How do I send a remediation plan to an external destination?

You will learn how you can send an email or create ITSM tickets for each plan created.

Last Updated: 12/24/2023

Overview

All remediation plans created by users within the NopSec platform create an internal record that is displayed in the Remediate page under the Remediation Plans tab. Some clients have a use case to also send these remediation plans to an external system via Email or ITSM. Users can now do this via Remediation Plan Destinations.

Terminology

A quick recap on terminology:

  • Action: Users select one or more vuln instances via the Prioritize page and decide to create a remediation plan. This is considered the Action (the selection of items deemed important to begin work on). Users are then presented with a modal to decide how to create the subsequent Remediation Plans from that Action by choosing how to group the vulnerability instances: by Target, Vulnerability, Vuln Instance, or No Grouping at all.
    • This decision should be based on how you plan on assigning the work to a remediation team and how they prefer to receive their tasks. For instance, some clients' remediation teams prefer to work on a set of tasks that are broken down by Target or by Vulnerability. Others prefer to just receive a list of items that need to be worked on without any grouping because they will determine the best way to group the work (this is No Grouping). In a few situations, it might be useful to highlight one or a few specific vuln instances that need to be worked by one or more remediation teams; in this case Vuln Instance should be chosen.
    • As an example, say you selected 100 vuln instances that need to be remediated. These 100 vuln instances exist across 10 targets. There may be 5 overall vulnerabilities found in those 100 vuln instances. 
      • If you choose Group By Target then NopSec will create 1 Action with 10 remediation plans.
      • If you choose Group By Vulnerability then NopSec will create 1 Action with 5 remediation plans.
      • If you choose Group By Vuln Instance (not available yet) then NopSec would create 1 Action and 100 remediation plans.
      • If you choose Group By No Grouping then NopSec will create 1 Action and 1 remediation plan.  
    • This is important to understand as the same logic will be used to determine how many emails or tickets to create for your destination.
      • The number of Remediation Plans equals the number of Emails or Tickets that will be created.
  • Remediation Plan: This is the collection of specific vuln instances that you would like a remediation team to focus on. Depending on the grouping it allows the remediation team to follow their workflows to best accomplish the work in a timely manner. So, check with your remediation teams to see how they prefer to be tasked.
  • Destination: A destination is a specific set of recipients or a specific ITSM Project or Table to create tickets in. When creating remediation plans you can only choose ONE destination per Action.
  • Note: Email is supported for two use cases: generic emails sent to user email accounts, and Email-to-Ticketing use cases supported by productivity tools such as Asana, Trello, and Jira, where an email is sent to the tool's email address and the tool converts that email to a ticket/card/task.

Configuring Destinations

Roles with the "Integrations.read" and "Integrations.write" permissions can configure the integrations for Email, Jira, and ServiceNow. 

Each product can have one or more integrations which count against your approved number of integrations based on your subscription plan. 

  • For example, you may create two Integrations for Jira; one labeled Jira Staging and another Jira Production. 

Each Integration can then have one or more destinations configured.

  • Email type Integrations can configure Destinations that house the list of emails that are the recipients for this destination.
  • ITSM type Integrations can configure Destinations that point to specific ITSM projects (Jira) or tables (SNOW).
    • For Jira, Destination Names must be the Project Key, usually a 3-letter key such as VMI.
    • For SNOW, Destination Names must be the Table name, such as Incidents.
  • Each Destination can then be configured to support specific Group By selections from Analysts. This is to ensure proper adherence to client specific workflows and expectations. 
    • For example, you may want to enforce that all Email destinations only allow No Grouping, as that would create 1 email per remediation plan. Otherwise, if you allowed Group By Target, for instance, each remediation plan would send the same email to the same email destination list.
    • Similarly, if your ITSM procedure requires all tickets to be a Group by Target you can configure your destination to adhere to that process and ensure all tickets created are the same.
  • Each Destination Group By can then be configured to have specific formatting. For now, this is controlled by your Customer Success Team so please submit a ticket providing them with how the email or ticket should be formatted.
    • Please include the ITSM Ticket XML for the destination so that the CS team can properly configure the data mapping to ensure the proper fields are used and updated when creating a ticket.
    • You can normally export an XML from Jira or ServiceNow by clicking the "three-dot" icon for settings and clicking Export XML or View XML.
  • Each Destination can also be mapped to one or more Teams that can see this destination.
    • You may want to control which teams can create tickets, or which teams can create tickets to specific destinations. This is where you configure which teams can see specific destinations.
    • For example, you may have a Destination that only your Infrastructure teams should use and a different one for your Applications teams. You can ensure that the Infrastructure teams only see their destinations and are not able to create tickets to the Application team's destination.
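
To see how the Group By choice, a destination's allowed Group By options and its team visibility combine into the number of emails or tickets sent, here is an added sketch (not NopSec code and not a NopSec API). The `Destination` class, the function names and the sample data are assumptions constructed to match the 100-instance example in the Terminology section.

```python
from collections import defaultdict
from dataclasses import dataclass

# Group By options named on this page; the key functions are this sketch's assumption.
GROUP_KEYS = {
    "Target": lambda vi: vi["target"],
    "Vulnerability": lambda vi: vi["vulnerability"],
    "Vuln Instance": lambda vi: vi["id"],
    "No Grouping": lambda vi: "all",
}

@dataclass
class Destination:  # hypothetical model, not a NopSec object
    name: str
    allowed_group_by: frozenset
    visible_to_teams: frozenset

def plan_action(instances, group_by, destination, team):
    """Return {group key: [instance ids]}; one entry = one plan = one email/ticket."""
    if team not in destination.visible_to_teams:
        raise PermissionError(f"{team} cannot see destination {destination.name}")
    if group_by not in destination.allowed_group_by:
        raise ValueError(f"{destination.name} does not allow Group By {group_by}")
    plans = defaultdict(list)
    for vi in instances:
        plans[GROUP_KEYS[group_by](vi)].append(vi["id"])
    return dict(plans)

def make_sample():
    """Constructed data: 100 vuln instances, 10 targets, 5 vulnerabilities."""
    return [{"id": i, "target": f"host-{i % 10}", "vulnerability": f"vuln-{i % 5}"}
            for i in range(100)]

def outbound_counts(instances, destination, team):
    """Emails/tickets per allowed Group By option, as a pre-flight check."""
    return {g: len(plan_action(instances, g, destination, team))
            for g in sorted(destination.allowed_group_by)}

if __name__ == "__main__":
    jira = Destination("VMI", frozenset({"Target", "Vulnerability"}),
                       frozenset({"Infrastructure"}))
    print(outbound_counts(make_sample(), jira, "Infrastructure"))
```

Running the same count against a planned selection before choosing a destination shows how many tickets an Action would open in the ITSM project.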

Configuration Steps:

  1. Find the Integration Product you'd like to configure.
  2. Give your Integration a Name such as Jira Prod or Email.
  3. Configure a Destination by giving it a name (ensuring you follow the above requirements for Jira vs SNOW).
  4. Configure the Recipients for the destination.
    1. This is required for both Email and ITSM but will only be used in Email use cases. 
    2. You can provide a list of NopSec users by name or email or provide a list of Teams.
  5. Configure which Group By options are allowed to be chosen for the specific Destination.
  6. Configure which teams can choose this destination by searching for their team's name.
  7. Hit Save Changes

 

Viewing Remediation Plans with Destinations

All Remediation Plans that have been created with a destination will display:

  • A Destination Type
    • Internal Only
    • Email
    • Jira
    • SNOW
  • The Destination Details
    • If Email, the Destination Name, which is clickable to show the list of emails used.
    • If Jira/SNOW, the Destination Name, the destination ID, the destination assignee, and the destination status.
  • NopSec will continue syncing with the destination to identify any changes to Assignee and Status and will reflect those changes on the remediation plan.
    • Note: NopSec will leverage your Scanner as the source of truth regarding Vulnerability remediation status. If your ticket is closed, but your vuln instances are still open, your remediation plan will remain open.