With the SLA feature you can have Kenna automatically set due dates on vulnerabilities based on Risk Meter and vulnerability risk score parameters.
The SLA policy engine runs nightly to apply the rules to any vulnerabilities which match the criteria and do not already have a due date.
To review or set new policies, select SLA Settings from the gear drop-down menu.
First decide if your policy will apply to All vulnerabilities or one or more select Asset Groups.
Next, determine the Score Range for the policy.
Then set the number of days used to calculate the due date. By default the due date is that number of days after the vulnerability's "Found On" date, but it can be changed so that due dates are calculated from the "Created" date or the "Fix Published" date instead. To adjust this setting, please contact a Kenna Customer Success Engineer or Support.
Finally, decide whether you would like Persistent Due Dates. With this setting on, the system checks whether any other vulnerabilities with the same VulnDef (i.e. CVE, CWE, etc.) have already had a due date set by that SLA. If any exist, the new vulnerability's due date is set to match, rather than following the normal criteria for the SLA.
For customers in heavily containerized environments, this can be very useful for tracking vulnerabilities that persist as containers are spun down and new ones are spun up.
Keep the following considerations in mind as you build your SLA policy definitions:
1. If you leave the due date based on the "Found On" data field, be aware that those values may vary depending on the scanner vendor in use.
2. Rules are applied to ALL vulnerabilities that meet the conditions of the policy. Example: a policy with a 14-day SLA may be applied to a vulnerability that was found a year ago but never fixed. In that case, the vulnerability would end up approximately 50 weeks past due.
3. Policies are run from the shortest SLA period to the longest. For example, policies with due dates 7 days after the Found On date run before policies with due dates 14 days after the Found On date.
4. Policies are only applied to vulnerabilities that currently do not have a due date set. If a vulnerability happens to meet the criteria for more than one policy, the due date is set by the first priority rule (whichever has the smallest SLA value) and the vulnerability is ignored by all other policies.
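The following is an added example, not Kenna's own code, that models the nightly policy run described above so you can check how a set of draft policies will behave before enabling them: shortest SLA first, only vulnerabilities with no due date, due date computed from Found On, and Persistent Due Dates reusing the date already set by the same SLA on another vulnerability with the same VulnDef. The `Policy` and `Vuln` classes, the policy names and all sample vulnerabilities (including the CVE-EXAMPLE ids) are constructed for the illustration; the real engine's internals are not described on this page, so the matching logic is an assumption built from the four considerations listed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical model of the SLA policy engine, assembled from the page's description.


@dataclass
class Policy:
    name: str
    days: int                          # SLA length: due date = Found On + days
    min_score: int                     # inclusive risk score range
    max_score: int
    asset_groups: Optional[Set[str]]   # None means "All vulnerabilities"
    persistent: bool = False           # Persistent Due Dates toggle


@dataclass
class Vuln:
    id: int
    vuln_def: str                      # VulnDef, e.g. a CVE id
    asset_group: str
    score: int
    found_on: date
    due_date: Optional[date] = None
    set_by: Optional[str] = None       # name of the SLA policy that set due_date, if any


def matches(policy: Policy, vuln: Vuln) -> bool:
    """Asset group scope and score range are the only match criteria the page names."""
    if policy.asset_groups is not None and vuln.asset_group not in policy.asset_groups:
        return False
    return policy.min_score <= vuln.score <= policy.max_score


def persistent_due_date(policy: Policy, vuln: Vuln, vulns: List[Vuln]) -> Optional[date]:
    """Due date already set by this SLA on another vuln with the same VulnDef, if any.
    Manually set due dates (set_by is None) do not count."""
    for other in vulns:
        if other is not vuln and other.vuln_def == vuln.vuln_def and other.set_by == policy.name:
            return other.due_date
    return None


def run_nightly(policies: List[Policy], vulns: List[Vuln]) -> Dict[int, str]:
    """One nightly pass. Returns {vuln id: policy name} for every due date it set."""
    applied: Dict[int, str] = {}
    # Consideration 3: shortest SLA period runs first.
    for policy in sorted(policies, key=lambda p: p.days):
        for vuln in vulns:
            # Consideration 4: skip anything that already has a due date.
            if vuln.due_date is not None or not matches(policy, vuln):
                continue
            due = persistent_due_date(policy, vuln, vulns) if policy.persistent else None
            if due is None:
                due = vuln.found_on + timedelta(days=policy.days)
            vuln.due_date = due
            vuln.set_by = policy.name
            applied[vuln.id] = policy.name
    return applied


def days_overdue(vuln: Vuln, today: date) -> int:
    """Consideration 2: an old, never-fixed finding can be past due the moment a rule lands."""
    return (today - vuln.due_date).days if vuln.due_date else 0


def sample_policies() -> List[Policy]:
    # Constructed policies; "Prod 30d" overlaps the other two on prod assets.
    return [
        Policy("Prod 30d", 30, 0, 100, {"prod"}),
        Policy("Critical 7d", 7, 90, 100, None, persistent=True),
        Policy("High 14d", 14, 70, 89, None),
    ]


def sample_vulns() -> List[Vuln]:
    # Constructed vulnerabilities; the CVE ids are placeholders, not real identifiers.
    return [
        Vuln(1, "CVE-EXAMPLE-0001", "prod", 95, date(2024, 1, 20)),
        Vuln(2, "CVE-EXAMPLE-0001", "prod", 95, date(2024, 1, 29)),   # persistent: inherits #1's date
        Vuln(3, "CVE-EXAMPLE-0002", "dev", 80, date(2023, 2, 1)),     # found a year ago, never fixed
        Vuln(4, "CVE-EXAMPLE-0003", "prod", 40, date(2024, 1, 10)),   # only the prod-wide rule matches
        Vuln(5, "CVE-EXAMPLE-0003", "dev", 40, date(2024, 1, 10)),    # matches no policy
        Vuln(6, "CVE-EXAMPLE-0002", "prod", 80, date(2024, 1, 25), due_date=date(2024, 3, 1)),  # manual date
    ]


if __name__ == "__main__":
    today = date(2024, 1, 31)
    vulns = sample_vulns()
    applied = run_nightly(sample_policies(), vulns)
    for v in vulns:
        print(v.id, v.vuln_def, v.due_date, applied.get(v.id, "(no policy)"), days_overdue(v, today))
```

Running the demo shows the two behaviours worth checking before you switch a policy on: vulnerability 1 and 2 both get 7-day SLAs, but because the rule is persistent, 2 inherits the 2024-01-27 due date that 1 received rather than its own Found On plus seven days, and vulnerability 3 lands roughly 350 days past due on the first night the 14-day rule runs.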