Views:

Manually or periodically mitigate risks posed by highly-exploitable CVEs detected on your managed internal and internet-facing assets.

A highly-exploitable CVE is a critical vulnerability that is highly likely (or has been proven) to be exploited if not remediated. For more information about highly-exploitable CVEs on managed assets, see Vulnerabilities.
Important
Important
You must have the Attack Surface Risk Management entitlement enabled and the following required data sources configured to create CVEs with Global Exploit Activity playbooks:
  • CVEs with Global Exploit Activity - Internal Assets: XDR Endpoint Sensor or third-party data sources (Nessus Pro, Qualys, Rapid7, or Tenable.io)
  • CVEs with Global Exploit Activity - Internet-Facing Assets: Root domain configuration in Attack Surface Risk Management

Procedure

  1. Go to Workflow and AutomationSecurity Playbooks.
  2. On the Playbooks tab, choose AddCreate playbook.
  3. On the Playbook Settings panel, select the Vulnerability type, specify a unique name for the playbook, and click Apply.
  4. On the Trigger Settings panel, select the trigger type and click Apply.
    • Manual: Allows you to start the playbook execution by clicking the Run icon (run=fddd0df8-993a-4aa5-b09c-51ad84aec2a4.png)
    • Scheduled: Allows you to schedule the playbook to run daily, weekly, or monthly
  5. On the Target Settings panel, select and configure the Target for the playbook and click Apply.
    If you need to mitigate risks for more than one target type, use the add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) on the right of the Trigger node.
  6. If you need to take actions when specific conditions are met, configure the Condition node.
    1. Click the add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) on the right of the Target node and click Condition.
    2. Create a condition setting by specifying the Parameter, Operator, and Value.
      Setting
      Description
      Parameter
      For more information about the parameters, see the Highly-Exploitable CVEs widget in the Operations Dashboard app.
      Operator
      • IS: The condition is triggered if any of the values is matched
      • IS NOT: The condition is triggered if none of the values is matched
      Value
      For more information about the values for each parameter, see the Highly-Exploitable CVEs widget in the Operations Dashboard app.
    3. If you need to configure multiple sets of condition settings, click Add.
      The condition operator is evaluated using a logical AND.
    4. Click Apply.
    5. If you need to add more than one parallel Condition node, click the add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) on the right of the Target node.
    6. If you need to configure action settings for the Condition node, add an Action node by clicking the add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) on the right.
      For details, see Step 7.
    7. If you need to configure else-if conditions or else actions, add an Else-If Condition or Else Action node by clicking the add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) under the Condition node.
      For details, see Step 9.
  7. Configure actions by adding an Action node.
    1. Click the add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) on the right of the Condition node and click Action.
    2. On the Action Settings panel, select Generate CSV file from the Action drop-down list.
      The playbook consolidates CVEs detected and generates .CSV files that contain information about the CVEs and the affected assets.
    3. Select whether you want to get separate .CSV files by CVE.
      This setting determines whether the playbook sends consolidated or separate notifications if you also configure notification actions in a second Action node.
    4. Select whether to send a notification to request manual approval to create general actions, and then configure the notification settings if you require manual approval.
      Note
      Note
      Actions pending manual approval for over 24 hours expire and cannot be performed.
      Setting
      Description
      Notification method
      • Email: Sends an email notification to specified recipients
      • Webhook: Sends a notification to specified webhook channels
      Subject prefix
      The prefix that appears at the start of the notification subject line
      Recipients
      The email addresses of recipients
      The field only appears if you select Email for Notification method.
      Webhook
      The webhook channels to receive notifications
      The field only appears if you select Webhook for Notification method.
      Tip
      Tip
      To add a webhook connection, click Create channel in the drop-down list.
    5. Click Apply.
    6. If you need to add more than one parallel action, use the add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) on the right of the Target or Condition node.
  8. Configure notification settings by adding the second Action node.
    1. Click the add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) on the right of the first Action node and click Action.
    2. On the Action Settings panel, specify how to notify recipients of the playbook results.
    3. For email and webhook notifications, configure the following settings.
      Setting
      Description
      Subject prefix
      The prefix that appears at the start of the notification subject line
      Recipients
      The email addresses of recipients
      The field only appears if you select Email for Notification method.
      Webhook
      The webhook channels to receive notifications
      The field only appears if you select Webhook for Notification method.
      Tip
      Tip
      To add a webhook connection, click Create channel in the drop-down list.
    4. For ServiceNow ticket notifications, configure the following settings.
      Setting
      Description
      Ticket profile
      The ServiceNow ticket profile to use
      Tip
      Tip
      If you need to add a ticket profile, click Create ticket profile in the drop-down list.
      Ticket profile settings
      The ticket profile settings for the playbook
      Selecting a ticket profile automatically loads the settings. Changing the settings overrides the ticket profile for the playbook.
      • Assignment group: The ServiceNow assignment group you want to assign the ticket to
      • Assigned to: The ServiceNow user you want to assign the ticket to
      • Short description: A short description of the ticket which displays in ServiceNow
    5. If you require manual approval for sending playbook results, follow Step 7.d to configure the notification settings.
      Note
      Note
      This setting is available only to ticket notification action.
    6. Click Apply.
  9. Configure Else-If Conditions or Else Actions if necessary.
    1. Click the add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) below the condition node and click Else-If Condition or Else Action.
    2. Configure a Condition node by following Step 6 or an Action node by following Step 7 or Step 8.
    Note
    Note
    • The nodes that can be added by using an add node (plus_icon=e074b462-87df-4630-ab7f-552d598013d7.png) vary depending on the preceding node. For example, an Action node can only be possibly followed by another Action node; a Condition node can be followed by an Action node or have an Else-If Condition or Else Action attached to it.
    • When a condition is false, the playbook performs the Else Action or checks if its Else-If Condition is met. If the Else-If Condition is met, the playbook continues to perform the corresponding Else Action.
    • Multiple Action nodes configured in a serial mode are taken sequentially.
  10. Enable the playbook by toggling the Enable control on.
  11. Click Save.
    The playbook appears on the Playbooks tab in the Security Playbooks app.