Scans

Scans enable you to discover potential issues on the assets in your environment. You can use various vulnerability management systems such as Qualys, Nessus, and Rapid7 to scan the assets. For the supported endpoint managers, TrueSight Server Automation or TrueSight Network Automation, you can use the same procedure to scan servers and network devices (assets) and then import a scan file into Automation Console.After scanning the assets, you can export the scan results from these systems and then import them into
TrueSight Automation Console.

Automatically importing scan files in Automation Console

You can integrate Automation Console with TrueSight Orchestration to automatically import scan files from Nessus system. For details, see Use case: Automatically importing vulnerability scan files. This capability is available for the TrueSight Server Automation endpoint manager only.

An exported scan file collects information about assets (such as servers and network devices

) and the vulnerabilities associated with those assets. You can import scan files with assets belonging to the following operating systems:

Microsoft Windows
IBM
HP
Solaris
Red Hat Enterprise Linux
SUSE Linux
CentOS
Oracle Enterprise Linux

For CentOS, Errata's are not supported, hence the vulnerabilities cannot be automatically mapped to the remediation content.

When a vulnerability scan is imported into Automation Console, assets included in the scan are automatically mapped to endpoints managed by the underlying endpoint manager, TrueSight Server Automation. The automatic asset mapping process matches the Domain Name Server (DNS) and then the IP address of an asset in a vulnerability scan to an endpoint managed in TrueSight Server Automation.

You can remediate these assets against the vulnerabilities using Automation Console. Currently, you can import a scan file up to 1 GB.

This topic describes prerequisites for importing scans, and a few considerations that you need to keep in mind before you import.

Prerequisites for importing scans

Before importing a scan, ensure that the you have exported scan results from the vulnerability management system. For information about supported versions of the scanning systems, see System requirements. The exported file must meet the following requirements.

Rapid7 scan file requirement

The scan file exported from Rapid7 must use the XML Export 2.0 format.

Qualys scan file requirements

The scan file exported from Qualys:

must comply with the following DTD: https://qualysguard.qg2.apps.qualys.com/scan-1.dtd
cannot be based on report templates.
must be in XML format and it must end with the .xml extension.

Nessus scan file requirements

The scan file exported from Nessus can be based on different types of scans (such as OS or network scans) but at a minimum, it must include the following details:
- Server name
- Server IP address
- Server operating system
- Associated plugin IDs (a plugin is a check for a vulnerability)
The scan file must be in XML format, and the file must end with the .nessus extension.

Considerations before you import

Before you begin importing scans, consider the following:

A record is one asset with one vulnerability. For example, two assets with 10 vulnerabilities each equals 20 records.
If subsequent scans include assets that are already scanned with vulnerabilities that are already found, those vulnerabilities do not increase the record count.
To manage record counts, you can reduce the scope of a scan (for example, scanning only for vulnerabilities with severity 4 and 5) or remove unneeded devices from the scan, such as endpoints not managed with TrueSight Server Automation.

Where to go from here

To import or delete scans, see Working with scans.