SNTC PSIRT Report and Device Configs

bvogle
Level 1

Can SNTC look at the configs of devices in an inventory upload to better determine if PSIRT alerts apply to the devices? Based on what I've found, it appears that device model and image name are the primary means by which a PSIRT comparison is made. I can see it taking up a lot of time with thousands of devices to compare workarounds and config options to.

For example, "Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities" (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-energywise) require EnergyWise to be configured. My SNTC PSIRT report shows 987 affected devices, but EnergyWise is not enabled on the majority of these.

Accepted Solution

Chris Camplejohn
Cisco Employee

Yes.  It uses the running config to provide the Features list you would see in SNTC and that is considered for many PSIRTs.


Hi Chris,

This is very interesting. I was not aware that the PSIRT checks against the inventory had the ability to be 'context aware' in respect of enabled features/protocols etc.

Is there any supporting documentation that describes this?

Presumably there are some constraints, as some alerts can be quite niche in the cases in which they apply to any specific device. I'm thinking of compound logic here, i.e. if/and (within range)/or type conditions?

Thanks, Graham

I don't own any of the external documentation, so I'll let someone else chime in there. There are always caveats with automation because of niche cases, as you mentioned. If you have some more specifics, I'd be happy to answer them. It is pretty straightforward in that we'll write a regex rule for parsing against the running config to look for those configuration lines that indicate you have the feature enabled. In addition, of course, the software version is matched. For IOS, the image name is matched as well. Optionally, hardware information, such as Product Family and PID, can be matched if needed. For IOS XR, SMU checks are also done. The automation does not currently look at additional show commands beyond the running config.

Thanks for the clarification.

At present we aren't uploading configs, partially due to security restrictions but also because we didn't think there was sufficient value in doing so.

So, as of now we are just getting the alert/device match on HW type and SW version, but when my next 6 collectors come online there will be over 60K chassis to report on, hence my interest in the alert matching being context aware.

Just to check... this is included within the standard SNTC offering, and not part of the Threat Awareness or other bolt on service correct?

Standard. Without configs, many of your PSIRT results will be "Potentially Vulnerable".
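The matching Chris describes (software version, IOS image name, then a regex rule over the running config) and the "Potentially Vulnerable" status for devices with no uploaded config, written out as an added example. This is not code from the thread or from Cisco's SNTC: the advisory ID is the one quoted above, but the version strings, image name, config lines and regex are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class PsirtRule:
    advisory: str
    affected_versions: set      # software versions listed by the advisory
    affected_images: set        # IOS image names (matched for IOS only)
    feature_regex: str          # config lines that show the feature is enabled

@dataclass
class Device:
    hostname: str
    os: str
    version: str
    image: str
    running_config: Optional[str] = None   # None when no config was uploaded

def evaluate(dev: Device, rule: PsirtRule) -> str:
    """Return 'Vulnerable', 'Potentially Vulnerable' or 'Not Vulnerable'."""
    if dev.version not in rule.affected_versions:       # software version match
        return "Not Vulnerable"
    if dev.os == "IOS" and dev.image not in rule.affected_images:  # IOS image name
        return "Not Vulnerable"
    if dev.running_config is None:                       # no config: feature unknown
        return "Potentially Vulnerable"
    if re.search(rule.feature_regex, dev.running_config, re.MULTILINE):
        return "Vulnerable"                              # feature is enabled
    return "Not Vulnerable"

# Constructed rule and inventory; versions, images, configs and regex are illustrative only.
ENERGYWISE_RULE = PsirtRule(
    advisory="cisco-sa-20170419-energywise",
    affected_versions={"15.2(4)E"},
    affected_images={"c2960-lanbasek9-mz"},
    feature_regex=r"^energywise domain \S+",
)
INVENTORY = [
    Device("sw1", "IOS", "15.2(4)E", "c2960-lanbasek9-mz",
           "hostname sw1\nenergywise domain corp security shared-secret 0 ****\n"),
    Device("sw2", "IOS", "15.2(4)E", "c2960-lanbasek9-mz",
           "hostname sw2\ninterface GigabitEthernet1/0/1\n shutdown\n"),
    Device("sw3", "IOS", "15.2(4)E", "c2960-lanbasek9-mz"),          # no config uploaded
    Device("sw4", "IOS", "15.2(7)E", "c2960-lanbasek9-mz", "hostname sw4\n"),
]

def report(devices=INVENTORY, rule=ENERGYWISE_RULE) -> dict:
    """Map each hostname to its PSIRT status for the given advisory rule."""
    return {d.hostname: evaluate(d, rule) for d in devices}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Only sw1, whose config actually enables EnergyWise, is reported as vulnerable; sw3 stays "Potentially Vulnerable" because no config was collected.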
