Working with operations
This topic provides instructions on adding operations for remediating risks depending on the endpoint manager, TrueSight Server Automation or TrueSight Network Automation. Starting 21.02.01, TrueSight Automation Console also supports TrueSight Network Automation as an endpoint manager.
To understand the concept of operations, see Operations.
Adding a patch remediation operation
For the TrueSight Server Automation endpoint manager only.
On the Operations page, click Add Operation, and do these steps:
- Enter a unique operation name, and an optional description, and then click Next.
Operation name must always be unique (up to 150 characters) even if users with different roles are creating it.
- On the Patch Selections page, do these steps:
- Select a patch policy (policy having missing patches).
- To specify assets, do one of the following:
- Select associated groups (server groups or server smart groups imported from the policy).
- Select associated assets and then select individual assets.
- To specify reboot options for the assets, select one of the following options:
- Honor Patch Reboot Settings: Adheres to the reboot settings defined for the patch in the patch catalog
- Do Not Reboot: Does not reboot automatically after installing the required patches
- Reboot at the End: Reboots all assets after the patching process is complete
- To specify a schedule for the operation, select one of the following options:
- I will do it later: Change approval is not applicable and you skip to step 6.
- Set a schedule:
- Click the calendar icon in the Date and Time field, and specify the date and time.
- Select the hours or minutes in the Staging Before field to specify a staging and analysis window.
A staging window determines the time before which the patches and payload data must be downloaded on the assets before running the remediation operation. If you select 1 hour for staging, analysis starts an hour before the staging phase. Maximum limit is 999 hours.
- Execute now
- To configure change request creation and approval, select the following options:
The Change Approval Management page appears only if change automation is enabled in your environment.
Enable Create Change Ticket.
If already selected, continue to select values in other fields for creating a change request.
- ChangeTemplateName
- Urgency
- Impact
- ReasonforChange
- ChangeClass
- To configure notifications, select any of the following options:
- Send email to: Specify a comma-separated list of email addresses, and then select one or more of the following options:
- Select the status to send an email based on the operation status.
- Select Attach patch analysis results to the email, and then specify the email attachment size limit.
- Specify whether to send a list of assets where the operation failed.
- Send SNMP trap to: Specify the host name or IP address of the server to notify of the operation results, and then select one or more status options for which a notification should be sent.
- View the summary of options selected for the operation and save changes.
The operation runs according to the defined schedule. If a change request is created, the operation runs after the change is approved. If you want to update the schedule for an operation in BMC Remedy ITSM, update the Schedule Start Date or the Schedule End Date for the task and not the change request.
Adding a vulnerability remediation operation
On the Operations page, click Add Operation, and do these steps:
- Enter a unique operation name, and an optional description, and then click Next.
Operation name must always be unique (up to 150 characters) even if users with different roles are creating it.
- Select Vulnerability Selections and do these steps:
Enter a vulnerability name, asset host name or IP address, or a CVE ID, and click Search.
Assets with vulnerabilities that are mapped to remediation content are displayed and selected in the operation. You can either use basic search or Advanced Search to select vulnerabilities. Results from only the latest search are selected for the operation.
Click Advanced Search and choose one or more of the following options:
- Asset
- Managed Asset Tag
- CVE ID
- Operating System
- Risk Owner
- Risk Score
- Risk Tag
- Scan File
- Scanned Asset Tag
- Severity
- Vulnerability Name
Assets with vulnerabilities that match the search results are displayed and selected in the operation.
To view details about the vulnerabilities, expand the asset name. Vulnerability name, port, CVE IDs, severity, remediation, and the remediation type are displayed.
- To configure additional remediation options based on the remediation content, do these steps:
- If there are no configuration options, click Next.
- For a Patch type of operation, select one of the following options:
- Honor Patch Reboot Settings: Adheres to the reboot settings defined for the patch in the patch catalog
- Do Not Reboot: Does not reboot automatically after installing the required patches
- Reboot at the End: Reboots all assets after the patching process is complete
- To specify a schedule for the operation, select one of the following options:
- I will do it later: Change approval is not applicable and skip to step 6.
- Set a schedule: Click the calendar icon in the Date and Time field, and specify the date and time.
- Execute now
- To configure change request creation and approval, select the following options:
For the TrueSight Server Automation endpoint manager only.
The Change Approval Management page appears only if change automation is enabled in your environment.
Enable Create Change Ticket.
If already selected, continue to select values in other fields for creating a change request.
- ChangeTemplateName
- Urgency
- Impact
- ReasonforChange
- ChangeClass
- To configure notifications, select any of the following options:
- Send email to: Specify a comma-separated list of email addresses, and then select whether to send an email based on the operation status.
- Send SNMP trap to: Specify the host name or IP address of the server to notify of the operation results, and then select one or more status options for which a notification should be sent.
View the summary of options selected for the operation and save changes.
A parent operation is created, which creates child operations based on the remediation type. Depending on the remediation type, such as an NSH script, patch, or deploy type, separate jobs are created in TrueSight Server Automation. For example, if the vulnerabilities require only an NSH script and a deploy job, two separate jobs are created in TrueSight Server Automation and two operations are displayed under the parent operation on the Operations page.
If change approval is configured, after a change request is created, the change request ID appears on the Operations page for all types of operations. Click the ID to view the status and other details.
If you want to update the schedule for an operation in BMC Remedy ITSM, update the Schedule Start Date or the Schedule End Date for the task and not the change request.
Consult the following table to understand the correlation between the change request status and the operation status and the impact on the vulnerabilities and assets state.

| Change request status | Operation status | Vulnerabilities and assets state |
| --- | --- | --- |
| Not applicable yet | Awaiting attention | Awaiting attention |
| New | Awaiting approval | Awaiting approval |
| Ready to Execute | Awaiting execution; Success (After the operation completes successfully) | Awaiting execution; Closed (After the operation completes successfully) |
| Ready to execute | Cancelled due to schedule timeout | Awaiting attention |
| Cancelled | Cancelled due to approval rejection | Awaiting attention |
Adding a compliance remediation operation
For the TrueSight Server Automation endpoint manager only.
On the Operations page, click Add Operation, and do these steps:
- Enter a unique operation name, and an optional description, and then click Next.
Operation name must always be unique (up to 150 characters) even if users with different roles are creating it.
- On the Compliance Selections page, do these steps:
- Select a compliance scan policy.
Non-compliant assets are displayed.
- To specify a schedule for the operation, select one of the following options:
- I will do it later: Change approval is not applicable and skip to step 5.
- Set a schedule: Click the calendar icon in the Date and Time field, and specify the date and time.
- Execute now
- To configure change request creation and approval, select the following options:
The Change Approval Management page appears only if change automation is enabled in your environment.
Enable Create Change Ticket.
If already selected, continue to select values in other fields for creating a change request.
- ChangeTemplateName
- Urgency
- Impact
- ReasonforChange
- ChangeClass
- To configure notifications, select any of the following options:
- Send email to: Specify a comma-separated list of email addresses, and then select whether to send an email based on the operation status.
- Send SNMP trap to: Specify the host name or IP address of the server to notify of the operation results, and then select one or more status options for which a notification should be sent.
- View the summary of options selected for the operation and save changes.
To view details of an operation, click Actions > View and the operation summary page is displayed.
The operation runs according to the defined schedule. If change approval is configured, after a change request is created, the change request ID appears on the Operations page. Click the ID to view the status and other details. If you want to update the schedule for an operation in BMC Remedy ITSM, update the Schedule Start Date or the Schedule End Date for the task and not the change request.
Consult the following table to understand the correlation between the change request status and the operation status and the impact on the vulnerabilities and assets state.

| Change request status | Operation status | Vulnerabilities and assets state |
| --- | --- | --- |
| Not applicable yet | Awaiting attention | Awaiting attention |
| New | Awaiting approval | Awaiting approval |
| Ready to Execute | Awaiting execution; Success (After the operation completes successfully) | Awaiting execution; Closed (After the operation completes successfully) |
| Ready to execute | Cancelled due to schedule timeout | Awaiting attention |
| Cancelled | Cancelled due to approval rejection | Awaiting attention |
Adding an adhoc operation
For the TrueSight Server Automation endpoint manager only.
NEW IN 21.02.01
On the Operations page, click Add Operation, and do these steps:
- Enter a unique operation name, and an optional description, and then click Next.
Operation name must always be unique (up to 150 characters) even if users with different roles are creating it.
- Select Adhoc Job Selections, and do the following:
- From the Job Type list, select one of these job types: NSH Script, Deploy, or Batch
- In the Select Job Name field, click Browse and select the required job name.
- In the Save Job In field, click Browse and select the path where you want to save the job, which triggers the selected job in TrueSight Server Automation.
- (Optional) From the Assets list, select the assets and/or asset groups where you want to run the job. You can use the advanced search to quickly locate the required assets. By default, the Assets table displays the assets and asset groups that are associated with the selected job.
- Click Next.
To configure the script parameters, do the following:
- NSH Script Job: Click the icon corresponding to the parameter that you want to configure, and specify a value for the parameter. Similarly, configure other parameters.
- Deploy Job: Click the icon corresponding to the parameter that you want to configure, and specify a value for the parameter. Similarly, configure other parameters.
The Reboot Option list displays the reboot option configured for the existing TrueSight Server Automation job and changing this option is not supported.
- Batch Job: Not applicable
If there are many parameters, use the scroll bar to quickly navigate through the parameter list.
- To specify a schedule for the operation, select one of the following options:
- I will do it later: Change approval is not applicable and skip to step 5.
- Set a schedule: Click the calendar icon in the Date and Time field, and specify the date and time.
- Execute now
- To configure change request creation and approval, select the following options:
The Change Approval Management page appears only if change automation is enabled in your environment.
Enable Create Change Ticket.
If already selected, continue to select values in other fields for creating a change request.
- ChangeTemplateName
- Urgency
- Impact
- ReasonforChange
- ChangeClass
- To configure notifications, select any of the following options:
- Send email to: Specify a comma-separated list of email addresses, and then select whether to send an email based on the operation status.
- Send SNMP trap to: Specify the host name or IP address of the server to notify of the operation results, and then select one or more status options for which a notification should be sent.
- Review the summary of options selected for the operation, and save the changes.
To view details of an operation, click Actions > View and the operation summary page is displayed.
The operation runs according to the defined schedule. If the change approval is configured, the change request ID appears on the Operations page after a change request is created. Click the ID to view the status and other details. If you want to update the schedule for an operation in BMC Remedy ITSM, update the Schedule Start Date or the Schedule End Date for the task and not the change request.
Consult the following table to understand the correlation between the change request status and the operation status and the impact on the vulnerabilities and assets state.

| Change request status | Operation status | Vulnerabilities and assets state |
| --- | --- | --- |
| Not applicable yet | Awaiting attention | Awaiting attention |
| New | Awaiting approval | Awaiting approval |
| Ready to Execute | Awaiting execution; Success (After the operation completes successfully) | Awaiting execution; Closed (After the operation completes successfully) |
| Ready to execute | Cancelled due to schedule timeout | Awaiting attention |
| Cancelled | Cancelled due to approval rejection | Awaiting attention |
Viewing operation results
On the Operations page, do the following:
- Click the operation name.
The Operation Run Results page shows the following details:
- Date, time, and duration of the operation
- Date, time, and status of the policy scan conducted as part of the operation (for a patch operation only)
- Date, time, and status of the operation (for a vulnerability and a compliance operation)
- Total number of assets on which the operation is performed, and their status
- List of assets and the number of patches installed or missing on them (for a patch operation only)
- To view the list of patches installed for each asset, click the asset name (for a patch operation only).
The patch name and the status are displayed. You can view the patch severity for each patch.
- To view detailed logs for an operation, click logs.
For a patch operation, remediation and post-analysis logs are displayed. Detailed log messages with a timeline are displayed for each asset.
To search for an operation, enter the operation name in the search box. The relevant results are displayed.
For a Batch job operation, note the following: NEW IN 21.02.01
- You can drill down to view the additional details of NSH Script and Deploy type of member jobs. Drill down is not available for other member job types, such as Snapshot, Update Server Properties, and File Deploy.
- A Batch job operation can also contain other Batch jobs as member jobs. However, only the logs are displayed for these child Batch jobs.
- The details of a Batch job operation run include only the member job logs.
Editing a patch remediation operation
For the TrueSight Server Automation endpoint manager only.
On the Operations page, do the following:
- Click the edit action corresponding to the operation that you want to update.
Edit the following configurations:
- Description
- Assets in patch deployment
- Reboot options
- Operation schedule
- Notifications
For the configuration details, see Adding a patch remediation operation.
- To update the change approval management details, do the following:
- On the Connectors page, edit the TrueSight Orchestrator Connector configuration.
- For editing operations, specify whether you want to create a new change ticket for approved operations.
- Do one of the following:
- Enable Create a New Change Ticket on operation edit to enforce change during the operation edit.
This option is enabled by default. With this configuration, Automation Console cancels any existing change ticket and creates a new one.
- Disable Create a New Change Ticket on operation edit to use the existing change ticket or create a new one.
For any non-approved change ticket, Automation Console always cancels the existing change ticket and creates a new one. When the change approval is not mandatory, you can skip the approval and cancel any existing change ticket.
Based on these settings, the following are the possible combinations in which a user can mandate change ticket creation during operation create, edit, or both, and the change ticket options (Create a New, Use Existing, Skip Approval) that are available on the Change Approval Management page while editing the patch remediation operation.

| Make Change approval mandatory | Create a new ticket on operation edit | Operation Status is Awaiting Approval? | 'Create a New' option available | 'Use Existing' option available | 'Skip Approval' option available |
| --- | --- | --- | --- | --- | --- |
| Yes | Yes | Yes | Yes | No | No |
| Yes | No | Yes | Yes | No | No |
| No | Yes | Yes | Yes | No | Yes |
| No | No | Yes | Yes | No | Yes |
| Yes | Yes | No | Yes | No | No |
| Yes | No | No | Yes | Yes | No |
| No | Yes | No | Yes | No | Yes |
| No | No | No | Yes | Yes | Yes |

- The Use Existing change ticket option is available when editing an operation only if the operation is in the Awaiting execution state, that is, the ticket is approved and the operation is waiting for its execution. Messages are displayed on this page when you select these options; for example, the Use Existing option does not update any change details in ITSM, only in the TSSA job.
- Save the changes.
Removing an operation
Any patch, vulnerability, or compliance operation can only be run once. You may want to remove operations periodically to ensure that your application does not contain irrelevant data.
When you remove a vulnerability remediation parent operation, its child operations are also removed.
On the Operations page, do the following:
- To delete a parent operation, click Action > Remove.
OR
To delete a child operation only, expand the parent operation and click Action > Remove.
- Click Continue.