Feature Request: Use ICON to create InsightVM remediation projects

I have a feature request for InsightVM remediation project creation and read from ICON.

Use case:
SCCM is currently patching our systems. We would like to utilize ICON to read SCCM collection groups to retrieve the devices (already a feature), then send those devices over to InsightVM as a static asset group (also already a feature) and create a remediation project with specified date ranges for reporting. Once the remediation project is complete, we would like to utilize ICON to generate an audit report showing missing patches.

4 Likes

I think that’s a valid use case. Right now I believe there’s no way to automate the creation of remediation projects in InsightVM since there’s not an associated API. But I can pass this along as a good example of how an API could be leveraged.

1 Like

Big ol’ bump here… Holly, did this end up on a road map at all? We’re building out a workflow where we’d love to have the ability to create projects to assign out to folks outside of the Insight platform (tech support).

1 Like

This would be useful to us as well. I’m hoping to get to a point where we programmatically create a Remediation project whenever:

  1. a vulnerability is announced for any product on one of our assets; and
  2. the CVSS score exceeds a threshold

Hi Rick! Currently, this is not on the roadmap, in part due to other product areas that have taken greater priority. Would you (and @dreadpir8robots if you’d like) mind sharing a little bit more about your use cases and your desired flow of logic for programmatically creating these projects? That type of context is super helpful for our teams to better understand how this would be used.

Absolutely! So, right now we have our VM team identify assets that need remediations or follow-up from a technical support team member or developer by manually processing a list. We create a remediation project for each one of those assets so that the non-security person has an easy to read punch list of solutions to apply, and grant them access through the feature that allows people to view the project via link instead of needing platform credentials. The big reason that remediation projects are a win here is that as the agents report back that things are fixed, their solution list gets updated in real time. This makes less work than having to export a PDF asset report and then do it again and again on demand when they need to know if they’ve completed a remediation.

What we would like to do is use ICON to automate this process from start to finish. We can use the custom SQL report action in the InsightVM extension to code in our criteria for assets, and then loop over the assets to create a project for each and assign the project (and look up the responsible party in our inventory system), as well as generate a Slack or email notification to the person assigned to let them know what’s up and who to talk to if they have questions.

I know that one response to this from a product management side is probably “use automated ticketing,” but my requests to add our ticket system (Zendesk) to IVM haven’t gone anywhere in the last three years so I assume it won’t happen.

1 Like

Thanks for the detailed info! I can’t speak to the future availability of a remediation projects API right now, but seeing your team’s process for this really gives us a better idea of how you’re using projects and the role automation could play here. I’ve passed this along to the team and can always share any updates as we have them.

1 Like

@holly_wilsey: “Would you mind sharing a little bit more about your use cases and your desired flow of logic for programmatically creating these projects?”

This is an idea, rather than an urgent requirement, but I’m imagining something like this.

  1. Insight Connect monitors a feed containing new vulnerabilities. I’m not yet sure what that feed looks like, not least because CVE resources like MITRE often don’t include details about the CVE until well after they’re publicly known.

  2. When a new vulnerability appears on the feed which:
    a) affects one of a list of products which we define as interesting; and
    b) has CVSS exceeding a pre-defined threshold
    Insight Connect raises a new remediation project via the hypothetical InsightVM API, possibly checking first that one hasn’t been created.

I’m thinking in particular of things where a lot of assets will be affected (e.g. browser 0-days).
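The gating logic sketched in the post above (product watch-list, CVSS threshold, and the "check first that one hasn't been created" step), written out as an added example. This is not code from the thread or from Rapid7: InsightVM has no public API for remediation projects, so project creation is modelled with an in-memory registry (`ProjectRegistry`), and the feed records, product list and threshold are constructed sample values.

```python
"""Gate: open one remediation project per qualifying CVE, idempotently.

Added example. The feed shape (VulnRecord), the watch-list, the threshold and
ProjectRegistry are assumptions; the registry stands in for the hypothetical
InsightVM remediation-project API that the thread asks for.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str
    products: tuple  # affected product names, as the feed reports them
    cvss: float


@dataclass
class ProjectRegistry:
    """In-memory stand-in for a project-creation API with a lookup call."""
    created: dict = field(default_factory=dict)  # idempotency key -> title

    def exists(self, key: str) -> bool:
        return key in self.created

    def create(self, key: str, title: str) -> bool:
        # Refuse duplicates even if the caller forgot to check first.
        if key in self.created:
            return False
        self.created[key] = title
        return True


# Constructed watch-list: products where one CVE touches many assets.
INTERESTING = {"chrome", "firefox", "edge"}
THRESHOLD = 8.0


def product_matches(products, interesting=INTERESTING) -> bool:
    """Case-insensitive substring match, e.g. 'Google Chrome 120' ~ 'chrome'."""
    return any(tag in name.lower() for name in products for tag in interesting)


def should_open_project(rec: VulnRecord, threshold=THRESHOLD,
                        interesting=INTERESTING) -> bool:
    """Both conditions from the post: interesting product AND CVSS >= threshold."""
    return product_matches(rec.products, interesting) and rec.cvss >= threshold


def process_feed(records, registry: ProjectRegistry, threshold=THRESHOLD,
                 interesting=INTERESTING):
    """Return the idempotency keys of projects newly created for this batch."""
    opened = []
    for rec in records:
        if not should_open_project(rec, threshold, interesting):
            continue
        key = rec.cve_id.strip().upper()  # one project per CVE
        if registry.exists(key):
            continue  # already handled by an earlier run or a human
        title = f"{key}: CVSS {rec.cvss}, affects {', '.join(rec.products)}"
        if registry.create(key, title):
            opened.append(key)
    return opened


# Constructed feed: two browser 0-days (one seen twice), one low-score entry,
# and one high-score entry for a product not on the watch-list.
SAMPLE_FEED = [
    VulnRecord("cve-2024-0001", ("Google Chrome 120",), 8.8),
    VulnRecord("CVE-2024-0001", ("Google Chrome 120",), 8.8),
    VulnRecord("CVE-2024-0002", ("Mozilla Firefox 121",), 7.5),
    VulnRecord("CVE-2024-0003", ("Microsoft Edge 120",), 9.6),
    VulnRecord("CVE-2024-0004", ("Some Internal Tool",), 9.8),
]

if __name__ == "__main__":
    reg = ProjectRegistry()
    print(process_feed(SAMPLE_FEED, reg))
    print(process_feed(SAMPLE_FEED, reg))  # second run opens nothing
```

The key design point is the idempotency key: the feed in the post may deliver the same CVE more than once (re-published entries, multiple products per advisory), and the project-creation call is the side effect you least want duplicated, so both the caller and the registry reject repeats.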