Importing scan files - Threat Director

The Scan Import page lets you import results of scans performed by vulnerability management systems such as Qualys, Nessus, or Rapid7. After you use one of those systems to scan for potential issues in your data center environment, you can export the results so they can be imported into BladeLogic Portal. The export must be in XML format. 

When a vulnerability scan file is imported into BladeLogic Portal, assets that are included in the scan are automatically mapped to endpoints managed by BladeLogic. (An endpoint is a server managed by BMC BladeLogic Server Automation or a network device managed by BMC Network Automation). 

When connected to BMC Server Automation, automatic mapping is based on a combination of IP addresses and DNS servers. However, the presence of networking gear such as firewalls, load balancers, and proxies can cause mapping discrepancies. As a result, automatic mapping may not always correctly map all endpoints. When connected to BMC Network Automation, automatic mapping matches the device address and then the IP address of an asset in a vulnerability scan report to an endpoint with the same information that is managed by BMC Network Automation. For any assets that are not automatically mapped to endpoints, use the Assets page to perform manual mapping.

Types of exports

You can import two types of export files:

  • Scan Reports—An export file that collects information about assets (such as servers) and the vulnerabilities associated with those assets.  
  • Asset Group Reports—A file that exports information about groupings of assets, such as server groups. You can optionally grant certain BSA roles or BNA realms access to asset groups using the Asset Groups setting when configuring portal security groups. Click here for a full description of that process.

For more information about what constitutes a valid scan file to be imported, see Obtaining scan files eligible for import.

To import a vulnerability management scan file

Use this procedure to import a vulnerability management scan file. Only scan files with certain characteristics are eligible for import.

You can import multiple scan files. The Assets and Vulnerabilities pages show all data that you import, not just the results of the most recent import. When you import a scan file, asset and vulnerability information is added to any information already imported.

You cannot import the same scan file more than once. Scan files are identified by a unique <SCAN> tag within the XML file. If you want to import the same scan file more than once, you can manually modify the value of the <SCAN> tag. BMC recommends you also change the name of each scan file to avoid confusion.

After exporting a scan file from a vulnerability management system, you may want to validate its format before importing it.

  1. For Select Vendor, choose the type of vulnerability management system data that you want to import. 
  2. For Scan Report, click Browse and navigate to a scan file exported from a vulnerability management system. 
  3. To make choices about the type of data you are importing, take the following steps:
    1. Click Customize Filter Options.
    2. For Operating System, select the operating system data that you want to import.

      Note

      If you are importing data for networking devices, be sure to select Other. Networking devices are not always associated with an operating system.

      If you are importing data for SuSE servers, be sure to select both Linux and Other.

    3. For Severity, select the vulnerability severity levels you want to import.
      Qualys, Nessus, and Rapid7 use different scoring for severity levels. Qualys uses scores of 1-5. Nessus uses scores of 0-4. Rapid7 uses scores of 1-10. To maintain consistency, BMC increases the Nessus severity levels by one (so they become 1-5) and maps the ten Rapid7 severity levels to five levels.
  4. Click Import Scan.
    A confirmation message warns that large imports can take extended periods of time. To check their status, click Activity Status. After the import is complete, a message such as the one shown below confirms that the file was imported and tells how many assets were automatically mapped to endpoints. 

Notes

  • If scan times for imported scan files do not include a time zone, they are assumed to be Greenwich Mean Time (GMT).
  • BMC recommends importing scan files larger than 400 MB from a local area network with a latency of less than 50 milliseconds. Imports of large scan files from remote networks may not succeed.
  • Scan import supports:
    • Scan files up to 1 GB 
    • Total record counts up to 25 million
      A record is one asset with one vulnerability. For example, two assets with 10 vulnerabilities each equals 20 records.  
      If subsequent scans include assets that are already scanned with vulnerabilities that are already found, those vulnerabilities do not increase the record count. 
      To manage record counts, you can reduce the scope of a scan (for example, scanning only for vulnerabilities with severity 4 and 5) or remove unneeded devices from the scan, such as endpoints not managed with BladeLogic.
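The record-count and severity rules above (one record per asset and vulnerability pair, repeats across scans not counted again, Nessus scores shifted up by one, Rapid7's ten levels folded to five) can be checked with a small model. The following is an added example written for this page, not BMC's own code; the scan data is constructed, and because the page does not say how Rapid7's ten levels are folded, the ceil(score / 2) mapping used here is an assumption.

```python
import math

# Vendor-native severity scales as the page states them: Qualys 1-5, Nessus 0-4
# (the portal adds 1), Rapid7 1-10 (the portal folds ten levels into five).
# The page does not say how Rapid7's ten levels are folded; ceil(score / 2) is
# an ASSUMPTION used here only so the example runs end to end.
SEVERITY_RANGES = {"qualys": (1, 5), "nessus": (0, 4), "rapid7": (1, 10)}


def normalize_severity(vendor: str, score: int) -> int:
    """Map a vendor-native severity score onto the portal's 1-5 scale."""
    try:
        low, high = SEVERITY_RANGES[vendor]
    except KeyError:
        raise ValueError(f"unknown vendor: {vendor}") from None
    if not low <= score <= high:
        raise ValueError(f"{vendor} severity {score} outside {low}-{high}")
    if vendor == "nessus":
        return score + 1                 # 0-4 becomes 1-5
    if vendor == "rapid7":
        return math.ceil(score / 2)      # assumed fold: 1-2 -> 1, ..., 9-10 -> 5
    return score                         # Qualys already uses 1-5


def count_records(scans, min_severity: int = 1) -> int:
    """Number of distinct records across every imported scan.

    A record is one asset with one vulnerability. The same (asset, vulnerability)
    pair seen again in a later scan is not counted twice, which is why rescanning
    the same hosts does not grow the count. Findings below min_severity are
    dropped, which is the effect of the Severity filter on import.
    """
    records = set()
    for vendor, findings in scans:
        for asset, vuln_id, native_score in findings:
            if normalize_severity(vendor, native_score) >= min_severity:
                # Vulnerability IDs are vendor-specific (Qualys QIDs vs Nessus
                # plugin IDs), so the vendor is part of the key.
                records.add((vendor, asset, vuln_id))
    return len(records)


# Constructed sample data (not from a real scan). Each finding is
# (asset, vendor vulnerability ID, vendor-native severity).
# Scan A: two assets with ten vulnerabilities each, severities cycling 1..5.
SCAN_A = ("qualys", [(f"srv0{a}", 1000 + v, v % 5 + 1) for a in (1, 2) for v in range(10)])
# Scan B: srv01 rescanned with the same ten findings plus two new ones.
SCAN_B = ("qualys", [("srv01", 1000 + v, v % 5 + 1) for v in range(10)]
          + [("srv01", 2001, 5), ("srv01", 2002, 2)])
# Scan C: a Nessus scan of a third host with native severities 0 and 4.
SCAN_C = ("nessus", [("srv03", 10180, 0), ("srv03", 19506, 4)])


if __name__ == "__main__":
    print("scan A alone:", count_records([SCAN_A]))                       # 20
    print("A + B (10 repeats):", count_records([SCAN_A, SCAN_B]))         # 22
    print("A + B + C:", count_records([SCAN_A, SCAN_B, SCAN_C]))          # 24
    print("severity 4 and 5 only:",
          count_records([SCAN_A, SCAN_B, SCAN_C], min_severity=4))        # 10
```

Running the block reproduces the page's arithmetic: two assets with ten vulnerabilities each give 20 records, rescanning srv01 adds only the two findings that were not already present, and restricting the import to severity 4 and 5 cuts the total from 24 to 10.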

To import an assets group report file

Use this procedure to import an assets group report file, which contains information about asset groupings (such as server groupings). You can optionally grant certain BSA roles or BNA realms access to asset groups using the Asset Groups setting when configuring portal security groups. Click here for a full description of that process.

If you import multiple asset group reports, only the information in the report most recently imported is used. Previously imported asset group reports are discarded.

Asset group files that you import must use the format described in Asset group report files, later in this topic.

  1. For Assets Group Report, click Browse and navigate to the asset group report file. 
  2. Click Import Asset Group.

Obtaining scan files eligible for import

Only export files that meet certain requirements can be imported into BladeLogic Portal.

Rapid7 scan files

Scan files exported from Rapid7 must use the format called XML Export 2.0.

Qualys scan files

The following image shows how to generate a scan export using Qualys.

Scan exports created with Qualys must meet the following requirements:

  • The file must comply with the following DTD: https://qualysguard.qg2.apps.qualys.com/scan-1.dtd
  • The file cannot be based on report templates. 
  • The file must be in XML format and the file ending must be .xml. Other formats for saving scan data are not supported.

A sample scan export is attached to this page. Below you can see the first few lines of that file. Highlighted regions flag the XML version, the DTD, and the scan ID.

Nessus scan files

Scan exports created with Nessus must meet the following requirements:

  • The scan file can be based on different types of scans (such as OS or network scans) but at minimum it must include:
    • Server name
    • Server IP address
    • Server operating system
    • Associated plugin IDs (a plugin is a check for a vulnerability)
  • The file must be in XML format and the file ending can be .nessus or .xml. Other formats for saving scan data are not supported.

A sample scan export from Nessus is attached to this page. See Creating and importing a Nessus scan file for a description of how to create and download a Nessus scan file.

Asset group report files

Currently, only Qualys lets you generate asset group files, but you can manually create an asset group file using the format in the sample attached to this page. 

The following image shows how to generate an asset group export using Qualys.  

Validating the format of scan files being imported

BMC provides a utility that allows you to check the validity of scan files you want to import. The utility counts the number of servers and vulnerabilities found, checks for any required fields that are missing, and determines whether you can successfully import the scan file.

The utility is available as a ZIP file that you can download from BMC Communities (login required). The name of the file is bmcScanFileProfiler-V4.zip.

After downloading the ZIP file, use the following instructions to check the validity of a scan file you want to import. 

  1. Check whether the JAVA_HOME environment variable is set.
  2. If not, set JAVA_HOME to the location where Java is installed. 
    (Windows): Search for java.exe. JAVA_HOME should point to the directory that contains the bin directory. For example, JAVA_HOME=C:\Program Files\Java\jdk1.7.0_75.
    (Linux): Execute the which java command, which gives the path of the Java executable. Then set JAVA_HOME to the directory containing the bin directory. For example, export JAVA_HOME=/opt/java/1.7
  3. Extract bmcScanFileProfiler-V4.zip to any directory.
  4. Using a command line, cd to the directory where the zip was extracted.
  5. Execute one of the following commands to profile a scan file:
    (Windows): bmcScanFileProfiler.bat <path of scan file>
    (Linux):  bmcScanFileProfiler.sh <path of scan file>
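The checks a pre-import profiler performs (well-formed XML, the expected DTD and file ending, a <SCAN> element carrying the scan ID the portal uses to detect re-imports, per-asset required fields, and asset and record counts) can be seen in the following added example. It is written for this page and is not BMC's bmcScanFileProfiler utility. The embedded scan is a constructed sample, not a real Qualys export: only the <SCAN> root and the scan-1.dtd reference come from the page, while the IP, OS, VULNS, CAT and VULN element and attribute names are an assumption about the scan-1.dtd layout, and the per-asset field check mirrors the minimum fields the page lists for Nessus scans.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePath

# DTD the page says Qualys scan exports must comply with.
QUALYS_DTD = "https://qualysguard.qg2.apps.qualys.com/scan-1.dtd"

# Constructed sample, not a real export. Only the <SCAN> root and the DTD
# reference come from the page; the IP/OS/VULNS/CAT/VULN element and
# attribute names are an ASSUMPTION about the scan-1.dtd layout.
SAMPLE_SCAN = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE SCAN SYSTEM "https://qualysguard.qg2.apps.qualys.com/scan-1.dtd">
<SCAN value="scan/1700000000.00001">
  <HEADER><KEY value="DATE">2023-11-14T12:00:00Z</KEY></HEADER>
  <IP value="10.0.0.11" name="srv01.example.test">
    <OS>Linux 3.x</OS>
    <VULNS>
      <CAT value="Local">
        <VULN number="100001" severity="4"><TITLE>Sample finding 1</TITLE></VULN>
        <VULN number="100002" severity="2"><TITLE>Sample finding 2</TITLE></VULN>
      </CAT>
    </VULNS>
  </IP>
  <IP value="10.0.0.12" name="srv02.example.test">
    <OS>Windows Server</OS>
    <VULNS><CAT value="Local">
      <VULN number="100001" severity="4"><TITLE>Sample finding 1</TITLE></VULN>
    </CAT></VULNS>
  </IP>
</SCAN>
"""

DOCTYPE_RE = re.compile(r'<!DOCTYPE\s+SCAN\s+SYSTEM\s+"([^"]+)"')


def profile_scan(filename: str, xml_text: str) -> dict:
    """Check one scan file against the import requirements and summarise it.

    Returns the scan ID (the <SCAN> value the portal uses to detect re-imports),
    asset and record counts, and the list of problems found.
    """
    problems = []
    if PurePath(filename).suffix.lower() != ".xml":
        problems.append("file ending must be .xml")
    match = DOCTYPE_RE.search(xml_text)
    if match is None or match.group(1) != QUALYS_DTD:
        problems.append(f"DOCTYPE must reference {QUALYS_DTD}")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return {"file": filename, "ok": False, "scan_id": None,
                "assets": 0, "records": 0, "problems": problems}
    if root.tag != "SCAN":
        problems.append(f"root element is <{root.tag}>, expected <SCAN>")
    scan_id = root.get("value")
    if not scan_id:
        problems.append("<SCAN> carries no value attribute (scan ID)")
    assets = root.findall("IP")
    for ip in assets:
        # Name, address and OS are the minimum an asset needs to be mapped to an endpoint.
        if not ip.get("value") or not ip.get("name") or ip.find("OS") is None:
            problems.append(f"asset {ip.get('value') or '?'} is missing name, address or OS")
    # A record is one asset with one vulnerability.
    records = sum(len(ip.findall("VULNS/CAT/VULN")) for ip in assets)
    return {"file": filename, "ok": not problems, "scan_id": scan_id,
            "assets": len(assets), "records": records, "problems": problems}


def find_duplicate_scans(profiles) -> list:
    """Pairs (new file, earlier file) sharing a <SCAN> value; the portal rejects
    the second import of such a file unless the value is changed."""
    seen, duplicates = {}, []
    for p in profiles:
        if p["scan_id"] is None:
            continue
        if p["scan_id"] in seen:
            duplicates.append((p["file"], seen[p["scan_id"]]))
        else:
            seen[p["scan_id"]] = p["file"]
    return duplicates


if __name__ == "__main__":
    first = profile_scan("scan_20231114.xml", SAMPLE_SCAN)
    copy = profile_scan("scan_20231114_copy.xml", SAMPLE_SCAN)
    print(first)
    print("duplicates:", find_duplicate_scans([first, copy]))
```

The sample profiles as two assets and three records (srv01 has two findings, srv02 one), and a second file with the same <SCAN> value is reported as a duplicate, which is the situation the page describes when a scan file is imported twice without its <SCAN> value being changed.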

Deleting a scan file

The Scan Import page includes a table that lists all scan files imported into BladeLogic Portal.

You can use this table to delete scan files that were previously imported. When you delete a scan file, all associations between endpoints and vulnerabilities contained in that file are deleted unless the same association is also included in another scan file. Also, the SecOps Dashboard updates so it no longer displays data from a scan file that was deleted.

If you have enrolled endpoints in Threat Director, deleting a scan file that includes the endpoint does not automatically unenroll the endpoint. You should unenroll the endpoint from Threat Director before deleting the scan file.

  1. In the list of imported files at the bottom of the Scan Import page, find the file you want to delete. 
    If the list is long, filter entries using the text boxes at the top of each column. Enter any number of characters into a text box. As you enter characters, the list narrows its results to show only items with data in that column that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.
  2. At right, for the file you want to remove, click Delete. The portal prompts you to confirm the deletion. 
    Deleting a scan file may launch a process that runs for a long time. To track its progress, use the Activity Status page.

Where to go next

Mapping assets to endpoints - Threat Director
