Mapping assets to endpoints - Threat Director

The Assets page lets you map assets that are included in a vulnerability scan report to endpoints–that is, servers managed by BMC BladeLogic Server Automation or network devices managed by BMC Network Automation. After assets have been mapped, you can optionally enroll them in Threat Director, which provides analytic and operational capabilities that help you maintain the integrity of your computing and network environment. 

Typically, most assets detected with a vulnerability scan tool such as Qualys or Nessus can be automatically mapped to endpoints. Mapping is based on a combination of IP addresses and DNS servers. However, the presence of networking gear such as firewalls, load balancers, and proxies can cause mapping discrepancies. As a result, automatic mapping may not always correctly map all hosts. 

A network administrator who understands the correct mapping between endpoints managed in BladeLogic and assets detected in a vulnerability scan can perform manual mapping and, if necessary, override automatic mapping. In some situations, a single endpoint can be mapped to multiple assets detected in the scan, or a single asset in a scan can be mapped to multiple endpoints.

The Assets page provides the following capabilities:

Mapping and unmapping assets 

Use the following procedures to map assets to endpoints managed with BMC Server Automation or BMC Network Automation.

Automatically mapping assets in a vulnerability scan to endpoints 

When connected to BMC Server Automation, automatic mapping matches the domain name server (DNS) and then the IP address of an asset in a vulnerability scan report to an endpoint with the same information that is managed by BMC Server Automation.

When connected to BMC Network Automation, automatic mapping matches the device address and then the IP address of an asset in a vulnerability scan report to an endpoint with the same information that is managed by BMC Network Automation.

To perform auto-mapping, click Auto-map at top right. A message tells you that mapping has occurred. Assets that are auto-mapped are marked with an icon in the Auto-mapped column at left.
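The DNS-then-IP matching order described above for BMC Server Automation, sketched as an added illustration (this is not BMC's implementation). The inventory and scan data are constructed, and sending ambiguous or unmatched assets to a manual-review list is an assumption of this example; it shows why shared IP addresses and load balancers leave assets for manual mapping.

```python
from collections import defaultdict

# Constructed sample endpoints, as a management tool might list them.
ENDPOINTS = [
    {"name": "web01", "dns": "web01.example.test", "ip": "10.0.1.11"},
    {"name": "web02", "dns": "web02.example.test", "ip": "10.0.1.12"},
    {"name": "nsx-mgr", "dns": "nsx.example.test", "ip": "10.0.9.1"},
    {"name": "nsx-fw", "dns": "", "ip": "10.0.9.1"},   # shares the manager's IP
]
# Constructed scan-report assets.
ASSETS = [
    {"host": "WEB01.example.test.", "ip": "10.0.1.11"},
    {"host": "", "ip": "10.0.1.12"},                   # no DNS name: IP fallback
    {"host": "", "ip": "10.0.9.1"},                    # IP shared by two endpoints
    {"host": "lb.example.test", "ip": "10.0.1.100"},   # load balancer address
]

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def auto_map(assets, endpoints):
    """Match each asset by DNS name first, then by IP address.

    Returns (mapped, review): unique matches, and assets left for manual mapping.
    """
    by_dns, by_ip = defaultdict(list), defaultdict(list)
    for ep in endpoints:
        if ep["dns"]:
            by_dns[norm(ep["dns"])].append(ep["name"])
        by_ip[ep["ip"]].append(ep["name"])
    mapped, review = {}, {}
    for a in assets:
        key = norm(a["host"]) or a["ip"]
        hits = by_dns.get(norm(a["host"]), []) if a["host"] else []
        method = "dns"
        if not hits:  # no DNS match: fall back to the IP address
            hits, method = by_ip.get(a["ip"], []), "ip"
        if len(hits) == 1:
            mapped[key] = (hits[0], method)
        else:  # zero or several candidates: leave for a human to decide
            review[key] = "ambiguous: " + ", ".join(hits) if hits else "no match"
    return mapped, review

if __name__ == "__main__":
    mapped, review = auto_map(ASSETS, ENDPOINTS)
    print(mapped)
    print(review)
```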

Manually mapping assets in a vulnerability scan to endpoints

After you perform automatic mapping, some assets may remain unmapped. For these, you can perform a manual mapping procedure.

Typically, you map one scanned asset to an endpoint managed in BladeLogic. However, if necessary, you can map one asset in a scan to multiple endpoints, or you can map multiple assets in a scan to one endpoint.

  1. Select the assets that require mapping.  
    If necessary, use the filtering capability at the top of each column in the page to find particular assets. For example, if you are looking for assets with names that include the string "aus," enter aus in the filter box at the top of the Scan Host column. 
  2. At top right, click the Actions menu and select Map.
    The Map Endpoint to Scanned Host(s) page opens. It consists of two tabs: Selected Scanned Hosts and Endpoints. The assets you selected in the previous step are listed on the Selected Scanned Hosts tab.

  3. Use the Map Endpoint to Scanned Host(s) page to perform the following actions:
    1. On the Selected Scanned Hosts tab, determine which hosts you want to map to an endpoint. To use the full list of hosts, skip this step. To remove a host from the list, click on the appropriate row.  

    2. Click the Endpoints tab. If you are connected to BMC Server Automation, the page displays two sub-tabs: Search and Browse. If you are connected to BMC Network Automation, the page displays only a Search tab. There is no Browse tab. Use the tabs as described below to find the endpoint or endpoints that you want to map to one or more hosts on the Selected Scanned Hosts tab. 

      Perform a simple text search to find one or more endpoints.

      BSA example

      1. Enter a text string in the Search text box. 
        Your text is matched against any text visible on screen, such as part of an endpoint name, description, or OS.
        Search strings cannot include spaces or hyphens.
        Note that for endpoint searches, you enter data into an elliptical text field. The elliptical shape distinguishes endpoint searches from other types of search.

      2. When connected to BMC Server Automation, you can optionally use the filters at left to refine your search. In the example below, notice how the search filtered for the Windows operating system produces 6 results while the search shown above produces 10.
        There are no filtering options available when connected to BMC Network Automation.

      BNA example:

      Enter a text string in the Search text box. 
      Your text is matched against any text visible on screen, such as part of an endpoint name, description, or OS.
      Search strings cannot include spaces or hyphens.
      Note that for endpoint searches, you enter data into an elliptical text field. The elliptical shape distinguishes endpoint searches from other types of search.



      Browse through folders to find an endpoint.

      1. Select the Browse tab. A list of folders appears at left. 
      2. Navigate to the folder containing the endpoint you want.  

         
        As you traverse folders, a trail of "bread crumbs" appears above the Folder list. You can select any name in the bread crumbs to display the contents of that folder.

    3. On the Browse or Search tab, select one or more endpoints.

    4. Click Save.
      The endpoint or endpoints you selected on the Endpoints tab are mapped to the hosts you selected on the Selected Scanned Hosts tab. If you did not select any hosts on the Selected Scanned Hosts tab, the endpoint or endpoints you select on the Endpoints tab are mapped to all the hosts on the Selected Scanned Hosts tab.

Mapping one host in a scan to multiple endpoints

In some situations you may need to map one host in a scan to multiple endpoints in BladeLogic. 

Examples:

BMC Server Automation: When a proxy server or load balancer is enrolled in a vulnerability scan engine and a scan is performed without advanced configuration, the scan may not detect the real servers behind the load balancer or proxy server. In this situation, you must map the proxy server or load balancer that was detected in the scan to multiple endpoints–that is, the servers managed with BMC Server Automation. Those servers are the real servers behind the load balancer or proxy server.

BMC Network Automation: A network device such as an NSX Manager can control other devices such as a firewall, a load balancer, and a router. All devices have the same IP address, but only the NSX Manager appears in a scan. If you need to perform remediation on the NSX Manager (for example, by applying a rule that upgrades its operating system), you can map all the other endpoints (that is, the firewall, load balancer, and router) to the same IP address as the NSX Manager. When the remediation is performed, the same rule applies to all endpoints, and they all have their operating system upgraded.

  1. Select the hosts that require mapping.  
  2. At top right, click the Actions menu and select Map.
    The Map Endpoint to Scanned Host(s) page opens. The hosts you selected in the previous step appear on the Selected Scanned Hosts tab.
  3. On the Selected Scanned Hosts tab, select the host to map.
  4. On the Endpoints tab use the Search tab to find endpoints–either servers in BSA or network devices in BNA. Select the endpoints to be mapped. If you are connected to BSA, you can also use the Browse tab to find endpoints. The Browse tab is not available for BNA.
  5. Click Save. The servers or network devices you selected on the Endpoints tab are mapped to the host on the Selected Scanned Hosts tab.

Mapping multiple hosts in a scan to one endpoint

In some situations you may need to map multiple hosts in a scan to one endpoint. 

For example, when BladeLogic is managing a proxy server or load balancer but a vulnerability scan detects the real hosts that are serviced by the proxy server or load balancer, you must map those hosts to a single proxy server or load balancer. Typically this level of detection occurs in a scan when hosts are enrolled in a vulnerability scan engine or advanced configuration in the vulnerability scan engine can reveal real server names or IP addresses. 

  1. Select the hosts that require mapping.
  2. At top right, click the Actions menu and select Map.
    The Map Endpoint to Scanned Host(s) page opens. The hosts you selected in the previous step appear on the Selected Scanned Hosts tab.
  3. On the Selected Scanned Hosts tab, make sure no hosts are selected.
  4. On the Endpoints tab, use the Search tab to find an endpoint–either a server in BSA or a network device in BNA. Select the endpoint to be mapped. If you are connected to BSA, you can also use the Browse tab to find endpoints. The Browse tab is not available for BNA.
  5. Click Save. The endpoint you select on the Endpoints tab is mapped to all the hosts on the Selected Scanned Hosts tab.

Removing mapping

Use this procedure to remove mapping after assets listed on the Assets page have been mapped to endpoints managed with either BMC Server Automation or BMC Network Automation.

Note

Removing mapping for an endpoint does not unenroll that endpoint from Threat Director. If an endpoint is enrolled in Threat Director, unenroll the endpoint before you remove mapping.

  1. Select assets that have been previously mapped. 
  2. At top right, click the Actions menu and select Remove Mapping.

Enrolling mapped assets in Threat Director

After you have mapped assets to endpoints in BladeLogic, you can enroll those endpoints in Threat Director. When a server is enrolled, it can be included in Threat Director analysis.

A portal administrator must grant you the Threat Director permission to enroll servers in Threat Director. This type of permission is assigned when you define a portal security group.

Note

Use of Threat Director requires a per-server license fee. The first 100 servers enrolled in Threat Director are free. 

  1. Select the mapped assets to be enrolled in Threat Director.  
  2. At top right, click the Actions menu and select Enroll Asset. A confirmation dialog appears. Click OK.
    An icon in the left column indicates the asset has been enrolled.
    In some situations, an asset may be mapped to multiple BladeLogic endpoints. If that is the case, after you click OK a confirmation message tells you the number of assets that were enrolled in Threat Director.

Unenrolling assets

Use this procedure to unenroll hosts that were previously enrolled in Threat Director.

  1. Select assets that have been previously enrolled in Threat Director. An icon indicates that an asset is enrolled.
  2. At top right, click the Actions menu and select Unenroll Asset.

Clearing all selections

If you are in the process of selecting assets and you want to clear your selections, click the Actions menu at top right and select Clear All Selections.

Sorting data in columns

Sort columns of data on this page by clicking on the column header.

Filtering assets

Filters let you limit the data displayed on this page using different criteria, as described in the following sections.

Filtering data in columns

Using the text boxes at the top of each column, enter any number of characters. As you enter characters, the list narrows its results to show only items with data in that column that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.

Some columns provide a list of choices that you can select. The columns are filtered to show only the values you select.

Filtering by security group

If your user ID is assigned to multiple security groups, you can filter the hosts displayed on the Assets page by selecting an option from the Security Groups filter at the top of the page. The page shows only assets to which that security group has access.

Filtering by mapping status

You can filter the assets displayed on the Assets page with the Mapping Status filter at the top of the page. This filter can limit the assets displayed to those that are mapped to endpoints managed in BladeLogic. You can select Mapped, Not Mapped, or All.

Filtering by enrolled status

You can filter the assets displayed on the Assets page with the Enrolled Status filter at the top of the page. This filter can limit the assets displayed to those enrolled in Threat Director. To apply a filter, select Enrolled, Unenrolled, or All.

Exporting information about licensed endpoints in Threat Director

You can export details about the licensed endpoints in your environment. Perform the following steps:

  1. Select Threat Director > Assets.
  2. In the upper-right corner, click Export Licensed Assets, as shown below.

    The export creates a folder with the name BMC BladeLogic Threat Director Usage Report <yyyy-mm-dd>.
  3. Navigate to the folder where the file was downloaded.
  4. Unzip the file.
  5. Open the spreadsheet.

The exported spreadsheet contains the following information for each licensed endpoint:

  • Target Name
  • Type
  • Description
  • Agent Status
  • IP Address
  • OS
  • OS Platform
  • OS Release
  • OS Version
  • OS Vendor
  • Target Type

Where to go next

Mapping vulnerabilities to remediation content - Threat Director
