Documentation update To provide a better user experience, we have now created a separate documentation space for BMC Helix Automation Console (previously called BMC Helix Vulnerability Management). Users of BMC Helix Automation Console can find the latest documentation at BMC Helix Automation Console..

Working with risks

This topic provides instructions on viewing risks, exporting risks data to a CSV file, and mapping and unmapping vulnerabilities to the remediation content depending on your endpoint manager. For TrueSight Server Automation, you can view a list of missing patches, vulnerabilities, and compliance violations. For TrueSight Network Automation, you can view the vulnerabilities.

To learn more about missing patches, vulnerability mapping process, and compliance violations see Risks.

Viewing and exporting unique missing patches

For TrueSight Server Automation onlyOn the Risks > Missing Patches page, view the list of missing patches.

  • The Missing Patches page contains the following information for each unique missing patch:
    • Missing patch name
    • Impacted Assets
    • Patch Age, in days
    • Severity
    • Classification
    • CVE IDs: CVE Identification numbers specified in the patch catalog.
      Patch Age, Severity, and CVE IDs are provided by the patch vendor. 
  • You can either search by patch name, classification, and CVE ID (basic search) or by severity, SLA, asset, operating system, CVE IDs, risk owner, risk score, risk tag, classification, and patch age (advanced search). 
    Click Clear Filters to view unfiltered data. 
  • To view the list of impacted assets for a unique missing patch, do the following:
    1. Click the link for a patch in the Impacted Assets column.
      The Managed Assets page shows the host name, IP address, operating system, and the total number of unique missing patches for each asset.
    2. Click Clear Filters to view all assets and unique missing patches in your environment.
  • To view more information about a patch, expand the patch.
    • Asset Name
    • Operating System
    • Risk Owner
    • Risk Score
    • SLA

Exporting missing patches

On the Risks > Missing Patches page, do the following:

  1. Click Export and select any of these options from the list:
    • Open Missing Patches
    • Closed Missing Patches
  2. Enter a file name.
    By default, the CSV report file name is Patching_Report_<dd-mm-yy>_<time>
  3. Click Export.
    The file is saved in a zipped folder.

If you filter data using the advanced search options and then export, filtered data appears in the CSV file.  

Viewing and exporting vulnerabilities

On the Risks > Vulnerabilities page, view the list of vulnerabilities.

  • The Vulnerabilities page contains the following information for each unique vulnerability:
    • Vulnerability Name
    • CVE IDs
    • Severity
    • Status (Mapped, Automapped, or Unmapped)
    • Remediation: To view the remediation content, remediation type, and other details, click the link.
    • Impacted Assets: To view the list of impacted assets by that vulnerability, click the link.

  • You can either search by vulnerability name and CVE ID (basic search) or by using 'Advanced filters' for Asset, Asset Tag, CVE ID, Operating System, Risk Owner, Risk Score, Risk Tag, Scan File, Severity, SLA, Status or Vulnerability Name.

    Note

    When you select the Operating System filter, the list of operating systems is populated depending upon the imported scan file. 

    Click Clear Filters to view unfiltered data.

  • To view the list of impacted assets for a vulnerability, do the following:
    1. Click the link in the Impacted Assets column.
      The Scanned Assets page shows the asset name, IP address, mapping status, scan file source, and operating system that are impacted by the vulnerability.
    2. Click Clear Filters to view all assets and the number of vulnerabilities impacting those assets.
  • To view more information about a vulnerability, expand the vulnerability.
    • Asset Name
    • Operating System
    • Risk Owner
    • Risk Score
    • SLA
    • Remediation content (type)

Viewing details of a vulnerability

Click the vulnerability name to view its details. The vulnerability panel displays more information, including its severity level, CVEs that are included, description, notes, links to the related vendor (such as Microsoft), and links to the patches that can be deployed to fix the vulnerability.

For example, the following image shows the details of an SSL/TLS Server that shows the TLSv1.0:443 vulnerability.

view notes.PNG

Viewing details of a remediation

After a vulnerability has been mapped to the remediation content, you can view the remediation details such as the content type (BLPackage, Patch, NSH Script, Rule, and so on), catalog name, patch name, the path to the file, and any target rules that are defined for deploying the package. If an entry provides information for multiple remediation options, the panel lists the information for each remediation content.

To view details of remediation, click the remediation link in the Remediation column against the mapped vulnerabilities.

The remediation panel shows the following details: 

  • Remediation type and path where the remediation content is available
  • Catalog names
  • CVE IDs
  • Target scope that includes these OS details: Type, vendor, version, and architecture

remediation_details.png

Remediating vulnerabilities

On the Risks page, you can create operations for the vulnerabilities that can be remediated.

remediate_risks.JPG

To create a remediation operation, do the following:

  1. Navigate to the Risks > Vulnerabilities page.
  2. Click Remediate. You are directed to the Create Operation page. 
  3. Create an operation. For details, see Working-with-operations.

The filters that are configured on the Risks page are applied while creating an operation.

Adding and viewing notes for vulnerabilities

You can add more information about a vulnerability as notes. You can use these notes to categorize and filter vulnerabilities according to your requirements.

On the Risks > Vulnerabilities page, do the following:

  1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by severity level so you can map vulnerabilities with the highest severity first.
  2. From Actions, select Update Notes for the vulnerability.
  3. Click Update Notes.
  4. In the Notes field, add the note content and click Save.
  5. Click the vulnerability name to view the notes.

Exporting vulnerabilities

On the Risks > Vulnerabilities page, do the following:

  1. Click Export 
  2. Enter a file name.
    By default, the CSV report file name is Vulnerability_Report_<dd-mm-yy>_<time>.
  3. Click Export.
    The file is saved in a zipped folder.
  4. Columns to be exported in CSV file : Vulnerability Name, CVE IDs, Severity, Status, Violation Age, Impacted Assets, Notes.

    export notes.PNG

Exporting vulnerabilities instances

On the Risks > Vulnerabilities page, do the following:

    1. Click Export and select any of these options from the list;
    • Open Vulnerabilities
    • Closed Vulnerabilities
    • (For TrueSight Server Automation only) Vulnerabilities included in exceptions
  2. Enter a file name.
    By default, the CSV report file name is Vulnerability_Report_<dd-mm-yy>_<time>.
  3. Click Export.
    The file is saved in a zipped folder.

If you filter data using the advanced search options and then export, filtered data appears in the CSV file. If the Status filter option is used in the advanced search, it doesn't consider the vulnerability status data while exporting to the CSV file.

Mapping and unmapping vulnerabilities

Use the instructions in the following sections to map and unmap vulnerabilities.

Auto-mapping new vulnerabilities

If Automation Console is not able to auto-map vulnerabilities during import, you can attempt to auto-map the unmapped vulnerabilities to remediation content.

To auto-map content, patch catalogs must be imported and assets must be mapped to endpoints in the TrueSight Server Automation endpoint manager.

On the Risks > Vulnerabilities page, do the following:

  1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by severity level so you can map vulnerabilities with the highest severity first.
  2. Click Automap New on the top of the page. All the unmapped vulnerabilities are checked against the content in the imported catalogs and the matching vulnerabilities are mapped to the content. Vulnerabilities that are auto-mapped are marked as Mapped in the Status column.
    (Only for TrueSight Server Automation endpoint manager) The assets with a vulnerability are mapped with one or more matching patches of the same catalog.

Important

In releases earlier to 21.3, a single patch (remediation content) is mapped to a vulnerability and asset combination even though multiple patches from patch catalogs matched the vulnerability. If a vulnerability is already mapped to a single patch before 21.3, upgrading TrueSight Automation Console to 21.3 does not automatically map the other matching patches from the patch catalog to the vulnerability. The existing mapping of single patch is not affected.

Example scenario:

Patch 1 is already auto-mapped with asset A1 to remediate vulnerability V1. Patches 2 and 3 from the same patch catalog also match vulnerability V1. However, after you upgrade to TrueSight Automation Console 21.3, patches 2 and 3 are not auto-mapped with asset A1. To map these patches with asset A1, do one of the following:

  • Unmap the vulnerability and map it again using the Automap New option.
  • Delete the scan file and import it again. For details, see Working-with-scans.

Manually mapping vulnerabilities

If some vulnerabilities remain unmapped during import or during auto-mapping of new vulnerabilities, you can perform a manual mapping procedure.

On the Risks > Vulnerabilities page, do the following:

  1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by severity level so you can map vulnerabilities with the highest severity first.
  2. From Actions, select Map for the vulnerability.
    The Vulnerability Mapping page shows the existing mappings, if any.
  3. Click + Map Remediation Content.
    The Map Content section displays the remediation content.
  4. Search for the remediation content that you want to map to the selected vulnerabilities:
    1. Select a remediation content type, such as NSH Script or Package. 
    2. Enter a text string in the Search text box.
      The remediation content records that match the search string are displayed.
  5. (Only for TrueSight Server Automation endpoint manager) Select the patch (remediation content) that you want to deploy to the targets. You can select multiple patches.

    manual_mapping.png

  6. If you need to map multiple remediation packages to the same vulnerability, define the target scope that determines the types of targets where the package should be deployed.
    Typically, target scope specifies different packages for different operating systems and architectures.
    • Use the default option, All, if you want to map remediation packages to all the targets.
    • Click Specify Target Scope if you want to map remediation packages to specific targets.
      A set of options appears that establish the scope for deploying the package.
      1. In the row defining the scope, for the first field, select any of the following:
        • OS–For example, Windows.
        • OS Platform–For example, x86_64.
        • OS Version–For example, 2008 R2.
        • OS Patch Level–For example, SP1, SP2.
        • OS Release–For example, 6.1
        • OS Vendor–For example, Microsoft.
      2. In the last field of the first row, enter a text string as the search criteria. Evaluation is based on whether a field contains the string you entered. For example, if you are specifying the Windows operating system, enter a string such as win. When evaluating targets, if the OS name contains the string win, the package is deployed there.
      3. In the next row defining the scope, select whether the target must satisfy all or any of the values you provided in the first row.
      4. To add another rule defining the scope, click Add Criteria. A new row appears. Use its fields to define an additional rule.
  7. To define another set of target scope and rules for another remediation package, click + Map Remediation Content.
  8. Click Save. The selected remediation content items are mapped to the selected vulnerabilities. The Vulnerabilities page shows the mapped remediation content against the vulnerability when you expand it. 
    If the mapping is unsuccessful, a message indicating the same is displayed on the GUI.

Unmapping vulnerabilities

You can unmap a vulnerability irrespective of whether it is mapped manually or automatically.

To unmap a vulnerability, select Remove Mapping for the vulnerability from Actions.

Closing vulnerabilities manually without creating operations

To remediate vulnerabilities, you can use different applications and methods, such as TrueSight Server Automation jobs. Scanners might report such resolved vulnerabilities incorrectly in Automation Console. In such cases, you need to create operations in Automation Console to remediate these vulnerabilities, which is an extra overhead. You can now manually remove such vulnerabilities without creating any operation.

On the Risks > Vulnerabilities page, do the following:

  1. From Actions menu of intended vulnerability [mapped / unmapped], click Close Vulnerability.
    It shows the list of all the assets where this vulnerability is reported.
  2. Select the assets on which you want to close this vulnerability
    or
    Search for the asset name on which the selected vulnerability needs to be closed.
  3. Click Confirm to remove the vulnerability.
    The vulnerability is removed from the selected assets, and a confirmation message is displayed.is closed on the selected assets.

You can also use the API to remove multiple vulnerabilities manually.

Auto-Closing the vulnerability records

To remediate vulnerabilities, you can use different applications and methods, such as TrueSight Server Automation jobs.  Also scanners might report such resolved vulnerabilities incorrectly in Automation Console. In such cases, you need to create operations in Automation Console to remediate these vulnerabilities, which is an extra overhead.  Automation Console takes care of such vulnerability records automatically using auto closure APIs.

This API [​ /api​/v2​/violations​/close​/auto-closure​/vats ] has an ability to close the vulnerability records from your system. Human errors may affect lot of work in worst case for user. To avoid this, user can use the preview API first [  /api​/v2​/violations​/close​/auto-closure​/vats​/preview ] to make sure that which all records are going to get closed first and what will be its impact. This helps user to take thoughtful decision and close the vulnerabilities only when its confirmed ! 

You need to provide either of the following filters - 

  • latest_scan_policy_id Id of scan policy which vulnerabilities belongs to OR
  • asset_ids asset Ids of server on which the vulnerabilities are reported OR
  • compare_against_policies - compare among different policies [ policy Ids of more than 1 policy and which you want to compare among]

and  Automation Console will auto close the eligible vulnerabilities using build-in intelligence. Currently this is an API only support. Automation Console swagger documentation explains the usage of these APIs under Violations and Dashboard Service further. After execution of these APIs, Automation Console will have the latest records in system based on the filters provided. This logic is applicable to vulnerability type of records only and records from all type of scanners [Qualys,Rapid7, Nessus] and Tenable.sc connector.

Viewing and exporting compliance violations

For TrueSight Server Automation onlyOn the Risks > Compliance page, view the list of compliance scan policies.

  • The Compliance page contains the following details:
    • Compliance Scan Policy name
    • Assets Scanned
    • Rules Evaluated
    • Last Scanned
    • Compliance Posture: Shows a percentage of compliant, non-compliant, and indeterminate evaluations on the assets.
  • You can either search by compliance policy name (basic search) or by asset, compliance scan policy name, operating system, or operating system vendor (advanced search)
    Click Clear Filters to view unfiltered data. 
  • To view details about a policy scan results, click the policy name and the following details are displayed: 
    • Compliance posture
    • Number of scanned assets
    • Number of associated rules
    • Last scanned date and time
    • List of rules and whether they are available for remediation, rule groups, and the number of compliant, non-compliant, and indeterminate assets. 

Important

When you apply the advanced filter on the Missing Patches or Vulnerabilities pages, the associated violations are filtered. However, the assets count that is displayed in the Impacted Assets column is not affected.

Exporting compliance violations

On the Risks > Compliance page, do the following:

  1. Click Export and enter a file name.
    By default, the CSV report file name is Compliance_Scan_Policy_Report_<dd-mm-yy>_<time>
  2. Click Export.
    The file is saved in a zipped folder. If you filter data using the advanced search options and then export, filtered data appears in the CSV file. 

Updating risk owners and risk tags by using the REST API

Risk owner is a security group that owns a set of vulnerabilities. You can use it to remediate a patch or vulnerability. Risk owner is the default security group that is assigned to the user who imports vulnerabilities or creates patch or compliance policies. You can assign any value to the risk owner. 

Risk tag is a tag that is applied to a vulnerability and asset combination or to a patch and asset combination. Risk tags are different from asset tags.

You can assign a risk score to a patch or vulnerability depending on the business context, impact, and urgency. The score is a numeric value that can range from 0 to 5.

Perform these steps to modify the risk owner, score, or tag value by using the REST APIs:

  1. Create a custom tag by using the API.
    Method : POST API : /api/v1/violations/tags
    Request body:

    {
      "key": "Location",
      "description": "Description of the Location"
    }

    Response:

    {
      "success": "Tag created."
    }

    The following API provides a list of custom tags.
    Method : GET  API : /api/v1/violations/tags

  2. Update violation fields such as risk score, SLA, risk owner, risk tags based on the any of the given filter criteria.
    Method :PATCH  API : /api/v1/violations
    Request:

    {
        "filters": {
            "severity": [
                "0",
                "1",
                "2",
                "3",
                "4",
                "5"
            ],
            "asset_name": [
                "test-1234.bmc.com",
                "test-9999.bmc.com"
            ],
            "os_type": [
                "windows",
                "linux"
            ],
            "cve_ids": [
                "CVE-2014-3596",
                "CVE-2014-3593"
            ],
            "policy": [
                "d41cedbb-a981-4a46-b658-111"
            ],
            "vat_state": [
                "1",
                "2",
                "3",
                "4",
                "5"
            ],
            "violation_type": "patch",
            "classification": [
                "Security Patch",
                "Non Security Patch",
                "Security Tool",
                "Software Distribution",
                "Bug Fix",
                "Product Enhancement",
                "Unknown"
            ]
        },
        "data": {
            "owner": "Testuser",
            "risk_score": 3,
            "sla_deadline": 90,
            "sla_warning": 70,
            "va_tags": [
                {
                    "key": "Location",
                    "value": [
                        "Pune",
                        "Mumbai"
                    ]
                }
            ]
        }
    }

    Example
    Request:

    {
        "filters": {
            "cve_ids": [
                "CVE-2022-3787",
                "CVE-2014-3618"
            ],
            "violation_type": "vulnerability"
        },
        "data": {
            "owner": "SecOps Admin",
            "risk_score": 2,
            "sla_deadline": 90,
            "sla_warning": 60,
            "va_tags": [
                {
                    "key": "Location",
                    "value": [
                        "Austin",
                        "Houston"
        ]
                }
            ]
        }
    }

    Response:

    [
    {
    "task_id": 370,
    "status": "Created",
    "status_code": 201
    },
    {
    "vat_ids": "9",
    "status": "Accepted",
    "status_code": 202
    }
    ]

Importance

If same vulnerability asset is posted again, the risk owner is not updated. You must use the API to update it.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*