Prior to Vulnerability Response v10.0, configure vulnerability groups (VG) to help
analysts and remediation specialists organize vulnerable items (VI) and analyze them in bulk.
The criteria by which groups are formed is configured so that you do not have to manually assign
vulnerable items into groups. Using vulnerability groups, you can monitor progress and drive the
remediation process more efficiently.
Understanding vulnerability groups
Vulnerability groups represent a set of vulnerable items to remediate. Grouping vulnerable
items has many advantages. You can move vulnerable items through the remediation states,
mark them under investigation, defer them, mark them resolved in bulk by using groups. You
can create conditions to automatically group all items with specified vulnerabilities,
departments, locations, and any other data related to the vulnerable item. Vulnerable items
can belong to more than one vulnerability group giving you the flexibility to actively work
with one group and monitor another. It all depends on your organizational needs. For
example, you could group by department, and also create a group containing all currently
exploitable vulnerabilities.
Vulnerability groups are created as follows.
From a vulnerability group, the group of vulnerable items may be assigned to a user,
deferred until later, used to create a Change Request , and so on.
When it is determined that a new vulnerable item can be added to a group, the vulnerability
item is included in the Vulnerable Items list of the vulnerability
group. Conversely, the vulnerability group appears in the Vulnerability
Group list of Vulnerable Items .
When updating the state of a vulnerability group, associated vulnerable items can have
their state updated to match this vulnerability group. See Vulnerability Response group and vulnerable item states for more information on state
changes.
You can create security incidents and change requests from vulnerability groups, as
needed.
Refreshing vulnerable items automatically
Note: Vulnerable item refresh automation applies only to groups created using the condition
filter or filter group. Automation does not apply to VIs that were added manually or grouped
using vulnerability group rules (VGRs).
When the Automatically refresh vulnerable items check box is
selected, new VIs matching the vulnerability group filter criteria are automatically added
to the group. Vulnerable items in the group that no longer match the filter criteria are
automatically removed from the group.
By default, when the group leaves the Open state, the check box is cleared. If you want
vulnerable items to continue being added to the group, regardless of state, disable the
Set auto refresh vulnerable items business rule.
You can select the check box again manually from the Under Investigation state.
Automatically refresh vulnerable items is not disabled when the
group moves into the Awaiting Implementation state. Once in the Awaiting Implementation
state, no new vulnerable items can be added to the existing group, nor can existing
vulnerable items be removed from the group.
Note: When a group is created manually, and VIs
are added using the Condition filter or Filter
Group , the check box is unchecked. You have the choice to select the box or
not.
Refreshing vulnerable items manually
For manually created vulnerability groups with a Filter Group or
Condition filter, when you click the Refresh associated
vulnerable items related link on the Vulnerability
Group page, any vulnerable items that match the filter criteria are added.
Items no longer matching the criteria are removed. This action allows an immediate update of
the list of vulnerable items and is used whether the Automatically refresh
vulnerable item check box is selected or not.
Manually created vulnerability groups using Condition or
Filter Group filter types are refreshed once an hour.
Understanding vulnerability group rules
Vulnerability groups rules allow you to define how vulnerable items are automatically
grouped and assigned. A default rule,
Vulnerability , is included in
the base system grouping vulnerable items based on its vulnerability. However, you can group
by any other set of values in columns accessible from the VI. These values could include
configuration item (CI) support group, vulnerability severity, and, so on. You can use up to
five keys and any number of conditions.
You can automate group assignment, as well.
See
Create or edit vulnerability group rules (Prior to v10.0) and
Filtering within Vulnerability Response for more information.
Note: To make Rapid7 InsightVM asset tags available
for use in the Condition filter for Vulnerability Group Rules, you must run the Rapid7 InsightVM Asset List integration before the other Rapid7 InsightVM integrations.
For example, you can group your vulnerable items by the cost center of the vulnerable CI,
or by the attack vector of the vulnerability. You can have one group rule for low severity
vulnerabilities or low risk CIs. You can have another group rule for critical servers, and
vulnerabilities with exploits — vulnerable items that expose the company to more risk.
A different set of rules can be used for vulnerable items that expose the company to more
risk. The VGR name is appended to the vulnerability group key values to make the short
description of the new vulnerability group. See Create a Vulnerability
Response group for more information on available fields.
When a new vulnerable item is created, imported, or reopened after being closed, the
vulnerability rules are evaluated against it. A VI is only evaluated once, unless it is
reopened after being closed.
The following process is used for each new or reopened VI:
For each vulnerability group rule, the VI is compared to the VGR filter.
For each rule where the VGR condition matches, the rule pulls the data from the group
key columns on the VI. It builds a group name and key. In this case, High
Risk: QID-32342: Accounting: Joan Doe – VGR Name, vulnerability name,
department, and manager). The rule checks to see if there is a matching
Open vulnerability group that is assigned to the same
assignment group as the VI. If the group is found, the VI is added to the existing
group in the Open state.
If no group in the Open state is found, the rule creates a
High Risk: QID-32342: Accounting: Pat Doe group, assigns it
to the same assignment group as the VI, and places the VI in it.
More than one VGR can be defined, to group different kinds of vulnerabilities. Since each
vulnerability is compared with the VGR conditions before putting it in a group, too many
VGRs may have a performance impact.
By default, VGRs use the assignment group set by the Assignment
Rules on the vulnerable item when grouping the items, and assigns the
vulnerability group to match the vulnerable items. If you want different behavior, see
Advanced vulnerability group assignment.
As part of the Vulnerability group rule, the assignment of these
vulnerability groups is controlled by the rules in the Assignment
Rules module. For more information on assignment rules, see Vulnerability Response assignment rules overview .
Advanced vulnerability group assignment
If you want the VGR to create groups and assign them differently, use the Advanced
Assignment view in VGRs to display your assignment options. See Create or edit vulnerability group rules (Prior to v10.0) for more information on vulnerability
group rule options.
When a vulnerability group assignment is made or changed, the Assignment
group and the Assigned to fields roll down to all
vulnerable items, except for those where the vulnerable item has a different assignment
group than the VG.
There are three different ways to assign the groups by:
Assignment by: This option allows you to select any of the following:
Assignment group: This option allows you to choose any platform group. For
example, you can define:
Assignment rule 1 as: Vulnerability Summary
contains Java, Assignment group: IT Security, Order: 100.
Assignment rule 2
as: Vulnerability Summary contains Microsoft Service Pack, Assignment group: IT
Operations, Order: 200.
Assignment group field: This option allows you to choose any assignment group
field available using the cmdb_ci table. By default you see the following three
group fields:
Configuration Item: Approval Group
Configuration Item: Assignment Group
Configuration Item: Support Group
Assignment Rules: This option uses pre-defined Assignment
Rules . See Vulnerability Response assignment rules overview for more
information.
These assignments are used automatically for this group on the next
import.