Overview
Using the Nucleus Automation Engine, you can create Finding Processing Rules based on all of the available finding and asset criteria to automatically set due dates, make assignments, update statuses, and much more. For example, rules can be configured to set a due date as a specified number of days, weeks, or months from the time of ingestion, or the finding's discovered date.
Create Finding Processing Rules
Finding Processing Rules enable you to dynamically manage vulnerability and compliance type findings as they're ingested into Nucleus.
From within a project, navigate to the Automation page.
Select the Finding Processing tab and click the Add Rule button.
Enter the rule information as shown below.
⚠️ Case Sensitivity
When using exact match conditions (e.g., “is,” “is not,” or “equals”), the match is case sensitive.
For example, if your rule condition is set to match the value Production, it will not match production or PRODUCTION.
Step 1 - Rule name and criteria
Rule Name
Enter a name to recognize the rule, specify how it is used, and describe the parameters that trigger this rule. This rule name will be included in some of the notifications, for example: "Exploitable vulns (or compliance findings) on assets in IP range X to Y."
Finding Criteria
Finding criteria enable you to choose the conditions that activate the rule. You can set rules to match the following conditions:
| Condition | Description | Field Type |
|---|---|---|
| Severity - Original | Indicates a vulnerability severity defined by the scanning tool | Dropdown with the following choices: Critical, High, Medium, Low, Informational |
| Severity - Current | Indicates a vulnerability severity in its current state within Nucleus. This will take into account manual or automated adjustments to a finding's severity made within Nucleus | Dropdown with the following choices: Critical, High, Medium, Low, Informational |
| Name | A search field where you can search for strings in the name of the vulnerability for additional granular triggering | Freeform text field. Examples: Microsoft, Adobe, Apache, Oracle |
| Exploitable | Indicates if a newly discovered vulnerability has existing public exploit code | Boolean: Yes, No |
| Description | Search field where you can search for strings in the description of the vuln for additional granular triggering | Freeform text field |
| Solution | Search field where you can search for strings in the solution of the vuln for additional granular triggering | Freeform text field |
| Discovered | Field to enter a number for days since discovery | Number |
| CVE | Field to enter a number for CVEs | Number |
| CVSS Score | Field to enter a number for CVSS | Number |
| Source | The scanning tool that discovered the vulnerability | Freeform text field |
| CISA BOD 22-01 Vulnerability | Indicates if a vulnerability is included in CISA BOD 22-01 | Boolean: Yes, No |
| EPSS Score | Field to enter a number for EPSS score | Number or range |
| Result | Indicates status of a compliance finding | Dropdown with the following choices: Passed, Failed, Warning |
| Port (contact support for enablement) | Indicates the port for a particular finding | Freeform text field to specify a port (e.g. 443) |
| Output (contact support for enablement) | Keys off of the first 1000 characters in a finding's output field | Freeform text. Specify a specific phrase or keyword that the finding output contains or does not contain, up to the first 1000 characters. |
Asset Criteria
Asset criteria enable you to specify the conditions on the assets that activate the rule. You can set rules to match asset model-specific information (e.g. name, IP, group, type), asset metadata attributes (business owner, business owner team, etc.), and asset additional metadata ingested from your asset inventory tools into Nucleus.
When you finish entering the rule information, click the Next button to go to Step 2.
Step 2 - Rule actions
Clarification
An important difference between actions on finding instances and finding attributes is that instance actions affect specific instances of findings, while attribute actions affect whole unique findings. An example use of a unique finding action would be to automatically mark an instance of a finding as exploitable if the Recorded Future risk score is above 65.
With Finding Processing Rules, you can choose from a wide set of actions to perform once a finding's instances and attributes are ingested into Nucleus. For example, Finding Processing Rules make it fast and easy to set due dates on findings using the security policies in your organisation. Finding Processing Rules improve workflow efficiency as shown below.
Finding Instances
Set the due date of a finding.

Specify the due date:
Your new finding processing rule now appears in the Automation > Finding Processing list. Use the search to easily find your new processing rule as shown below:
Assign a finding to a user and/or a team.

Change the finding’s status (e.g. if you want to always mark a finding as False Positive or Risk Accepted).
Comment on the finding.
Finding Attributes
Set the finding as exploitable/not exploitable.
Pin select vulnerabilities to the top of the Active Vulnerabilities page.
Set a different severity on the finding.
You can include all of the above actions in a single rule in order to orchestrate many outcomes based on the same criteria. Simply create a new rule, choose the finding and asset criteria, and add action cards with the + add button to your heart’s content!
Finding Processing Rules can be particularly useful for actions that are specific to your organisational context, such as normalising severities based on your internal triage framework, assigning findings to teams and users based on names and underlying assets, or setting SLA due dates according to organisational security policies.
When you've finished adding action cards, click the Save & Finish button.
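A local dry run of the kind of rule described in Steps 1 and 2, as an added example (not Nucleus code and not its API): it checks a planned rule against sample findings before you enter it in the UI. The field names, the rule dictionary and the month-end clamping are assumptions made for illustration, and the sample findings are constructed.

```python
import calendar
from datetime import date, timedelta

def add_months(d, n):
    """Add n calendar months, clamping to the end of a shorter month (assumed policy)."""
    y, m = divmod(d.year * 12 + d.month - 1 + n, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def due_date(finding, amount, unit, base):
    """base is 'ingested' or 'discovered', the two starting points a rule can use."""
    start = finding[base]
    if unit == "months":
        return add_months(start, amount)
    return start + timedelta(days=amount * (7 if unit == "weeks" else 1))

def matches(rule, finding, asset):
    """All criteria must hold. 'is' / 'is not' compare exactly, so case matters."""
    for scope, field, op, value in rule["criteria"]:
        actual = (finding if scope == "finding" else asset).get(field)
        if (actual == value) != (op == "is"):
            return False
    return True

def dry_run(rule, rows):
    """Map each finding id to the due date the rule would set, or None if no match."""
    amount, unit, base = rule["due"]
    return {f["id"]: due_date(f, amount, unit, base) if matches(rule, f, a) else None
            for f, a in rows}

# Constructed rule: critical, exploitable findings on assets tagged "Production"
# are due one month after discovery. Field names are hypothetical.
RULE = {
    "criteria": [("finding", "severity_current", "is", "Critical"),
                 ("finding", "exploitable", "is", True),
                 ("asset", "environment", "is", "Production")],
    "due": (1, "months", "discovered"),
}
# Constructed findings: identical except for the case of the asset tag.
ROWS = [
    ({"id": "F-1", "severity_current": "Critical", "exploitable": True,
      "discovered": date(2024, 1, 31), "ingested": date(2024, 2, 3)},
     {"environment": "Production"}),
    ({"id": "F-2", "severity_current": "Critical", "exploitable": True,
      "discovered": date(2024, 1, 31), "ingested": date(2024, 2, 3)},
     {"environment": "production"}),  # lower-case tag: the exact match misses it
]

if __name__ == "__main__":
    for fid, due in dry_run(RULE, ROWS).items():
        print(fid, due or "no match")
```

F-2 receives no due date because its asset tag differs only in case, which is the gap to look for when asset metadata comes from several inventory sources.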
If you have any questions, please contact us through the support center.