Operator Dashboard - Threat Director
The Operator Dashboard helps operations personnel identify and prioritize vulnerabilities that require attention. After performing this type of analysis, operators can launch remediation operations from this page.
Overview
The Operator Dashboard is designed to help you identify vulnerabilities requiring remediation. It provides filters that let you screen for a vulnerability's service level agreement (SLA) status (within, approaching, or exceeding) and operational status (awaiting attention or in progress). Using these tools, you can quickly identify vulnerabilities that require attention. For example, you can show vulnerabilities of severity 4 or 5 that have exceeded the SLA and are not yet in progress. When you have filtered information down to a set of critical vulnerabilities, you can launch remediation actions for those vulnerabilities.
The Operator Dashboard is similar to the SecOps Dashboard, but it has a few key differences—most notably, the dashboard does not show information about closed vulnerabilities. Also, the Operator Dashboard only presents data for endpoints that are enrolled in Threat Director management. (An endpoint is a server for BMC Server Automation, a network device for BMC Network Automation.) The Operator Dashboard does not show vulnerability information for unenrolled endpoints.
Notes
- For the Operator Dashboard to show data, you must first:
- Import one or more scan files
- Map endpoints in BMC Server Automation or BMC Network Automation to assets included in scan files
- Enroll mapped endpoints in Threat Director
- The portal must be connected to the same application server that was used for mapping—that is, the same application server used when you associated scanned assets to endpoints and vulnerabilities to remediation content. If you connect the portal to a different application server, mapping errors can occur when the portal attempts to use missing or incorrect mapping information.
Mapped, unmapped, and unscanned assets and vulnerabilities
At the top of the Operator Dashboard, you see statistics showing mapped, unmapped, and unscanned assets and mapped and unmapped vulnerabilities. Unscanned data is only available if you have set up a connection to BMC Discovery. If you have not established the connection, "Unscanned" does not appear.
The statistics at top left provide information about:
- Mapped assets—How many assets detected in scans are mapped.
- Unmapped assets—How many assets detected in scans are not mapped.
- Unscanned assets—How many servers have been detected using BMC Discovery but are not included in any scan files. Unscanned assets are essentially blind spots for security and operations personnel concerned with the overall integrity of a server environment. You can export a list of unscanned assets, so that list can be used to add assets to scan files in the future. The Operator Dashboard does not provide unscanned data when you are connected to BMC Network Automation.
- Mapped vulnerabilities—How many vulnerabilities detected in scans are mapped to remediation content in BSA or BNA.
- Unmapped vulnerabilities—How many vulnerabilities detected in scans are not mapped to remediation content in BSA or BNA.
Vulnerabilities by Age (Status) chart
The Vulnerabilities by Age (Status) chart shows the status and number of open vulnerabilities by age. The X axis measures age, the Y axis counts the number of open vulnerabilities. Color indicates vulnerability SLA status (red for exceeding, yellow for approaching, green for within SLAs). Filters such as SLA Status and Severity let you limit the information displayed to vulnerabilities you need to address. Using all of this information, you can spot problematic vulnerabilities at a glance. For example, on a particular date there might be 50 red vulnerabilities, meaning they have exceeded the SLA.
After you have finished filtering information on the dashboard, the Actionable Vulnerabilities list at bottom shows the vulnerabilities that match your filtering criteria. These are the vulnerabilities you may want to remediate.
Unmapped Vulnerability Count by SLA Status chart
The Unmapped Vulnerability Count by SLA Status pie chart shows vulnerabilities that have not been mapped. Using this information, you can quickly see that some vulnerabilities may be reaching a critical status (approaching or exceeding SLAs) but cannot be fixed right away because they are unmapped.
Hover your cursor over each wedge of the pie chart to determine the severity of vulnerabilities represented by that wedge.
Specifying the range of vulnerability data
By default, the charts in the Operator Dashboard show all vulnerability information that was generated and imported into the portal within the last 90 days. Rather than use that time frame, you can display vulnerability information for:
- A set period of time—From Scan Data, select 90, 45, or 30 days.
- The oldest date included in selected scan reports—From Scan Data, select the name of one or more reports. If you want information for all reports, click Select All. The date range extends to the oldest scan data that was imported.
When you select an option from Scan Data, the dashboard automatically updates to show the information you have selected.
Showing vulnerability information by security group
If you belong to more than one security group, use the Security Group drop-down list at top to show vulnerability information for that group. If you belong to one security group only, this option is not enabled.
Filtering vulnerability information
Using the filters at top, you can limit the amount of information that the Operator Dashboard shows. In this way you can restrict data to a subset of all potential data. Filtering can be particularly useful if you plan to launch remediation actions for the vulnerabilities listed on this page.
By default, the Operator Dashboard uses the same filters last set in the Security Dashboard. This allows users of the Security Dashboard to refine their view of vulnerabilities. Then operators can open the Operator Dashboard to display the same set of vulnerabilities immediately.
To filter data, select any of the following options:
- CVE—Shows information for specific vulnerabilities, as identified by common vulnerability and exposure (CVE) number.
- O/S—BSA only: Shows information about selected operating systems.
- Device type—BNA only: Shows information about selected network devices.
- Severity—Shows information about vulnerabilities with a specific severity.
- Server Group—BSA only: Shows information about vulnerabilities detected for a selected BladeLogic server group. Because you can select smart groups, this filtering option can be very useful for limiting the information displayed.
- SLA—Shows the SLA status of vulnerabilities: within, approaching or exceeding SLAs. Portal administrators can set SLA levels for Threat Director.
- Status—Shows vulnerabilities that are in progress or awaiting attention. A vulnerability in progress can be awaiting approval or execution. Any vulnerability not in progress is awaiting attention.
- Software Instance—BSA only: Shows information about servers that include the types of software you specify.
Note
The Software Instance filter is only visible if you set up a connection to BMC Discovery.
To apply filtering choices
After making filtering choices, click Apply Filters to activate your selections.
Actionable Vulnerabilities
The Actionable Vulnerabilities list shows all vulnerabilities that have known remediations on mapped servers, occur within the specified time frame, and match your filtering criteria. After generating a list of vulnerabilities, click Remediate to launch the Remediation operation wizard.
The Actionable Vulnerabilities list only presents data for endpoints that have been enrolled in Threat Director.
Launching the Remediation operation wizard
Click Remediate to open the Remediation operation wizard, which allows you to select the assets to be modified, schedule remediation operations, and specify any notifications that are generated by the operation.
Exporting data
You can export the current contents of the Operator Dashboard. Data is exported in a comma-separated value (CSV) format and stored in a ZIP file. After exporting, you can open the file in a spreadsheet and then manipulate the data in any way you want.
If you have set up a connection to BMC Discovery, two exports are generated: one export shows vulnerability asset information and the other shows data about unscanned assets. If you have not set up a connection to BMC Discovery, only the vulnerability asset information is exported.
If you filter data by software instance, a vulnerability asset export shows the applicable software instances per server. If you do not filter by software instance but a connection to BMC Discovery is enabled, the export lists all software instances that are discovered.
Large exports are broken into multiple files within the ZIP file. Each file contains 40000 to 50000 rows.
When you export the Operator Dashboard, the VAT Status column in the exported file displays one of the following states:
- IMPORTED: The vulnerability is imported into the system. No action has been taken so far on this vulnerability.
- TARGET_MAPPED: The vulnerability is imported into the system and assets on which it is reported are mapped to targets.
- OPERATION_CREATED: A remediation operation has been created in the system for that vulnerability.
- AWAITING_APPROVAL: A remediation operation has been created for the vulnerability, but the operation is still pending approval. These statistics are not applicable for TrueSight Network Automation or SCCM.
- AWAITING_EXECUTION: A remediation operation has been created for the vulnerability and the approval has been received (if it was configured while creating the operation); however, the operation is still waiting for execution on the server.
- REMEDIATION_RUNNING: Remediation operation is in progress for the vulnerability.
- CLOSED: Assets affected by the vulnerability are remediated.
To export the contents of the dashboard
Click Export, at top right. Using your browser, you can open the file or save it locally.
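The following is an added example, not part of the product documentation: a Python sketch that reads every CSV part in an exported ZIP, tallies the VAT Status column, flags values outside the seven documented states, and lists severity 4 or 5 rows that exceed the SLA and are not yet in progress. Only the "VAT Status" column name comes from this page; the other column names, the SLA value "Exceeding", the file names, and the grouping of states as awaiting attention are assumptions, and the sample rows are constructed.

```python
import csv
import io
import zipfile
from collections import Counter

# The seven VAT Status values documented on this page.
VAT_STATES = {"IMPORTED", "TARGET_MAPPED", "OPERATION_CREATED", "AWAITING_APPROVAL",
              "AWAITING_EXECUTION", "REMEDIATION_RUNNING", "CLOSED"}
# Assumption: states with no remediation operation yet count as awaiting attention.
AWAITING_ATTENTION = {"IMPORTED", "TARGET_MAPPED"}

def read_export(zip_bytes):
    """Yield each row from every CSV part in the export ZIP (large exports are split)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(n for n in zf.namelist() if n.lower().endswith(".csv")):
            with zf.open(name) as fh:
                yield from csv.DictReader(io.TextIOWrapper(fh, encoding="utf-8-sig", newline=""))

def triage(zip_bytes):
    """Return (row count per VAT Status, undocumented states seen, urgent rows)."""
    counts, unknown, urgent = Counter(), set(), []
    for row in read_export(zip_bytes):
        state = (row.get("VAT Status") or "").strip()
        counts[state] += 1
        if state not in VAT_STATES:
            unknown.add(state)  # surface unexpected values instead of dropping them
        # "Severity" and "SLA Status" are assumed column names, not taken from the page.
        severity = (row.get("Severity") or "").strip()
        sla = (row.get("SLA Status") or "").strip().lower()
        if severity in {"4", "5"} and sla == "exceeding" and state in AWAITING_ATTENTION:
            urgent.append(row)
    return counts, unknown, urgent

def build_sample_export():
    """Constructed sample data: a two-part export with made-up rows."""
    head = "Asset,Vulnerability,Severity,SLA Status,VAT Status\n"
    part1 = head + "srv-a,VULN-0001,5,Exceeding,TARGET_MAPPED\nsrv-b,VULN-0002,3,Within,CLOSED\n"
    part2 = head + ("srv-c,VULN-0003,4,Exceeding,AWAITING_APPROVAL\n"
                    "srv-d,VULN-0004,4,Exceeding,IMPORTED\nsrv-e,VULN-0005,2,Approaching,PENDING\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("part_1.csv", part1)
        zf.writestr("part_2.csv", part2)
    return buf.getvalue()

if __name__ == "__main__":
    counts, unknown, urgent = triage(build_sample_export())
    print(dict(counts), unknown, [r["Vulnerability"] for r in urgent])
```

To use it on a real export, pass the bytes of the downloaded ZIP file to triage() and adjust the assumed column names to match the header row of your export.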
Comments
Hello Team,
What is the meaning of CLOSED and TARGET_MAPPED under the VAT Status column in the exported .csv file?
Regards, Akki
Sorry for the delay in response, Akash. I have added an explanation for the VAT Status column in the Exporting data section. Also, I have included these columns in the Security Dashboard topic.