Investigating vulnerabilities


As a vulnerability manager, you can view vulnerabilities and the services and assets impacted by them, and perform the following actions:

  • Investigate a service affected by vulnerabilities.
  • Investigate the details of a vulnerability and the impacted services and assets.
  • View the vulnerability summary, the suggested best action recommendations, and the remediation script generated by BMC HelixGPT.

Learn how to use BMC HelixGPT Vulnerability Resolver to investigate vulnerabilities impacting services in the following video (2:01):

Watch the YouTube video about how to investigate vulnerabilities by using Vulnerability Resolver

Learn how to use BMC HelixGPT Vulnerability Resolver to get recommendations to remediate vulnerabilities in the following video (1:45):

Watch the YouTube video about how to use Vulnerability Resolver to generate best action recommendations to remediate vulnerabilities

To investigate vulnerabilities for an impacted service

You can view the details of services impacted by vulnerabilities, assess the risks associated with these vulnerabilities, and quickly prioritize remediation.

  1. On the BMC Helix AIOps console, click Risks and then click Vulnerabilities.
  2. In the Top Impacted Services table, click a service to open the Service Details page.
    The following details are displayed:

    Risk Score: The risk score is based on the highest service criticality and the highest CVSS score of the vulnerabilities impacting the service. If a service is impacted by child services, the displayed risk score reflects the highest score among them.
    Critical vulnerabilities: The number of critical vulnerabilities.
    Impacted assets: The number of assets that have the selected service and are impacted by vulnerabilities.
    Service owner: The name of the user assigned to the selected service.
    Impacting child services: The number of child services impacting the risk score of the parent service.
    Click to view the following details of the child services:
    • Severity
    • Risk score
    • Number of critical vulnerabilities
    • Number of impacted assets
    • Criticality
      Click the navigation icon against the child service to navigate to its details page.
  3. In the vulnerabilities section, the following information is displayed:
    • Vulnerability name
    • CVE ID
    • Automation—The value indicates whether any remediation is mapped against the vulnerability instance. Any impacted assets without mapped automations are indicated by a hyphen '-' in the Automations column.

      Click to view the following details of available remediations:

      • Asset name—Name of the impacted asset
      • Remediation Tool—Source of the remediation operations mapped to the impacted asset
      • Remediation content type—This could be a patch, MSI package, action, or rule
      • Remediation—The name of the content of the remediation operation
        For information about how to plan automations for remediating vulnerability instances, see Plan automations.
    • Severity
    • CVSS Score—The CVSS V3 score is assigned by the NIST NVD.
    • Impacted assets—Click to view the details of impacted assets.

      Asset name: The name of the asset impacted by the vulnerability.
      Operating system: The names of the operating systems installed in the impacted assets.
      Version: The version of the operating system installed in the impacted asset.
      Remediation owner: The name of the user assigned to remediate the impacted asset.
      SLA Status: The assets are listed in order of SLA status criticality, with the assets exceeding the SLA listed first. The SLA is calculated according to the date when the vulnerability is first reported by the scanner.
      Status: The status of the vulnerability impacting the asset.
      • Affected
      • Not Affected
      • Under Investigation
      • Fixed
      Source: The source of the vulnerability instance, for example, Qualys or Rapid7.

      Important: You can filter the list of impacted assets by entering the host name of a specific asset in the search box.

    • First Reported—The date the vulnerability instance was first recorded. 
    • Status—The aggregated status of all the assets that are impacted by the vulnerability.
      • Affected
      • Not Affected
      • Under Investigation
      • Fixed
    • Categories—Categories assigned to the vulnerabilities according to their area of impact.
      The following options are available for creating and assigning categories to vulnerabilities:
      • Categories can be created and assigned by using the REST API. For more information, see Assigning categories to vulnerabilities by using REST API.
      • You can leverage BMC HelixGPT to automatically assign categories to newly ingested vulnerabilities that do not already have a category. For more information, see Risks overview.
        • The Categories column header has the information icon by default, indicating that automatic categorization is not enabled.
        • If automatic categorization is enabled, the Categories column header has the BMC HelixGPT sparkles icon, indicating that the assigned categories are AI-generated.
        • If a category is manually assigned or updated, a manual edit icon appears next to the assigned category to indicate user intervention.

          Important: To enable BMC HelixGPT, contact BMC Helix Support. BMC Helix Support will enable the feature flag to trigger automatic assignment of categories to vulnerabilities.

  4. To assign a category to a vulnerability or to update an assigned category from the UI, perform the following steps:

    1. Click the Action menu against the vulnerability and select Update Categories.
    2. Select the required categories in the Update Categories window.
      You can select up to four categories.
    3. Click Save.
      You can assign multiple categories to a vulnerability.
  5. (Optional) Click Show/Hide Columns and select the columns that you want to view in the Vulnerabilities section.
    The CVE IDs, Severity, CVSS Score, Impacted Assets, and First Reported columns are displayed by default. You cannot remove the Vulnerability Name column from the table.
  6. Continue with To investigate a vulnerability.

To investigate a vulnerability

The vulnerability manager can view vulnerability details, such as the vulnerability summary, the CVSS score, and the number of impacted assets, and can assess the risks associated with these vulnerabilities to quickly prioritize remediation.

  1. On the BMC Helix AIOps console, click Risks and then click Vulnerabilities.
  2. From the Top Vulnerabilities table, click a vulnerability to open the Vulnerability Details page and view the following details:

     If BMC HelixGPT is enabled, the following details are displayed:

    • A human-readable AI-generated summary of the vulnerability.
    • Best action recommendations, which is a list of suggested steps that can be used to remediate the vulnerability. Additionally, a BMC HelixGPT-driven wizard offers remediation automation code to accomplish individual steps on different platforms such as Ansible or TrueSight Server Automation.

    Severity: Severity level assigned by the scanner connector.
    CVE-ID: A unique code to identify publicly known vulnerabilities.
    CVSS Score: The CVSS V3 score is assigned by the NIST NVD.
    Impacted services: The names of the services impacted by the vulnerability.
    Risk Score: The risk score is based on the highest service criticality and the highest CVSS score of the vulnerabilities impacting the service. If a service is impacted by child services, the displayed risk score reflects the highest score among them.
    Impacted assets: The number of assets impacted by the vulnerability.
    First Reported: The date the vulnerability instance was first recorded.
    Categories: Categories assigned to the vulnerabilities according to their area of impact.

    The following options are available for creating and assigning categories to vulnerabilities:

    • Categories can be created and assigned by using the REST API. For more information, see Assigning categories to vulnerabilities by using REST API.
    • You can leverage BMC HelixGPT to automatically assign categories to newly ingested vulnerabilities that do not already have a category. For more information, see Risks overview.
      • The Categories column header has the information icon by default, indicating that automatic categorization is not enabled.
      • If automatic categorization is enabled, the Categories column header has the BMC HelixGPT sparkles icon, indicating that the assigned categories are AI-generated.
      • If a category is manually assigned or updated, a manual edit icon appears next to the assigned category to indicate user intervention.

    Important: To enable BMC HelixGPT, contact BMC Helix Support. BMC Helix Support will enable the feature flag to trigger automatic assignment of categories to vulnerabilities.

  3. In the impacted assets section, the following information is displayed:

    Asset name: The names of the assets that are impacted by the vulnerability.
    Operating system: The names of the operating systems installed in the impacted assets.
    Version: The version of the operating system installed in the impacted assets.
    Remediation owner: The name of the user assigned to remediate the impacted asset.
    SLA Status: The assets are listed in order of SLA status criticality, with the assets exceeding the SLA listed first. The SLA is calculated according to the date when the vulnerability is first reported by the scanner.
    Status: The aggregated status of all the assets impacted by the vulnerability.
    • Affected
    • Not Affected
    • Under Investigation
    • Fixed
    Source: The source of the vulnerability instance.
    Services: The names of all the services that are impacted by the vulnerability.
    Automation: The value indicates whether any remediation is mapped against the vulnerability instance. Any impacted assets without mapped automations are indicated by a hyphen '-' in the Automations column.

    Click to view the following details of available remediations:

    • Asset name—Name of the impacted asset
    • Remediation Tool—Source of the remediation operations mapped to the impacted asset
    • Remediation content type—This could be a patch, MSI package, action, or rule.
    • Remediation—The name of the content of the remediation operation

    For information about how to plan automations for remediating vulnerability instances, see Plan automations.

    Remediation status: The value indicates the status of the remediation mapped against the vulnerability instance.

    • Unmapped—No remediations are mapped against the vulnerability instance.
    • Awaiting Attention—
      • Remediation content is mapped in BMC Helix Automation Console
      • Remediation was attempted for this vulnerability instance, but did not succeed for any reason.
    • Awaiting Execution—The remediation operation has been created in BMC Helix Automation Console, but its scheduled start time has not yet arrived, so execution has not begun.
    • Awaiting Approval—The remediation operation is created in BMC Helix Automation Console, but is pending approval before execution can begin.
    Remediation Tool: Source of the remediation operations mapped to the vulnerability instance, for example, TSSA (TrueSight Server Automation) or TSNA (TrueSight Network Automation).
    End of Life: The date indicates when the asset reaches the end of its lifecycle. You can sort this column to identify assets that have already reached End of Life and prioritize their remediation.
    End of Support: The date indicates when vendor support for the asset ends. You can sort this column to identify assets that are no longer supported and prioritize their remediation.
    Business Owner <Name>: The name of the Business Owner assigned to remediate the impacted asset in BMC Helix Discovery. Any impacted assets without an assigned business owner are indicated by a hyphen '-'.
    IT Owner <Name>: The name of the IT Owner assigned to remediate the impacted asset in BMC Helix Discovery. Any impacted assets without an assigned IT owner are indicated by a hyphen '-'.
    Support Manager <Name>: The name of the Support Manager assigned to remediate the impacted asset in BMC Helix Discovery. Any impacted assets without an assigned support manager are indicated by a hyphen '-'.
    Tag: Scanned asset tags imported from BMC Helix Automation Console. Asset tags are unique identifiers, such as RFID tags, QR codes, or barcodes, attached to physical assets that allow users to identify and track assets within the system. For more information, see To import tags for managed and scanned assets.
  4. (Optional) To filter the list of impacted assets according to the following criteria, click Advanced filter:
    • Asset name—The assets that are impacted by the vulnerability.
    • Business Owner—The name of the Business Owner assigned to remediate the impacted asset.
    • IT Owner—The name of the IT Owner assigned to remediate the impacted asset.
    • Remediation Tool
    • Services—The services impacted by the vulnerability.
    • Status—The status of the assets impacted by the vulnerability.
      • Affected
      • Under Investigation
      • Not Affected
    • Support Manager—The name of the Support Manager assigned to remediate the impacted asset.
    • Tags—Scanned asset tags imported from BMC Helix Automation Console.
      You can enter a term in the search bar to filter the criteria, and then select the required values.
  5. To update the status of the impacted assets, perform the following steps:
    1. Select the required assets, click the Action menu at the top right-hand side of the Impacted Assets list, and select Update Status.
    2. (Optional) To update the status of a single asset, click the Action menu against the asset name, and select Update Status.
    3. In the Update Vulnerability Instance Status window, select the required status. 
    4. Click Save.

      Important: If you click the checkbox against Asset Name, it selects all the impacted assets listed on the page. Any impacted assets listed on subsequent pages are not selected.

  6. (Optional) Click Show/Hide Columns and select the columns that you want to view in the Impacted Assets section.
    The Remediation Owner, SLA Status, Status, Services, Automation, Remediation Status, and Remediation Tool columns are displayed by default. You cannot remove the Asset Name column from the table.
  7. Continue with To view best action recommendations.

To generate best action recommendations for remediating vulnerabilities

As a vulnerability manager, make sure that you contact BMC Helix Support to enable BMC HelixGPT to trigger the generation of best action recommendations for vulnerability remediation. 

  1. On the Vulnerability details page, review the AI-generated summary (short problem statement, brief summary, and detailed problem context) of the selected vulnerability.
  2. In the Select OS field, select the appropriate operating system and then select the version.
    The Select OS field is populated with the operating systems linked to the affected assets. If multiple operating systems are listed in the field, select the appropriate operating system and version. The impacted assets are filtered according to your selection, and the Generate Remediation button is activated.
  3. Click Generate Remediation.
    The recommended steps to remediate the vulnerability are displayed.
  4. (If available) Click Code wizard.
    For some manual steps, the Code wizard option is not available.
  5. Select your preferred remediation target, such as Ansible or PowerShell. The code is displayed based on your selection.
    BMC HelixGPT generates code that can be used to run the recommended steps.
  6. (Optional) Click Edit to update the code according to your requirements.
  7. Click Save to save the updated code.
  8. Click Copy to clipboard and use the code in your existing script to run the recommended remediation steps.
  9. Close the code wizard.
    The Generate remediation button is relabelled as Regenerate remediation. When you click it, BMC HelixGPT generates a new set of best action recommendations and a new remediation script for the same OS and version selected by you.
  10. Click Code Information to view details about the generated code, such as the selected remediation target, the name of the user who saved the code, and the date and time when the code was saved.
  11. Click Create change request to open a Change Request form in BMC Helix IT Service Management; enter the relevant details; and submit the change request for approval.
    For more information, see Creating a change request at the Initiate stage.

    Important: To be able to create a change request, as an administrator, install, subscribe to, and configure BMC Helix ITSM. For more information, see Setting up and going live.

To plan automation for remediating vulnerabilities

As a vulnerability manager, make sure that you have the additional permissions assigned in BMC Helix Portal to enable you to plan remediations for vulnerability instances directly from the Vulnerability details page. For more information, see Vulnerability Manager permissions.

To plan automation for remediating vulnerability instances, select one of the following options:

  • To plan automation for remediating multiple vulnerability instances, perform the following steps:
    1. Select the assets for which you want to plan automation.
      You can automate remediations only for assets associated with the same remediation tool and that have automations already mapped to them. 
    2. Click the Action menu at the top right-hand side of the Impacted Assets list, and select Plan Automation. You are redirected to the Create Operation page in BMC Helix Automation Console.
    3. Create a vulnerability remediation operation that executes the mapped remediation content for the vulnerabilities and generates a Patch, NSH, or Deploy job. For more information, see Working with operations.
  • To automate the remediation of a single asset, perform the following steps:
    1. Click the Action menu against the asset name and select Plan Automation. You are redirected to the Create Operation page in BMC Helix Automation Console.
    2. Create a vulnerability remediation operation that executes the mapped remediation content for the vulnerabilities and generates a Patch, NSH, or Deploy job. For more information, see Working with operations.

After you create the operation, the Automations column for the assets displays the value Available.


BMC Helix AIOps 26.1