Documentation update To provide a better user experience, we have now created a separate documentation space for BMC Helix Automation Console (previously called BMC Helix Vulnerability Management). Users of BMC Helix Automation Console can find the latest documentation at BMC Helix Automation Console..

Working with scans

This topic provides instructions on importing and deleting scans. The following endpoint managers are supported:

  • TrueSight Server Automation
  • TrueSight Network Automation

To obtain scans from a vulnerability management system, see Scans

Importing a Nessus scan file automatically

You can integrate
TrueSight Automation Consolewith TrueSight Orchestration to automatically import scan files from the Nessus vulnerability scanning system. To understand and enable auto-import of Nessus scan files, see Use-case-Automatically-importing-vulnerability-scan-files.

Can I auto-import scan files from Qualys and Rapid7 too?

No. Currently, auto-import is available for Nessus only.

Importing a scan file manually

On the Manage > Import page, click Import Scan, and do the following:

  1. Select the vulnerability management vendor.

  2. Attach the scan file based on the selected vendor.
    BMC recommends that you import files larger than 400 MB from a local area network with a latency of less than 50 milliseconds as large scans from remote networks might not succeed. You can also import a compressed file (single file only).

    Is there a file size limit for importing a scan file?

    Yes. You can import files up to 1 GB.

  3. To apply filters while importing data from a scan file, do the following:
    1. Select the operating systems.
      When you select Others, the scan file includes the scanning results for the assets of various operating systems such as AIX, HP-UX, Solaris, CentOS, SUSE, Ubuntu, Debian, and Oracle Linux ULN. If you are importing a vulnerability scan file for the TrueSight Network Automation endpoint manager, we recommend selecting Others.

    2. Choose one or more vulnerability severity options.

      Severity levels

      Qualys, Nessus, and Rapid7 use different scoring for severity levels. Qualys uses scores of 1-5. Nessus uses scores of 0-4. Rapid7 uses scores of 1-10. To maintain consistency, BMC increases the Nessus severity levels by one (so they become 1-5) and maps the ten Rapid7 severity levels to five levels. 

    3. Specify the IP addresses in the Classless Inter-Domain Routing (CIDR) format.
      Data is imported from the scan file only for the servers that belong to the specified IP address range. Default value is 0.0.0.0/0, which imports data for all the servers from the scan file.
      You can specify one of the following values:
      • Single IP address. Example: 168.19.13.12/24
      • Comma-separated multiple IP addresses. Example: 168.19.13.12/24,10.25.24.12/12
      • A combination of the above formats. Example: 168.19.13.12/24, 168.19.13.12/32,10.25.24.12/12
  4. Click Import.
    After the import is complete, a message confirms that the scan was imported and informs how many assets were automatically mapped to endpoints. To search for a scan file, enter the scan file name in the search field and the results that match the search term are displayed. 

Scan results

  • If you have configured the Tenable.sc connector, the Import page displays the scan results that are automatically imported from the Tenable.sc instances.
  • The scan results include the vulnerability detection date. If you have configured the Tenable.sc connector, the scan results display the vulnerability detection date as follows:
    • For fresh installations, a detection date indicates when a vulnerability is first seen in Tenable.
    • For upgrades, a detection date for an existing vulnerability indicates when a vulnerability is posted in TrueSight Automation Console.
  • In a scan file, the vulnerability detection date indicates the date the scan was conducted.
  • When you import scan results for vulnerabilities on CentOS assets, the vulnerabilities are not automatically mapped to the remediation content. You must manually map vulnerabilities with the remediation content later to perform remediation operations. 
  • If you import multiple scan files one after another, the Scanned Assets page and Import page show all the data that you import, not just the results of the most recent import. When you import a scan file, asset and vulnerability information is added to any information that is already imported. The operating system is defined in the scan file. For example, if an AIX asset is defined as Linux in a Nessus scanning file, the asset shows Linux as the operating system. If the same asset is classified as AIX in a scan file from Qualys, then when you import the scan file, the latest data is considered.

Importing the same scan file more than once

If you need to import the same scan file more than once, do the following:


    • For Qualys and Rapid7, scan files are identified by a unique <SCAN> tag within the XML file. If you are using those vulnerability management tools and you want to import the same scan more than once, you must modify the value of the <SCAN> tag. BMC recommends that you change the name of each scan to avoid confusion.

    • For Nessus, you must edit the existing .nessus file and provide a new name value for the <Report> tag. For example, in a tag such as <Report name="ProdAdmins_Linux" xmlns:cm="http://www.nessus.org/cm">, the new name value could be, name="NewProdAdmins_Linux"

      If the imported scans do not include a time zone, which time zone is considered?

      If no time zone is specified, it is browser's time zone.

Deleting a scan file

On the Manage > Import page, click Action > Remove for a file.

If the scan file size is large, it may take some time for deletion. 

Consult the following table for the impact of deleting a scan file on each of the entities in Automation Console.

Impact of scan file deletion

Vulnerabilities

  • All associations between the endpoints and vulnerabilities contained in the scan file are deleted, unless the same association is also included in another scan file. 

Operations

  • If an operation is created but not yet executed (scheduled), vulnerabilities get removed from the remediation operations.
  • If you import the deleted scan file again, the same vulnerabilities are considered in the operation automatically. 

Exceptions

  • The vulnerabilities are removed from the exception created on it.
  • If an exception is created for a vulnerability on selected assets, after deleting the file and importing it again, the vulnerabilities are not added in the exception automatically. You have to create new exceptions for those vulnerabilities.
  • If an exception is created for a vulnerability on all the assets, after deleting the file and importing it again, the old exception gets Active. 

Sharing a scan file

You can share a scan file that you imported with one or more security groups. However, users of these security groups cannot delete or further share this scan file.

Do the following:

  1. On the Manage > Import page, click Action > Share for the file that you want to share with security groups.
  2. From the Security Groups list, select the required groups to share the scan file. You can use the search filter to quickly locate the required groups.
  3. Click Share.

The names of security groups with which the file is shared are displayed under the Shared with Security Groups column.

You can use the same option to stop sharing the file or share it with different security groups.

  • To stop the sharing, click Clear in the Security Groups list and click Share.
  • To share the file with additional or different security groups, select the required groups from the Security Groups list and click Share
  • To stop sharing the file with a specific specific security group, click delete corresponding to the security group.

    delete_security_group.png

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*