With the SLA feature, you can have Kenna automatically set due dates on vulnerabilities based on Risk Meter and vulnerability risk score parameters.
The SLA policy engine runs nightly to apply the rules to any vulnerabilities which match the criteria and do not already have a due date.
To review or set new policies, select SLA Settings from the gear drop-down menu.
First decide if your policy will apply to All vulnerabilities or one or more select Asset Groups.
Next, determine the Score Range for the policy.
Finally, set the number of days from the "Found On" date for the vulnerability which will be used to set the Due Date.
Keep the following considerations in mind as you build your SLA policy definitions:
1. Due Date is based on the "Found On" data field whose value may vary depending on the scanner vendor in use. In most cases that field will represent the date the scanner found the vulnerability, not when the data was loaded into the Kenna environment.
2. Rules will be applied to ALL vulnerabilities that meet the condition of the policy. Example: a policy with a 14-day SLA may be applied to a vulnerability that was found a year ago but never fixed. In that case, the vulnerability would end up approximately 50 weeks past due.
3. Policies are run from shortest SLA period to longest. Therefore, policies with due dates of 7 days after the Found On date will run before policies with due dates of 14 days after the Found On date.
4. Policies are only applied to vulnerabilities that currently do not have a due date set. If a vulnerability happened to meet the criteria for more than one policy, the due date would be set by the first priority rule (whichever has the smallest SLA value) and would be ignored by any other policies.
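The following is an added illustration, not Kenna's own code: a small Python model of the nightly run described in considerations 1 to 4, useful for previewing which policy would set a due date and how far past due an old finding would land. The class names, policy names, score ranges, asset group and sample vulnerabilities are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Policy:
    name: str
    score_min: int
    score_max: int
    sla_days: int                      # days after the "Found On" date
    asset_group: Optional[str] = None  # None models a policy on All vulnerabilities

@dataclass
class Vuln:
    vuln_id: str
    score: int
    found_on: date
    asset_groups: frozenset = frozenset()
    due_date: Optional[date] = None
    set_by: Optional[str] = None       # which policy set the due date (for review)

def matches(p, v):
    in_scope = p.asset_group is None or p.asset_group in v.asset_groups
    return in_scope and p.score_min <= v.score <= p.score_max

def nightly_run(policies, vulns):
    # Shortest SLA first; a vulnerability that already has a due date is skipped.
    for p in sorted(policies, key=lambda p: p.sla_days):
        for v in vulns:
            if v.due_date is None and matches(p, v):
                v.due_date = v.found_on + timedelta(days=p.sla_days)
                v.set_by = p.name
    return vulns

def weeks_past_due(v, today):
    if v.due_date is None or v.due_date >= today:
        return 0
    return (today - v.due_date).days // 7

# Constructed sample data (hypothetical policies and findings).
TODAY = date(2024, 6, 1)
POLICIES = [Policy("all-high-14d", 67, 100, 14),
            Policy("dmz-high-7d", 67, 100, 7, asset_group="DMZ"),
            Policy("all-medium-30d", 34, 66, 30)]

def sample_vulns():
    return [Vuln("V1", 90, date(2024, 5, 28), frozenset({"DMZ"})),  # matches two policies
            Vuln("V2", 85, date(2023, 6, 1)),                       # found a year ago
            Vuln("V3", 50, date(2024, 5, 20), due_date=date(2024, 12, 31), set_by="manual"),
            Vuln("V4", 20, date(2024, 5, 20))]                      # below every score range

if __name__ == "__main__":
    for v in nightly_run(POLICIES, sample_vulns()):
        print(v.vuln_id, v.due_date, v.set_by, weeks_past_due(v, TODAY))
```

In this model, V1 receives the 7-day due date even though the 14-day policy also matches, V2 is already 50 weeks past due the moment its date is set, V3 keeps its existing due date, and V4 stays without one because no score range covers it.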