Documentation update

   

To provide a better user experience, we have now created a separate documentation space for Helix Vulnerability Management.
Users of Helix Vulnerability Management (includes BMC Helix Automation Console) can find the latest documentation at BMC Helix Vulnerability Management.

Working with operations

This topic provides instructions on adding operations for remediating missing patches or vulnerabilities, and viewing the results after an operation is complete. 

To understand the concept of operations, see Operations.

Adding a patch remediation operation

On the Operations page, click Add Operation, and do these steps: 

  1. Enter a unique operation name, and an optional description, and then click Next.
    Operation name must always be unique (up to 150 characters) even if users with different roles are creating it.
  2. On the Patch Selections page, do these steps: 
    1. Select a patch policy (policy having missing patches).
    2. To specify assets, do one of the following:
      • Select associated groups (server groups or server smart groups imported from the policy).
      • Select associated assets and then select individual assets.
  3. To specify reboot options for the assets, select one of the following options: 
    • Honor Patch Reboot Settings: Adheres to the reboot settings defined for the patch in the patch catalog
    • Do Not Reboot: Does not reboot automatically after installing the required patches
    • Reboot at the End: Reboots all assets after the patching process is complete
  4. To specify a schedule for the operation, select one of the following options: 
    1. I will do it later: Change approval is not applicable and you skip to step 6.
    2. Set a schedule
      1. Click the calendar icon in the Date and Time field, and specify the date and time. 
      2. Select the hours or minutes in the Staging Before field to specify a staging and analysis window. 
        A staging window determines the time by which the patches and payload data must be downloaded on the assets before the remediation operation runs. If you select 1 hour for staging, analysis starts an hour before the staging phase. The maximum limit is 999 hours.
    3. Execute now
  5. To configure change request creation and approval, select the following options: 
    The Change Approval Management page appears only if change automation is enabled in your environment.  
    1. Enable Create Change Ticket.

      Is the Create Change Ticket option mandatory? How can I disable the change request creation?

      You can enable or disable change ticket creation depending on how administrators have configured the TrueSight Orchestration connector. If the connector is configured with Change Approval as required, you cannot disable the option or skip this step.

      If already selected, continue to select values in other fields for creating a change request. 

    2. Change Template Name
    3. Urgency
    4. Impact
    5. Reason for Change
    6. ChangeClass
  6. To configure notifications, select any of the following options: 
    • Send email to: Specify a comma-separated list of email addresses, and then select one or more of the following options: 
      • Select the status to send an email based on the operation status. 
      • Select Attach patch analysis results to the email, and then specify the email attachment size limit. 
      • Specify whether to send a list of assets where the operation failed. 
    • Send SNMP trap to: Specify the host name or IP address of the server to be notified of the operation results, and then select one or more status options for which a notification should be sent.
  7. View the summary of options selected for the operation and save changes. 
    The operation runs according to the defined schedule. If a change request is created, the operation runs after the change is approved. If you want to update the schedule for an operation in BMC Remedy ITSM, update the Schedule Start Date or the Schedule End Date for the task and not the change request. 

Adding a vulnerability remediation operation

On the Operations page, click Add Operation, and do these steps: 

  1. Enter a unique operation name, and an optional description, and then click Next.
    Operation name must always be unique (up to 150 characters) even if users with different roles are creating it.
  2. Select Vulnerability Selections and do these steps: 
    • Enter a vulnerability name, asset host name or IP address, or a CVE ID, and click Search.
      Assets with vulnerabilities that are mapped to remediation content are displayed and selected in the operation. 

      Can I perform an empty search?

      No. However, you can place your cursor in the search box, add a space, and click Search. All assets with vulnerabilities mapped to the remediation content are displayed.

      You can either use basic search or Advanced Search to select vulnerabilities. Results from only the latest search are selected for the operation. 

    • Click Advanced Search and choose one or more of the following options:
      • Asset
      • Asset Tag
      • CVE ID 
      • Operating System
      • Risk Owner
      • Risk Score
      • Risk Tag
      • Scan File
      • Severity
      • Vulnerability Name

        When you select the Operating System filter, the list of operating systems is populated dynamically depending upon the imported scan file.


        Assets with vulnerabilities that match the search results are displayed and selected in the operation. 

      To view details about the vulnerabilities, expand the asset name. Vulnerability name, port, CVE IDs, severity, remediation, and the remediation type are displayed. 


  3. To configure additional remediation options based on the remediation content, do these steps: 
    • If there are no configuration options, click Next.
    • For a Patch type of operation, select one of the following options: 
      • Honor Patch Reboot Settings: Adheres to the reboot settings defined for the patch in the patch catalog
      • Do Not Reboot: Does not reboot automatically after installing the required patches
      • Reboot at the End: Reboots all assets after the patching process is complete
  4. To specify a schedule for the operation, select one of the following options: 
    • I will do it later: Change approval is not applicable and you skip to step 6. 
    • Set a schedule: Click the calendar icon in the Date and Time field, and specify the date and time. 
    • Execute now
  5. To configure change request creation and approval, select the following options: 
    The Change Approval Management page appears only if change automation is enabled in your environment.  
    1. Enable Create Change Ticket.

      Is the Create Change Ticket option mandatory? How can I disable the change request creation?

      You can enable or disable change ticket creation depending on how administrators have configured the TrueSight Orchestration connector. If the connector is configured with Change Approval as required, you cannot disable the option or skip this step.

      If already selected, continue to select values in other fields for creating a change request. 

    2. Change Template Name
    3. Urgency
    4. Impact
    5. Reason for Change
    6. ChangeClass
  6. To configure notifications, select any of the following options: 
    • Send email to: Specify a comma-separated list of email addresses, and then select one or more of the following options: 
      • Select the status to send an email based on the operation status. 
      • Select Attach patch analysis results to the email, and then specify the email attachment size limit. 
      • Specify whether to send a list of assets where the operation failed. 
    • Send SNMP trap to: Specify the host name or IP address of the server to be notified of the operation results, and then select one or more status options for which a notification should be sent.
  7. View the summary of options selected for the operation and save changes. 
    A parent operation is created, which creates child operations based on the remediation type. Depending on the remediation type such as NSH script, patch, or a deploy type, separate jobs are created in TrueSight Server Automation. For example, if the vulnerabilities require only an NSH script, and a deploy job, two separate jobs are created in TrueSight Server Automation and two operations are displayed under the parent operation on the Operations page. 

    If change approval is configured, after a change request is created, the change request ID appears on the Operations page for all types of operations. Click the ID to view the status and other details.

    If you want to update the schedule for an operation in BMC Remedy ITSM, update the Schedule Start Date or the Schedule End Date for the task and not the change request. 

    Consult the following table to understand the correlation between the change request status and the operation status and the impact on the vulnerabilities and assets state. 

    Change request status | Operation status | Vulnerabilities and assets state
    Not applicable yet | Awaiting attention | Awaiting attention
    New | Awaiting approval | Awaiting approval
    Ready to Execute | Awaiting execution; Success (After the operation completes successfully) | Awaiting execution; Closed (After the operation completes successfully)
    Ready to execute | Cancelled due to schedule timeout | Awaiting attention
    Cancelled | Cancelled due to approval rejection | Awaiting attention

Viewing results for an operation

On the Operations page, do the following:

  1. Click the operation name.
    The Operation Run Results page shows the following details:
    • Date, time, and duration of the operation
    • Date, time, and status of the policy scan conducted as part of the operation (for a patch operation only)
    • Date, time, and status of the operation (for a vulnerability operation only)
    • Total number of assets on which the operation is performed, and their status
    • List of assets and the number of patches installed or missing on them (for a patch operation only)
  2. To view the list of patches installed for each asset, click the asset name (for a patch operation only).

    The patch name and the status are displayed. You can view the patch severity for each patch. 
  3. To view detailed logs for an operation, click logs. 
    For a patch operation, remediation and post-analysis logs are displayed. Detailed log messages with a timeline are displayed for each asset. 

To search for an operation, enter the operation name in the search field and the results that match the search term are displayed.

Removing an operation

An operation can only be run once. You may want to remove operations periodically to ensure that your application does not contain irrelevant data. 

When you remove a vulnerability remediation parent operation, its child operations are also removed. 

For a patch remediation operation, no draft operations get created. 

On the Operations page, do the following:

  1. To delete a parent operation, click Action > Remove.
    OR
    To delete a child operation only, expand the parent operation and click Action > Remove.
  2. Click Continue.