  • the feature eglibc
  • the namespace debian:9

So any CVE that matches these rules is assigned an incident severity of Low. Under Responses, you have specified that incidents must be created only for High severity. As a result, no incidents below High are created. This lets you ignore certain Features, Namespaces, CVE Severities, and CVE IDs.
[Figure: cve_allow_list.png]
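To make the Deny List and Allow List behaviour above concrete, here is a small added Python model of the rule logic (written for this page, not MVISION Cloud's own engine). It assumes a policy matches only when every configured rule holds, that a matching finding takes the policy's response severity, and that an incident is raised only when that severity meets the response threshold; the CVE IDs and findings are constructed placeholders.

```python
import fnmatch
from dataclasses import dataclass

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

@dataclass(frozen=True)
class Finding:
    # One scanner result, described by the four attributes the page lists.
    cve_id: str
    severity: str
    feature: str
    namespace: str

def parse_values(text):
    """Split a comma-separated field into stripped, lower-cased patterns."""
    return [v.strip().lower() for v in text.split(",") if v.strip()]

def condition_matches(finding, attribute, operator, values):
    """'is' holds when the attribute matches any listed pattern (* wildcard);
    'is not' holds when it matches none of them."""
    actual = getattr(finding, attribute).lower()
    hit = any(fnmatch.fnmatchcase(actual, p) for p in parse_values(values))
    return hit if operator == "is" else not hit

def evaluate(finding, rules, response_severity, create_at_or_above="Low"):
    """Return (matched, incident_severity). Assumption: every rule must hold
    for the policy to match; a matching finding gets the policy's response
    severity, and an incident is raised only if it meets the threshold."""
    if not all(condition_matches(finding, a, op, v) for a, op, v in rules):
        return False, None
    if SEVERITY_RANK[response_severity] < SEVERITY_RANK[create_at_or_above]:
        return True, None
    return True, response_severity

# Deny List from the page: always raise High for the listed CVE in openssl on
# ubuntu:18.04, whatever its CVE Severity. CVE ID is a constructed placeholder.
DENY_RULES = [("cve_id", "is", "CVE-0000-0000"),
              ("feature", "is", "openssl"),
              ("namespace", "is", "ubuntu:18.04")]

# Allow List from the page: matching findings get Low, but only High is raised.
ALLOW_RULES = [("cve_id", "is not", "CVE-0000-0000"),
               ("severity", "is not", "Medium, Low"),
               ("feature", "is not", "eglibc"),
               ("namespace", "is not", "debian:9")]

# Constructed sample findings.
OPENSSL_UBUNTU = Finding("CVE-0000-0000", "Low", "openssl", "ubuntu:18.04")
EGLIBC_DEBIAN = Finding("CVE-0000-0001", "High", "eglibc", "debian:9")
OTHER_HIGH = Finding("CVE-0000-0002", "High", "curl", "debian:10")
```

Running `evaluate(OPENSSL_UBUNTU, DENY_RULES, "High")` raises a High incident even though the finding is Low, while `evaluate(OTHER_HIGH, ALLOW_RULES, "Low", "High")` matches but raises nothing because the Low response is below the High threshold.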

Severity Filters for Scans Created before 5.0.2

Severity filters remain unchanged for scans created before MVISION Cloud 5.0.2, for backwards compatibility. However, all new scans require a policy to be attached to the scan configuration.

The easiest way to migrate to the new model while keeping the old behavior is to create a policy that selects only the CVE Severity.
