5 Using OPENVAS SECURITY INTELLIGENCE

Note

To ensure consistent and correct handling of login sessions, the internal clocks of the OPENVAS SECURITY INTELLIGENCE instance and the system used to access it must be synchronized or at least nearly identical. For achieving this, it is recommended to activate NTP on both systems.

For OPENVAS SECURITY INTELLIGENCE, NTP can be activated by executing timedatectl set-ntp true in the OPENVAS OS CLI or by activating NTP on the respective host system.

5.1 Supported Web Browsers

OPENVAS SECURITY INTELLIGENCE can be used with the desktop versions of the following web browsers:

  • Google Chrome

  • Mozilla Firefox

  • Microsoft Edge

The latest version and one major previous version of the browsers are supported.

5.2 Signing in to OPENVAS SECURITY INTELLIGENCE

OPENVAS SECURITY INTELLIGENCE can be accessed as follows:

  1. Open the web browser.

  2. Enter the IP address of OPENVAS SECURITY INTELLIGENCE.

  3. Sign in using the user name and password of the OPENVAS SECURITY INTELLIGENCE account (see Fig. 5.1).

    Note

    When signing in for the first time, a new password must be set.

    The password requirements are specified in the password policy by the super admin.

  4. Click Sign In.

    → The page that was last opened is displayed.

    _images/signin.png

    Fig. 5.1 Signing in to OPENVAS SECURITY INTELLIGENCE

5.3 Updating the Meta Feed

Note

The meta feed can only be updated by the super admin or an operator.

The meta feed that delivers CVEs, CSAF documents, CPEs and vulnerability tests is updated daily at 7:00 a.m. CET/CEST.

It can also be updated manually as follows:

  1. Select Data Management > Feed in the menu.

  2. Click Update Feed.

    → The feed update is running.

    The Notifications page shows the information message “Updating local database finished successfully” when the feed update is finished.

    Note

    The date and time displayed for Last feed update are only updated if the feed update actually included new content.

5.4 Filtering the Page Content

Many pages offer the possibility to filter the displayed content.

5.4.1 Applying a Filter

A filter can be selected and applied as follows:

  1. Click inside the filter bar at the top of the page.

  2. Select a filter attribute from the drop-down list.

    → The applicable filter operators are automatically displayed in a second drop-down list (see Fig. 5.2).

    _images/filter.png

    Fig. 5.2 Available filter operators

  3. Select a filter operator from the drop-down list.

    → Depending on the filter attribute selected in step 2, different options for specifying the filter value are displayed.

  4. Specify the filter value (see Fig. 5.3).

    • In case of a free text, enter the text in the input box and select the text in the drop-down list that is opened.

    • In case of predefined options, select the desired option from the drop-down list that is opened.

    • In case of a date, select the date in the displayed calendar.

    _images/filter-2.png

    Fig. 5.3 Specifying the filter value

  5. Click outside the filter bar to apply the filter (see Fig. 5.4).

    _images/filter-3.png

    Fig. 5.4 Applied filter

  6. Click All/Any at the left side of the filter bar to select the desired filter conjunction.

    Note

    • If All is selected, only results that match all selected filter parameters are displayed.

    • If Any is selected, all results that match at least one of the selected filter parameters are displayed.

5.4.2 Saving Filters

On the pages Dashboard, Assets and Vulnerabilities, filters can be saved as follows:

  1. Enter the desired filter parameters in the filter bar as described in Chapter 5.4.1.

  2. Move the cursor over at the right side of the filter bar and click Save filter.

    _images/save-filter.png

    Fig. 5.5 Saving a filter

  3. Enter a name for the filter in the input box.

    Note

    The filter name can contain any type of character and can be at most 255 characters long.

  4. Click Save.

    → Saved filters can be used by clicking at the left side of the filter bar and selecting the desired filter from the drop-down list.

5.4.2.1 Updating Saved Filters

Filters can be updated as follows:

  1. Click at the left side of the filter bar and select the desired filter from the drop-down list.

    → The filter is applied.

  2. Add more filter criteria, or remove existing ones.

  3. To overwrite the saved filter, move the cursor over at the right side of the filter bar and click Save filter.

    or

  1. To save the changed filter under a new name, move the cursor over at the right side of the filter bar and click Save filter as. Enter a name for the filter in the input box and click Save.

    Note

    The filter name can contain any type of character and can be at most 255 characters long.

5.4.2.2 Deleting Saved Filters

A saved filter can be deleted by clicking at the left side of the filter bar and then clicking for the filter in the drop-down list.

5.4.3 Overview of all Filter Options

The following table shows all filter options for each page of OPENVAS SECURITY INTELLIGENCE:

Filter Criteria

Filter Operators

Asset ID

  • is equal to

  • is not equal to

Host name

  • begins with

  • does not begin with

  • contains

  • does not contain

  • is equal to

  • is not equal to

IP address

  • contains

  • does not contain

  • is equal to

  • is not equal to

Last scan

  • before

  • after

Operating system

  • contains

  • does not contain

  • is equal to

  • is not equal to

Appliance name

  • begins with

  • does not begin with

  • contains

  • does not contain

  • is equal to

  • is not equal to

Tag > Tag name

  • contains

  • does not contain

  • is equal to

  • is not equal to

Vulnerability name

  • contains

  • does not contain

Severity

  • is equal to

  • is not equal to

  • is greater than

  • is greater than or equal to

  • is less than

  • is less than or equal to

QoD

  • is equal to

  • is not equal to

  • is greater than

  • is greater than or equal to

  • is less than

  • is less than or equal to

Solution type

  • is equal to

  • is not equal to

CVE

  • contains

  • does not contain

  • is equal to

  • is not equal to

CERT advisories

  • begins with

  • does not begin with

  • contains

  • does not contain

  • is equal to

  • is not equal to

Family

  • is equal to

  • is not equal to

Severity class

  • is equal to

  • is not equal to

  • is greater than

  • is greater than or equal to

  • is less than

  • is less than or equal to

EPSS score [%]

  • is equal to

  • is not equal to

  • is greater than

  • is greater than or equal to

  • is less than

  • is less than or equal to

EPSS percentile

  • is equal to

  • is not equal to

  • is greater than

  • is greater than or equal to

  • is less than

  • is less than or equal to

5.5 Enabling the Automatic Removal of Assets

Note

The automatic removal of assets can only be configured by the super admin or an operator.

Inactive assets are assets for which the last scan was performed some time ago and which may no longer exist. These assets can be automatically removed from OPENVAS SECURITY INTELLIGENCE. The removal happens automatically once per day.

Note

The time of the last scan can be found, for example, on the Assets page in the Last scan column (see Chapter 6.2.2.2.1).

The automatic removal of assets can be configured as follows:

  1. Select Settings > Asset Configuration in the menu.

  2. Click on the toggle switch to enable the automatic asset removal.

  3. Enter the minimum number of days since the last scan of an asset for it to be automatically deleted.

    Note

    Values from 1 to 365 can be entered.

    Assets for which the last scan was performed earlier than the specified number of days are removed.

    Example: if the value 30 is entered, assets that were last scanned 31 days ago or earlier will be removed.

  4. Click Save.

_images/automatic-removal-assets.png

Fig. 5.6 Enabling the automatic removal of assets

5.6 Using Alerts

Note

Communication channels and alerts can only be configured by the super admin or an operator.

With alerts, notifications can be sent via various communication channels. This can be used to receive information about completed or failed processes on the system.

Note

Only the super admin can create communication channels and alerts.

5.6.1 Setting up a Communication Channel

Alerts can be sent via email, Mattermost, or Microsoft Teams. Before an alert can be created and used, the corresponding communication channel must be configured.

5.6.1.1 Configuring a Mail Server

Note

Only one mail server can be configured.

A mail server can be configured as follows:

  1. Select Settings > Communications in the menu.

  2. Click Add in the section SMTP host.

    → The Set up an SMTP host dialog is opened.

  3. Enter the host name or IP address of the mail server in the input box Mailhub.

    _images/mail-server.png

    Fig. 5.7 Configuring a mail server

  4. Enter the port the e-mails are delivered through in the input box Port.

  5. Enter the e-mail address that should be displayed as the sender in the input box Sender email address.

  6. If the mail server requires authentication, click on the toggle switch SMTP authentication.

  7. Enter the user name and the password for the SMTP authentication.

  8. If the mail server uses TLS for encryption, click on the toggle switch SMTP enforced TLS.

  9. Define the maximum size of attachments per e-mail in the input box Max. attachment size.

  10. Define the maximum size of an e-mail including attachments in the input box Max. email size.

  11. Click Test connection.

    → The result of the test is displayed next to the button.

    If the connection is not successful, error messages are shown below the input boxes that require changes.

  12. Click Save.

5.6.1.2 Configuring a Microsoft Teams Webbhook

Note

Up to 20 webhooks can be configured.

A Microsoft Teams webhook can be configured as follows:

  1. Select Settings > Communications in the menu.

  2. Click Add in the section MS Teams webhook.

    → The Set up an MS Teams webhook dialog is opened.

  3. Enter a name for the webhook.

    _images/ms-teams-webhook.png

    Fig. 5.8 Configuring a Microsoft Teams webhook

  4. Enter the URL of the webhook in the input box Webhook.

    Note

    Instructions for how to create a Microsoft Teams webhook can be found in the Microsoft Teams documentation.

  5. If required, add a description for the webhook.

  6. Click Test connection.

    → The result of the test is displayed next to the button.

    If the connection is not successful, error messages are shown below the input boxes that require changes.

  7. Click Save.

5.6.1.3 Configuring a Mattermost Webhook

Note

Up to 20 webhooks can be configured.

A Mattermost webhook can be configured as follows:

  1. Select Settings > Communications in the menu.

  2. Click Add in the section Mattermost webhook.

    → The Set up a Mattermost webhook dialog is opened.

  3. Enter a name for the webhook.

    _images/mattermost-webhook.png

    Fig. 5.9 Configuring a Mattermost webhook

  4. Enter the URL of the webhook in the input box Webhook.

    Note

    Instructions for how to create a Mattermost webhook can be found in the Mattermost documentation.

  5. If required, add a description for the webhook.

  6. Click Test connection.

    → The result of the test is displayed next to the button.

    If the connection is not successful, error messages are shown below the input boxes that require changes.

  7. Click Save.

5.6.2 Creating an Alert

A new alert can be created as follows:

  1. Select Settings > Alert Settings in the menu.

  2. Click Add alert.

  3. Enter a name for the alert.

    _images/add-alert.png

    Fig. 5.10 Creating an alert

  4. Select the event types the alert should be sent for in the drop-down list Event types.

    • Info: An action finished successfully, or a user interaction was carried out successfully. Examples:

      • An SBOM scan finished successfully.

      • The download of new CSAF files finished successfully.

      • An SBOM scan was canceled successfully.

      • The download of new CSAF files was canceled successfully.

      • An import from an appliance was started.

      • An import from an appliance was finished successfully.

    • Warning: An action failed due to a faulty user interference. Example:

      • An SBOM scan was interrupted by a server shutdown.

    • Error: An action failed due to an incorrect configuration. Examples:

      • The download of new CSAF files failed due to an error on the CSAF provider side.

      • An SBOM main CPE generation failed because the necessary fields are invalid.

      • An import from an appliance failed.

    • Urgent: An event requires immediate attention.

  5. Select the components of OPENVAS SECURITY INTELLIGENCE the alert should be sent for in the drop-down list Origin.

  6. Select a previously created communication channel in the drop-down list Channel (see Chapter 5.6).

  7. Click Save.

5.6.3 Managing Alerts

All alerts are displayed when selecting Settings > Alert Settings in the menu.

  • Display details of the alert.

  • Edit the alert.

  • Delete the alert.

  • An alert can be activated or deactivated by clicking on the toggle switch.

_images/alerts-overview.png

Fig. 5.11 Managing alerts

5.7 Managing the User Settings

5.7.1 Changing the Language

OPENVAS SECURITY INTELLIGENCE is available in English and in German. The flag of the selected language is displayed in the upper right corner:

  • If English is selected, the flag for the United Kingdom (UK) is displayed.

  • If German is selected, the flag for Germany is displayed.

Click on the icon to change the language.

Note

OPENVAS SECURITY INTELLIGENCE saves the language setting for the next login.

5.7.2 Changing the Theme

OPENVAS SECURITY INTELLIGENCE supports a light and a dark color theme. The icon for the currently applied theme in displayed in the upper right corner:

  • If the light theme is selected, the sun icon is displayed.

  • If the dark theme is selected, the moon icon is displayed.

Click on the icon to change the theme.

Note

OPENVAS SECURITY INTELLIGENCE saves the theme setting for the next login.

5.7.3 Changing the Password

Every user can change their own password as follows:

  1. Move the cursor over the user name in the upper right corner and select Personal Settings in the drop-down list.

    → The user management is opened in a new browser tab.

  2. Select Account security > Signing in in the menu.

    _images/change-password.png

    Fig. 5.12 Changing the password

  3. Click Update.

  4. Enter the current password and click Sign In.

  5. Enter the new password in the New Password input box and confirm it.

    Note

    The password requirements are specified in the password policy by the super admin.

  6. Click Submit.

Note

The password can be reset by the super admin (see Chapter 4.2.5).

5.7.4 Setting up Two-Factor Authentication

Note

A smartphone with a authenticator app (for example, FreeOTP, Microsoft Authenticator, Google Authenticator) is required.

Every user can set up two-factor authentication as follows:

  1. Move the cursor over the user name in the upper right corner and select Personal Settings in the drop-down list.

    → The user management is opened in a new browser tab.

  2. Select Account security > Signing in in the menu.

  3. In the section Two-factor authentication, click Set up Authenticator application.

  4. Enter the current password to authenticate.

  5. Click Sign In.

  6. Open the authenticator app on the smartphone and use it to scan the QR code.

    → A one-time code is displayed in the authenticator app.

  7. Enter the one-time code from the authenticator app.

  8. Click Submit.

    → The two-factor authentication is enabled. When logging in, the user must now enter a one-time code from the authenticator app in addition to the password.

5.7.5 Deleting Two-Factor Authentication

The two-factor authentication can be deleted as follows:

  1. Move the cursor over the user name in the upper right corner and select Personal Settings in the drop-down list.

    → The user management is opened in a new browser tab.

  2. Select Account security > Signing in in the menu.

  3. In the section Two-factor authentication, click Delete.

  4. Enter the current password to authenticate.

  5. Click Sign In.

  6. Enter the one-time code from the authenticator app.

  7. Click Sign In.

  8. Click Confirm deletion.

    → The two-factor authentication is disabled. When logging in, the user must now only enter the password.

5.8 Opening the User Manual

The user manual can be opened by clicking in the upper right corner.

5.9 Signing Out of OPENVAS SECURITY INTELLIGENCE

Signing out of the platform can be done by moving the cursor over the user name in the upper right corner and select Sign out from the drop-down list (see Fig. 5.13).

If no action is performed on the platform for 30 minutes, the user is signed out automatically.

The remaining time until the user is automatically signed out is displayed next to the user name in the upper right corner. By clicking anywhere on the platform, the timeout can be reset.

_images/signout.png

Fig. 5.13 Signing out of OPENVAS SECURITY INTELLIGENCE