1. Overview

Because severity terminology can vary between projects, Prisma Cloud normalizes severity ratings into a common schema.

Prisma Cloud leverages the CVSS 3.0 scoring system. The CVSS framework captures the principal characteristics of a vulnerability and produces a numerical score that reflects the severity of the vulnerability. CVSS scores range from 0.0 to 10.0. The higher the number, the higher the degree of severity.

2. Mappings

We only normalize vulnerability ratings for the purpose of creating rules. Console’s Monitoring section shows vendor terminology, not Prisma Cloud’s normalized scores (low, medium, high, critical).

The following table maps popular vendor terminology to Prisma Cloud normalized scores:

Vendor terminology Prisma Cloud score

Unimportant

Low

Unassigned

Low

Negligible

Low

Not yet assigned

Low

Low

Low

Medium

Medium

Moderate

Medium

High

High

Important

High

Critical

Critical

In the absence of project-specific terminology, Prisma Cloud normalizes using the CVSS base scores defined by NIST. In addition to the numeric CVSS scores, NVD provides severity rankings of Low, Medium, High, and Critical. These qualitative grades are simply derived from the numeric CVSS scores:

CVSS base score Prisma Cloud severity

0.0 - 3.9

Low

4.0 - 6.9

Medium

7.0 - 8.9

High

9.0 -10.0

Critical