The Operator Dashboard helps operations personnel identify and prioritize vulnerabilities that require attention. After performing this type of analysis, operators can launch remediation operations from this page.
To display the Operator Dashboard, select SecOps Response > Operator Dashboard.
The Operator Dashboard helps you identify vulnerabilities requiring remediation. It provides filters that let you screen information based on many criteria, including a vulnerability's service level agreement (SLA) status (within, approaching, or exceeding) and operational status (awaiting attention or in progress). Using filters, you can quickly identify vulnerabilities that require attention. For example, you can show vulnerabilities of severity 4 or 5 that have exceeded the SLA and are not yet in progress. Or, you can show vulnerabilities of severity 4 or 5 found on assets that have been tagged with a particular business unit value, such as Payroll. When you have filtered information down to a set of critical vulnerabilities, you can launch remediation actions for those vulnerabilities.
Specifying the range of vulnerability data
By default, the charts in the Operator Dashboard show all vulnerability information that was generated and imported into SecOps Response within the last 90 days. Rather than use that time frame, you can display vulnerability information for:
- A set period of time—From Scan Data, select 90, 45, or 30 days.
- The oldest date included in selected scan reports—From Scan Data, select the name of one or more reports. If you want information for all reports, click Select All. The date range extends to the oldest scan data that was imported.
When you select an option from Scan Data, the dashboard automatically updates to show the information you have selected.
Showing vulnerability information by security group
If you belong to more than one security group, use the Security Group drop-down list at top to show vulnerability information for that group. If you belong to one security group only, this option is not enabled.
Mapped, unmapped, and unscanned assets and vulnerabilities
At the top of the Operator Dashboard, you see statistics showing mapped, unmapped, and unscanned assets and mapped and unmapped vulnerabilities. Unscanned data is only available if you have set up a connection to BMC Discovery, and that capability is currently only available if you are connected to BMC Server Automation. If you have not established a connection to BMC Discovery, "Unscanned" does not appear.
The statistics at top left provide information about:
- Mapped assets—How many assets detected in scans are mapped.
- Unmapped assets—How many assets detected in scans are not mapped.
- Unscanned assets—BSA only: How many servers have been detected using BMC Discovery but are not included in any scan files. Unscanned assets are essentially blind spots for security and operations personnel concerned with the overall integrity of a server environment. You can export a list of unscanned assets, so that list can be used to add assets to scan files in the future.
- Mapped vulnerabilities—How many vulnerabilities detected in scans are mapped to remediation content.
- Unmapped vulnerabilities—How many vulnerabilities detected in scans are not mapped to remediation content.
Vulnerabilities by Age (Status) chart
The Vulnerabilities by Age (Status) chart shows the status and number of open vulnerabilities by age. The X axis measures age, the Y axis counts the number of open vulnerabilities. Color indicates vulnerability SLA status (red for exceeding, yellow for approaching, green for within SLAs). Filters such as SLA Status and Severity let you limit the information displayed to vulnerabilities you need to address. Using all of this information, you can spot problematic vulnerabilities at a glance. For example, on a particular date there might be 50 red vulnerabilities, meaning they have exceeded the SLA.
After you have finished filtering information on the dashboard, the Actionable Vulnerabilities list at bottom shows the vulnerabilities that match your filtering criteria. These are the vulnerabilities you may want to remediate.
Unmapped Vulnerability Count by SLA Status chart
The Unmapped Vulnerability Count by SLA Status pie chart shows vulnerabilities that have not been mapped. Using this information, you can quickly see that some vulnerabilities may be reaching a critical status (approaching or exceeding SLAs) but cannot be fixed right away because they are unmapped.
Hover your cursor over each wedge of the pie chart to determine the severity of vulnerabilities represented by that wedge.
Filtering vulnerability information
Using the filters at top, you can limit the amount of information that the Operator Dashboard shows. All charts, counts, graphs, and the contents of the Actionable Vulnerabilities list update dynamically based on your filtering choices. Filtering is particularly useful if you plan to launch remediation actions for the vulnerabilities listed on this page.
By default, the Operator Dashboard uses the same filters last set in the Security Dashboard. This allows users of the Security Dashboard to refine their view of vulnerabilities. Then, operators can open the Operator Dashboard to display the same set of vulnerabilities immediately. In addition, settings for the Tags filter persist when you move between the Operator Dashboard, the Security Dashboard, and the Assets page.
To filter data, select any of the following options:
- BULLETIN ID—SCCM only: Shows information for specific vulnerabilities, as identified by Microsoft bulletin ID.
- CVE—BSA and BNA only: Shows information for specific vulnerabilities, as identified by common vulnerability and exposure (CVE) number.
- Device collections—SCCM only: Shows information about selected device collections, which are groupings of devices. You can choose from all the device collections accessible to your Active Directory group.
- Device type—BNA only: Shows information about selected network devices.
- O/S—BSA only: Shows information about selected operating systems.
- Server Group—BSA only: Shows information about vulnerabilities detected for a selected BladeLogic server group. Because you can select smart groups, this filtering option can be very useful for limiting the information displayed.
- Severity—Shows information about vulnerabilities with a specific severity.
- SLA—Shows the SLA status of vulnerabilities: within, approaching, or exceeding SLAs.
- Software Instance—Shows information about servers that include the types of software you specify. To enable the Software Instance filter, you must set up a connection to BMC Discovery.
- Status—Shows vulnerabilities that are in progress or awaiting attention. A vulnerability in progress can be awaiting approval or execution. Any vulnerability not in progress is awaiting attention.
- Tags—Shows information about tagged assets.
If you have imported tags, you can filter assets using any combination of tags or tag values that have been applied to those assets. (A tag is a key/value pair.) The following example filters for both the "SRS" value of the tag called "BU" and the "Maria" value for the tag called "OWNER."
When using the Tags option, the search field lets you search for tag values but not for tag names.
When filtering by tags, you can select the key, which filters for all values of that key, or you can select individual values. Filtering behavior differs depending on whether you select tags, tag values, or both.
- When you select multiple values within a tag, filtering is based on an OR condition. For example, in the Owner tag, you might select Owner1 and Owner2. Filtering shows assets with the Owner1 OR the Owner2 value.
- When you select multiple tags, filtering is based on an AND condition. For example, if you select the Owner and the Applications tags, filtering only shows assets with any Owner tag value AND any Applications tag value.
- When you select a combination of tags and tag values, filtering is based on a combination of AND and OR conditions. The AND conditions apply between tags and the OR conditions apply between values for a particular tag. For example, if you select the Application tag and the Owner1 and Owner2 values of the Owner tag, filtering shows assets that have any Application tag value AND either the Owner1 value or the Owner2 value.
When you set tag filters, they persist when you switch between the Assets page, the Security Dashboard, and the Operator Dashboard.
To apply filtering choices
After making filtering choices, click Apply Filters to activate your selections.
The Actionable Vulnerabilities list shows mapped vulnerabilities that are discovered on mapped assets. The mapped vulnerabilities must occur within the specified time frame and match your filtering criteria.
Each item in the list is a mapped vulnerability that occurs on a mapped asset. If the same vulnerability exists on an asset for different ports, the vulnerability can appear multiple times on the Actionable Vulnerabilities list, once for each port.
After generating a list of actionable vulnerabilities, click Remediate to launch the Remediation operation wizard.
Showing tags as columns
You can choose to display tags as columns in the Actionable Vulnerabilities list. A tag value appears in a column row if the associated asset has that tag value. After displaying a tag column, you can sort the values listed in the column. By displaying tags, you can quickly identify the actionable vulnerabilities associated with a particular category of information such as an asset owner or an application type.
To display tags as columns, click Display Columns and then select the tags you want to display. A count of selected tags appears in the header of the Display Columns option. You can hover over that count to see a list of the selected tags, as shown below.
To remove a tag column from the Actionable Vulnerabilities list, clear that selection in the Display Columns option.
Launching the Remediation operation wizard
Click Remediate to open the Remediation operation wizard, which allows you to select the assets to be modified and schedule remediation operations.
For more information on using the Remediation operation wizard, see:
- Creating a Remediation operation for BMC Server Automation
- Creating a Remediation operation for BMC Network Automation
- Creating a Remediation operation for SCCM
The Remediate button is only enabled when a set of conditions is satisfied, as illustrated in the following flowchart.
If you answer yes to all the questions in the flowchart and the Remediate button is still not enabled, contact BMC Support.
You can export the current contents of the Operator Dashboard. Data is exported in a comma-separated value (CSV) format and stored in a ZIP file. After exporting, you can open the file in a spreadsheet and then manipulate the data in any way you want.
If you have set up a connection to BMC Discovery, two exports are generated: one export shows vulnerability asset information and the other shows data about unscanned assets. If you have not set up a connection to BMC Discovery, only the vulnerability asset information is exported.
If you filter data by software instance, a vulnerability asset export shows the applicable software instances per server. If you do not filter by software instance but a connection to BMC Discovery is enabled, the export lists all software instances that are discovered.
If you have imported tag data, the export file includes a column for each tag.
Large exports are broken into multiple files within the ZIP file. Each file contains 40-50 thousand rows.
To export the contents of the dashboard
Click Export, at top right. Using your browser, you can open the file or save it locally.
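The following added example (not part of the product or its documentation) reapplies the tag filter rules described under Tags, AND between tags and OR between the values of one tag, to an exported ZIP that is split into several CSV files. The column names, file names, and sample rows are constructed for illustration, and the code assumes each tag column holds a single value that is empty when the asset lacks that tag.

```python
import csv
import io
import zipfile

def matches(row, selection):
    """AND across selected tags, OR across the values chosen within one tag.

    selection maps a tag name to a set of values, or to None when the tag
    itself was selected (any non-empty value of that tag matches).
    """
    for tag, values in selection.items():
        value = (row.get(tag) or "").strip()
        if not value:                       # asset does not carry this tag
            return False
        if values is not None and value not in values:
            return False
    return True

def filter_export(zip_bytes, selection):
    """Apply the tag selection to every CSV part inside an export ZIP."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not name.lower().endswith(".csv"):
                continue
            with zf.open(name) as fh:
                text = io.TextIOWrapper(fh, encoding="utf-8-sig", newline="")
                hits.extend(r for r in csv.DictReader(text) if matches(r, selection))
    return hits

def build_sample_export():
    """Constructed sample: two CSV parts with hypothetical column names."""
    header = "Asset,Vulnerability,Severity,Owner,Application\n"
    part1 = header + "srv01,VULN-A,5,Owner1,Payroll\nsrv02,VULN-B,4,Owner3,Payroll\n"
    part2 = header + "srv03,VULN-C,5,Owner2,\nsrv04,VULN-D,4,Owner2,Billing\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("export_1.csv", part1)
        zf.writestr("export_2.csv", part2)
    return buf.getvalue()

if __name__ == "__main__":
    # Application tag (any value) AND Owner tag with Owner1 OR Owner2
    selection = {"Application": None, "Owner": {"Owner1", "Owner2"}}
    for row in filter_export(build_sample_export(), selection):
        print(row["Asset"], row["Owner"], row["Application"])
```

Adjust the tag column names to match the header row of your own export before running it against real data.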