Working with risks

This topic provides instructions on viewing a list of missing patches and vulnerabilities, and mapping and unmapping vulnerabilities to the remediation content.

To learn about missing patches and the automatic and manual mapping processes, see Risks.

Viewing and exporting unique missing patches

On the Risks > Missing Patches page, view the list of missing patches.

  • Missing Patches contains the following information for each unique missing patch:
    • Patch name
    • Impacted Assets. Click the link to view a list of impacted assets for the particular patch. 
    • Patch Age, in days
    • Severity
    • Classification
    • CVE IDs: CVE Identification numbers specified in the patch catalog.
      Patch Age, Severity, and CVE IDs are provided by the patch vendor. 
  • You can either search by patch name, classification, and CVE ID (basic search) or by severity, asset, operating system, CVE IDs, classification, and patch age (advanced search).
  • To view the list of impacted assets for a unique missing patch, do the following:
    1. Click the link in the Impacted Assets column.
      The Managed Assets page shows the host name, IP address, operating system, and the total number of unique missing patches for each asset.
    2. Click Clear Filters to view all assets and unique missing patches in your environment.

Exporting missing patches

On the Risks > Missing Patches page, click Export and enter a name to save the results in a CSV file. 

If you filter data using advanced search options and then export, filtered data appears in the CSV file. 

Viewing and exporting vulnerabilities

On the Risks > Vulnerabilities page, view the list of vulnerabilities.

  • The Vulnerabilities page contains the following information for each unique vulnerability:
    • CVE IDs
    • Severity level
    • Status (Mapped, Automapped, or Unmapped)
    • Source: Expand the vulnerability to view the vulnerability management system that identified the vulnerability
    • Remediation and remediation type for the vulnerability: To view complete remediation details, click the link.
    • Impacted Assets: To view the list of impacted assets by that vulnerability, click the link.

  • You can either search by vulnerability name and CVE ID (basic search) or by severity, asset, operating system, CVE IDs, scan file, and status (advanced search). You can filter by Status in BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) version 20.02.01 only. 

    Click Clear Filters to view unfiltered data.

  • To view the list of impacted assets by a vulnerability, do the following:
    1. Click the link in the Impacted Assets column.
      The Scanned Assets page shows the host name, IP address, mapping status, source, and operating system that are impacted by the vulnerability.
    2. Click Clear Filters to view all assets and the number of vulnerabilities impacting those assets.

Viewing details of a vulnerability

Click the vulnerability name to view its details. The vulnerability panel displays more information, including its severity level, CVEs that are included, description, links to the related vendor (such as Microsoft), and links to the patches that can be deployed to fix the vulnerability.

The following panel shows the details of the Microsoft SChannel Remote Code Execution vulnerability.

Viewing details of a remediation

After a vulnerability has been mapped to the remediation content, you can view the remediation details such as type of content (BLPackage, Patch, or NSH Script), catalog name, patch name, the path to the file, and any target rules that are defined for deploying the package. If an entry provides information for multiple remediations, the panel lists the information for each remediation content.

To view details of a remediation, do the following:

  • In the Remediation column, click the remediation link.
    The remediation panel shows the type of remediation, rules, catalog name, patch name, and the path where the remediation content is available, as shown in the following figure for a vulnerability.
  • To view vulnerability details, expand the vulnerability.
    Vulnerability ID, Source, and CVE ID are displayed.

Exporting vulnerabilities

On the Risks > Vulnerabilities page, click Export and enter a name to save the results in a CSV file. 

If you filter data using the advanced search options and then export, filtered data appears in the CSV file. 

Mapping and unmapping vulnerabilities

Use the instructions in the following sections to map and unmap vulnerabilities.

Auto-mapping new vulnerabilities

If BMC Helix Automation Console is not able to auto-map vulnerabilities during import, you can attempt to auto-map the unmapped vulnerabilities to remediation content. To auto-map content, patch catalogs must be imported and assets must be mapped to endpoints in the endpoint manager, TrueSight Server Automation.

On the Risks > Vulnerabilities page, do the following:

  1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by severity level so you can map vulnerabilities with the highest severity first.
  2. Click Automap New on the top of the page.
    Vulnerabilities that are auto-mapped are marked with an icon in the Status column.

Manually mapping vulnerabilities

If some vulnerabilities remain unmapped during import or during auto-mapping of new vulnerabilities, you can perform a manual mapping procedure.

On the Risks > Vulnerabilities page, do the following:

  1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by severity level so you can map vulnerabilities with the highest severity first.
  2. From Actions, select Map for the vulnerability.
    The Vulnerability Mapping page shows the existing mappings, if any.
  3. Click + Map Remediation Content.
    The Map Content section displays the remediation content.
  4. Search for the remediation content that you want to map to the selected vulnerabilities:

    1. Choose the remediation content type, NSH Script or Package. 
    2. Enter a text string in the Search text box.
      Your text is matched against the names of any remediation content.
  5. Select the remediation package that should be deployed to the targets.
  6. If you need to map multiple remediation packages to the same vulnerability, define the target scope that determines the types of targets where the package should be deployed.
    Typically, target scope specifies different packages for different operating systems and architectures.
    • Use the default option, All, if you want to map remediation packages to all the targets.
    • Click Specify Target Scope if you want to map remediation packages to specific targets.
      A set of options appears that establish the scope for deploying the package.
      1. In the row defining the scope, for the first field, select any of the following:
        • OS: For example, Windows.
        • OS Platform: For example, x86_64.
        • OS Version: For example, 2008 R2.
        • OS Patch Level: For example, SP1, SP2.
        • OS Release: For example, 6.1.
        • OS Vendor: For example, Microsoft.
      2. In the last field of the first row, enter a text string as the search criteria. Evaluation is based on whether a field contains the string you entered. For example, if you are specifying the Windows operating system, enter a string such as win. When evaluating targets, if the OS name contains the string win, the package is deployed there.
      3. In the next row defining the scope, select whether the target must satisfy all or any of the values you provided in the first row.
      4. To add another rule defining the scope, click Add Criteria. A new row appears. Use its fields to define an additional rule.
  7. To define another set of target scope and rules for another remediation package, click + Map Remediation Content.
  8. Click Save. The selected remediation content items are mapped to the selected vulnerabilities. The Vulnerabilities page shows the mapped remediation content against the vulnerability when you expand it. 
    If the mapping is unsuccessful, a message saying so is displayed in the GUI.
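
The target scope evaluation described in step 6, modeled as an added example (not BMC code or a BMC API): each criterion is a "contains" test on one OS field, and the criteria are combined with all or any. Case-insensitive comparison, the data model, and the package and host names are assumptions constructed for illustration; the comparison of the two scopes shows that a short string such as win selects more targets than intended.

```python
from dataclasses import dataclass

# Field names are the scope options listed in step 6; the data model is hypothetical.
FIELDS = {"OS", "OS Platform", "OS Version", "OS Patch Level", "OS Release", "OS Vendor"}

@dataclass
class Scope:
    package: str          # remediation package name (constructed)
    criteria: list        # [(field, substring), ...]; empty list models the default "All"
    match: str = "all"    # target must satisfy "all" or "any" of the criteria

def rule_matches(target, field, text):
    # "Contains" evaluation as the page describes; ignoring case is an assumption.
    if field not in FIELDS:
        raise ValueError(f"unknown scope field: {field}")
    return text.lower() in target.get(field, "").lower()

def packages_for(target, scopes):
    """Return the packages whose target scope selects this target."""
    selected = []
    for s in scopes:
        results = [rule_matches(target, f, t) for f, t in s.criteria]
        if not s.criteria:
            hit = True                      # default option "All"
        elif s.match == "all":
            hit = all(results)
        else:
            hit = any(results)
        if hit:
            selected.append(s.package)
    return selected

# Constructed sample targets (not taken from any real inventory).
TARGETS = {
    "win-srv": {"OS": "Windows", "OS Platform": "x86_64", "OS Vendor": "Microsoft"},
    "mac-01": {"OS": "Darwin", "OS Platform": "x86_64", "OS Vendor": "Apple"},
    "rhel-01": {"OS": "Linux", "OS Platform": "x86_64", "OS Vendor": "Red Hat"},
}

# "win" is also a substring of "Darwin", so the loose scope selects mac-01 as well.
LOOSE = [Scope("pkg-windows-fix", [("OS", "win")])]
TIGHT = [Scope("pkg-windows-fix", [("OS", "windows"), ("OS Vendor", "microsoft")], "all")]

def report(scopes):
    return {name: packages_for(t, scopes) for name, t in TARGETS.items()}

if __name__ == "__main__":
    print("loose:", report(LOOSE))
    print("tight:", report(TIGHT))
```

Running a draft scope against a copy of the asset list in this way, before saving the mapping, shows which hosts a substring would actually select.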

Unmapping vulnerabilities

You can unmap a vulnerability regardless of whether it was mapped manually or automatically.

To unmap a vulnerability, from Actions, select Remove Mapping for the vulnerability.
