RSA Admin

VAM Built-in Reports give misleading results.

Discussion created by RSA Admin Employee on Jun 21, 2010
Latest reply on Aug 2, 2010 by Charles Beierle

Looking at the Built-in VAM reports/dashboards, the results they give are not what you would expect.

 

Something with the way the results are returned with the query, causes duplicates which skews the numbers.Confirmed this running ISQL, there are not duplicates within the database itself for those tables.

 

For example, for the report VAM - Most Vulnerable Assets by Count.  The initial results would show about 10x higher for some assets. Fixing it is as simple as changing the  Count(VID)  to   Count(DISTINCT VID)

This one is fixable.

 

For  VAM - Most Vulnerable by Severity or VAM - Most Vulnerable by Business Rating,  these can't be directly fixed. It relies on   Sum(CvssScore) which includes the duplicates, and you can't count distict. Even choosing Only Distinct Rows, can show you the correct number of issues, but the Summation appears to be on the whole query with the duplicates.

Outcomes