About Vulcan Cyber ExposureOS Campaigns
To remediate vulnerabilities, the Vulcan Cyber ExposureOS platform offers two remediation methods: manual and automated. Taking Action on one or more vulnerabilities, whether manually or through automation, results in a Campaign.
One of the most common uses of Vulcan Cyber ExposureOS is utilizing the scanners' findings and data to take manual or automated remediation actions. Every remediation action taken on a vulnerability generates a Remediation Campaign. Through the Vulcan Cyber ExposureOS platform, you can manage and monitor all Remediation Campaigns and gain visibility into the overall progress of remediation actions.
Creating Campaigns Manually
Every time you Take Action on an asset or a vulnerability, a campaign is created. This is a manual campaign because the user triggers it manually through the Vulnerabilities or Assets page.
Take Action on a Vulnerability
To remediate one or more vulnerabilities, or to share information about them in an email, select the vulnerability(ies) on the Vulnerabilities page and click Take Action.
Go to Vulnerabilities > filter and select the desired vulnerabilities. You can also filter by Business Group to target assets by a business unit.
Click Take Action.
Select the Take Action method:
Opening a ticket through your integrated ticketing systems such as JIRA, ServiceNow, etc.
Report/share information on the Vulnerability through your integrated reporting systems such as email, Slack, etc.
Fill in the required fields.
Note: Vulcan Cyber ExposureOS automatically pre-populates some fields with summarized, actionable information about the vulnerability.
Optionally, select the assets to include in the ticket. By default, all vulnerable assets are included.
Optionally, select the remedies to include in the ticket. By default, all solutions are included.
Optionally, manually set the due date. By default, the SLA sets the due date as configured under Settings.
Click "Open Ticket".
Take Action on an Asset
Assuming there is an asset you want to Take Action on, select the asset(s) from the Asset Page and click Take Action.
Go to Assets > filter and select the desired asset.
Click Take Action.
Select the Take Action method:
Fill in the required fields.
Note: Vulcan Cyber ExposureOS automatically pre-populates some fields with summarized, actionable information about the assets/vulnerabilities.
Optionally, select the vulnerabilities to remediate and include in the ticket. By default, all vulnerable assets are included.
Optionally, select the remedies to include in the ticket. By default, all solutions are included.
Optionally, manually set the due date. By default, the SLA sets the due date as configured under Settings.
Click "Open Ticket".
What's the difference between taking Action on a vulnerability vs. an asset?
When taking Action on a Unique Vulnerability, the generated ticket contains a list of all the assets affected by the vulnerability. You can include a call for Action on none, all, or several assets in one ticket.
When taking Action on an Asset, the generated ticket contains a list of all findings (instances) affecting the asset, including all the available remedies. You can include a call for Action on none, all, or several findings (instances) and remedies in one ticket.
The question is, what do you want to do?
If you want to remedy all the vulnerabilities affecting the asset, you should Take Action on the asset level. On the other hand, if you want to fix High/Critical vulnerabilities on specific assets (or all affected assets), you should Take Action on the vulnerability level.
Creating Automated Campaigns
A Campaign is automatically created when an automation playbook is triggered for the first time. By "triggered" we mean the first time the Playbook's conditions are met and generate a remediation action (a ticket/email/etc.). Once a campaign is created, it keeps getting fed and updated with subsequent discoveries by the Playbook (if configured in the Ticket Settings). This means that each Playbook has one Campaign that is constantly updated.
Opening tickets automatically through Playbooks
To learn how to create campaigns through automation playbooks, let's look at the example below, which demonstrates the workflow for the following common scenario:
"I want to automatically open a JIRA ticket on existing and new critical and high-risk vulnerabilities from Rapid7 that apply to a specific high-impact business group".
First, let's filter the vulnerabilities to see what we focus on.
Go to Vulnerabilities > Unique Vulnerabilities tab > filter to match the required criteria.
In the example below, we selected the Business Group "Public Servers" and filtered for Critical and High vulnerabilities.
The resulting view shows 8 Unique vulnerabilities: 5 Critical and 3 High. In this case, every unique vulnerability has one finding (instance), affecting one asset.
Since we want to track every new critical vulnerability under these criteria automatically, we need to create an automated action by creating a new Automation Playbook.
Go to Automations > New Playbook.
We'll apply the conditions on the new Playbook to target every new critical and high vulnerability under the "Public Servers" business group.
Learn all about creating Playbooks and Automation here.
This is how the conditions would look for our specific example:
Note: When creating Business Groups, ensure the assets associated with the Business Group have the appropriate indicative Tag (usually the business group's name as a tag).
After setting up the playbook conditions, select the type of Action you want to apply to the findings of the automated Playbook:
TIP: The most common use is to apply a ticket for the relevant remediation team within the organization.
Complete creating the automation following the instructions here.
Campaigns - Main Page Overview
After an automated or manual remediation action is created, a new Campaign is automatically created with the relevant details on that Action in the Campaigns tab.
The Campaigns page contains a tab for Open campaigns and one for Closed campaigns.
The information presented in the Campaigns table includes the following columns:
Type: Manually created or through automation (Playbook)
Name: The campaign name inserted manually / the name generated from the Playbook
Started: The date of campaign creation
Sources: The vulnerability(ies) source(s) (connectors)
Max Risk: The risk score of the finding (instance) with the highest risk in the Campaign
Vulnerabilities: The unique vulnerability name for which the campaign was initially opened. If more than one unique vulnerability is included in the Campaign, the number of included vulnerabilities is shown.
Resolved Instances: Number of fixed assets (findings (instances)) out of the total assets (findings (instances)) included in the Campaign.
SLA Status: The number of assets (findings (instances)) exceeding SLA.
Action: The tool through which the Action was taken when the Campaign was created (Jira, ServiceNow, Email, etc.)
Tracking Campaign Progress
To gain insight into a campaign's status and progress, go to Campaigns and click on the relevant Campaign.
Progress Percentage
You can track the Campaign's progress as a percentage and review stats such as the Resolved Instances count and the Last Activity action and time. For example, hover over the Resolved Instances count to view how many vulnerabilities are Fixed, Archived, or Ignored/acknowledged in the Campaign.
Campaign's Progress = The percentage of findings (instances) resolved out of the total instances the campaign covers.
Resolved Vulnerability Instance = The integrated scanner connector reported to the Vulcan Cyber ExposureOS platform that the affected asset no longer has that finding (instance).
Manual vs. Automated Campaign Progress
"Progress" in manually opened campaigns
Manual campaigns don't get updated with subsequent discoveries as they cover only the vulnerabilities/assets initially included. Once a campaign is manually created, the Campaign's progress can reach 100% and automatically close if all the assigned findings (instances) are fixed.
"Progress" in automated campaigns
Once an automated campaign is created, it gets fed and updated with subsequent discoveries by the Playbook. This means that each Playbook has one Campaign that is constantly updated. As long as the Campaign runs, it will keep opening more tickets or updating existing ones with more discovered vulnerabilities/affected assets. This means that the progress percentage of the Campaign is dynamic and can increase or decrease based on the number of resolved findings (instances) and affected assets. Automated campaigns rarely reach 100% (and shouldn't).
Campaign Actions
The Actions tab provides insight into the actions taken on the associated tickets (created or updated), attachments included, vulnerabilities involved, SLA, and more.
Campaign Vulnerabilities
The Vulnerabilities tab provides details of the vulnerabilities addressed in the campaign. This view allows you to group the data by:
Assets involved (findings (instances))
Unique Vulnerabilities addressed
Export Campaign Vulnerability Instances (Findings)
Export all findings (instances) associated with a specific campaign into a CSV file, including a comprehensive set of columns mirroring those available for tickets. The export helps with effectively tracking and monitoring the vulnerability status of a campaign.
Note: Archived findings (instances) are excluded from the report.
Once the file is ready, a dedicated system notification appears with a link to download the CSV file and an email is sent to the user who initiated the export.
What columns/info does the file include?
Vulnerability Name, Site Name, Asset Name, Status, Risk, Sources (Connectors), Risk Score, First Seen, Last Seen, Threats (Threat Tags), CVEs, Vulnerability Description, Vulnerability Instance Details, Scanner Resolution, Tags, Business Groups, Owners (Dynamic Properties), Inclusion Date, Fix Due Date, OS, OS Version, IP, Cloud Instance ID, Address.
What if I don't see the file in the Notifications Center?
Refresh the page and check again.
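The exported CSV can also be processed offline to recompute campaign progress and to list open findings that are past their Fix Due Date. The script below is an added example, not part of the Vulcan Cyber documentation: the column names come from the list above, while the status strings, the date format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export. Column names come from the list above; the
# status strings and the YYYY-MM-DD date format are assumptions.
SAMPLE_EXPORT = """\
Vulnerability Name,Asset Name,Status,Risk,Business Groups,Fix Due Date
Outdated OpenSSL,web-01,Fixed,Critical,Public Servers,2024-03-01
Outdated OpenSSL,web-02,Vulnerable,Critical,Public Servers,2024-03-01
Weak TLS ciphers,web-02,Ignored,High,Public Servers,2024-03-15
Missing OS patch,db-01,Vulnerable,High,Public Servers,2024-04-30
"""

# Assumed status values counted as resolved. Archived findings never appear
# in the export, so they are not listed here.
RESOLVED_STATUSES = {"fixed", "ignored", "acknowledged"}


def summarize_campaign(csv_text, today):
    """Compute campaign progress and list open findings past Fix Due Date."""
    total = resolved = 0
    overdue = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        if row["Status"].strip().lower() in RESOLVED_STATUSES:
            resolved += 1
            continue
        due = (row.get("Fix Due Date") or "").strip()
        # Open rows without a due date are skipped.
        if due and datetime.strptime(due, "%Y-%m-%d").date() < today:
            overdue.append((row["Asset Name"], row["Vulnerability Name"], due))
    # Progress = resolved findings out of all findings the campaign covers.
    progress = round(100 * resolved / total, 1) if total else 0.0
    return {"total": total, "resolved": resolved,
            "progress_pct": progress, "overdue": overdue}


if __name__ == "__main__":
    report = summarize_campaign(SAMPLE_EXPORT, today=date(2024, 4, 1))
    print(f"Progress: {report['progress_pct']}% "
          f"({report['resolved']}/{report['total']} findings resolved)")
    for asset, vuln, due in report["overdue"]:
        print(f"OVERDUE since {due}: {vuln} on {asset}")
```

Because archived findings are excluded from the export, the percentage computed this way may differ from the one shown on the campaign page.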
Campaign Activity
The Activity tab describes all the activities in the Campaign and associated tickets.
The Open Tickets view provides visibility into the status of the opened tickets and links to the tickets in the ticketing system.
Managing Campaigns
Editing Campaign Name
There are several ways to edit a campaign name:
The Campaigns view has an edit icon next to each row. Clicking this icon lets you change the campaign name. Once you have typed your new campaign name, press "Enter" or click anywhere else on the screen. To cancel, press "Esc".
A notification at the bottom right of your screen will indicate that your campaign name has been successfully changed.
From within a specific campaign, clicking the edit icon next to the campaign name, or the name itself, lets you change the campaign name. Once you have typed your new campaign name, press "Enter" or click anywhere else on the screen. To cancel, press "Esc".
A notification at the bottom right of your screen will indicate that your campaign name has been successfully changed.
For playbook-created campaigns only:
If you change the name of a playbook, the corresponding Campaign will also change its name to match the Playbook. This also works in the opposite direction - changing the name of a playbook-created campaign will change the name of the Playbook.
When a campaign name has been successfully changed, an activity will be logged in the Campaign's Activity tab. In addition, it will provide details regarding which user changed the campaign name and what change was made.
Adding Notes to a Campaign
Open a specific campaign from the Campaigns view table.
On the right, there is a "Notes" field - add your notes here.
When you have finished writing notes, click anywhere outside the field.
You will see a notification at the bottom right of your screen, indicating that your note has been successfully saved.
Campaign Reports (Analytics)
The Campaign Report analytics page presents Campaign Coverage KPIs and trends, generating a bigger picture of findings (instances) covered by campaigns and the campaign coverage workload in your organization.
FAQ
What happens if I cancel a campaign?
When the user cancels a campaign, Vulcan Cyber ExposureOS no longer has access to manage the tickets in the campaign (the tickets will not auto-close).