Working with risks


Risks include missing patches, vulnerabilities, and compliance violations that are identified on assets.

In the TrueSight Network Automation endpoint manager, risks include only the vulnerabilities identified on the network devices (assets).

Risk types

Missing patches (TrueSight Server Automation endpoint manager only)

When patch policies identify missing patches on assets, details about the missing patches are displayed on the Missing Patches page under Risks. Missing patches are identified only for assets with Windows or Linux operating systems.

Vulnerabilities

You can import the results of vulnerability scans produced by scanners such as Nessus, Qualys, and Rapid7. When you import the results into Automation Console, vulnerabilities are mapped to remediation content automatically where possible; otherwise you map them manually. Imported vulnerabilities are displayed on the Vulnerabilities page under Risks.

Scan results can be imported for assets with the following operating systems:

  • Microsoft Windows
  • IBM AIX
  • HP-UX
  • Solaris
  • CentOS
  • SUSE
  • Ubuntu
  • Debian
  • Oracle Linux ULN

For any operating system, when the supported patch types do not include CVE IDs, you can map the CVE IDs to patches later by using the Patches API. For details, see Using-REST-APIs.

You can create remediation operations for these operating systems only when the following requirements are met:

  • The remediation content type is BLPackage or NSH script.
  • The vulnerabilities are mapped to the appropriate remediation content.

Compliance violations (TrueSight Server Automation endpoint manager only)

When you create a compliance scan policy, it runs on a predefined schedule and collates data about compliance violations on the assets in the policy. The results are shown on the Risks > Compliance page.

The Compliance page shows the total number of compliance violations, the number of assets scanned by each policy, the number of rules evaluated in a policy, and the compliance posture of the scanned assets, which is the percentage of compliant, non-compliant, and indeterminate assets.

By using this data, you can create remediation operations to resolve the violations.


Navigating the Missing Patches page

For TrueSight Server Automation only

On the Risks > Missing Patches page, view the list of missing patches.

  • The Missing Patches page contains the following information for each unique missing patch:
    • Missing patch name
    • Impacted Assets
    • Patch Age, in days
    • Severity
    • Classification
    • CVE IDs: CVE Identification numbers specified in the patch catalog.
      Patch Age, Severity, and CVE IDs are provided by the patch vendor. 
  • You can enter the patch name, classification, or CVE ID, and click Search or use Advanced filter to filter patches.
    Click Advanced filter and select the required filters, and click Done. You can select multiple search criteria from the following options:
    • Asset
    • Classification
    • CVE ID
    • Missing Patch
    • Operating System
    • Patch Age
    • Risk Owner
    • Risk Score
    • Risk Tag
    • Severity
    • SLA

      Important

      • When you select the Asset, Classification, CVE ID, Missing Patch, Operating System, Risk Owner, Risk Score, Risk Tag, and Severity filters, you can click Select All to select all the sub-criteria, and click Clear All to clear your selection.
      • The selected Advanced filters are retained in the following scenarios:
        • If you navigate to different pages on the Automation Console during an active session.
        • If you access the Automation Console on a duplicate tab in the same browser during an active session.
      • The selected Advanced filters are not retained in the following scenarios:
        • If you access the Automation Console by using a different browser during an active session.
        • If you log out of the Automation Console and log in again using the same browser.
        • If you log out of the Automation Console and log in again using a different browser.
    • Click Clear Filters to view unfiltered data. 
  • To view the list of impacted assets for a unique missing patch, do the following:
    1. Click the link for a patch in the Impacted Assets column.
      The Managed Assets page shows the host name, IP address, operating system, and the total number of unique missing patches for each asset.
    2. Click Clear to view all assets and unique missing patches in your environment.
  • To view more information about a patch, expand the patch.
    • Asset Name
    • Operating System
    • Risk Owner
    • Risk Score
    • SLA


To export unique missing patches

On the Risks > Missing Patches page, do the following:

  1. Click Export and select any of these options from the list:
    • Open Missing Patches
    • Closed Missing Patches
  2. Enter a file name.
    By default, the CSV report file name is Patching_Report_<dd-mm-yy>_<time>
  3. Click Export.
    The file is saved in a zipped folder.

If you filter data using the advanced search options and then export, filtered data appears in the CSV file.  


Navigating the Vulnerabilities page

On the Risks > Vulnerabilities page, view the list of vulnerabilities.

  • The Vulnerabilities page contains the following information for each unique vulnerability:
    • Vulnerability Name
    • CVE IDs
    • CVSS V2
    • CVSS V3
    • Exploit Available
    • External ID
    • Port
    • Protocol
    • Severity
    • Mapping Status 
      • Mapped
      • Automapped
      • Unmapped
    • Remediation: Click the link to view the remediation content, remediation type, and other details.
    • Impacted Assets: Click the link to view the list of assets impacted by that vulnerability.
    • Actions
      • Map
      • Remove Mapping
      • Close Vulnerability
      • Update Notes
      • Update Vulnerability Instances Status


  • Click Select Columns to select the columns to be displayed on the Vulnerabilities page.
    By default, the Vulnerability Name, CVE IDs, Severity, Status, Remediation, Impacted Assets, and Action columns are displayed, and you can clear the check boxes of the columns you want to hide. The Vulnerability Name and Action columns cannot be hidden.

Important

  • The selected columns are retained in the following scenarios:
    • If you navigate to different pages on the Automation Console during an active session.
    • If you access the Automation Console on a duplicate tab in the same browser during an active session.
  • The selected columns are not retained in the following scenarios: 
    • If you access the Automation Console by using a different browser during an active session.
    • If you log out of the Automation Console and log in again using the same browser.
    • If you log out of the Automation Console and log in again using a different browser.
  • You can enter the vulnerability name or CVE ID, and click Search or use Advanced filter to filter vulnerabilities.
    Click Advanced filter and select the required filters, and click Done. You can select multiple search criteria from the following options:
    • Asset
    • CVE ID
    • CVSS V2
    • CVSS V3

      Important

      For CVSS V2 and CVSS V3, the entered value filters records with a CVSS score greater than or equal to it. You can enter any value between 0 and 10, including decimal values with up to one decimal place.

    • Detection Date
    • Exploit Available
    • External ID
    • Last Observed Date
    • Managed Asset Tag
    • Operating System
    • Port
    • Protocol
    • Risk Owner
    • Risk Score
    • Risk Tag
    • Scan File
    • Scanned Asset Tag
    • Severity
    • SLA
    • Vulnerability Instances Status
      • Affected
      • Not Affected
      • Under Investigation
    • Vulnerability Name

      Important

      • When you select the Operating System filter, the list of operating systems is populated from the imported scan files.
      • When you select the Asset, Managed Asset Tag, Scanned Asset Tag, CVE ID, Operating System, External ID, Port, Protocol, Risk Owner, Risk Score, Risk Tag, Severity, and Vulnerability Name filters, you can click Select All to select all the sub-criteria, and click Clear All to clear your selection.
      • The selected Advanced filters are retained in the following scenarios:
        • If you navigate to different pages on the Automation Console during an active session.
        • If you access the Automation Console on a duplicate tab in the same browser during an active session.
      • The selected Advanced filters are not retained in the following scenarios: 
        • If you access the Automation Console by using a different browser during an active session.
        • If you log out of the Automation Console and log in again using the same browser.
        • If you log out of the Automation Console and log in again using a different browser.

      Click Clear Filters to view unfiltered data.

  • To view the vulnerabilities that are first detected during a specific period, perform the following steps:

      1. Select Risks > Vulnerabilities > Advanced filter.
      2. Click Detection Date.
      3. Select a period.
        For example, you can apply an advanced filter to view vulnerabilities that are first detected in the last 6 months. 
  • To view the vulnerabilities that are last detected during a specific period, perform the following steps:

      1. Select Risks > Vulnerabilities > Advanced filter.
      2. Click Last Observed Date.
      3. Select a period.
        For example, you can apply an advanced filter to view vulnerabilities that are last observed in the last 1 month. 
  • To view the list of impacted assets for a vulnerability, do the following:
    1. Click the link in the Impacted Assets column.
      The Scanned Assets page shows the asset name, IP address, mapping status, scan file source, and operating system of each asset impacted by the vulnerability.
    2. Click Clear Filters to view all assets and the number of vulnerabilities impacting those assets.
  • Expand the vulnerability, to view the following information about the vulnerability:
    • Asset Name
    • Operating System
    • Risk Owner
    • Risk Score
    • SLA
    • Detection Date
    • Last Observed Date
    • Remediation content (type)

Viewing details of a vulnerability

Click the vulnerability name to view its details. The vulnerability panel displays more information, including its severity level, CVEs that are included, description, notes, links to the related vendor (such as Microsoft), and links to the patches that can be deployed to fix the vulnerability.

For example, the following image shows the details of an SSL/TLS Server vulnerability reported as TLSv1.0:443.

[Image: vulnerability details panel for the SSL/TLS Server (TLSv1.0:443) vulnerability, including its notes]

Viewing details of a remediation

After a vulnerability has been mapped to the remediation content, you can view the remediation details such as the content type (BLPackage, Patch, NSH Script, Rule, and so on), catalog name, patch name, the path to the file, and any target rules that are defined for deploying the package. If an entry provides information for multiple remediation options, the panel lists the information for each remediation content.

To view details of remediation, click the remediation link in the Remediation column against the mapped vulnerabilities.

The remediation panel shows the following details: 

  • Remediation type and path where the remediation content is available
  • Catalog names
  • CVE IDs
  • Target scope that includes these OS details: Type, vendor, version, and architecture


To remediate vulnerabilities

On the Risks page, you can create operations for the vulnerabilities that can be remediated.


To create a remediation operation, do the following:

  1. Navigate to the Risks > Vulnerabilities page.
  2. Click Remediate. You are directed to the Create Operation page. 
  3. Create an operation. For details, see Working-with-operations.

The filters that are configured on the Risks page are applied while creating an operation.

To add and view notes for vulnerabilities

You can add more information about a vulnerability as notes. You can use these notes to categorize and filter vulnerabilities according to your requirements.

On the Risks > Vulnerabilities page, do the following:

  1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by severity level so that you annotate the vulnerabilities with the highest severity first.
  2. From Actions, select Update Notes for the vulnerability.
  3. Click Update Notes.
  4. In the Notes field, add the note content and click Save.
  5. Click the vulnerability name to view the notes.


To update vulnerability instance status for a vulnerability

You can update the status of each vulnerability instance for effective tracking of the vulnerability.

On the Risks > Vulnerabilities page, do the following:

  1. From Actions, select Update Vulnerability Instance Status for the vulnerability.
  2. Select the applicable status from the following options:
    1. Affected
    2. Not affected
    3. Under investigation
    4. Fixed
  3. Click Save.

    Important

    The selected status is applied to all vulnerability instances that match the current filters, so check the active filters before you click Save.


To export vulnerabilities

On the Risks > Vulnerabilities page, do the following:

  1. Click Export 
  2. Enter a file name.
    By default, the CSV report file name is Vulnerability_Report_<dd-mm-yy>_<time>.
  3. Click Export.
    The file is saved in a zipped folder.
    The CSV file contains the following columns: Vulnerability ID, Vulnerability Name, CVE ID, Severity, Vulnerability Instance Status, Impacted Assets, Violation Age, Notes, External ID, Port, Protocol, CVSS V2 Score, CVSS V3 Score, and Exploit Available.


To export vulnerability instances

On the Risks > Vulnerabilities page, do the following:

  1. Click Export and select any of these options from the list:
    • Open Vulnerabilities
    • Closed Vulnerabilities
    • (For TrueSight Server Automation only) Vulnerabilities included in exceptions
  2. Enter a file name.
    By default, the CSV report file name is Vulnerability_Report_<dd-mm-yy>_<time>.
  3. Click Export.
    The file is saved in a zipped folder.

In the 23.3 release, the Last Observed Date column is added to the vulnerability instances export report. It indicates the date on which a vulnerability was last detected.


If you filter data using the advanced search options and then export, the filtered data appears in the CSV file. The exception is the Status filter: the export ignores it, so the CSV file is not limited to the selected vulnerability status.


To map vulnerabilities

Use the instructions in the following sections to map and unmap vulnerabilities.

To auto-map new vulnerabilities

When you import a scan file, if both of the following conditions are fulfilled, then the vulnerabilities get automatically mapped to the remediation content: 

  • Assets in the scan file are either automatically or manually mapped to the endpoints (managed assets) in the endpoint manager. 
  • Patch catalogs that contain remediation for Common Vulnerability and Exposure (CVE) numbers associated with the vulnerabilities are already imported in Automation Console.
    If you import a patch catalog or map the CVE IDs to a patch after importing the scan file, vulnerabilities are not automatically mapped. You can click Automap new to trigger Automap again.

By default, Automation Console attempts to match the CVE ID of a vulnerability to a CVE ID associated with a patch in a catalog imported in Automation Console. These imported patch catalogs contain multiple patches as remediation content. Assets with vulnerabilities are mapped to this remediation content based on the operating system, OS vendor, and version of the assets and the type of remediation content. Consult the following table to understand the remediation content allowed for various OS and OS Vendor combinations.

OS        OS Vendor   Remediation Content Type
Windows   Microsoft   BULLETIN
Linux     Red Hat     ERRATA
Linux     Oracle      ERRATA
Linux     SuSE        SUSE_PATCH
Linux     CentOS      RPM

During auto-mapping, the following events occur:

  • If a vulnerability with a CVE ID is mapped to patch catalogs of two different operating systems, and that same vulnerability is reported on the assets of different operating systems too, then Automation Console maps the remediation content to both the assets automatically.
  • (Only for the TrueSight Server Automation endpoint manager) If multiple patches (remediation content) from the same catalog match the operating system type, vendor, and version of an asset, all the patches are mapped with the asset. 

On the Risks > Vulnerabilities page, the vulnerability status shows the remediation content mapping status. The following list describes the scenario behind each status and the action required.

Auto-mapped

Scenario: There is a one-to-one mapping between CVE IDs and remediation content; for example, each CVE ID is mapped to one remediation content item.

Action required: None. A remediation operation can be created with no changes to the mapping.

Partially Mapped

Scenario: The vulnerability has multiple CVE IDs, but remediation content is mapped for only some of them. If an operation is created, the vulnerability is only partially remediated and no longer appears in the Vulnerabilities list, but it still appears in the next scan.

Action required: None. A remediation operation can be created; however, the vulnerability is remediated only for the CVE IDs for which remediation content is available.

Partially Mapped (Action Required)

Scenario: One CVE ID is mapped to more than one remediation content item from different catalogs.

Action required: Yes. Remove the current mapping and manually map the vulnerability to the appropriate remediation content. After mapping, the status changes to Mapped and a remediation operation can be created.

Unmapped

Scenario: The vulnerability is not mapped to any remediation content. This can happen if assets are not mapped to endpoints in the endpoint manager or patch catalogs are not imported into Automation Console.

Action required: Yes. Manually map the vulnerability to appropriate remediation content. See To manually map vulnerabilities.

Important

In some cases, vulnerability may be mapped to a remediation content, but underlying assets may not be mapped because of the limited target scope defined in the criteria. In such cases, even though the vulnerability status is mapped, the status of vulnerability asset instances remains unmapped. Therefore, these instances are listed as unmapped on the Vulnerability dashboard and appear in filter results for the Unmapped filter.

On the Risks > Vulnerabilities page, do the following:

  1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by severity level so you can map vulnerabilities with the highest severity first.
  2. Click Automap New on the top of the page. All the unmapped vulnerabilities are checked against the content in the imported catalogs and the matching vulnerabilities are mapped to the content. Vulnerabilities that are auto-mapped are marked as Mapped in the Status column.
    (Only for TrueSight Server Automation endpoint manager) The assets with a vulnerability are mapped with one or more matching patches of the same catalog.

Important

In releases earlier than 21.3, a single patch (remediation content) was mapped to a vulnerability and asset combination even when multiple patches from the patch catalogs matched the vulnerability. If a vulnerability was already mapped to a single patch before 21.3, upgrading TrueSight Automation Console to 21.3 does not automatically map the other matching patches from the patch catalog to the vulnerability. The existing mapping of the single patch is not affected.

Example scenario:

Patch 1 is already auto-mapped with asset A1 to remediate vulnerability V1. Patches 2 and 3 from the same patch catalog also match vulnerability V1. However, after you upgrade to TrueSight Automation Console 21.3, patches 2 and 3 are not auto-mapped with asset A1. To map these patches with asset A1, do one of the following:

  • Unmap the vulnerability and map it again using the Automap New option.
  • Delete the scan file and import it again. For details, see Working-with-scans.


To manually map vulnerabilities

If some of the vulnerabilities remain unmapped during import or during auto-mapping of new vulnerabilities, you can manually map them to remediation content. You can perform manual mapping for only one vulnerability at a time. 

When mapping manually, the remediation content can be of the following types:

  • BLPackages
  • Network Shell (NSH) scripts
  • Patches
  • Installshield packages
  • Microsoft Installer (MSI) packages
  • Operating system service packs
  • Red Hat packages
  • Custom software

You can map multiple patches from the same catalog with an asset.

On the Risks > Vulnerabilities page, do the following:

  1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by severity level so you can map vulnerabilities with the highest severity first.
  2. From Actions, select Map for the vulnerability.
    The Vulnerability Mapping page shows the existing mappings, if any.
  3. Click + Map Remediation Content.
    The Map Content section displays the remediation content.
  4. Search for the remediation content that you want to map to the selected vulnerabilities:
    1. Select a remediation content type, such as NSH Script or Package. 
    2. Enter a text string in the Search text box.
      The remediation content records that match the search string are displayed.
  5. (Only for TrueSight Server Automation endpoint manager) Select the patch (remediation content) that you want to deploy to the targets. You can select multiple patches.


  6. If you need to map multiple remediation packages to the same vulnerability, define the target scope that determines the types of targets where the package should be deployed.
    Typically, target scope specifies different packages for different operating systems and architectures.
    • Use the default option, All, if you want to map remediation packages to all the targets.
    • Click Specify Target Scope if you want to map remediation packages to specific targets.
      A set of options appears that establish the scope for deploying the package.
      1. In the row defining the scope, for the first field, select any of the following:
        • OS–For example, Windows.
        • OS Platform–For example, x86_64.
        • OS Version–For example, 2008 R2.
        • OS Patch Level–For example, SP1, SP2.
        • OS Release–For example, 6.1
        • OS Vendor–For example, Microsoft.
      2. In the last field of the first row, enter a text string as the search criteria. Evaluation is based on whether a field contains the string you entered. For example, if you are specifying the Windows operating system, enter a string such as win. When evaluating targets, if the OS name contains the string win, the package is deployed there.
      3. In the next row defining the scope, select whether the target must satisfy all or any of the values you provided in the first row.
      4. To add another rule defining the scope, click Add Criteria. A new row appears. Use its fields to define an additional rule.
  7. To define another set of target scope and rules for another remediation package, click + Map Remediation Content.
  8. Click Save. The selected remediation content items are mapped to the selected vulnerabilities. The Vulnerabilities page shows the mapped remediation content against the vulnerability when you expand it. 
    If the mapping is unsuccessful, a message indicating the same is displayed on the GUI.
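The following Python models the target-scope rules from step 6 above so that you can preview which assets a scope would select before you save the mapping. It is an added example, not TrueSight Automation Console code: the asset field names, the host inventory, and the case-insensitive comparison are assumptions made for this example. It also goes one step beyond the page by showing why a bare substring such as win can over-match.

```python
"""Model of the target-scope rules used when mapping remediation content.

Added example: this is not TrueSight Automation Console code. It reproduces
the documented behaviour (each criteria row is a "field contains string"
test, and the rows are combined with "all" or "any") so that a scope can be
previewed before the mapping is saved. The asset field names, the sample
inventory and the case-insensitive comparison are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Literal

# Scope fields offered in the first field of each criteria row.
SCOPE_FIELDS = ("OS", "OS Platform", "OS Version", "OS Patch Level",
                "OS Release", "OS Vendor")


@dataclass(frozen=True)
class Criterion:
    scope_field: str   # one of SCOPE_FIELDS
    contains: str      # substring the target's field must contain

    def matches(self, target: Dict[str, str]) -> bool:
        if self.scope_field not in SCOPE_FIELDS:
            raise ValueError(f"unknown scope field: {self.scope_field}")
        # Assumption: the product's "contains" test ignores case.
        return self.contains.lower() in target.get(self.scope_field, "").lower()


@dataclass
class TargetScope:
    criteria: List[Criterion] = field(default_factory=list)
    match: Literal["all", "any"] = "all"  # combinator chosen in the second row

    def selects(self, target: Dict[str, str]) -> bool:
        if not self.criteria:  # the default option, All
            return True
        results = [c.matches(target) for c in self.criteria]
        return all(results) if self.match == "all" else any(results)


def preview_scope(scope: TargetScope, targets: List[Dict[str, str]]) -> List[str]:
    """Return the host names the scope would deploy the package to."""
    return sorted(t["host"] for t in targets if scope.selects(t))


# Constructed sample inventory (not real assets).
TARGETS = [
    {"host": "win-app-01", "OS": "Windows", "OS Vendor": "Microsoft",
     "OS Version": "2008 R2", "OS Platform": "x86_64"},
    {"host": "win-db-02", "OS": "Windows", "OS Vendor": "Microsoft",
     "OS Version": "2012", "OS Platform": "x86_64"},
    {"host": "mac-build-03", "OS": "Darwin", "OS Vendor": "Apple",
     "OS Version": "22.6", "OS Platform": "arm64"},
    {"host": "rhel-web-04", "OS": "Linux", "OS Vendor": "Red Hat",
     "OS Version": "8.9", "OS Platform": "x86_64"},
]

if __name__ == "__main__":
    # "win" alone also matches "Darwin" because the test is a substring test.
    loose = TargetScope([Criterion("OS", "win")])
    print("OS contains win:", preview_scope(loose, TARGETS))
    # Adding an OS Vendor row combined with "all" removes the false positive.
    strict = TargetScope([Criterion("OS", "win"), Criterion("OS Vendor", "Microsoft")])
    print("OS contains win AND vendor Microsoft:", preview_scope(strict, TARGETS))
```

Run the file to print both previews. The loose scope selects the Darwin host as well, because "win" is only tested as a substring; combining an OS Vendor row with the all option is the safer way to scope a Windows-only package.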


To unmap vulnerabilities

You can unmap a vulnerability irrespective of whether it is mapped manually or automatically.

To unmap a vulnerability, select Remove Mapping for the vulnerability from Actions.


To manually close vulnerabilities without creating operations

To remediate vulnerabilities, you can use different applications and methods, such as TrueSight Server Automation jobs. Scanners might then still report such resolved vulnerabilities in Automation Console. Without this feature, you would need to create operations in Automation Console to remediate these vulnerabilities, which is extra overhead. Instead, you can manually close such vulnerabilities without creating any operation.

On the Risks > Vulnerabilities page, do the following:

  1. From the Actions menu of the vulnerability (mapped or unmapped), click Close Vulnerability.
    The list of all assets on which this vulnerability is reported is displayed.
  2. Select the assets on which you want to close this vulnerability, or search for the name of the asset on which the vulnerability needs to be closed.
  3. Click Confirm to remove the vulnerability.
    The vulnerability is closed on the selected assets, and a confirmation message is displayed.

You can also use the API to remove multiple vulnerabilities manually.


To auto-close vulnerability records

You can remediate vulnerabilities by using different applications and methods, such as TrueSight Server Automation jobs. Sometimes, scanners still report such resolved vulnerabilities in Automation Console, and closing them would otherwise require creating operations in Automation Console, which is an additional step. Automation Console can instead close eligible vulnerability records automatically. Currently, this is an API-only feature.

The /api/v2/violations/close/auto-closure/vats API closes vulnerability records in your system. Preview the API call first to confirm which records will be closed and what the impact will be, and only then apply it. You must provide one of the following filters when using the API:

Filter: latest_scan_policy_id
Description: ID of the scan policy to which the vulnerabilities belong.

Filter: asset_ids
Description: IDs of the assets (servers) on which the vulnerabilities are reported.

Filter: compare_against_policies
Description: IDs of the policies that you want to compare. This filter is not applicable to Tenable scans.

After the API runs, Automation Console holds the latest records based on the filters provided. This logic applies to vulnerability records from the Tenable.sc connector and from all other scanner types, such as Qualys, Rapid7, and Nessus.

The API considers only the vulnerability data posted by an external scanner through the built-in connectors (for example, Tenable.sc or Tenable.io). If you change what is scanned at the scanner end, for example by scanning only some of the assets or by updating the assets in an already active scan, the API still sees only the data that the scanner APIs provide. For example, on day 1 you scan 10 assets in Tenable.sc and 100 vulnerabilities are reported; the Tenable.sc connector receives all 100 and posts them to Automation Console. On day 2 you scan only 8 of the 10 assets, because 2 were skipped or are fully remediated and report no vulnerabilities. The scanner API then posts data for the 8 assets only, not for the 2 skipped or remediated ones. In that case, the auto-closure API cannot automatically close the open vulnerability records of those 2 assets.

For such cases, close the records that the external scanners did not post manually by using /api/v2/violations/close/vats.
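The following Python works through the day 1 / day 2 scenario above and separates the records that auto-closure can close from the ones that stay open because the asset was absent from the latest posting. It is an added example, not TrueSight Automation Console code: the in-memory data structures, the asset and CVE values, and the JSON shape of the filter object are assumptions made for this example; the page documents the three filter names and the "one filter required" rule, not the request format.

```python
"""Which open vulnerability records auto-closure can and cannot close.

Added example, not TrueSight Automation Console code. It models the rule the
page describes: the auto-closure API only acts on the data the scanner
connector posted for the latest scan, so assets that were skipped or came
back clean (and are therefore absent from the posting) keep their open
records and must be closed manually. Data structures, sample values and the
filter JSON shape are assumptions made for this example.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

VatId = Tuple[str, str]  # (asset name, vulnerability ID)


def auto_closure_filter(latest_scan_policy_id: Optional[str] = None,
                        asset_ids: Optional[Iterable[int]] = None,
                        compare_against_policies: Optional[Iterable[str]] = None,
                        tenable: bool = False) -> Dict[str, object]:
    """Filter object for /api/v2/violations/close/auto-closure/vats.

    Enforces the two documented constraints: at least one filter is required,
    and compare_against_policies is not applicable to Tenable scans. The JSON
    shape of the object is an assumption.
    """
    filters: Dict[str, object] = {}
    if latest_scan_policy_id is not None:
        filters["latest_scan_policy_id"] = latest_scan_policy_id
    if asset_ids:
        filters["asset_ids"] = list(asset_ids)
    if compare_against_policies:
        if tenable:
            raise ValueError("compare_against_policies is not applicable to Tenable scans")
        filters["compare_against_policies"] = list(compare_against_policies)
    if not filters:
        raise ValueError("provide latest_scan_policy_id, asset_ids or compare_against_policies")
    return filters


def auto_closable(open_vats: Dict[str, Set[str]],
                  latest_posting: Dict[str, Set[str]]) -> Tuple[Dict[str, Set[str]], List[VatId]]:
    """Split open records into those auto-closure closes and those it cannot see.

    open_vats:      {asset: open vulnerability IDs} currently in Automation Console
    latest_posting: {asset: vulnerability IDs} exactly as the connector posted
                    them for the latest scan; an absent asset was not posted
    Returns (closable, not_posted): closable maps asset -> IDs the latest
    posting no longer reports; not_posted lists (asset, ID) pairs that remain
    open because the asset was absent from the posting, i.e. the candidates
    for a manual /api/v2/violations/close/vats call.
    """
    closable: Dict[str, Set[str]] = {}
    not_posted: List[VatId] = []
    for asset, open_ids in sorted(open_vats.items()):
        if asset not in latest_posting:
            not_posted.extend((asset, vid) for vid in sorted(open_ids))
            continue
        gone = open_ids - latest_posting[asset]
        if gone:
            closable[asset] = gone
    return closable, not_posted


# Constructed data: on day 1 the scanner reported four assets; on day 2 the
# connector posted only two of them.
DAY1_OPEN = {
    "web-01": {"CVE-2014-3596", "CVE-2014-3593"},
    "web-02": {"CVE-2014-3596"},
    "db-03": {"CVE-2022-3787"},   # skipped in the day-2 scan
    "db-04": {"CVE-2014-3618"},   # fully remediated, so nothing was posted
}
DAY2_POSTING = {
    "web-01": {"CVE-2014-3593"},  # CVE-2014-3596 is no longer reported
    "web-02": {"CVE-2014-3596"},  # unchanged
}

if __name__ == "__main__":
    closable, manual = auto_closable(DAY1_OPEN, DAY2_POSTING)
    print("auto-closure can close:", closable)
    print("close manually:", manual)
    print("filter:", auto_closure_filter(asset_ids=[101, 102]))
```

Running the file shows that only the web-01 record for CVE-2014-3596 is eligible for auto-closure; the db-03 and db-04 records stay open even though one host was remediated, because nothing about them reached Automation Console from the scanner.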

For more information about APIs, see Using-REST-APIs.


Navigating the Compliance page

For TrueSight Server Automation only

On the Risks > Compliance page, view the list of compliance scan policies.

  • The Compliance page contains the following details:
    • Compliance Scan Policy name
    • Assets Scanned
    • Rules Evaluated
    • Last Scanned
    • Compliance Posture: Shows a percentage of compliant, non-compliant, and indeterminate evaluations on the assets.
  • You can either search by compliance policy name or use Advanced filter to filter compliance scan policies.
    Click Advanced filter and select the required filters, and click Done. You can select multiple search criteria from the following options:
    • Asset
    • Compliance Scan Policy
    • Operating System
    • Operating System Vendor

Important

  • You can click Select All to select all the sub-criteria, and click Clear All to clear your selection.
  • The selected Advanced filters are retained in the following scenarios:
    • If you navigate to different pages on the Automation Console during an active session.
    • If you access the Automation Console on a duplicate tab in the same browser during an active session.
  • The selected Advanced filters are not retained in the following scenarios: 
    • If you access the Automation Console by using a different browser during an active session.
    • If you log out of the Automation Console and log in again using the same browser.
    • If you log out of the Automation Console and log in again using a different browser.

Click Clear Filters to view unfiltered data. 

  • To view details about a policy's scan results, click the policy name. The following details are displayed:
    • Compliance posture
    • Number of scanned assets
    • Number of associated rules
    • Last scanned date and time
    • List of rules and whether they are available for remediation, rule groups, and the number of compliant, non-compliant, and indeterminate assets. 

Important

When you apply the advanced filter on the Missing Patches or Vulnerabilities pages, the associated violations are filtered. However, the assets count that is displayed in the Impacted Assets column is not affected.


To export compliance violations

On the Risks > Compliance page, do the following:

  1. Click Export and enter a file name.
    By default, the CSV report file name is Compliance_Scan_Policy_Report_<dd-mm-yy>_<time>
  2. Click Export.
    The file is saved in a zipped folder. If you filter data using the advanced search options and then export, filtered data appears in the CSV file. 


To update risk owners and risk tags by using the REST API

Risk owner is a security group that owns a set of vulnerabilities. You can use it to remediate a patch or vulnerability. Risk owner is the default security group that is assigned to the user who imports vulnerabilities or creates patch or compliance policies. You can assign any value to the risk owner. 

Risk tag is a tag that is applied to a vulnerability and asset combination or to a patch and asset combination. Risk tags are different from asset tags.

You can assign a risk score to a patch or vulnerability depending on the business context, impact, and urgency. The score is a numeric value that can range from 0 to 5.

Perform these steps to modify the risk owner, score, or tag value by using the REST APIs:

  1. Create a custom tag by using the API.
    Method : POST API : /api/v1/violations/tags
    Request body:

    {
      "key": "Location",
      "description": "Description of the Location"
    }

    Response:

    {
      "success": "Tag created."
    }

    The following API provides a list of custom tags.
    Method : GET  API : /api/v1/violations/tags

  2. Update violation fields such as risk score, SLA, risk owner, and risk tags based on any of the given filter criteria.
    Method :PATCH  API : /api/v1/violations
    Request:

    {
        "filters": {
            "severity": [
                "0",
                "1",
                "2",
                "3",
                "4",
                "5"
            ],
            "asset_name": [
                "test-1234.bmc.com",
                "test-9999.bmc.com"
            ],
            "os_type": [
                "windows",
                "linux"
            ],
            "cve_ids": [
                "CVE-2014-3596",
                "CVE-2014-3593"
            ],
            "policy": [
                "d41cedbb-a981-4a46-b658-111"
            ],
            "vat_state": [
                "1",
                "2",
                "3",
                "4",
                "5"
            ],
            "violation_type": "patch",
            "classification": [
                "Security Patch",
                "Non Security Patch",
                "Security Tool",
                "Software Distribution",
                "Bug Fix",
                "Product Enhancement",
                "Unknown"
            ]
        },
        "data": {
            "owner": "Testuser",
            "risk_score": 3,
            "sla_deadline": 90,
            "sla_warning": 70,
            "va_tags": [
                {
                    "key": "Location",
                    "value": [
                        "Pune",
                        "Mumbai"
                    ]
                }
            ]
        }
    }

    Example
    Request:

    {
        "filters": {
            "cve_ids": [
                "CVE-2022-3787",
                "CVE-2014-3618"
            ],
            "violation_type": "vulnerability"
        },
        "data": {
            "owner": "SecOps Admin",
            "risk_score": 2,
            "sla_deadline": 90,
            "sla_warning": 60,
            "va_tags": [
                {
                    "key": "Location",
                    "value": [
                        "Austin",
                        "Houston"
                    ]
                }
            ]
        }
    }

    Response:

    [
        {
            "task_id": 370,
            "status": "Created",
            "status_code": 201
        },
        {
            "vat_ids": "9",
            "status": "Accepted",
            "status_code": 202
        }
    ]
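The following Python assembles and checks the two request bodies from steps 1 and 2 before anything is sent. It is an added example, not TrueSight Automation Console code: it uses only the filter keys, the risk score range (0 to 5), and the tag workflow that this page documents. Refusing an empty filter, requiring sla_warning to be no larger than sla_deadline, and the way send() takes the console's authentication header from the caller are assumptions made for this example.

```python
"""Build and check the risk owner, score, SLA and tag update described above.

Added example, not TrueSight Automation Console code. It assembles the two
request bodies shown on this page (POST /api/v1/violations/tags and
PATCH /api/v1/violations) and checks them against the constraints the page
states before anything is sent: only the documented filter keys, a risk score
between 0 and 5, and tag keys that were created first. Refusing an empty
filter, requiring sla_warning <= sla_deadline, and the auth header handling
in send() are assumptions made for this example.
"""
import json
import urllib.request
from typing import Dict, List, Mapping, Sequence

# Filter keys shown in the page's PATCH request body.
FILTER_KEYS = {"severity", "asset_name", "os_type", "cve_ids", "policy",
               "vat_state", "violation_type", "classification"}
VIOLATION_TYPES = {"patch", "vulnerability"}


def tag_request(key: str, description: str) -> Dict[str, str]:
    """Body for POST /api/v1/violations/tags (step 1)."""
    return {"key": key, "description": description}


def validate_update(body: Mapping, known_tags: Sequence[str]) -> List[str]:
    """Return the problems found in a PATCH /api/v1/violations body (empty list = OK)."""
    problems: List[str] = []
    filters, data = body.get("filters") or {}, body.get("data") or {}
    if not filters:  # assumption: never send an unscoped update
        problems.append("filters is empty; the update would not be scoped")
    for key in filters:
        if key not in FILTER_KEYS:
            problems.append(f"unknown filter key {key!r}")
    vtype = filters.get("violation_type")
    if vtype is not None and vtype not in VIOLATION_TYPES:
        problems.append(f"violation_type {vtype!r} must be 'patch' or 'vulnerability'")
    score = data.get("risk_score")
    if score is not None and not 0 <= score <= 5:
        problems.append(f"risk_score {score} is outside 0..5")
    deadline, warning = data.get("sla_deadline"), data.get("sla_warning")
    if deadline is not None and warning is not None and warning > deadline:
        problems.append("sla_warning must not exceed sla_deadline")  # assumption
    for tag in data.get("va_tags", []):
        if tag["key"] not in known_tags:
            problems.append(f"tag {tag['key']!r} was not created via /api/v1/violations/tags")
    return problems


def build_update(filters: Mapping, owner=None, risk_score=None, sla_deadline=None,
                 sla_warning=None, tags: Mapping[str, Sequence[str]] = None,
                 known_tags: Sequence[str] = ()) -> Dict:
    """Body for PATCH /api/v1/violations (step 2); raises ValueError on a bad body."""
    data = {k: v for k, v in {"owner": owner, "risk_score": risk_score,
                              "sla_deadline": sla_deadline,
                              "sla_warning": sla_warning}.items() if v is not None}
    if tags:
        data["va_tags"] = [{"key": k, "value": list(v)} for k, v in tags.items()]
    body = {"filters": dict(filters), "data": data}
    problems = validate_update(body, known_tags)
    if problems:
        raise ValueError("; ".join(problems))
    return body


def send(base_url: str, method: str, path: str, body, headers: Mapping[str, str]):
    """Send a JSON request with urllib. `headers` must carry the console's
    authentication; how it is obtained is outside this example (assumption)."""
    req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                 method=method,
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    known = ["Location"]  # assume the tag from step 1 was already created
    update = build_update(
        {"cve_ids": ["CVE-2022-3787", "CVE-2014-3618"], "violation_type": "vulnerability"},
        owner="SecOps Admin", risk_score=2, sla_deadline=90, sla_warning=60,
        tags={"Location": ["Austin", "Houston"]}, known_tags=known)
    print(json.dumps(update, indent=2))
    # send("https://console.example.com", "PATCH", "/api/v1/violations", update,
    #      {"Authorization": "Bearer <token>"})  # assumed header, not documented here
```

Running the file prints the same PATCH body as the example request above. Because the PATCH applies to every violation that matches the filters, the validation deliberately refuses an empty filter object and unknown filter keys, which would otherwise be the easiest way to reassign a risk owner or SLA far more widely than intended.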

Important

If the same vulnerability and asset combination is posted again, the risk owner is not updated. You must use the API to update it.
