Mapping vulnerability scan results to a server environment
This use case demonstrates how to map server assets and vulnerabilities detected in a vulnerability scan to the servers and remediation content you are managing with TrueSight Server Automation. This mapping process is a prerequisite before you can use TrueSight Vulnerability Management to correct any vulnerabilities revealed in the scan.
This topic includes the following sections:
The following video demonstrates how to use TrueSight Vulnerability Management to map server assets and vulnerabilities detected in a scan to servers and remediation content managed with TrueSight Server Automation.
This use case describes how to associate servers included in a vulnerability scan (known in TrueSight Vulnerability Management as assets) to servers managed with TrueSight Server Automation (known as endpoints). It also describes how to associate vulnerabilities identified in the vulnerability scan to remediation content that is available through TrueSight Server Automation. This process of associating—or mapping—must occur before you can perform any remediation based on a vulnerability scan.
TrueSight Vulnerability Management can perform an automatic mapping of assets based on their DNS server and IP address. However, after auto-mapping some assets may remain unmapped. When that occurs, you can manually find endpoints in your managed environment and associate them with assets in the vulnerability scan.
TrueSight Vulnerability Management can also perform an automatic mapping of vulnerabilities to patches in TrueSight Server Automation patch catalogs. Mapping is based on the Common Vulnerabilities and Exposures (CVE) number. Only patches can be auto-mapped. Vulnerabilities requiring other types of remediation content must be manually mapped.
After assets and vulnerabilities are mapped, you can examine the Security Dashboard and the Operator Dashboard and then create a Remediation operation that corrects server vulnerabilities. That process is described in Using TrueSight Server Automation to remediate server issues detected in a vulnerability scan.
What do I need to get started?
- You must have a user ID that can access and use TrueSight Vulnerability Management.
- You must have the results of a vulnerability scan in an XML format that can be imported into TrueSight Vulnerability Management. If you have access to a vulnerability management system, such as Qualys, Nessus, or Rapid7, you can export the results to XML. For more information, see Importing scan files.
How to map vulnerability scan results
Using TrueSight Vulnerability Management, import a scan file exported from a vulnerability scanning product and automatically map assets in the scan to endpoints (that is, servers) managed in TrueSight Server Automation. Auto-mapping matches the IP address and domain name server (DNS) of assets in the vulnerability scan to servers managed by TrueSight Server Automation.
To check the status of the import, click Activity Status, in the menu bar at top right.
A window lists long running activities, such as scan imports, and shows their status. If the import is successful, its status says
For assets that remain unmapped after auto-mapping, you can perform a manual mapping procedure.
Select one or more assets that need mapping.
When you click Map, the asset(s) you selected appear on the Map Endpoint to Scanned Hosts page.
Specify a server managed in TrueSight Server Automation that should map to the selected asset(s).
Select an asset to map and then click the Endpoints tab.
Assets page shows name of mapped endpoint.
Display a list of vulnerabilities in the vulnerability scan. Then perform auto-mapping, which matches any vulnerabilities that can be corrected by patches with patches that already exist in TrueSight Server Automation patch catalogs.
For vulnerabilities that remain unmapped after auto-mapping, perform a manual mapping procedure. You can match vulnerabilities to any type of depot content that can be used for remediation, such as BLPackages, software packages, and NSH scripts.
Using the Search and Browse tabs, select a remediation package. After selecting a rule, click Save.
Click here to see a page with detailed instructions for using using search and browse capabilities.
Define rules that apply when you later deploy the remediation content to target servers. This capability is typically used to deploy one remediation content item to a certain type of target, such as Windows servers, and another type of remediation content to another type of target, such as Red Hat servers.
A message says that mapping has occurred. The Vulnerabilities page shows the remediation content that was selected and the remediation type, such as a BLPackage or Windows Hotfix. If you have a long list of vulnerabilities, use the Remediation Type filter and the Mapping Status filter (at the top of the page) to find the vulnerability you just mapped.
Repeat the same procedure to map additional vulnerabilities to remediation packages.
Wrapping it up
In this topic you used TrueSight Vulnerability Management to perform all the preliminary mapping necessary to remediate network vulnerabilities detected by an external vulnerability management system, such as Qualys, Nessus, or Rapid7.
Where to go from here
After all necessary mapping is complete, you can use the Security Dashboard and Operator Dashboard to analyze the vulnerabilities detected in a scan. Then you can use the Operator Dashboard to create a Remediation operation that corrects vulnerabilities in your server environment. Another use case describes that process.