Configure Policy Rules

You create remediation policy rules to identify conditions that determine when tickets are created, who they are assigned to, and how quickly they should be resolved.

Have you thought about which hosts and vulnerabilities you want to create tickets for and who those tickets should be assigned to? We can help you sort this out quickly - review the basics for some ideas.

Remediation - The Basics

 

It's simple to get started. Go to VM/VMDR > Remediation > Policies > New > Rule, and tell us:

1) which hosts the rule applies to,

Notes:

- When you select assets, asset groups and asset tags without selecting a network, the remediation ticket is created for the custom/global default network for the scanned assets in the selected asset group and tags.

- When you select IP ranges, selecting the network for the IP range is mandatory.

2) which vulnerabilities the rule applies to, and

3) what action you want to take.

Vulnerability search lists are required for defining rule conditions. If a vulnerability is found that matches any search list in the policy rule, then the action specified for the rule is taken. To create a search list, go to VM/VMDR > KnowledgeBase > Search Lists.

Tell us what action to take when rule conditions are met. Note that policy rules are applied to scan results in the order in which they are listed. If a detected vulnerability matches more than one rule, the action specified for the first rule it matches takes precedence.

Your options are:

Create tickets - set to Open. Tickets will be created in Open state and assigned to a user with a deadline for resolution. The clock starts ticking as soon as the scan that resulted in the ticket completes.

Create tickets - set to Closed/Ignored. Tickets will be created in Closed/Ignored state and assigned to a user. You have the option to automatically reopen the tickets in a set number of days. When enabled, the ticket state is changed from Closed/Ignored to Open on the due date, assuming the issue still exists, and the ticket is marked as overdue. If the issue was resolved at some point while the ticket was in the Closed/Ignored state, then the ticket state is changed from Closed/Ignored to Closed/Fixed.

Note: If you do not select the "Reopen ticket in" checkbox (which automatically reopens tickets in a set number of days) while creating or editing a policy rule, the expired/existing remediation tickets do not reopen automatically.

Do not create tickets. A rule with this action must be at the top of the rules list to ensure it is applied first. Tickets will not be created when the rule conditions are met as long as this is the first rule that's matched. Use this option for hosts or vulnerabilities that should never trigger the creation of a ticket.

Tell us who will be responsible for the tickets created as a result of this policy rule. You can choose a specific user from the list or select one of the following options.

User Running Scan - select this option to assign each ticket to the user who started the scan that resulted in the ticket. In the case of agent scans, tickets are assigned to the Manager Primary Contact for the subscription.

Asset Owner - select this option to assign each ticket to the user who has been designated as the owner of the host the ticket applies to.

How do I assign an owner to a host?

Managers and Unit Managers can assign owners to hosts by editing host information (under Assets > Host Assets).

What if I assign tickets to the "Asset Owner" but there isn't one?

If the hosts have not been assigned owners, then the tickets will be assigned to the user who launched the scan. Managers and Unit Managers can assign owners to hosts by editing host information (under Assets > Host Assets).

It's possible that multiple kernels are detected on a single Linux host. By selecting this option, you can be sure tickets are only created for vulnerabilities found on the running Linux kernel.

 

After creating your policy rules, you must start new vulnerability scans. As your scans finish and the results are processed, the results will be compared to your policy rules and tickets will be automatically created. Go to VM/VMDR > Scans > New > Scan to start a new scan.

Using cloud agent? Agent scan results will also be compared to your policy rules and tickets will be created. When the policy assignee is set to User Running Scan, we'll assign tickets to the Manager Primary Contact for the subscription.

As tickets are created they appear on the Tickets list. Go to VM/VMDR > Remediation > Tickets to view and manage your tickets.

Policy rules are applied to scan results in the order in which they are listed. The rule at the top of the list has the highest priority and is applied first. Move a rule up in the list to increase its priority or move it down to decrease its priority.

Tip - If you have a rule that specifies tickets should not be created when conditions are met, then that rule should be at the top of the list so it is applied first.

Here are the steps: Go to VM/VMDR > Remediation > Policies. Select Reorder from the New menu. Select a rule in the list and use the Move Up and Move Down buttons.
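
The first-match ordering and the assignee fallbacks described above can be modeled in a few lines. This is an added example, not product code: the Rule class, the function names and all sample hosts, QIDs and user names are constructed for illustration, and vulnerability search lists are reduced to a plain set of QIDs.

```python
from dataclasses import dataclass

@dataclass
class Rule:                      # simplified model of one policy rule
    name: str
    hosts: set                   # hosts the rule applies to
    qids: set                    # stand-in for the rule's search lists
    action: str                  # "open", "closed_ignored" or "no_ticket"
    assignee: str = "user_running_scan"  # or "asset_owner", or a user name

def resolve_assignee(rule, host, scan):
    if rule.assignee == "asset_owner":
        # No owner on the host: falls back to the user who launched the scan.
        return scan["owners"].get(host) or scan["launched_by"]
    if rule.assignee == "user_running_scan":
        # Agent scans go to the Manager Primary Contact for the subscription.
        return scan["primary_contact"] if scan["agent"] else scan["launched_by"]
    return rule.assignee         # a specific user chosen from the list

def evaluate(rules, detection, scan):
    """Apply rules in listed order; only the first match takes effect."""
    for rule in rules:
        if detection["host"] in rule.hosts and detection["qid"] in rule.qids:
            if rule.action == "no_ticket":
                return None
            state = "Open" if rule.action == "open" else "Closed/Ignored"
            return {"rule": rule.name, "state": state,
                    "assignee": resolve_assignee(rule, detection["host"], scan)}
    return None                  # no rule matched, so no ticket

# Constructed sample data: hosts, QIDs and user names are made up.
EXCLUDE = Rule("lab-exclusion", {"10.0.0.5"}, {1001, 1002}, "no_ticket")
GENERAL = Rule("all-servers", {"10.0.0.5", "10.0.0.6"}, {1001}, "open", "asset_owner")
SCAN = {"launched_by": "alice", "agent": False, "primary_contact": "mgr",
        "owners": {"10.0.0.6": "bob"}}
LAB_HOST = {"host": "10.0.0.5", "qid": 1001}

def compare_orderings():
    """Same rules, two orders: the exclusion only works when listed first."""
    return (evaluate([GENERAL, EXCLUDE], LAB_HOST, SCAN),
            evaluate([EXCLUDE, GENERAL], LAB_HOST, SCAN))

if __name__ == "__main__":
    below, on_top = compare_orderings()
    print("exclusion listed second:", below)
    print("exclusion listed first: ", on_top)
```

With the exclusion rule listed second, the broader rule matches first and an Open ticket is created for the lab host. Because that host has no owner, the ticket goes to the user who launched the scan.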

 


Tip - Move rules with the action "Do not create tickets" to the top of the rules list so they are applied first. This is the only way to ensure tickets are not created for the rule conditions.