Working with exceptions


In certain situations, you may want to exclude vulnerabilities collated in TrueSight Automation Console from remediation. For example:

  • Vulnerabilities on assets or network devices that are planned for decommissioning.
  • Vulnerabilities that may be less critical or in legacy applications on production servers.
  • Vulnerabilities that are to be remediated in a planned maintenance window at a later date.

In such scenarios, you can create exceptions to exclude specified vulnerabilities while creating remediation operations.

Only users with administrative rights can create exceptions. All other users can only view the exception details.

When you create an exception for the current date, it is in the Active state. When you create an exception for a future date, it is in the Enabled state, and on the specified date, the status changes to Active.

The impact of exceptions for vulnerabilities is described in the following table:

Enabled state

  • All the vulnerability and asset combinations appear on the Risks and Assets pages.
  • You can create remediation operations for the vulnerabilities.

Active state

  • The vulnerability data appears with the reduced number of impacted assets or network devices on the Risks page.
  • The scanned asset or network device data appears with the reduced number of vulnerabilities on the Assets page.
  • You cannot create remediation operations for the vulnerabilities.

If you create an exception for a vulnerability on all the assets or network devices, then the same vulnerability data does not appear on the Risks > Vulnerabilities and Dashboard > Vulnerability Dashboard pages. 

Sometimes, the results from a vulnerability scanning system wrongly indicate vulnerabilities in the assets. In this case, you can create permanent exceptions to prevent those vulnerabilities from being reported in future scan results. To extend an exception for vulnerabilities for which the remediation content is still not available, you can update the end date of that particular exception.

Creating an exception

As an administrator, on the Manage > Exceptions page, click Create Exception and perform the following steps:

  1. Enter a unique name and a justification.
  2. (Optional) Select the Permanent Exception check box and enter the start date to permanently exclude a vulnerability. 
    The end date for permanent exceptions is set to 100 years from the start date. You can always modify the end dates after creating an exception.
  3. Select the start and end dates for the exception. 
    The exception expires after the end date at 12 AM UTC.
  4. (Optional) Enter the Change Request ID, if it has been created in the IT Service Management system.
  5. (Optional) Enter the name or email address of the user who owns the exception.
  6. Click Select Vulnerabilities and use any of the following search options to select the vulnerabilities to be excluded from remediation:
    • Choose one or more vulnerabilities from the list. You can select the check box next to Vulnerability Name to choose all the vulnerabilities in the list.
    • Enter a vulnerability name and click Search.

      You can either enter a search term or use Advanced filter to select vulnerabilities.

    • Click Advanced filter and select the required filters, and click Done. You can select multiple search criteria from the following options:
      • CVE ID
      • Operating System
      • Severity
      • Status

        Important

        When you select the Operating System and Severity filters, you can click Select all to select all the sub-criteria, and click Clear all to clear your selection.

        The vulnerabilities that match the search results are displayed.

  7. Click Select Assets and use any of the following search options to select the assets with vulnerabilities to be excluded from remediation:
    • Choose one or more assets from the list. You can select the check box next to Asset Name to choose all the assets in the list.
    • Enter an asset name and click Search.

      You can either enter a search term or use Advanced filter to select assets.

    • Click Advanced filter and select the required filters, and click Done. You can select multiple search criteria from the following options:
      • Asset
      • Asset Tag
      • Operating System
      • Status

        Important

        When you select the Asset, Operating System and Status filters, you can click Select all to select all the sub-criteria, and click Clear all to clear your selection.

        The assets that match the search results are displayed.

  8. Choose the assets or network devices for which the exception is to be created.
  9. Click Save to create the exception. 
    It appears on the Manage Exceptions page. Depending on the start date, the status is either Active (if Start Date is the current date) or Enabled (if Start Date is a future date). You can create a remediation operation when the exception is in the Enabled state. If an exception is permanent, its end date is displayed as NA.

Important

If you create a remediation operation for a vulnerability and then create an exception on that vulnerability, the vulnerability is still remediated. However, the exception is considered in the remediation operations that are created after the exception was created. 
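
The date rules above lend themselves to a periodic review of the exception list. The following Python sketch is an added example, not part of the product and not using any product API: the record layout, the review criteria, the `warn_days` threshold and the sample values are assumptions, and the expiry is interpreted as 00:00 UTC on the day after the end date.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone

@dataclass
class ExceptionRecord:
    # Hypothetical record; the fields mirror the Create Exception form.
    name: str
    start: date
    end: date
    permanent: bool = False
    change_request_id: str = ""
    owner: str = ""
    disabled: bool = False

def status(rec, now):
    """Status of an exception at `now` (a timezone-aware UTC datetime)."""
    if rec.disabled:
        return "Disabled"
    # Assumption: expiry falls at 00:00 UTC on the day after the end date.
    expiry = datetime.combine(rec.end + timedelta(days=1), time.min, tzinfo=timezone.utc)
    if now >= expiry:
        return "Expired"
    return "Active" if now.date() >= rec.start else "Enabled"

def review(records, now, warn_days=14):
    """Return (name, status, issues) for each exception that needs attention."""
    report = []
    for rec in records:
        st, issues = status(rec, now), []
        if st in ("Active", "Enabled"):
            if rec.permanent:
                issues.append("permanent: re-confirm the false positive")
            elif (rec.end - now.date()).days <= warn_days:
                issues.append("ends soon: extend or remediate")
            if not rec.change_request_id:
                issues.append("no Change Request ID")
            if not rec.owner:
                issues.append("no owner")
        if issues:
            report.append((rec.name, st, issues))
    return report

# Constructed sample data, not taken from any real console.
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    ExceptionRecord("decom-db01", date(2024, 6, 1), date(2024, 6, 20), change_request_id="CRQ-0001", owner="ops@example.com"),
    ExceptionRecord("scanner-fp", date(2024, 1, 5), date(2124, 1, 5), permanent=True, owner="sec@example.com"),
    ExceptionRecord("maint-window", date(2024, 7, 1), date(2024, 9, 30)),
    ExceptionRecord("old-legacy", date(2024, 3, 1), date(2024, 6, 9), owner="app@example.com"),
]
```

Calling `review(SAMPLE, NOW)` lists the exceptions that still suppress remediation and lack an owner or change request, are permanent, or are close to their end date.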

Viewing exceptions

On the Manage Exceptions page, view the following details:

  • Exception Name and justification
  • Owner
  • Start and End Dates
  • Created and Updated Dates
  • Status

To search for an exception, enter an exception name or status, and click Search.

Click the exception name to view details.

  • As a non-administrative operator user, you can see the list of applicable vulnerabilities and impacted assets or network devices.
  • As an administrator, to view additional details for an active exception, click View Vulnerability and Asset Combination.
    The vulnerability, severity level, CVE IDs, and the total number of impacted assets are displayed.

Disabling and enabling an exception

You can disable an exception if you want it to be inactive for a while. 

On the Manage > Manage Exceptions page, do the following: 

  • Select an exception, click Actions > Disable, and then click Continue.
    The exception status changes to Disabled. It still appears in the exceptions list. 
  • Select an exception and click Actions > Enable.
    The exception status changes to Enabled. The exception becomes Active on the start date. 

When you disable an exception, vulnerabilities appear on the Risks page and are available for remediation. On the Vulnerability Dashboard, the Vulnerabilities by Stage widget reflects the changes. If you disable an older exception (not created today), data in the Vulnerability Trend widget is not updated immediately as the trend widget is refreshed at 12 AM UTC every night.

Extending an exception date

On the Manage > Manage Exceptions page, do the following:

  1. Select an exception and click Actions > Edit Exception Date.
  2. Select a new end date.
  3. Click Save.

Important

For Expired exceptions, you can edit both the start and end dates. For exceptions in the Active, Enabled, or Disabled state, you can only edit the end date.

Deleting an exception

You can delete an exception in any state. When an exception is deleted, you can create remediation operations for the vulnerabilities on the assets.

On the Manage > Manage Exceptions page, do the following:

  1. Select an exception and click Actions > Delete.
  2. Click Continue.

What happens to an exception when I delete a scan file?

All vulnerabilities are deleted from the exception unless they exist in some other scan file. Exception status remains the same.

 
