Operator Dashboard

The Operator Dashboard helps operations personnel identify and prioritize vulnerabilities that require attention. After performing this type of analysis, operators can launch remediation operations from this page.

To display the Operator Dashboard, select TrueSight Vulnerability Management > Operator Dashboard.


Overview

The Operator Dashboard helps you identify vulnerabilities requiring remediation. It provides filters that let you screen information based on many criteria, including a vulnerability's service level agreement (SLA) status (within, approaching, or exceeding) and operational status (awaiting attention or in progress). Using filters, you can quickly identify vulnerabilities that require attention. For example, you can show vulnerabilities of severity 4 or 5 that have exceeded the SLA and are not yet in progress. Or, you can show vulnerabilities of severity 4 or 5 found on assets that have been tagged with a particular business unit value, such as Payroll. When you have filtered information down to a set of critical vulnerabilities, you can launch remediation actions for those vulnerabilities.


Notes

For the Operator Dashboard to show data, you must first:

  • Import one or more scan files
  • Map endpoints to assets included in scan files
  • (Applicable only for version 3.0) Ensure that vulnerabilities have not been excluded from consideration.

  • NEW IN 3.0.01 Ensure that exceptions have not been applied to vulnerabilities in a way that excludes them from the vulnerability counts shown in the dashboard. For example, if an exception for a vulnerability was added or imported with all assets selected for exclusion, the exception applies to every asset affected by that vulnerability, and the vulnerability is excluded from the counts (explained in the sections that follow).
    Also, if an exception for an asset was imported with all vulnerabilities selected for exclusion, the exception applies to every vulnerability affecting that asset, and the asset is excluded from the counts (explained in the sections that follow).

Specifying the range of vulnerability data  

By default, the charts in the Operator Dashboard show all vulnerability information that was generated and imported into TrueSight Vulnerability Management within the last 90 days. Rather than use that time frame, you can display vulnerability information for:

  • A set period of time—From Scan Data, select 90, 45, or 30 days.
  • The oldest date included in selected scan reports—From Scan Data, select the name of one or more reports. If you want information for all reports, click Select All. The date range extends to the oldest scan data that was imported.

When you select an option from Scan Data, the dashboard automatically updates to show the information you have selected.

Showing vulnerability information by security group

If you belong to more than one security group, use the Security Group drop-down list at top to show vulnerability information for that group. If you belong to one security group only, this option is not enabled.

Mapped, unmapped, and unscanned assets and vulnerabilities

At the top of the Operator Dashboard, you see statistics showing mapped, unmapped, and unscanned assets and mapped and unmapped vulnerabilities. Unscanned data is only available if you have set up a connection to BMC Discovery, and that capability is currently only available if you are connected to TrueSight Server Automation. If you have not established a connection to BMC Discovery, "Unscanned" does not appear.

The statistics at top left provide information about:

  • Mapped assets—How many assets detected in scans are mapped.
    NEW IN 3.0.01 If you use exceptions to exclude assets and vulnerabilities from remediation, and an exception for an asset was imported with all vulnerabilities selected for exclusion, the exception applies to every vulnerability affecting that asset, and the asset is excluded from this count. For example, if you specified All vulnerabilities for an asset in the import file, the asset count decreases by 1.
  • Unmapped assets—How many assets detected in scans are not mapped.
    NEW IN 3.0.01 If you use exceptions to exclude assets and vulnerabilities from remediation, and an exception for an asset was imported with all vulnerabilities selected for exclusion, the exception applies to every vulnerability affecting that asset, and the asset is excluded from this count. For example, if you specified All vulnerabilities for an asset in the import file, the asset count decreases by 1.
  • Unscanned assets—TrueSight Server Automation only: How many servers have been detected using BMC Discovery but are not included in any scan files. Unscanned assets are essentially blind spots for security and operations personnel concerned with the overall integrity of a server environment. You can export a list of unscanned assets, so that list can be used to add assets to scan files in the future.
  • Mapped vulnerabilities—How many vulnerabilities detected in scans are mapped to remediation content.
    NEW IN 3.0.01 If you use exceptions to exclude assets and vulnerabilities from remediation, and an exception for a vulnerability was added or imported with all assets selected for exclusion, the exception applies to every asset affected by that vulnerability, and the vulnerability is excluded from this count. For example, if you specified All assets for a vulnerability, the vulnerability count decreases by 1.
  • Unmapped vulnerabilities—How many vulnerabilities detected in scans are not mapped to remediation content.
    NEW IN 3.0.01 If you use exceptions to exclude assets and vulnerabilities from remediation, and an exception for a vulnerability was added or imported with all assets selected for exclusion, the exception applies to every asset affected by that vulnerability, and the vulnerability is excluded from this count. For example, if you specified All assets for a vulnerability, the vulnerability count decreases by 1.

Vulnerabilities by Age (Status) chart

The Vulnerabilities by Age (Status) chart shows the status and number of open vulnerabilities by age. The X axis measures age, the Y axis counts the number of open vulnerabilities. Color indicates vulnerability SLA status (red for exceeding, yellow for approaching, green for within SLAs). Filters such as SLA Status and Severity let you limit the information displayed to vulnerabilities you need to address. Using all of this information, you can spot problematic vulnerabilities at a glance. For example, on a particular date there might be 50 red vulnerabilities, meaning they have exceeded the SLA.

NEW IN 3.0.01 If you use exceptions to exclude assets and vulnerabilities from remediation, and an exception for a vulnerability was added or imported with all assets selected for exclusion, the exception applies to every asset affected by that vulnerability, and the vulnerability is excluded from this count. For example, if you specified All assets for a vulnerability, the vulnerability count decreases by 1. If only selected targets or tags are considered, the count remains unchanged.

After you have finished filtering information on the dashboard, the Actionable Vulnerabilities list at bottom shows the vulnerabilities that match your filtering criteria. These are the vulnerabilities you may want to remediate. 

Note

Dashboard statistics may not show the most recent vulnerability status, depending on how often data from the endpoint manager is updated using the Data Refresh capability.

Unmapped Vulnerability Count by SLA Status chart

The Unmapped Vulnerability Count by SLA Status pie chart shows vulnerabilities that have not been mapped. Using this information, you can quickly see that some vulnerabilities may be reaching a critical status (approaching or exceeding SLAs) but cannot be fixed right away because they are unmapped.

NEW IN 3.0.01 If you use exceptions to exclude assets and vulnerabilities from remediation, and an exception for a vulnerability was added or imported with all assets selected for exclusion, the exception applies to every asset affected by that vulnerability, and the vulnerability is excluded from this count. For example, if you specified All assets for exclusion for a vulnerability, the vulnerability count decreases by 1. If only selected targets or tags are considered, the count remains unchanged.

Hover your cursor over each wedge of the pie chart to determine the severity of vulnerabilities represented by that wedge.


 


Filtering vulnerability information

Using the filters at top, you can limit the amount of information that the Operator Dashboard shows. All charts, counts, graphs, and the contents of the Actionable Vulnerabilities list update dynamically based on your filtering choices. Filtering is particularly useful if you plan to launch remediation actions for the vulnerabilities listed on this page.

By default, the Operator Dashboard uses the same filters last set in the Security Dashboard. This allows users of the Security Dashboard to refine their view of vulnerabilities. Then, operators can open the Operator Dashboard to display the same set of vulnerabilities immediately. In addition, settings for the Tags filter persist when you move between the Operator Dashboard, the Security Dashboard, and the Assets page.

To filter data, select any of the following options:

  • BULLETIN ID—SCCM only: Shows information for specific vulnerabilities, as identified by Microsoft bulletin ID.
  • CVE—TrueSight Server Automation and TrueSight Network Automation only: Shows information for specific vulnerabilities, as identified by common vulnerability and exposure (CVE) number.
  • Device collections—SCCM only: Shows information about selected device collections, which are groupings of devices. You can choose from all the device collections accessible to your Active Directory group.

  • Device type—TrueSight Network Automation only: Shows information about selected network devices.
  • O/S—TrueSight Server Automation only: Shows information about selected operating systems. 

  • Server Group—TrueSight Server Automation only: Shows information about vulnerabilities detected for a selected BladeLogic server group. Because you can select smart groups, this filtering option can be very useful for limiting the information displayed.

  • Severity—Shows information about vulnerabilities with a specific severity.

  • SLA—Shows the SLA status of vulnerabilities: within, approaching or exceeding SLAs. 

  • Software Instance—Shows information about servers that include the types of software you specify.

    Note

    To enable the Software Instance filter, you must set up a connection to BMC Discovery.

  • Status—Shows vulnerabilities that are in progress or awaiting attention. A vulnerability in progress can be awaiting approval or execution. Any vulnerability not in progress is awaiting attention.
  • Tags—Shows the tags that are present in the system when you click the drop-down arrow. These tags are associated either with assets only or with a combination of vulnerabilities and assets (also called vulnerability-asset tags).

    • When you select a tag that is associated only with assets, the following statistics change on the dashboard:
      • Only the vulnerabilities that are affecting the assets associated with the selected tags are shown.
      • Only the assets that are associated with the selected tags are shown.
    • NEW IN 3.0.01 When you select a tag that is associated with both vulnerabilities and assets, the following statistics change on the dashboard:
      • Only the vulnerabilities that are part of the vulnerability and asset combination on which selected tags are created are shown.
      • Only the assets that are part of the vulnerability and asset combination on which selected tags are created are shown.

To apply filtering choices

After making filtering choices, click Apply Filters to activate your selections. 

Actionable Vulnerabilities

The Actionable Vulnerabilities list shows mapped vulnerabilities that are discovered on mapped assets. The mapped vulnerabilities must occur within the specified time frame and match your filtering criteria. 

NEW IN 3.0.01 If you use exceptions to exclude assets and vulnerabilities from remediation, and an exception for a vulnerability was added or imported with all assets selected for exclusion, the exception applies to every asset affected by that vulnerability, and the vulnerability does not appear in this list. For example, if you specified All assets for a vulnerability, that vulnerability does not appear in this list. If only selected targets or tags are considered, the list remains unchanged.

In addition, if an exception for an asset was imported with all vulnerabilities selected for exclusion, the exception applies to every vulnerability affecting that asset, and the row containing that asset does not appear in this list. If only selected vulnerabilities are considered, the list remains unchanged. For example, if you specified All vulnerabilities for an asset in the import file, the asset count decreases by 1. If only selected vulnerabilities are considered, the count remains unchanged.

Each item in the list is a mapped vulnerability that occurs on a mapped asset. If the same vulnerability exists on an asset for different ports, the vulnerability can appear multiple times on the Actionable Vulnerabilities list, once for each port.

After generating a list of actionable vulnerabilities, click Remediate to launch the Remediation operation wizard.

Showing tags as columns

You can choose to display tags as columns in the Actionable Vulnerabilities list. A tag value appears in a row of the column if the associated asset has that tag value. After displaying a tag column, you can sort the values listed in the column. By displaying tags, you can quickly identify the actionable vulnerabilities associated with a particular category of information, such as an asset owner or an application type.

To display tags as columns, click Display Columns and then select the tags you want to display. A count of selected tags appears in the header of the Display Columns option. You can hover over that count to see a list of the selected tags, as shown below.

To remove a tag column from the Actionable Vulnerabilities list, clear that selection in the Display Columns option.

Launching the Remediation operation wizard

Click Remediate to open the Remediation operation wizard, which allows you to select the assets to be modified and schedule remediation operations.

For more information on using the Remediation operation wizard, see:

Why isn't the Remediate button enabled?

The Remediate button is only enabled when a set of conditions is satisfied, as illustrated in the following flowchart.

[Flowchart: conditions that enable the Remediate button]

If you answer yes to all the questions in the flowchart and the Remediate button is still not enabled, contact BMC Support.

How exceptions affect the Operator Dashboard

NEW IN 3.0.01 This section explains how exceptions change the statistics on the Operator Dashboard.

Exception for a vulnerability on all assets

Whenever you apply an exception for a particular vulnerability to all assets, the vulnerability count changes on the Operator Dashboard depending on the status of the exception. For example, in the following figure, the number of Mapped vulnerabilities is 4. At this stage, no exception has been applied to assets that are affected by these vulnerabilities.

Now, you add an exception for the Microsoft Font Driver Remote Code Driver Execution vulnerability, which is applied to all the assets. After you apply the exception for that vulnerability, the vulnerability count decreases by 1 and the vulnerability no longer appears in the list of Actionable Vulnerabilities. For example, in the following figure, the number of Mapped vulnerabilities is 3. Similarly, the vulnerability count changes in other sections of the dashboard.

Exception on an asset for all vulnerabilities

Whenever you import an exception for a particular asset for all vulnerabilities, the asset count changes on the Operator Dashboard depending on the status of the exception. For example, in the following figure, the number of Mapped assets is 5 and the number of rows in the Actionable Vulnerabilities section is 20. At this stage, no exception has been applied on the assets that are affected by vulnerabilities.

Now, you import an exception on the asset clm-aus-008436 for All vulnerabilities that are affecting these assets. After you apply the exception on this asset, the asset count decreases by 1 and the rows containing this asset no longer appear in the list of Actionable Vulnerabilities. For example, in the following figure, the number of Mapped assets is 4 and the number of rows in the Actionable Vulnerabilities section is 16.

Exporting data

You can export the current contents of the Operator Dashboard. Data is exported in a comma-separated value (CSV) format and stored in a ZIP file. After exporting, you can open the file in a spreadsheet and then manipulate the data in any way you want.

If you have set up a connection to BMC Discovery, two exports are generated: one export shows vulnerability asset information and the other shows data about unscanned assets. If you have not set up a connection to BMC Discovery, only the vulnerability asset information is exported.

If you filter data by software instance, a vulnerability asset export shows the applicable software instances per server. If you do not filter by software instance but a connection to BMC Discovery is enabled, the export lists all software instances that are discovered. 

If you have imported tag data, the export file includes a column for each tag. NEW IN 3.0.01 If an exception has been created for a vulnerability, the file includes an extra column, Active Exception. The values in this column are YES or NO, depending on whether an exception has been applied.

Large exports are broken into multiple files within the ZIP file. Each file contains 40,000 to 50,000 rows.

When you export the Operator Dashboard, the VAT Status column in the exported file displays one of the following states:

  • IMPORTED: The vulnerability is imported into the system. No action has been taken so far on this vulnerability.
  • TARGET_MAPPED: The vulnerability is imported into the system and assets on which it is reported are mapped to targets.
  • OPERATION_CREATED: A remediation operation has been created in the system for that vulnerability.
  • AWAITING_APPROVAL: A remediation operation has been created for the vulnerability, but the operation is still pending approval. These statistics are not applicable for TrueSight Network Automation or SCCM.
  • AWAITING_EXECUTION: A remediation operation has been created for the vulnerability and the approval has been received (if approval was configured when the operation was created); however, the operation is still waiting for execution on the server.
  • REMEDIATION_RUNNING: Remediation operation is in progress for the vulnerability. 
  • CLOSED: Assets affected by the vulnerability are remediated.
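
As an added example (not BMC code), the following Python script merges the CSV parts of an export ZIP, tallies rows by VAT Status, and collects rows whose Active Exception value is YES so that findings hidden from the dashboard counts can be reviewed. Only the VAT Status and Active Exception column names and the status values come from this page; the file names, the Asset and Vulnerability columns, and the sample rows are constructed, and skipping CSVs without a VAT Status column is an assumption for archives that also carry other data.

```python
import csv
import io
import zipfile
from collections import Counter

# VAT Status values listed on this page.
VAT_STATES = {"IMPORTED", "TARGET_MAPPED", "OPERATION_CREATED", "AWAITING_APPROVAL",
              "AWAITING_EXECUTION", "REMEDIATION_RUNNING", "CLOSED"}


def read_export(zip_bytes):
    """Merge all CSV parts of an export ZIP into one list of row dicts."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not name.lower().endswith(".csv"):
                continue
            with zf.open(name) as raw:
                text = io.TextIOWrapper(raw, encoding="utf-8-sig", newline="")
                reader = csv.DictReader(text)
                # Assumption: a CSV without a VAT Status column is not
                # vulnerability-asset data, so it is skipped.
                if "VAT Status" in (reader.fieldnames or []):
                    rows.extend(reader)
    return rows


def summarize(rows):
    """Return (count per VAT Status, rows with an active exception, rows with an unknown status)."""
    counts, excepted, unknown = Counter(), [], []
    for row in rows:
        status = (row.get("VAT Status") or "").strip().upper()
        if status in VAT_STATES:
            counts[status] += 1
        else:
            unknown.append(row)
        # The Active Exception column exists only if an exception was created.
        if (row.get("Active Exception") or "").strip().upper() == "YES":
            excepted.append(row)
    return counts, excepted, unknown


def build_sample_zip():
    """Constructed sample: two data parts plus one CSV without a VAT Status column."""
    header = "Asset,Vulnerability,VAT Status,Active Exception\n"
    parts = {
        "part_1.csv": header + "srv-a.example,Sample vuln A,IMPORTED,NO\n"
                               "srv-b.example,Sample vuln A,AWAITING_APPROVAL,NO\n"
                               "srv-c.example,Sample vuln B,TARGET_MAPPED,YES\n",
        "part_2.csv": header + "srv-d.example,Sample vuln B,CLOSED,NO\n"
                               "srv-e.example,Sample vuln C,imported,yes\n",
        "unscanned.csv": "Asset\nsrv-z.example\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    counts, excepted, unknown = summarize(read_export(build_sample_zip()))
    print(dict(counts), [r["Asset"] for r in excepted], len(unknown))
```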

To export the contents of the dashboard

Click Export, at top right. Using your browser, you can open the file or save it locally. 
