Scan Import

The Scan Import page lets you import results of scans performed by vulnerability management systems such as Qualys, Nessus, or Rapid7. After you use one of those systems to scan for potential issues in your data center environment, you can export the results so they can be imported into TrueSight Vulnerability Management. The export must be in XML format.

When a vulnerability scan file is imported into TrueSight Vulnerability Management, assets that are included in the scan are automatically mapped to endpoints managed by the underlying endpoint manager.

The automatic mapping process depends on the endpoint manager:

For TrueSight Server Automation and SCCM—TrueSight Vulnerability Management matches the domain name server (DNS) and then the IP address of an asset in a vulnerability scan to an endpoint managed in TrueSight Server Automation or SCCM.
For TrueSight Network Automation—TrueSight Vulnerability Management matches the device address and then the IP address of an asset in a vulnerability scan to an endpoint with the same information managed in TrueSight Network Automation.

The presence of networking gear such as firewalls, load balancers, and proxies can cause mapping discrepancies. As a result, automatic mapping may not always correctly map all endpoints. For any assets that are not automatically mapped to the correct endpoints, use the Assets page to perform manual mapping.

This topic contains the following sections:

Note: The Address (CIDR Format) filter is available from version 3.0.01.

Export files

You can import two types of export files into TrueSight Vulnerability Management:

Scan Reports—An export file that collects information about assets (such as servers) and the vulnerabilities associated with those assets.
Asset Group Reports—A file that exports information about groupings of assets, such as server groups. You can optionally grant access to asset groups using the Asset Groups setting when configuring security groups. Click here for a full description of that process.

For more information about what constitutes a valid scan file to be imported, see Obtaining scan files eligible for import.

Compressed files

To improve upload times, you can optionally compress the scan files you are importing into TrueSight Vulnerability Management. The import process automatically extracts the contents of the compressed file.

If you choose to compress scan files, be aware that the compressed file can only contain a single scan file. You cannot include multiple scan files in the compressed file.

Obtaining scan files eligible for import

Only export files that meet certain requirements can be imported into TrueSight Vulnerability Management.

Rapid7 scan files

Scan files exported from Rapid7 must use the format called XML Export 2.0. For mapping to be successful during and after the import, ensure that the reference element under the vulnerability element is populated with CVE ID in the exported file, as shown in the following example:
<vulnerability …> <reference source="CVE">CVE-2014-3596</reference></vulnerability>

Qualys scan files

The following image shows how to generate a scan export using Qualys.

Scan exports created with Qualys must meet the following requirements:

The file must comply with the following DTD: https://qualysguard.qg2.apps.qualys.com/scan-1.dtd
The file cannot be based on report templates.
The file must be in XML format and the file ending must be .xml. Other formats for saving scan data are not supported.
For mapping to be successful during and after the import, ensure that cveid attribute of the VULN element is populated with CVE ID in the exported file, as shown in the following example:
<VULN number="122474" severity="3" cveid="CVE-2014-3560">

A sample scan export is attached to this page. Below you can see the first few lines of that file. Highlighted regions flag the XML version, the DTD, and the scan ID.

Nessus scan files

Scan exports created with Nessus must meet the following requirements:

The scan file can be based on different types of scans (such as OS or network scans) but at minimum it must include:
- Server name
- Server IP address
- Server operating system
- Associated plugin IDs (a plugin is a check for a vulnerability)
The file must be in XML format and the file ending must be .nessus. Other formats for saving scan data are not supported.
For mapping to be successful during and after the import, ensure that the <cve> element under the ReportItem element is populated with CVE ID in the exported file, as shown in the following example:
<ReportItem pluginID="70322" pluginName=”” …><cve>CVE-2013-5472</cve>

A sample scan export from Nessus is attached to this page. See Creating and importing a Nessus scan file for a description of how to create and download a Nessus scan file.

Asset group report files

Currently, only Qualys lets you generate asset group files, but you can manually create an asset group file using the format in the sample attached to this page.

The following image shows how to generate an asset group export using Qualys.

Importing a vulnerability management scan file

Use this procedure to import a vulnerability management scan file. Only scan files with certain characteristics are eligible for import.

You can import multiple scan files one after another. The Assets and Vulnerabilities pages show all data that you import, not just the results of the most recent import. When you import a scan file, asset and vulnerability information is added to any information already imported.

If you need to import the same scan file more than once:

For Qualys and Rapid7, scan files are identified by a unique <SCAN> tag within the XML file. If you are using those vulnerability management tools and you want to import the same scan file more than once, you can manually modify the value of the <SCAN> tag. BMC recommends you also change the name of each scan file to avoid confusion.
For Nessus, you must edit the existing .nessus file and provide a new name value for the <Report> tag. For example, in a tag such as <Report name="ProdAdmins_Linux" xmlns:cm="http://www.nessus.org/cm">, you would change name="ProdAdmins_Linux".

Before you begin

Before you start importing a scan file, consider the following:

If scan times for imported scan files do not include a time zone, they are assumed to be Greenwich Mean Time (GMT).
BMC recommends importing scan files larger than 400 MB from a local area network with a latency of less than 50 milliseconds. Imports of large scan files from remote networks may not succeed.
Scan import supports:
- Scan files up to 5 GB
- Total record counts up to 25 million
  A record is one asset with one vulnerability. For example, two assets with 10 vulnerabilities each equals 20 records.
  If subsequent scans include assets that are already scanned with vulnerabilities that are already found, those vulnerabilities do not increase the record count.
  To manage record counts, you can reduce the scope of a scan (for example, scanning only for vulnerabilities with severity 4 and 5) or remove unneeded devices from the scan, such as endpoints not managed with TrueSight.
If you are importing large scan files, you can improve performance by compressing the scan files, as described above.

To import a vulnerability management scan file

If you have not already displayed the Scan Import page, select TrueSight Vulnerability Management > Import.
For Select Vendor, choose the type of vulnerability management system data that you want to import.
For Scan Report, click Browse and navigate to a scan file exported from a vulnerability management system.
To make choices about the type of data you are importing, take the following steps:
1. For Operating System, select the operating system data that you want to import.
  Note
  
  If you are importing data for networking devices, be sure to select Other. Networking devices are not always associated with an operating system.
  If you are importing data for SuSE devices, be sure to select both Linux and Other.
2. For Severity, select the vulnerability severity levels you want to import.
  Qualys, Nessus, and Rapid7 use different scoring for severity levels. Qualys uses scores of 1-5. Nessus uses scores of 0-4. Rapid7 uses scores of 1-10. To maintain consistency, BMC increases the Nessus severity levels by one (so they become 1-5) and maps the ten Rapid7 severity levels to five levels.
3. For IP Address (CIDR Format), specify the IP addresses in the Classless Inter-Domain Routing (CIDR) format, for which you want to import data. From the scan file, data only for the servers that belong to the specified IP address range is imported. Default value of this option is 0.0.0.0/0, which imports data for all the assets from the scan file.
  You can specify the following values:
  - Single IP address (CIDR format). Example: 168.19.13.12/24
  - Comma-separated multiple IP addresses (CIDR format). Example: 168.19.13.12/24,10.25.24.12/12
  - A combination of the above formats: Example: 168.19.13.12/24, 168.19.13.12/32,10.25.24.12/12
Click Import Scan.
A confirmation message warns that large imports can require extended amounts of time. To check on their status, click Activity Status. After the import is complete, a message such as the one shown below confirms that the file was imported and tells how many assets were automatically mapped to endpoints.

After you import

When the import process is complete, ensure that the Vulnerabilities page shows the CVE ID for each vulnerability in the CVE column.

What if the CVE ID does not appear in the CVE column?

In a Nessus scan file exported from the scanner, ensure that the <cve> element under the ReportItem element is populated with CVE ID, as shown in the following example:
<ReportItem pluginID="70322" pluginName=”” …><cve>CVE-2013-5472</cve>
In a Qualys scan file file exported from the scanner, ensure that cveid attribute of the VULN element is populated with CVE ID, as shown in the following example:
<VULN number="122474" severity="3" cveid="CVE-2014-3560">
In a Rapid7 scan file exported from the scanner, ensure that the reference element under the vulnerability element is populated with CVE ID, as shown in the following example:
<vulnerability …> <reference source="CVE">CVE-2014-3596</reference></vulnerability>

Importing an assets group report file

Use this procedure to import an assets group report file, which contains information about asset groupings (such as server groupings). You can optionally grant access to asset groups using the Asset Groups setting when configuring security groups. Click here for a full description of that process.

If you import multiple asset group reports, only the information in the report most recently imported is used. Previously imported asset group reports are discarded.

When you import asset group files, they must have a specified format.

Do the following to import an assets group report file:

For Assets Group Report, click Browse and navigate to the scan file exported from a vulnerability management system.
Click Import Asset Group.

Deleting a scan file

The Scan Import page includes a table that lists all scan files imported into TrueSight Vulnerability Management.

You can use this table to delete scan files that were previously imported. When you delete a scan file, all associations between endpoints and vulnerabilities contained in that file are deleted unless the same association is also included in another scan file.

In the list of imported files at the bottom of the Scan Import page, find the file you want to delete.
If the list is long, filter entries using the text boxes at the top of each column. Enter any number of characters into a text box. As you enter characters, the list narrows to show only items with data in that column that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.
At right, for the file you want to remove, click Delete. You are prompted to confirm the deletion.
Deleting a scan file may launch a process that runs for a long time. To track its progress, use the Activity Status page.