About Vulcan Campaigns
To remediate vulnerabilities, the Vulcan Platform offers two remediation methods: manual and automated. Taking Action on a vulnerability (or more), whether manual or automated, results in a Campaign.
One of the most common uses in Vulcan is utilizing the scanners' findings and data in taking manual or automated remediation actions. Every remediation action taken on a vulnerability generates a Remediation Campaign. Through the Vulcan Platform, you can manage and monitor all Remediation Campaigns and gain visibility into the overall progress of remediation actions.
Creating Campaigns Manually
Every time you Take Action on an asset or a vulnerability, a campaign is created. This is a manual campaign because it is triggered manually by the user through the Vulnerabilities or Assets page.
Take Action on a Vulnerability
Assuming there is a vulnerability (or more) you want to take Action on and remediate or share its information in an email; all you need to do is select the vulnerability(ies) from the Vulnerabilities Page and click Take Action.
Go to Vulnerabilities > filter and select the desired vulnerabilities. You can also filter by Business Group to target assets by a business unit.
Click Take Action.
Select the Take Action method:
Opening a ticket through your integrated ticketing systems such as JIRA, ServiceNow, etc.
Report/share information on the Vulnerability through your integrated reporting systems such as email, Slack, etc.
Fill in the required fields.
Note: Vulcan automatically pre-populates some fields with summarized, actionable information about the vulnerability.Optionally, select the assets to include in the ticket. By default, all vulnerable assets are included.
Optionally, select the remedies to include in the ticket. By default, all solutions are included.
Optionally, manually set the due date. By default, the SLA sets the due date as configured under Settings.
Click “Open Ticket”.
Take Action on an Asset
Assuming there is an asset you want to Take Action on, select the asset(s) from the Asset Page and click Take Action.
Go to Assets > filter and select the desired asset.
Click Take Action.
Select the Take Action method:
Fill in the required fields.
Note: Vulcan automatically pre-populates some fields with summarized, actionable information about the assets/vulnerabilities.Optionally, select the vulnerabilities to remediate to include in the ticket. By default, all vulnerable assets are included.
Optionally, select the remedies to include in the ticket. By default, all solutions are included.
Optionally, manually set the due date. By default, the SLA sets the due date as configured under Settings.
Click “Open Ticket”.
What's the difference between taking action on a vulnerability vs. an asset?
When taking Action on a Unique Vulnerability, the generated ticket contains a list of all the assets affected by the vulnerability. You can include a call for Action on none, all, or several assets in one ticket.
When taking Action on an Asset, the generated ticket contains a list of all vulnerability instances affecting the asset, including all the available remedies. You can include a call for Action on none, all, or several vulnerability instances and remedies in one ticket.
The question is, what do you want to do?
If you want to remedy all the vulnerabilities affecting the asset, you should Take Action on the asset level. On the other hand, if you fix High/Critical vulnerabilities on specific assets (or all affected assets), you should Take Action on the vulnerability level.
Creating Automated Campaigns
A Campaign is automatically created when an automation playbook is triggered for the first time. By "triggered" we mean the first time the Playbook's conditions are met and generate a remediation action (a ticket/email/etc.). Once a campaign is created, it keeps getting fed and updated with subsequent discoveries by the Playbook (if configured in the Ticket Settings). This means that each Playbook has one Campaign that is constantly updated.
Opening tickets automatically through Playbooks
To learn how to create automation playbooks campaigns, let's look at the example below that demonstrates the workflow of the following common scenario:
"I want to automatically open a JIRA ticket on existing and new critical and high-risk vulnerabilities from Rapid7 that apply to a specific high-impact business group".
First, let's filter the vulnerabilities to see what we focus on.
Go to Vulnerabilities > Unique Vulnerabilities tab > filter to match the required criteria.
In the example below, we selected the Business Group "Public Servers" and filtered for Critical and High vulnerabilities.The resulting view shows 8 Unique vulnerabilities: 5 in Critical and 3 in High. In this case, every unique vulnerability has one instance (affecting one asset).
Since we want to track every new critical vulnerability under these criteria automatically, we need to create an automated action by creating a new Automation Playbook.
Go to Automations > Create a new playbook.
We'll apply the conditions on the new Playbook to target every new critical and high vulnerability under the "Public Server" business group.
Learn all about creating Playbooks and Automation here.
This how would the conditions look like for our specific example:Note: When creating Business Groups, ensure the assets associated with the Business Group have the appropriate indicative Tag (usually the business group's name as a tag).
After setting up the playbook conditions, select the type of Action you want to apply to the findings of the automated Playbook:
TIP: The most common use is to apply a ticket for the relevant remediation team within the organization.
Complete creating the automation following the instructions here.
Campaigns - Main Page Overview
After an automated or manual remediation action is created, a new Campaign is automatically created with the relevant details on that Action in the Campaigns tab.
The Campaigns page contains a tab for Open campaigns and one for Closed campaigns.
The information presented in the Campaigns table includes the following columns:
Type: Manually created or through automation (Playbook)
Name: The campaign name inserted manually / the name generated from the Playbook
Started: The date of campaign creation
Source: The vulnerability(ies) source(s) (connectors)
Max Risk: The risk score of the vulnerability instance with the highest risk in the Campaign
Vulnerabilities: The unique vulnerability name the campaign was initially opened for. If more than one unique vulnerability is included in the Campaign, the number of included vulnerabilities is shown.
Resolved Instances: Number fixed vulnerability instances (assets) out of the total assets (vulnerability instances) included in the Campaign.
SLA Status: The number of assets (vulnerability instances) exceeding SLA.
Action: The tool through which the Action was taken when the Campaign was created (Jira, ServiceNow, Email, etc)
Tracking Campaign Progress
To gain insight into a campaign's status and progress, go to Campaigns and click on the relevant Campaign.
Progress Percentage
You can track the progress in % of the Campaign and review stats such as Resolved Instances count and Last Activity action and time. For example, hover over the Resolved Instances count to view how many vulnerabilities are Fixed, Archived, or Ignored/acknowledged in the Campaign.
Campaign's Progress = The percentage of vulnerability instances resolved out of the total instances the campaign covers.
Resolved Vulnerability Instance = The integrated scanner connector reported to the Vulcan Platform that the affected asset no longer has that vulnerability instance.
Manual vs. Automated Campaign Progress
"Progress" in manually opened campaigns
Manual campaigns don't get updated with subsequent discoveries as they cover only the vulnerabilities/assets initially included. Once a campaign is manually created, the Campaign's progress can reach 100% and automatically close if all the assigned vulnerability instances are fixed.
"Progress" in automated campaigns
Once an automated campaign is created, it gets fed and updated with subsequent discoveries by the Playbook. This means that each Playbook has one Campaign that is constantly updated. As long as the Campaign runs, it will keep opening more tickets or updating existing ones with more discovered vulnerabilities/affected assets. This means that the progress percentage of the Campaign is dynamic and can increase or decrease based on the number of resolved vulnerability instances and affected assets. Automated campaigns rarely reach 100% (and shouldn't).
Campaign Actions
The Actions tab provides insight into the actions taken on the associated tickets (created or updated), attachments included, vulnerabilities involved, SLA, and more.
The Vulnerabilities tab summarizes all the instances covered in the Campaign and their remediation progress. You can group by Assets or Vulnerabilities.
Campaign Vulnerabilities
The Vulnerabilities tab provides details of the vulnerabilities addressed in the campaign. This view allows you to group the data by:
Assets involved (vulnerability instances)
Unique Vulnerabilities addressed
Export Campaign Vulnerability Instances
Export all vulnerability instances associated with a specific campaign into a CSV file, including a comprehensive set of columns mirroring those available for tickets. The export helps with effectively tracking and monitoring the vulnerability status of a campaign.
Note: Archived vulnerability instances are excluded from the report.
Once the file is ready, a dedicated system notification appears with a link to download the CSV file and an email is sent to the user who initiated the export.
What columns/info does the file include?
Vulnerability Name, Asset Name, Status, Risk, Sources (Connectors), Risk Score, First Seen, Last Seen, Threats (Threta Tags), CVEs, Vulnerability Description, Vulnerability Instance Details, Scanner Resolution, Tags, Business Groups, Owners (Dynamic Properties), Inclusion Date, OS, OS Version, IP, Cloud Instance ID.
What if I don't see the file in the Notifications Center?
Refresh the page and check again.
Campaign Activity
The Activity tab describes all the activities in the Campaign and associated tickets.
The Open Tickets view provides visibility into the opened tickets status and links to the tickets in the ticketing system.
Managing Campaigns
Editing Campaign Name
There are several ways to edit a campaign name:
The Campaigns view has an edit icon next to each row. Clicking on this icon will prompt a campaign name change. Once you have typed your new campaign name, press "Enter" or click anywhere else on the screen. To cancel, click "Esc".
A notification at the bottom right of your screen will indicate that your campaign name has been successfully changed.
From within a specific campaign, clicking on the edit icon next to the campaign name or the name itself will prompt a change to a campaign name. Once you have typed your new campaign name, press "Enter" or click anywhere else on the screen. To cancel, click "Esc".
A notification at the bottom right of your screen will indicate that your campaign name has been successfully changed.
For playbook-created campaigns only:
If you change the name of a playbook, the corresponding Campaign will also change its name to match the Playbook. This also works in the opposite direction - changing the name of a playbook-created campaign will change the name of the Playbook.
When a campaign name has been successfully changed, an activity will be logged in the Campaign's Activity tab. In addition, it will provide details regarding which user changed the campaign name and what change was made.
Adding Notes to a Campaign
Open a specific campaign from the Campaigns view table.
On the bottom right is a "Notes" field - add your notes here.
When you have finished writing notes, click anywhere outside the field.
You will see a notification at the bottom right of your screen, indicating that your note has been successfully saved.
Campaign Analytics
The Campaign Report analytics page presents Campaign Coverage KPIs and trends, generating a bigger picture of vulnerability instances covered by campaigns and the campaign coverage workload in your organization.
FAQ
What happens if I cancel a campaign?
When the user cancels a campaign, Vulcan no longer has access to manage the tickets in the campaign (the tickets will not auto-close).