Portal-Quick User Guide v4 en


Security Services

Customer Web Portal

Quick User Guide

April 2022 cybersecurity.telefonica.com


QUICK USER GUIDE
Index

• General Information
• Services
  • Digital Risk Protection
  • Vulnerability Risk Management
  • Managed Detection & Response
  • SIEM Management
  • Device Management
  • Integrated Risk Management
• Login
• Access Configuration
• Global Dashboards
• Tickets
  • Ticket’s View
  • Ticket’s Filters
  • New Ticket
• Documents
• Reports
• Admin
• Digital Risk Protection
• Vulnerability Risk Management
• Managed Detection & Response
• SIEM Management & Device Management

Security Services | Customer Web Portal


Quick User Guide – v4

General Information

What can I find?
The portal is distributed in the following sections:
• Drop-down menu with access to Services and Configuration.
  • All Services: access to Global Tools, cross-cutting to all services.
  • Specific Services modules, classified by Family:
    • NEXTDEFENSE
      • DRP – DIGITAL RISK PROTECTION
      • VRM – VULNERABILITY RISK MANAGEMENT
      • MDR – MANAGED DETECTION & RESPONSE
    • MANAGED SECURITY
      • SM – SIEM MANAGEMENT
      • DM – DEVICE MANAGEMENT
    • INTEGRATED RISK MANAGEMENT
      • IRM – INTEGRATED RISK MANAGEMENT
  • Configuration: with access to the Incident Catalog and Administration.
• Context selector: to choose the OB or Client.
• User menu:
  • User email.
  • My data: allows the user to configure some of their own profile information and the Second Factor Authentication (2FA) in their Access Configuration.
  • Questions and complaints: allows you to send feedback about the Portal.
  • Logout: closes the session.
• Global Tools: functionalities available for all services included in the Security Services Portal.
  • Dashboards: relevant KPIs to understand the general state of corporate security.
  • Tickets: service ticket management.
  • Documents: a centralized document storage system for all services.
  • Reports: list of all common reports, investigations and informative notes available to be downloaded.
  • List: access to editing and configuration of lists.

Which browsers are supported?

The Security Services Portal supports the following browsers:


• Microsoft Edge, latest stable version.
• Chrome, latest stable version.
• Firefox, latest stable version.
Note: JavaScript must be enabled for all browsers.

Services

Services with specific modules

• Digital Risk Protection: protects your business, brand and reputation
against the digital risks to which they are exposed in the digital world.
• Vulnerability Risk Management: is the service that continuously
manages all vulnerabilities that pose a security threat to your
organization.
• Managed Detection & Response: is the service that incorporates
Advanced Threat Detection technologies and Threat Intelligence
capabilities into our client-facing Security Operation Centers (SOCs).
• SIEM Management: service that offers maximum protection thanks to
the combination of advanced detection technologies of the latest
generation based on Big Data and machine learning with automatic
management and immediate notification of incidents from Telefónica's
Security Operations Centers (SOC).
• Device Management: you can manage security policies and
automatically control the health of your IT security devices, remotely
and permanently, by using a proprietary monitoring platform. Your
company will learn about security incidents in real time and will receive
24/7/365 protection.
• Integrated Risk Management: the perfect complement to create a
program for the governance, risk management and effective
compliance of your organizations' information security.

Digital Risk Protection

Vulnerability Risk Management

Telefónica's Vulnerability Risk Management service offers a global vision of an organisation's weaknesses, helping to
identify security threats and possible attack methods, discovering all of an organisation's assets exposed on the
Internet and enabling rapid management of their correction. It helps to prioritize and focus on the correction of the
vulnerabilities found, monitor the status and propose a package of preventive and corrective measures and
recommendations to ensure an adequate level of security. It provides the following sections:
• GLOBAL FUNCTIONS
  • Dashboards: represented by a house-shaped icon. It is the page you see by default when accessing the Service Portal. It lets you view at a glance all the vulnerabilities detected, prioritize their correction by status, severity or category, and see the evolution of their status and the level of support for the correction of vulnerabilities.
  • Documents: access to the repository of the organization's files.
  • Reports: access to the management of generated reports and the possibility of creating new reports.
• MSSP FUNCTIONS
  • Assets: gives access to the management of your organization's assets initially uploaded to the Service Portal, and to those detected by the Vulnerability Analysis and Persistent Pentesting modules.
  • Vulnerabilities: you can access the full information of the vulnerabilities detected in the projects.


• SERVICE TOOLS
  • Projects: you can access the complete information of your executed and planned projects.
  • Resources: this dropdown menu provides access to the latest updates of the data feeds used in the VRM service: CVEs, CPEs, Exploits, CWEs and CAPECs.
  • Service Settings: this dropdown menu lets Administrators configure the specific Service Settings.


Managed Detection & Response

With Managed Detection & Response service we focus on Advanced Threat Detection, Threat Intelligence,
Hunting and Digital Forensics & Incident Response. It provides the following sections:
• MSSP FUNCTIONS
• The Dashboards section shows the status in real time and contains information on the number of
incident-related cases generated. It contains the following widgets: Active incidents, Mitigated
incidents, Silent endpoints, Case evolution.
• The Alerts section shows the alerts collected in this service. By default, it shows the alerts collected
today but you can filter by multiple parameters including the alert timestamp.
• The Managed Devices section displays devices managed by the SOC in a manner equivalent to a
CMDB.

SIEM Management

With the SIEM Management service we focus on maximum protection thanks to the combination of state-of-the-art advanced detection technologies based on Big Data and machine learning, in addition to the automatic management and immediate notification of incidents from Telefónica's Security Operations Centres (SOC). It provides the following sections:
• MSSP FUNCTIONS
• The Dashboards section shows the status in real time and contains information on the number of
incident-related cases generated. It contains the following dashboards: Security Monitoring,
Network Activity and User Behavior.
• The Alerts section shows the alerts collected in this service. By default, it shows the alerts collected
today but you can filter by multiple parameters including the alert timestamp.
• The Event Sources section displays the total number of events reported by a device (Firewall, IPS,
IDS, Proxy, etc.) on a specific date with daily periodicity in list format.
• Lists: custom data tables related to this service. For example, blacklists and whitelists.

Device Management

With the Device Management service you delegate the administration and supervision activities of your security equipment (Firewall, IDS/IPS, antivirus, and so on) to Telefónica's global SOC network, with immediate notification about the real status of your security and risk management. It provides the following sections:
• MSSP FUNCTIONS
• The Dashboards section shows the status in real time and contains information on the number of
incident-related cases generated. It contains the following dashboards: Security Monitoring,
Network Activity and User Behavior.
• The Alerts section shows the alerts collected in this service. By default, it shows the alerts collected
today but you can filter by multiple parameters including the alert timestamp.
• The Managed Devices section displays devices managed by the SOC in a manner equivalent to a
CMDB.
• Lists: custom data tables related to this service.

Integrated Risk Management

Integrated Risk Management service helps organizations support their business strategy, improve their operational performance, reduce
operational risks and ensure regulatory compliance. IRM is the perfect complement to create a programme for the governance, risk management
and effective compliance of your organizations' information security.
It provides the following sections:
• Dashboards / Home: are defined with a set of Indicators and a set of Module access cards.
• Architecture: is the way in which we can describe a theoretical model that represents the reality of the organisation so that we can identify the
critical technological assets and how the risks that could materialise on them affect the services and business processes.
• Project: are entities that group tasks together and can be tracked in this section. These tasks can be, for example, implementation tasks of controls
that have been selected as treatment of risk scenarios, improvement actions suggested as a consequence of dissatisfaction of implemented
controls, etc.
• Measurement: is where the Dashboards are managed. Among them, it is worth distinguishing the Main Dashboards, which are the ones that make
up the Use Cases shown on the Home page.
• Document Manager: stores service documents, reports and any other additional information for the customer. It includes upload, download, edit
details, delete, search and other management options.
• Import: has import capabilities for various types of entities and even with the PILAR tool. The elements for the main functionalities can be imported by means of Excel files. The 'Download Template' option provides the Excel file to fill in and import later.
• Configuration: here you will find the options for defining the organizational and functional structures of the Organization. From here, we can also
manage the Users and their Roles and even view the access log of all users.
• Help: in this section you can find the documentation and specific user manuals.
NOTE: The classic navigation layout is maintained in this service.
For more information, please check the IRM Help section.

Login

How do I log in to the portal?

1. Access the Portal through the URL: https://cybersecurity.telefonica.com
2. Enter your previously registered email and your password, and click on 'Login'.
3. If you have 2FA, follow the further steps explained later.

• If you do not remember your password:
  • Click on 'Forgot your password?'
  • Enter the email you registered with.
  • Follow the instructions you will receive in your email.

Details

• Only five consecutive failed login attempts are allowed. Once this
limit has been reached, the user will be blocked and redirected to
the password change page.
• When changing the password, the last ten passwords cannot be
used.
• Once authenticated, the portal displays the date, time and IP of
the last session, and the number of failed attempts since the last
session.
• The password must be changed 120 days after the last change.
• Remember that the password must:
• Have at least 8 characters.
• Be different from the last 10 passwords used.
• Not contain your login email.
• Contain, at least, one capital letter, one lower
case letter, one number and one special
character.

How do I recover my password?

In the case of a forgotten password, clicking on 'Forgotten your password?' opens a pop-up window that requests the e-mail address with which the user registered. Clicking on 'Change password' sends an email with the link to change the password.

Second Factor Authentication (2FA)

• 2FA (Second Factor Authentication) is a method of authentication in which the user can access a website or application only after providing two or more pieces of evidence to an authentication system.
• You will be required to use a 2FA method stronger than or equal to
the minimum required depending on the configuration of the
clients to which you have access.
• If you do not have 2FA configured or it is not configured to the
appropriate level, you will be asked to configure it beforehand.

How do I log in with 2FA TOTP?

• In the 'My Data' section, the user has TOTP in Access Configuration.
• After you enter the correct user and password, you will be required to enter the code that the TOTP App has generated.

How do I log in with 2FA Latch?

• In the 'My Data' section, the user has Latch in Access Configuration.
• Before logging in, you must slide the latch in the Latch App to unlock access.

How do I log in with 2FA Latch + OTP?

• In the 'My Data' section, the user has Latch + OTP in Access Configuration.
• Before logging in, you must slide the latch in the Latch App to unlock access.
• After you enter the correct user and password, you will be required to enter the OTP that the Latch App shows.

Inactivity

There is automatic management of user inactivity. Users are first blocked and later removed if they do not log in to the portal:
• Users who have not logged in for more than 83 days (7 days before blocking) are notified by email that they will be blocked if they do not log in within the next 7 days.
• Users who have not logged in for more than 90 days are blocked automatically. They can be unblocked by a user with admin permissions in the user admin section.
• Users who have not logged in for more than 150 days (60 days after they have been blocked) are removed from the portal.
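
The account rules from the "Details" and "Inactivity" pages, modelled as an added Python sketch (not the portal's own code) that can pre-check a candidate password or audit a user export. The `Account` class, the salted PBKDF2 password history, the ASCII character classes and the precedence between states are assumptions; the guide documents only the limits themselves.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

# Limits stated on the guide's "Details" and "Inactivity" pages.
MAX_FAILED_LOGINS = 5          # consecutive failures before the user is blocked
PASSWORD_HISTORY = 10          # previous passwords that cannot be reused
PASSWORD_MAX_AGE_DAYS = 120    # password must be changed after this many days
MIN_LENGTH = 8
WARN_AFTER_DAYS, BLOCK_AFTER_DAYS, REMOVE_AFTER_DAYS = 83, 90, 150

# Assumption: the guide does not say how old passwords are stored. This sketch
# keeps salted PBKDF2 digests so the history never holds plaintext.
PBKDF2_ROUNDS = 100_000

# Assumption: ASCII classes; "special" is anything that is not a letter or digit.
CHARACTER_CLASSES = {
    "capital letter": r"[A-Z]",
    "lower case letter": r"[a-z]",
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Hypothetical record of the fields the documented rules depend on."""
    email: str
    last_login: datetime
    password_changed: datetime
    failed_logins: int = 0
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def remember(self, password: str) -> None:
        """Store a salted digest and keep only the newest ten entries."""
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        del self.history[:-PASSWORD_HISTORY]


def password_violations(account: Account, candidate: str) -> List[str]:
    """Return every documented password rule the candidate breaks."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if account.email.lower() in candidate.lower():
        problems.append("contains the login email")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, candidate):
            problems.append(f"missing a {name}")
    # Re-derive the digest with each stored salt; compare in constant time.
    if any(hmac.compare_digest(_digest(candidate, salt), digest)
           for salt, digest in account.history):
        problems.append("matches one of the last 10 passwords")
    return problems


def account_state(account: Account, now: datetime) -> str:
    """Classify an account; the order of the checks is an assumption."""
    idle_days = (now - account.last_login).days
    if idle_days > REMOVE_AFTER_DAYS:
        return "removed"
    if idle_days > BLOCK_AFTER_DAYS:
        return "blocked-inactive"
    if account.failed_logins >= MAX_FAILED_LOGINS:
        return "blocked-failed-logins"
    if (now - account.password_changed).days >= PASSWORD_MAX_AGE_DAYS:
        return "password-expired"
    if idle_days > WARN_AFTER_DAYS:
        return "inactivity-warning"
    return "active"


if __name__ == "__main__":
    # Constructed sample data, not taken from the portal.
    now = datetime(2022, 4, 30)
    user = Account("ana@example.com", now - timedelta(days=85),
                   now - timedelta(days=30))
    user.remember("Winter#2021x")
    print(account_state(user, now))
    print(password_violations(user, "winter2021"))
```

Running the state check over an exported user list shows which accounts fall in the 7-day warning window before an administrator has to unblock them.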

Access Configuration

How does a Client set up 2FA?

• A user with an Administrator profile can configure the type of 2FA (None, Latch, TOTP or Latch+OTP) in the Admin section by editing "Client data" under the "Authentication & Access" block.

How do I configure 2FA?

• In 'My Data' section you can view your current status (None,
Latch, TOTP or Latch+OTP), followed by the access button to
‘Configure 2FA’.
• Then select 'Configure 2FA'.
• Only options that are greater than or equal to the minimum
required by your user according to the environments to which you
have access will be shown as selectable.
• By default, the minimum required level will be selected, or Latch if
2FA is not mandatory in any environment to which you have
access.
• "Latch + OTP" will show as an "OTP" check within the Latch
option. If the minimum required is TOTP, OTP will be shown
marked when the Latch option is accessed.

How do I configure 2FA with TOTP?

1. In 'My Data' section select 'Configure 2FA'.
2. Scan QR or insert code in TOTP App.
3. Generate a TOTP and insert it in 'Configure 2FA' section.
4. If the TOTP matches, the 2FA with TOTP will have been configured.

How do I configure 2FA with Latch?

1. In 'My Data' section select 'Configure 2FA'.
2. Generate a new code clicking on “Add new service” in Latch App.
3. Place the code in Access Configuration, select OTP 'Off' and 'Pair with Latch'.
4. The 2FA with Latch will have been configured.

How do I configure 2FA with Latch + OTP?

1. In 'My Data' section select 'Configure 2FA'.
2. Generate a new code clicking on “Add new service” in Latch App.
3. Place the code in Access Configuration, select OTP 'On' and 'Pair with Latch'.
4. The 2FA with Latch + OTP will have been configured.

Global Dashboards

Security Status

This dashboard is accessible at any time by clicking on the Telefónica logo in the top left corner, in the client or in the Security Status link itself. It includes the most relevant KPIs. It shows the security status in real time and contains information on the number of tickets related to incidents generated and vulnerabilities reported. All the information is restricted by filters; if no filter has been defined, the values will correspond to those defined in the user profile.
It contains the following KPIs:
• Active Critical Incidents: the current number of tickets whose type is
'incident', priority is 'critical' and whose state is 'assigned', 'in progress'
or 'suspended’.
• Pending Tickets > 7 days: current number of tickets pending for more than 7 days.
• Tickets: number of tickets whose opening date is within the time range
selected.
• Incidents: number of tickets whose type is ‘incident’ and whose
opening date is within the selected time range.
• Vulnerabilities: number of tickets whose service is Vulnerabilities
Assessment and whose opening date is within the selected time range.
• Tickets Evolution: temporal line chart with three indicators
representing: the number of open tickets, resolved tickets and
accumulated tickets.


• Incidents by Priority: bar chart with total number of incidents (tickets of type Incident), classified by priority.
• Incidents Evolution: temporal line chart representing the number of incidents. It also shows the mean and deviation.
• Incidents by Country: tickets whose type is incident and whose opening date is within the selected time range, grouped by location.
• Alerts by Attacker Country: map of the number of alerts split by country according to the source IP in the selected time frame.

Tickets

Ticket’s View

This view displays a list of tickets that meet the conditions defined in a
filter. By default, the view shows current active tickets.
The functionalities available in this view are:
• Create a new ticket: this option allows the creation of a new
incident or request ticket.
• Export the list in CSV format.
• Filter by most of the ticket attributes.
• Check the detailed information of the ticket: by clicking on the
ticket ID or in the drop-down menu on the right-hand side of the
ticket table.
• Manage the ticket, one by one or selecting a group. Depending on
the status of the ticket: Comment, Update, Suspend, Reactivate,
Resolve, Close, Cancel, Clone.

Ticket’s Filters

This view shows the fields by which ticket searches can be filtered.
These are:
• ID: Ticket ID.
• Priority: Critical, High, Low, Medium or Undefined.
• Opening Date: Ticket Opening Date. All pre-selected.
• Resolution Date: Ticket Resolution Date.
• Service: Service to which the Ticket belongs.
• Client Ticket ID: related ticket ID in the client’s ticketing system.
• Location: Ticket Location.
• Type: All, Incident or Request. All pre-selected.
• Status: Unidentified, Open, Work in progress, Suspended,
Resolved, Closed or Cancel. The first four pre-selected
• Category: Ticket Category.
• Title: Ticket Title.
• Description: Ticket detail.
• Group: Assigned Group.
• Operator: Assigned Operator.


Clicking on the "Show advanced filters" button will display the rest of
the fields to filter by. These are:
• Updates: Update log.
• Product Type: for example, Analysis, Configuration, Reports or
Request. All pre-selected.
• Problem Type: provides more detail about the type of problem. All
pre-selected.
• Source Range IP: All, Private or Public.
• Detection Date: date on which the alert that opened the ticket
was detected
• Closing Date: date on which the status becomes closed.
• Ambit: client defined tags that define a business or system area
• Technology: Antivirus, Firewall, GNU, IDS-IPS, Linux, Proxy, ,
Radius, VPN, Windows or Windows Server.
• Complexity: Low, Medium or High.

New Ticket

These are the fields to fill in when creating a new ticket:


CI Name: (Optional) Name of the affected device, selected from “Managed
Devices”
Severity
• Priority: Low, High, Medium or Critical.
• Business Impact: N/A, Degradation or Service impacted.
Categorization
• Type: Request or Incident.
• Service: list of services available.
• Product Type: Service Product Type.
• Problem Type: Product Problem Type.
Description
• Title: descriptive Title of the Ticket.
• Client Ticket ID: related Client Ticket ID.
• Deliverable: type of deliverable to be generated. N/A, Email Notification, Executive
Report or Technical Report.
• Description: Ticket detail.
Attachments: The possibility to add or remove attachments that provide
more information to the ticket is provided.


These are the advanced CI filters and advanced view fields to fill in
when creating a new ticket:
Advanced CI filters
• Data Center Country
• Data Center Province
• Data Center Locality
• Data Center Street
• Data Center Building
Advanced views
• Affected User (by default it is filled in with current user
information)
• User Affected Name
• User Affected Email
• Tags: allow tagging the ticket to restrict access to it based on:
• Location
• Ambit
• Technology
• Complexity

Documents

Introduction

The document repository stores service documents, reports and any other additional information for the customer. It includes upload, download, edit details, delete, search and other management options.
The folder browser is located on the left side of the screen. By
selecting a folder, the user can access its contents, which are
displayed on the right-hand side of the screen.
A folder can be opened either in the browser on the left or in the
content view on the right.

New folder

The 'New folder' button creates a new folder within the current folder.
After clicking on it, a pop-up window appears where the following
fields must be filled in:
• Name: the name of the folder. It is mandatory.
• Periodicity: select a value from the list only if this folder is relevant
for daily or weekly reports.
• Technology, Ambit and Countries: select one or several values to
restrict access to the folder only to users whose profile contains at
least one of the selected values.

New document

The 'New document' button allows you to upload a new file to the
current folder. After clicking it, a pop-up window shows the following
fields to be filled in:
• Document: select the document stored in the user's equipment to
be uploaded. Mandatory field.
• Title: the name that will appear in the list of documents. Mandatory
field.
• Data date: date of the information contained in the document.
• Technology, Ambit and Country: select one or more values to
restrict the access to the folder only to users whose profile contains
one of the values selected.
• Author, Status, Version and Type: additional descriptive
information about the file.

Download document

There are three different ways to download one or more documents:
1. Click on the name of the document, select the type of document in the pop-up window if there is more than one, and then click on Download.
2. Click on the file type icon of the one you want to download.
3. Download several documents at the same time, previously selecting the ones you want to download:
   1. Check the documents in the boxes on the right.
   2. Click on the Download button.

Other functionalities

1. Send document by email:
   I. This functionality is available by clicking on the mail envelope icon.
   II. The document can be sent to one or more email addresses.
   III. The Subject (by default the name of the document), the Body of the message and the addresses to which the e-mail is sent must be entered.
2. Delete folders and files: to delete a folder or a file, click on the cross icon of the document.
3. Move files: to move a file, click and drag a file into the folder browser on the left and drop it into the new destination folder.

Vulnerability Risk Management

The VRM Documents section is located under the Global Tools menu:
I. It has a specific dropdown selector to allow access to the Document section of each client Unit.

Reports

Template List

Displays the paginated list of available templates for generating reports.
The information on the templates shown in the list is:
• Name: name that identifies the template.
• Created by: user who created the template.
• Last modified: date of last modification of the template.
Clicking on the clock icon takes you to the list of scheduled reports.

Scheduled Reports

Displays the paginated list of scheduled reports of a template type.


The information on the scheduled reports shown in the list is:
• Name: name that identifies the scheduled report.
• Cron: reporting periodicity using Quartz syntax.
• Timeframe: range of dates or period over which the report is to be
generated
• Created by: user who created the scheduled report.
• Active: flag indicating whether or not the scheduled report is
active or inactive.
The functionalities associated with each scheduled report are:
• Edit: accesses the detail of the report scheduled for modification.
• Delete: the programmed report is deleted
• Test: to receive an example of a report at the indicated e-mail
address
• Run now: a report is created which will be sent via the selected
sending mode.

New Scheduled Report

The new report is given a name.
In the first step of the creation wizard, the report schedule is configured.
It can be scheduled hourly, daily, weekly, monthly, yearly or on demand.
When the "Apply" button is clicked, a Cron expression is generated.


In the second step of the creation wizard, the general configuration of the
report is configured. The parameters to which the report is to be applied
are configured. These are:
• Timeframe: Current day, Previous day, Previous 7 days,
Previous week, Previous 30 days, Current month, Previous
month, Custom Range (selecting start and end dates).
• Country: filter by country
• Ambit: filter by ambit
• Technology: filter by technology
• Priority: filter by priority
• Services: services available for the report.


In the third step of the creation wizard, you select the mode of
sending the report. The options are:
• Attached to the email: the report is sent as an attachment.
You configure the email addresses to which it is sent, the
subject (which can be completed with information related
to the report: Timeframe start, Timeframe end or Date of
execution) and the body of the message.
• As link in email: the email includes a link to the report.
You configure the email addresses to which it is sent, the
subject (which can be completed with information related
to the report: Timeframe start, Timeframe end or Date of
execution) and the body of the message.
• Document Repository: the report is delivered by
uploading it to the document repository, in the folder
indicated in the Path (folders are separated by "/", and "/"
on its own is the root), and labelling the report with the
values of the fields Country, Ambit and Technology.

DIGITAL RISK PROTECTION - REPORTS
Where can I find out about analyst investigations and other service reports at the client level?
From this section you can access all the reports that have
been published for the different companies in the
customer.

The Unit field has also been included in the filters in order
to be able to consult only the reports of the unit or units
that are of interest.

DIGITAL RISK PROTECTION - REPORTS
Where can I find out about analyst investigations and other service reports at the unit level?
Through the Reports section, you will be able to consult the
list of all the reports, investigations and informative notes
generated by the service, available to be downloaded.
• Export (CSV): from this option you can export in CSV format
the list of reports available in the Portal.
• Filters: you can apply filters in the reports delivered under
different parameters:
• Date
• Status
• Reference
• Read / Unread
• Type
• Or even search for a specific term in any parameter of
the report.

VULNERABILITY RISK MANAGEMENT - REPORTS

What kind of reports can I create?

Through the Reports section, located under the Global Tools
menu, you will be able to create, review and edit four kinds of
VRM reports:
• Vulnerabilities Technical. The Technical report of Vulnerabilities
contains the information of a selected project: assets within the
scope, time windows enabled for the performance of tests, detail of
the tests performed and detected vulnerabilities.
• Differential. The Differential report of Executions shows the
evolution of the status of vulnerabilities across the test executions
selected from a particular project. The statuses in the report are: old,
fixed, reopened and new.
• Customized Technical. The Customized report contains
information of vulnerabilities based on several filters: start date, end
date, asset, Resolution Group, vulnerability, status and severity. The
report will show those vulnerabilities resulting from the application of
all the filters, the assets in which they are and the projects to which
those vulnerabilities belong.
• Follow-Up. The Follow-Up report shows the current status
of the vulnerabilities by severity and status within the selected dates.
It also presents an analysis of vulnerabilities treatment.

The Reports menu gives access to the list of created reports.
The list contains the columns Type, Name, Projects, Session, Start
Date and End Date with the basic information of the reports. Clicking
the Name column of a report shows its information.

VULNERABILITY RISK MANAGEMENT - REPORTS

Creating a new VRM report

Click New to create a report. The fields marked with a red
asterisk are mandatory. You must then tap on the Continue
button, and indicate the characteristics of the report in the new
window, which vary according to the Type of report selected:
• If Differential report is selected, choose the project and
project executions you want to include in the report.
• If Vulnerabilities Technical is selected, choose the
project whose vulnerabilities you want to include in the
report.
• If Customized Technical is selected, you can filter the
vulnerabilities you want to include in the report based on
date range, projects, Resolution Groups, vulnerabilities,
status and severities. You can also filter the vulnerabilities
by either affected assets or those resulting from the
general and customized asset fields.
• If Follow-Up is selected, select the start date
and end date of the events for which you want to create a
report.

VULNERABILITY RISK MANAGEMENT - REPORTS

VRM report periodicity

When creating a new report, the "Periodicity" drop-down list is shown, containing the
values:
• One-Shot
• Weekly
• Monthly

If the value Weekly or Monthly is selected, a date calendar will appear, allowing
the user to select the date on which the first report must be generated
automatically.

VULNERABILITY RISK MANAGEMENT - REPORTS

VRM report structure

To revise the structure of a report, click Review. A new page will open to edit the structure through the following actions:
• Add new section of first level at the end of the existing ones, in case it is performed on the index of the report. In case a new
section is added to an already existing section, it will be of second level and it will also be added at the end of the already existing
sections.
• Add new paragraph at the end of the section.
• Exchange section/paragraph for the immediately preceding one.
• Exchange section/paragraph for the immediately subsequent one.
• Edit title of section. In case it is a paragraph, all the block can be edited as if it was a text editor. There are certain paragraphs with
the tag [non editable] which contain information of the project and cannot be edited.
• Remove section/paragraph.

Admin

ADMINISTRATION MODULE
How do I access the administration module?

You can only access the module if you have a profile with user and
profile management permissions.
You must go to the “All Services” section of the portal. Then go to the
"Configuration" section.
You will see an "Admin" entry in the main menu. By clicking on that
entry, you will access the management module.
Once there, you will be able to manage users, user profiles and view
the information of contracted services.

PROFILES
What profiles are there? (1/2)

By selecting the Profiles tab, you will be able to see all the profiles
that are configured.
For each profile, the name and the number of users who have this profile
assigned are displayed.

PROFILES
What profiles are there? (2/2)

• When a new client is created, two default profiles are created:
  • Default client profile, which is the one that will
  be assigned to all users of the client if they are
  not explicitly assigned one, identified with the
  tag
  • Default SOC profile, which is the one SOC
  operators will have by default
• The client only sees users and client profiles. SOC profiles are
only accessible to the SOC.
• Migration from the previous model will create as many profiles as
necessary to reflect equivalent access levels for existing users.

PROFILES
How do I create a new profile? (1/2)

• On the Profiles tab, click the "New client profile" button.
• A profile edit form will open, where you'll need to give it a unique name and define all the access permissions that the profile will have,
distributed in several sections:
  • General info
    • Profile name
    • Initial page you will enter if you don't enter a specific URL in your browser
    • Default profile: whether this profile is to be the default profile (the mark on the current default profile will be removed)
    • OB: whether this profile is to be the OB default profile (the mark on the current OB default profile will be removed)
  • Dashboards
    • Which main dashboards will be visible
  • Permissions
    • General Info: access to Manage Client Information in Read or Write mode. Editable only to SOC Profiles.
    • Role over Client Profiles - Admin: manages Profiles in one of the following ways: None, Restricted Profiles (with a list to select them) or All. If
    the admin is restricted, a series of profiles is selected; these will be the only profiles that you can assign to the users you create, and you
    can only modify permissions for users who have one of those profiles, by assigning another profile. You won't be able to modify those
    profiles.

PROFILES
How do I create a new profile? (2/2)

• Tools: access to common tools.
• Documents: what type of access you have to the document
manager, for folders associated with each service and for
"common" folders, which are not associated with any.
• Reports: access to the report scheduling module, to manage
templates (not currently applied) and to generate reports,
either manually, periodically or both.
• Lists: access to list management (modification or also
creation) and which lists are accessible.
• Units: the units that the user can access and the type of
access to the Unit’s services.

• Filters: If enabled for the client, you can activate filters (area,
technology, country...) and choose loaded values for those filters
that will be applied in data access. Only data labeled with these
values will be visible by users with that profile.

• Sections for each service, with the selection of modules that will
be visible and with what level of access, for each unit of the client
when applicable.

USERS
What information can I find?

• When you select the Users tab, the list of users who have access to this client appears.
• You can search for users whose email contains the search pattern you enter. The search allows regex and is not case-sensitive.
• For each user, the following is shown:
  • User type (SOC, client), as an icon. Client administrators will only see client users, with the icon
  • Email. Clicking on it opens the user's detail.
  • Name.
  • Profile applied to that user. Clicking on it opens the profile detail.
  • Status: status of the user's account: Active, Pending Invitation or Blocked.
  • Action Menu: to delete the user, upon confirmation, or to unblock the user if Blocked. Users can't delete themselves, so the icon won't appear for their own entry.
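
Because the user search takes a regex and matches anywhere in the email, a plain domain typed as a pattern matches more than that domain, which matters when the list is used for an access review. The following is an added example, not the portal's code: Python's `re` module stands in for the portal's matcher (its regex dialect is an assumption), and the user list and function names are constructed for illustration.

```python
import re

# Constructed user list; the addresses use reserved example/test domains.
USERS = [
    "Ana.Lopez@example.com",
    "soc.operator@example.com",
    "bob@example.com.attacker.test",
    "carol@examplexcom.test",
    "dave@partner.example.org",
]


def search_users(pattern, emails):
    """Case-insensitive 'contains' regex search, as the Users tab describes it."""
    try:
        rx = re.compile(pattern, re.IGNORECASE)
    except re.error as exc:
        # An unbalanced bracket or parenthesis is a pattern error, not "no results".
        raise ValueError(f"invalid search pattern {pattern!r}: {exc}") from None
    return [email for email in emails if rx.search(email)]


def domain_pattern(domain):
    """Pattern that matches only addresses whose domain is exactly `domain`.

    re.escape() makes the dots literal; '@' and '$' anchor the match to the
    whole domain part instead of any substring of the address.
    """
    return "@" + re.escape(domain) + "$"


def outside_domains(emails, allowed_domains):
    """Access-review helper: accounts whose mail domain is not on the allow list."""
    allowed = {d.lower() for d in allowed_domains}
    return [e for e in emails if e.rsplit("@", 1)[-1].lower() not in allowed]


if __name__ == "__main__":
    print("naive   :", search_users("example.com", USERS))
    print("anchored:", search_users(domain_pattern("example.com"), USERS))
    print("review  :", outside_domains(USERS, ["example.com"]))
```

The naive pattern also returns the two lookalike addresses, because the unescaped dot matches any character and nothing anchors the match to the end of the address.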

USERS
How do I register a new user? (1/2)

In the Users section there is a "New client user" button. Clicking on it
opens a form to register a new user.
The form asks for the user's email to be filled in. Three cases can
occur when filling it in:
• The user is new to the portal: an "Invite" button and two new fields
that need to be filled in to activate the user will appear:
  • Language, which will be used in the invitation email sent to the
  user to register on the portal
  • Profile to be assigned to the user. It can be left empty, so that the
  user always uses the profile that is defined by default
  • Clicking on "Invite" registers the user, pending completion of
  registration by following the instructions in the invitation
  email.

USERS
How do I register a new user? (2/2)

• The user exists in the portal but does not have access to
this client: a "This user already exists. You can configure
your access to client_name" prompt will appear, together with a
"Configure access" button that will take you to the next
step, which shows:
  • The user's data, as recorded by the user.
  • Profile you want to assign. If you want to use the default
  profile you have to select the blank option.
  • Clicking on "Configure access" completes the registration
  process.

• The user already has access to this client: a "This user
already exists and has access to client_name" message will be
displayed, and the save button will change to "view user
details". Clicking it will take you to the detail of that user.

USERS
How do I modify or delete an existing user?

• To delete a user, simply click on the action menu to the right of the
entry in the Users section. Then click the “Delete” action.
Confirmation will be requested and, once given, that user's access (their
affiliation) to this customer will be removed.
The user will not be permanently removed from the portal until all
their affiliations are deleted.
• In the Users section, clicking on a user's name or email gives you
the details of the user.
• On the detail page there is an “Edit” button, which allows you to
activate the profile selector and assign the user a different profile. To
confirm the change, click “Resend invitation”.
• User data can only be added and modified by the users themselves, in
their profile, accessible by clicking on the “My data” section in the
header icon.

CLIENT
What information can I find?

• In the client information section, you can see all the information of the contracted services available on the portal:
• Administrative data: name, acronym, provision status, contracting status, tax id, country, time zone, language, sector and subsector,
mail domains, second factor configuration, notifications (to be used later for notifications of new versions or problems) and domains
through which the portal can be accessed.
• Authentication & access
• Domains from which you can access the portal
• Second factor configuration
• Single sign-on settings
• Dashboards available
• Default profiles
• Tools
• Billing status
• Units
• Ticketing
• Reports
• Lists
• Filters
• Sections for each service

Digital Risk Protection

DIGITAL RISK PROTECTION
Client view (1/2)

First, a unified view of the organization's aggregate risk is
presented, along with the total number of threats registered
over the last month (time range that can be customized),
distributed by status and unit. This view is shown in client context,
with the "All units" option selected in the dashboard selector.
If the customer has more than 4 units, you have to scroll
horizontally to see their graphs.

Below is a ranking of the five entities that have been observed
most frequently in the threats registered in the last month, both
with respect to the Affected Assets and to the Threats
themselves.
For those units associated with more than one customer, the
item can be unfolded to see the complete list.

DIGITAL RISK PROTECTION
Client view (2/2)

The following graph shows a heat map with the geographic distribution of
the threats registered over the last month along the footprint of the
customer.

The last section shows graphs of the evolution of the threats detected and the threats
resolved for all the companies of the customer.
Graphs support a certain level of customization, allowing:

▪ Add/remove the companies you want by clicking on their name in the legend at the
bottom of the graph.

▪ Focus on a specific time range to see its evolution, simply selecting that range with the
mouse.

DIGITAL RISK PROTECTION
Unit view

The Dashboard shows the overall threat status and a summary of the latest threats and reports delivered. It is shown in client context,
with the "One unit" option selected in the dashboard selector.

▪ Latest threats: list of the last six threats updated:
o Date of detection.
o Threat's risk level.
o Threat's brief description.
o Threat type.
o Threat status.

▪ Dashboard: shows the overall threat risk, as well as service activity metrics
based on the date range selected in the filter (by default, it shows
information from the service start date to the current date):
o Number of threats detected by type and associated risk.
o Number of threats by status.

It also displays the number of unread threats (see orange tooltip), giving the
possibility to access them directly by clicking on the number.

▪ Latest investigations: list of the last six delivered reports:
o Report delivery date.
o Report Name.
o Report Type.
o Report Status.

DIGITAL RISK PROTECTION
Threats

In this section you can consult the registered threats, as well as
access their detailed information.
• Risk level: threat’s risk level. The risk of each threat depends on
the risk value set by the Analyst who analyzed the threat.
• Detected on: date when the threat has been analyzed.
• Closed at: date when the threat was removed.
• Name: brief description of the threat.
• Type: threat type.
• Reference: unique identifier of the threat.
• Status: threat status. The available statuses are: Notified,
Analysis, Mitigation, Monitoring, Discarded or Resolved.
From the Threat list you can apply filters according to different
parameters and perform advanced searches on threats.
To export your threats in CSV format, click on “Export (CSV)”.
In addition, the Administrator can export the list of credentials whose
source is "Botnet". To make this export in CSV format, you must click on
“Credentials (CSV)”.

DIGITAL RISK PROTECTION
Threat Detail 1/2

The detail of a threat comprises two sections: Threat and Mitigation
(as long as the response applies to the specific type of threat).
Firstly, the Threat section is shown, with the full detail of the threat divided
into several blocks:
• General info: threat type, detection date, source publication date, last
update date, closed at date, risk level associated with the threat, threat
status, affected locations, threat description.
• Specific threat information: with the specific details of the threat in
question.
• Evidences: evidences associated with the threat will also be shown.
These can be a URL, picture or file.
• Entities: the entities (brand, domain, IP, email, VIP, app, CPE, location,
alias, hashtag, facility, tech) referring to the customer’s assets affected
by the threat or to the threat information itself will be shown.
• Confidential resource (only for an administrator user): the
confidential information related to the threat will be attached (if it
applies), available for download during the 15 days that follow its
publication, after which it will be removed.

DIGITAL RISK PROTECTION
Threat Detail 2/2

The Mitigation section will be visible as long as the mitigation action
on the threat has been taken.
In it, a list of the resources associated with the threat on which the
takedown is being performed can be found. Each of them is shown on a
separate tab, which will contain the following information:
• Browser blocking: status of the browser blocking of the malicious
resource.
• Network blocking: status of the network blocking of the malicious
resource.
• History: analysis, response and closing dates for the response
case, as well as the associated duration.
• Comments: a log of all actions taken by the response team to
perform the final removal of the malicious resource.

DIGITAL RISK PROTECTION
Export my Threats

To export your threats in CSV format, click on “Export (CSV)”.
Once this is done, a “csv” file will be generated containing the
threat list according to the selected filter.

| reference_string | name | type | validated_at | published_internet_at | status | description | weighted_risk |
|---|---|---|---|---|---|---|---|
| xxx-D-6519 | Menciones a tu compañía en fuentes de especial monitorización: @anonimous difunde en Twitter un… | offensive_content | 2018-01-23 04:42:06 UTC | 2018-01-21 12:39:58 UTC | Monitoring | Se ha detectado una publicación ofensiva en Twitter del perfil anonimous… | 3 |
| xxx-D-6518 | Vulnerabilidad en Cisco Unified Customer Voice Portal (CVE-2018-0086) (CVSS Score indefinido) | vuln | 2018-01-23 02:28:53 UTC | 2018-01-20 21:14:47 UTC | Notified | CVE-2018-0086 Una vulnerabilidad en el servidor de aplicaciones de… | 4 |
| xxx-D-6517 | Exposición de información. Posible información confidencial. GitHub | data_leak | 2018-01-22 21:28:02 UTC | 2018-01-20 05:13:45 UTC | Resolved | Se ha detectado una posible fuga de información que afecta a la compañía… | 4 |
| xxx-D-6516 | Vulnerabilidades en Cisco (CVE-2017-12307 y CVE-2017-12308) (CVSS Score Indefinidos) | vuln | 2018-01-22 19:23:24 UTC | 2018-01-19 13:40:48 UTC | Notified | CVE-2017-12307 Una vulnerabilidad en el framework del software podrá permitir que... | 4 |
| xxx-D-6515 | Concentración de los trabajadores de xxx el 24 de enero a las 10:00 en la Puerta del Sol de Madrid | hacktivism | 2018-01-22 09:26:28 UTC | 2018-01-18 16:38:58 UTC | Monitoring | Se ha detectado una publicación en la red social Twitter en el perfil de… | 3.0 |
| xxx-D-6514 | Alta de dominio: marcacliente.it | domain | 2018-01-21 12:39:58 UTC | 2018-01-18 19:48:25 UTC | Mitigating | Se ha detectado el registro del siguiente dominio posiblemente fraudulento… | 2 |
| xxx-D-6512 | Manifestación el jueves 25 de enero a las 17 horas en xxx | hacktivism | 2018-01-21 03:26:00 UTC | 2018-01-20 05:13:45 UTC | Notified | Se ha detectado una publicación en la red social Twitter por parte del perfil… | 3.0 |
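
A threat export in this column layout can be loaded into a triage queue outside the portal. The following is an added example, not part of the guide or the portal: the comma delimiter and quoting are assumptions about the real file, the sample rows reuse the references, dates, statuses and risk values shown above with constructed names and descriptions, and the function names are illustrative.

```python
import csv
import io
from datetime import datetime, timezone

EXPECTED_COLUMNS = [
    "reference_string", "name", "type", "validated_at",
    "published_internet_at", "status", "description", "weighted_risk",
]
# Statuses treated as final here; anything else counts as open, including
# values such as "Mitigating" that appear in the sample export.
CLOSED_STATUSES = {"resolved", "discarded"}

# Constructed sample: comma-delimited, last row deliberately malformed.
SAMPLE_EXPORT = """\
reference_string,name,type,validated_at,published_internet_at,status,description,weighted_risk
xxx-D-6519,Offensive post (constructed),offensive_content,2018-01-23 04:42:06 UTC,2018-01-21 12:39:58 UTC,Monitoring,constructed,3
xxx-D-6518,Vendor vulnerability (constructed),vuln,2018-01-23 02:28:53 UTC,2018-01-20 21:14:47 UTC,Notified,constructed,4
xxx-D-6517,"Data exposure, code repository (constructed)",data_leak,2018-01-22 21:28:02 UTC,2018-01-20 05:13:45 UTC,Resolved,constructed,4
xxx-D-6515,Protest announcement (constructed),hacktivism,2018-01-22 09:26:28 UTC,2018-01-18 16:38:58 UTC,Monitoring,constructed,3.0
xxx-D-6514,Lookalike domain registered (constructed),domain,2018-01-21 12:39:58 UTC,2018-01-18 19:48:25 UTC,Mitigating,constructed,2
xxx-D-0000,Broken row (constructed),domain,not-a-date,2018-01-18 19:48:25 UTC,Notified,constructed,2
"""


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS UTC' into a timezone-aware datetime."""
    parsed = datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S UTC")
    return parsed.replace(tzinfo=timezone.utc)


def load_threats(text):
    """Return (threats, errors); rows that fail validation are reported, not dropped silently."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in EXPECTED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    threats, errors = [], []
    for row in reader:
        line_no = reader.line_num
        try:
            validated = parse_ts(row["validated_at"])
            published = parse_ts(row["published_internet_at"])
            delay = (validated - published).total_seconds() / 3600
            threats.append({
                "reference": row["reference_string"],
                "type": row["type"],
                "status": row["status"].strip(),
                "risk": float(row["weighted_risk"]),  # "3" and "3.0" both occur
                "validated_at": validated,
                "hours_to_validation": round(delay, 1),
            })
        except (ValueError, TypeError, AttributeError) as exc:
            # Short rows give None values; bad dates or risks raise ValueError.
            errors.append((line_no, row.get("reference_string"), str(exc)))
    return threats, errors


def open_threats(threats, min_risk=3.0):
    """Open threats at or above min_risk: highest risk first, oldest first within a risk."""
    selected = [
        t for t in threats
        if t["status"].lower() not in CLOSED_STATUSES and t["risk"] >= min_risk
    ]
    return sorted(selected, key=lambda t: (-t["risk"], t["validated_at"]))


if __name__ == "__main__":
    parsed, rejected = load_threats(SAMPLE_EXPORT)
    for threat in open_threats(parsed):
        print(threat["reference"], threat["type"], threat["status"],
              threat["risk"], threat["hours_to_validation"])
    for line_no, reference, reason in rejected:
        print(f"line {line_no} ({reference}) rejected: {reason}")
```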

DIGITAL RISK PROTECTION
Takedown of a Threat (only for an administrator user)

In the Threat Detail, users with Client-Adm role can request real-time
mitigation or takedown of a threat by simply clicking on “Request
Mitigation”.
Once the takedown has been requested, the “Mitigation” section will
be shown in the threat detail, which will be updated with the actions
that will be applied in the threat response process.

DIGITAL RISK PROTECTION
Mark or highlight specific Threats for a special follow-up

Under certain circumstances, you may want to highlight or mark one or more
threats to follow-up on them.
To do so, simply click on the gray circle to the left of the threat you want to mark:
Once done, the threat will be highlighted with a blue circle:
Likewise, any analyst of the Digital Risk Protection service can mark a specific threat at
any given time. In this case, the threat will be highlighted with the following circle:
In order to find out which user has marked the threat, you will just have to hover the
mouse over the circle and a tooltip will be shown with the user’s information.

DIGITAL RISK PROTECTION
Add and display comments

Through the Portal you will be able to communicate directly
with the analysts of the service, adding comments or specific
notes about a specific threat.
Likewise, the analysts of the service will be able to add comments
on the threats, which will be available on the Portal for your
reference, in addition to being notified to your email.

DIGITAL RISK PROTECTION
Statistics

The Statistics section of the Customer view displays aggregated
statistics for the entire customer.
The filters also include a Customers field to limit the statistics to the
customer or customers that are of interest.

DIGITAL RISK PROTECTION
Statistics

From the “Statistics” section, you will be able to consult a series of graphs representing the threats managed, according to their evolution,
type and status.

Chart of threat evolution over time

Threat distribution by type Threat distribution by status

DIGITAL RISK PROTECTION
Statistics

From the Statistics section you can apply filters to visualize personalized
graphs according to different parameters:
• Date range:
• Last week: graphs show the information from the last
seven days.
• Last month: graphs show the information from the last
month.
• Last year: graphs show the information from the last year.
• Custom: it allows selecting the time range of the graph
information.
• Family: graphs show the information of the family or families to which
the threat belongs: Business Disruption, Reputation and Brand, Online
Fraud.
• Type: graphs show the information of threats according to the selected
types. The Family must be selected previously.
• Status: graphs show the information of threats according to the
selected status.
Once the filtering criteria have been selected, click on “Filter”. To remove the applied
filters, click on the “Clear” button.

DIGITAL RISK PROTECTION
Entities

Through the Entities section, you will be able to consult the list of all
the entities extracted from the registered threats. These can be
categorized as Affected Asset (customer’s assets), Threat (related to
the threat itself) and Source (source where the threat was observed).
• Filters: you can apply filters on the listed entities under different
parameters:
• Entity
• Detected on
• Category
• Threat Type
• Entity Type
• You can export a csv file with the list of entities, according to the
selected filter, by clicking on this button.

DIGITAL RISK PROTECTION
Newsletters

Through the “Newsletters” section, within the “News” menu, you will
be able to consult the list of all newsletters delivered by the service.
• Filters: you can apply filters on the listed news according to
different parameters:
• Published at
• Newsletter
• Type
• Query
• Category
• Sector
• Export (CSV): you can export a CSV file with the list of news,
according to the selected filters.

DIGITAL RISK PROTECTION
Newsletters - STIX objects

STIX objects are cyber threat information identified in the news
reported by the service, modeled according to a series of objects
(Threat Actor, Attack Pattern, Campaign, Course of Action, Identity,
Indicator, Intrusion Set, Malware, Tool, Vulnerability) in STIX format.
• Filters: you can apply filters on the listed STIX objects according
to different parameters:
• Newsletter
• News
• Type
• Query
• Date
• Export (CSV): you can export a CSV file with the list of available
STIX objects, according to the applied filters.

DIGITAL RISK PROTECTION
Exports

The “Exports” section allows you to query and export, more completely and efficiently, the confidential resources active from the Credential
Theft threats that are of Botnet origin.
Each option will open a new view where you will be able to create the corresponding searches or consult the list of your previous searches.

In the “New credential search” view, you can select among a series of filters that limit the information to be searched.
From the list of searches, you can Open or directly Download any of them, among other options.
If you choose to Export the search, you will have the option to export the list of active credentials in CSV format.

DIGITAL RISK PROTECTION
Notifications

From the “My Profile” section, located at the top of the portal, you can edit
the configuration of the email notifications offered by the service.
Firstly, you can enable or disable the notification of threats by type,
indicating from what risk level you want to be notified and whether or not you
want the notification to include a report with the full detail of the threat and
the evidences in PDF format.

In addition, you can further filter the reception of threat notifications
according to the type of asset that is affected (for the moment, only
Brands). It is important to mention that they have to be previously
provisioned in the portal. Contact your Local Analyst if they are not.

Finally, you can select the types of reports for which you want to receive
notifications when they are published. This option also includes the reception
of newsletters.

Once you have edited the information, click on "Save".

Vulnerability Risk Management

VULNERABILITY RISK MANAGEMENT
Client view

First, a unified view of the organization's aggregate data is
presented, using cards (for main figures) and charts for the Top
5 units (or “All units” if the client has fewer than five units).
The Client Dashboard is shown in client context and with
the "All units" option selected.

There are specific charts and cards for clients using
the priority schemas Risk or VMI.

Every dashboard element has descriptive context help,
available by pressing its info icon.

VULNERABILITY RISK MANAGEMENT
Unit view

When one specific client Unit is chosen in the Units selector,
the related Unit cards and charts are displayed.

There are two different Unit Dashboards:
• Assets Dashboard: it displays asset-related charts and
cards
• Vulnerability Dashboard: it displays vulnerability-related
charts and cards

There are specific charts and cards available only for Units
using the priority schemas Risk or VMI.

Every dashboard element has descriptive context help,
available by pressing its info icon.

VULNERABILITY RISK MANAGEMENT
Projects - List of Projects

• Displays a table with the projects in progress. The List
mode is the default view to see the projects. You can
change the view to the Calendar mode by clicking the
button. This section describes both views.

• By tapping on the "Filter" text, you can access a drop-down
with different options to filter the data displayed. This filter
changes slightly depending on whether the table is being
viewed in List or Calendar mode.

• The view in the List mode contains the columns
Identifier, Name, Starts Date, End date, Type, and Mode
with the basic information of projects. Clicking the
Name column of a project shows its information.

• Besides, the list contains the column Actions with the
option Download to download all the evidence of the
project’s vulnerabilities in ZIP format.

VULNERABILITY RISK MANAGEMENT
Projects - Consulting Project Information 1/2

• When a project is accessed, the information appears in several tabs: General Information, Assets, Windows, Executions and
Vulnerabilities. A horizontal bar is shown on the tab you are on.

• General Information: It includes the number of assets within the project scope and the number of detected vulnerabilities.

• Below this information there is the number of vulnerabilities pending revision, broken down into these statuses: Potential, Open and Non
Certified, and there is also the number of vulnerabilities revised, broken down into these statuses: Discarded, Assumed, Corrected and
Certified. In addition, there is a graph indicating the level of severity of the vulnerabilities pending revision and of the revised
vulnerabilities.

VULNERABILITY RISK MANAGEMENT
Projects - Consulting Project Information 2/2

It includes the blocks of information Project Details, Test Details, Recommendations and Personal valuation of the auditor. The Project Details block contains these
fields:
• Client name.
• Name of the project.
• Identifier of the project.
• Start date, End date in the format dd/mm/yyyy hh:mm.
• Type of project: Vulnerability Alert, Vulnerabilities Assessment, Persistent Pentesting, Black Box or White Box.
• Mode of execution: Manual or Automatic.
• Restrictions of the project.
• Source IP Addresses from which the tests were executed.
• Associate active-level vulnerabilities: when enabled, a single vulnerability is created per asset, regardless of details such as ports, URLs, multiple IPs or CPE.
o This option can only be enabled by the SOC Administrator and System Administrator profiles.
• Synchronize CVSS of active vulnerabilities: by default this option is set to "No" for all the projects of the client. Activating it has two effects:
1. Retroactive effect: the Active vulnerabilities of the project whose base CVSS value differs from that of the VRM dictionary of vulnerabilities have their base CVSS value updated, except for the vulnerabilities whose value was modified manually.
2. Effect of subsequent operation: every time a vulnerability in the dictionary changes its base CVSS value, the base CVSS is updated in the active vulnerabilities of the project, with the exception of those whose value was modified manually.
o This option can only be enabled by the SOC Administrator and System Administrator profiles.
The other blocks are filled in by the auditor if deemed necessary.
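The two effects of the Synchronize CVSS option, modelled as an added example (not the portal's own code): the classes, field names, dictionary keys and sample identifiers are assumptions constructed for illustration, and the severity bands are the standard CVSS v3 ranges. The preview step shows which findings would change score, and severity band, before an administrator enables the option.

```python
"""Model of the 'Synchronize CVSS of active vulnerabilities' project option."""
from dataclasses import dataclass


def v3_band(score):
    """CVSS-V3 severity band for a score (standard CVSS v3 ranges)."""
    if score == 0.0:
        return "Null"
    for upper, name in ((3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return name
    return "Critical"


@dataclass
class Vulnerability:
    ident: str                      # constructed sample identifier
    dictionary_id: str              # hypothetical key into the dictionary
    base_cvss: float
    manually_modified: bool = False


@dataclass(frozen=True)
class Change:
    ident: str
    old: float
    new: float

    def bands(self):
        """Severity band before and after the change."""
        return v3_band(self.old), v3_band(self.new)


class Project:
    def __init__(self, vulns, dictionary):
        self.vulns = list(vulns)
        self.dictionary = dictionary    # dictionary_id -> base CVSS
        self.synchronize = False        # the option defaults to "No"

    def _pending(self, vulns):
        """Changes sync would make: score differs and was not edited manually."""
        return [Change(v.ident, v.base_cvss, self.dictionary[v.dictionary_id])
                for v in vulns
                if not v.manually_modified
                and v.base_cvss != self.dictionary[v.dictionary_id]]

    def _commit(self, changes):
        by_ident = {v.ident: v for v in self.vulns}
        for c in changes:
            by_ident[c.ident].base_cvss = c.new
        return changes

    def preview(self):
        """Dry run: what enabling the option would change right now."""
        return self._pending(self.vulns)

    def enable_sync(self):
        """Effect 1, retroactive: align existing scores with the dictionary."""
        self.synchronize = True
        return self._commit(self._pending(self.vulns))

    def dictionary_changed(self, dictionary_id, new_score):
        """Effect 2, subsequent: a dictionary entry's base CVSS changes."""
        self.dictionary[dictionary_id] = new_score
        if not self.synchronize:
            return []
        affected = [v for v in self.vulns if v.dictionary_id == dictionary_id]
        return self._commit(self._pending(affected))


def sample_project():
    """Constructed data: one stale score, one manual override, one in sync."""
    dictionary = {"DICT-1": 7.5, "DICT-2": 5.3, "DICT-3": 9.8}
    vulns = [
        Vulnerability("ACME-PRJ1-VE-1", "DICT-1", 5.0),
        Vulnerability("ACME-PRJ1-CO-2", "DICT-2", 8.1, manually_modified=True),
        Vulnerability("ACME-PRJ1-AP-3", "DICT-3", 9.8),
    ]
    return Project(vulns, dictionary)


if __name__ == "__main__":
    project = sample_project()
    for change in project.enable_sync():
        print("retroactive", change, change.bands())
    for change in project.dictionary_changed("DICT-3", 6.5):
        print("subsequent ", change, change.bands())
    print("manual override kept:", project.vulns[1].base_cvss)
```

Manually modified scores survive both effects, so a finding whose CVSS was lowered by hand keeps that value even when the dictionary entry later rises.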

VULNERABILITY RISK MANAGEMENT
Projects - Assets

• It contains a list of all the assets within the project scope. Clicking an asset's Name column opens the information of that asset.
For more information, please check the section on Assets.

VULNERABILITY RISK MANAGEMENT
Projects - Windows

• List of the time windows authorized for the performance of tests and of the assets to be tested. Clicking a window's Start column shows the
information of that window.

VULNERABILITY RISK MANAGEMENT
Projects - Executions - 1/3

List specifying when the tests are executed, within the authorized windows, and the IP addresses from which they are executed. Clicking the Start
column of an execution shows the information of that execution.

The user can filter project executions by different fields such as domain, dates, status of implementation and the last
executions grouped by domain.

VULNERABILITY RISK MANAGEMENT
Projects - Executions - 2/3

In the case of Persistent Pentesting and Vulnerability Analysis projects, the status of the execution is shown in the Ends on column of the
Executions tab.
• The Ends on column can have one of the following values:
• Running, if the scan is being executed.
• Paused. For example, if the scan is outside the Execution window.
• Stopped, if the scan has been manually stopped by the CyberSOC team.
• Error. Click on the execution in order to review the error.
The following three actions are available to users: Pause, Start and Stop.
These actions will be available depending on the status of the execution:
• If the execution is running, Pause and Stop will be shown.
• If the execution is paused, Start and Stop will be shown.
• If the execution is stopped, no options will be shown because it is a final status.
In the case of Persistent Pentesting projects, the progress of the current status of the execution is shown in the Progress column.

VULNERABILITY RISK MANAGEMENT
Projects - Executions - 3/3

Accessing the execution details will show its full information. To do so, click on the
start date of the execution you want to see.
Unlike the progress bar from the list, the one shown in this view (in the Execution
Data section) indicates the number of tasks completed from the total.
In this view you can see the result of the assets and vulnerabilities analyzed in the
execution. Clicking on these hyperlinks displays the list of vulnerabilities
and/or assets of the project, filtered by the execution.
The summary of the vulnerabilities shows the total of validated vulnerabilities with
respect to the total of vulnerabilities detected in the analysis. This value is dynamic:
it reflects the vulnerabilities validated at the moment of accessing the view.
• New vulnerabilities: validated XXX / YYYY detected in the analysis
• XXX validated: [Total vulnerabilities detected in the analysis] -
[vulnerabilities detected in the analysis in the edition state] -
[vulnerabilities detected in the analysis in false positive state]
• Clicking on this hyperlink redirects to the list of
vulnerabilities filtered by the execution. The total of vulnerabilities
shown depends on the role and profile of the user, so the
list for a client role will not contain the vulnerabilities in edition or the
false positives.

VULNERABILITY RISK MANAGEMENT
Projects - Vulnerabilities

It contains the list of vulnerabilities detected in the tests.

VULNERABILITY RISK MANAGEMENT
Projects - Calendar

The view of projects in calendar mode consists of two parts:

1. Information of projects and vulnerabilities. Based on the dates
selected, it shows the number of projects executed and in progress,
as well as the vulnerabilities detected in all the projects. A filter is
applied by default to show the information of the last year. The date
of the filter is configurable.
2. Calendar of projects. It shows, through Gantt charts, the start and
end date of a project, the time windows authorized for the execution
of tests and the performance of tests in the project. The list of
vulnerabilities of a project is accessed by clicking the line of duration
of the project. These diagrams show the information available by
weeks.
At the bottom of the calendar are controls to move around it. These
controls allow going up or down between the different
projects being executed, accessing the current week, moving
through the diagram in time, and zooming for different views.

VULNERABILITY RISK MANAGEMENT
Vulnerabilities – 1/2

A vulnerability uniquely links an asset of the
organization to a definition of the vulnerability in the
dictionary. There is a flow of statuses which reflects the
current status of each vulnerability and determines the
actions to be performed on it.
You can see the vulnerabilities in Classic (default) or
Grouped mode using the buttons at the top right of the
table.
In addition to seeing the events, you can view their
detailed information, export them and download the
evidence. Using the menu Vulnerabilities >
Vulnerabilities, you can access a paginated list with all
the vulnerabilities from all your projects. This list may
include 12, 50 or 100 records.

VULNERABILITY RISK MANAGEMENT
Vulnerabilities – 2/2

The view of the vulnerabilities can be narrowed down by various fields using the basic filter, which are the most used options (Client, Asset, IP Address,
Vulnerability, Risk Level and/or Status) or using the advanced filter which can be viewed by clicking on the Show advanced filter button from the list.
The list contains the following columns which can be sorted in ascending or descending order with the basic information of the vulnerability:
• Identifier of the vulnerability with the nomenclature CUSTOMER_CODE-PROJECT_CODE-TYPE-AUTONUMERICAL_VALUE.
• Detected Vulnerability.
• Project to which the vulnerability belongs.
• Asset affected by the vulnerability.
• Status of the vulnerability. See section 4.2.3 Status of the Vulnerability.
• Type and Category of the vulnerability, which can be AP, CO, VE, RE, corresponding to Application, Configuration, Version and Recommendation,
respectively.
• Date of creation in the format dd/mm/yyyy hh:mm.
• Severity of the vulnerability.
• CVSS-V2 Severity levels are divided into Low (green), Medium (yellow), and High (red), corresponding to scores 0.0-3.9, 4.0-6.9
and 7.0-10.0 respectively.
• CVSS-V3 Severity levels are divided into Null (green), Low (yellow), Medium (orange), High (red), and Critical (magenta),
corresponding to scores 0.0, 0.1-3.9, 4.0-6.9, 7.0-8.9 and 9.0-10 respectively.

VULNERABILITY RISK MANAGEMENT
Vulnerability information

When accessing a vulnerability, the information is displayed in several tabs. A horizontal bar marks the section you are on.

• General Information: Information of the vulnerability with its description, affected assets (with a link to the project information and to the
information of the asset itself), status of the vulnerability, impact of the vulnerability on confidentiality, integrity and availability, CVSS
detail, evidence and comments.
• Impact: List with all the impacts of the detected vulnerability.
• Attack patterns: List with all the types of attack which could exploit the vulnerability. It includes the description, prerequisites, resources
and attack methods.
• Mitigations: Description of the mitigation action to fix the vulnerability, in which phase it shall be implemented and the mitigation strategy
to which the measure belongs.
• References: List of external references of a particular vulnerability.
• Certifications: This section includes the certification for the correction of vulnerabilities.
• History: This tab records all the changes made to the vulnerability, specifying the type of change made, old and new value, author of the
change and date on which it was performed.

VULNERABILITY RISK MANAGEMENT
Edit vulnerability information (only for an administrator user)

In order to edit several vulnerabilities, you must first select the vulnerabilities using the checkboxes and click the Edit button in the top menu.
You can edit the following fields:
• Resolution Group.
• Status, considering the lifecycle of the vulnerabilities. Only those vulnerabilities whose status is compatible with the new status will be
changed. You can view the workflow in the section Methodology of the Service Portal or in the section 4.2.3 Status of the Vulnerability.
• Scheduled Date, considering the status of the vulnerabilities. You can change the scheduled date for all the selected vulnerabilities.
• Comment. Add a comment to the selected vulnerabilities.
• Environmental Score Metrics. You can change the values of the metrics:
• Collateral Damage Potential.
• Target Distribution.
• Confidentiality Requirement.
• Integrity Requirement.
• Availability Requirement.
After tapping on the Update checked vulnerabilities button, the changes will be made.

VULNERABILITY RISK MANAGEMENT
List of Assets

• The menu Assets, under MSSP Functions, gives access to the list
of assets created in the Service Portal.

• The list contains the columns Name, Type, Operating system and
Resolution Group, with the basic information of the asset. Clicking
an asset's Name column shows the information of that asset.
This information includes (among others) the tabs General
Information; Project, with a list of the projects and executions
where the asset is included; History, with the main changes applied to
the asset; and Vulnerabilities, with a paginated list of the
vulnerabilities that affect this asset. The list shows Occurrence ID,
Project name, Vulnerability and Date.

• In addition, the list includes the column Actions with the options Edit
(only available for administrator and operator roles) and Delete (only
available for administrator role).

• The left column of the list has a checkbox for each asset,
which allows you to edit, download or delete the selected assets.

VULNERABILITY RISK MANAGEMENT
Create Asset (only for an administrator user)

To create an asset click New. Fields marked with a red asterisk are mandatory. The
fields to be filled in are:
• Client: choose through the pull down menu the customer on which the asset will be
created.
• Resolution Group: select through a pull down menu, the Resolution Group which
will manage the asset and the vulnerabilities of the same Resolution Group.
• Type: select through a pull down menu the type of asset you will create: Host, Web
Application or Other. (For more information please check the section on Assets).
• Name of the asset.
If the Asset to be created is a Host-type asset, fill in the fields previously described and
fill in the field CPE and the blocks of information IP Addresses, Aliases and SW
Packages.
If you wish to create a Web Application-type asset, fill in the fields previously described
and fill in the blocks of information SW Packages, URLs and Hosts.
Once the information of the asset is provided, click Create Asset. If you do not wish to
create the asset click Cancel.

VULNERABILITY RISK MANAGEMENT
Edit Information of Asset (only for an administrator user)

The asset information can be edited in two ways:
• Access the list of assets and click Edit, within the column Actions, on the asset you wish to edit.
• From the list of assets, access the asset information by clicking the field Name. When the page with the asset information opens, click
Edit.
You can change general information in the asset edition page.
Once the information is edited, end the process by clicking Update Asset. If you do not wish to modify the asset data click Cancel. In both
cases you will be redirected to the list of assets.
In order to edit several assets, you must first select the assets using the checkboxes and click the Edit button in the top menu.

When you are simultaneously editing a field in several assets, the checkboxes of the fields that will be modified are automatically marked.
To complete the edition, click the Update checked assets button.

VULNERABILITY RISK MANAGEMENT
Export Assets

To export the information of the assets, choose the assets you want to download by using the checkboxes and click the “CSV” button. A
downloadable file will be created in CSV format. For files that are too complex to be generated online, a download link will be sent to the
email address registered in the Service Portal.

VULNERABILITY RISK MANAGEMENT
Assets - Customized Fields

Custom fields allow you to catalogue assets in a personalized
and adaptable way for your organization. For example, you can
catalogue your assets based on business units or groups of
assets that allow greater control and strategic asset
management. With these fields you can perform quick asset
identification through filters and further multi-edition.

VULNERABILITY RISK MANAGEMENT
Resources - Feeds

Shows all the information about feeds to correctly manage the
Vulnerabilities Portal. This includes the CPE, CVE, CWE, CAPEC
and Exploits Feeds:

• CPE Feed > Click Resources > CPE Feed to access the CPE
feed list which is frequently updated.
• CVE Feed > Click Resources > CVE Feed to access the CVE
feed list which is frequently updated.
• CWE Feed > Click Resources > CWE Feed to access the
CWE feed list.
• CAPEC Feed > Click Resources > CAPEC Feed to access the
CAPEC feed list.
• EXPLOITS Feed > Click Resources > EXPLOITS Feed to
access the Exploits feed list which is frequently updated.

VULNERABILITY RISK MANAGEMENT
Service Settings – Users 1/2

From the Service Settings menu of the VRM Service
Portal it is possible to access unique user and client
configurations of the service.
For users you have the following information available:
General Information, Resolution Groups, Configured
Alerts (with Alerts module), Notifications and Viewing:

General Information: The name, email, phone number,
language, time zone, profile, whether or not you send
notifications and alerts in addition to the permission given
on the Service Portal.

VULNERABILITY RISK MANAGEMENT
Service Settings – Users 2/2

• Resolution Groups Configuration: This tab contains a list of the
Resolution Groups that the user belongs to. By default, users are not
assigned to any Resolution Group and can view all vulnerabilities and
assets in the organization. To assign a specific Resolution Group it is
necessary to edit the user's profile.
• Configured Alerts: On this tab the user can review the Vulnerability Alerts
he has been subscribed to (only with Alerts module active).
• Notifications configuration: On this tab the user can customize the
notifications he wants to receive when changes are made to the portal.
• Visualization Section: The user can indicate the version of CVSS to be
shown in the VRM portal for the default navigation. By default the value is
CVSS-V2.
• Options are CVSS-V2 & CVSS-V3.
• The general and individual vulnerability views include a
switch-type button that allows you to change between the
versions (CVSS-V2 and CVSS-V3) at any time without having
to go to the profile. By default the button is set to the
option indicated by the user in his display profile.

VULNERABILITY RISK MANAGEMENT
Service Settings - Client Units (only for an administrator user)

The Units option from the Service Settings dropdown menu will
only be visible for administrator users.

You can configure some specific Unit settings using this option:

• Resolution Groups

• Customized Assets Data

VULNERABILITY RISK MANAGEMENT
Service Settings - Client Units – Resolution Groups

Edit Resolution Group of the client unit


• Resolution Groups help limit the visibility of assets and vulnerabilities in the organization to the user groups responsible for managing them.
• There are two ways to define the Resolution Groups of the organization that will be assignable to assets and vulnerabilities:
• Access the client list and click on Edit, in the Actions column, on the client to be edited.
• From the client unit list, access the client information by clicking on the field client unit name. Once the page with the customer
information is opened, click on Edit.
• Once you have edited the Resolution Groups, finish by clicking on the Update Client button. If the customer's Resolution Groups are not to
be changed, click Cancel. In both cases the user will be redirected to the list of clients to which he belongs.

VULNERABILITY RISK MANAGEMENT
Service Settings - Client Units – Customized assets data

Customized assets data


• There are two ways to define the custom fields of the organization's assets.
• Access the client unit list and click on Edit, in the Actions column, on the client unit for which you want to create the custom fields.
• From the client unit list, access the client unit information by clicking on the Name field.
• In both cases, a window with the Asset Customization tab will be shown. Click on this tab and then on the Create
button.
• Next, enter the name of the new custom field. If this field is to have a list of values defined, click Add Value and enter the name of the value.
• Finally, after editing the custom fields, click on Create Attribute. If the custom field is not to be created, press Cancel. In both cases, the user
will be redirected to the list of customized fields of the assets.

VULNERABILITY RISK MANAGEMENT
Service Settings - Vulnerability Alerts

• The Alerts option from the Service Settings dropdown menu
will only be visible if there is a configured Vulnerabilities Alert.

• You can view the list of all the vulnerability alerts you configured
in the menu Service Settings > Alerts. This list is paginated,
making the view more streamlined.

• To create an alert, click New. An initial block pops up at the top
with the main Alert features, and you can also configure the
CVSS information blocks. The blocks of CVSS Information,
Resolution Groups, Assets, Products, Languages and Conditions
are displayed. Configure the fields so that, when a newly
released vulnerability matches them, you are notified
by email.


Managed Detection & Response

MANAGED DETECTION & RESPONSE
Client view (1/2)

This dashboard is accessed by clicking on the ‘Managed Detection &
Response’ service in the left-hand drop-down menu. It includes KPIs
related to MDR events, alerts and incidents. All chart information is
restricted by filters. If no filter has been defined, the values will
correspond to those defined in the user's profile.
It contains the following KPIs:
• Active incidents:
• Total: number of incidents that are unsolved, with the
variation from the previous week.
• > 7 days: current number of incidents pending for more than
7 days, with the variation from one week before.
• Critical: number of critical priority incidents, with the
variation from the previous week.

MANAGED DETECTION & RESPONSE
Client view (2/2)

• Mitigated incidents:
• Total: number of incidents that are mitigated, with the
variation from the previous week.
• Last 7 days: current number of incidents mitigated in the last
7 days, with the variation from one week before.
• Silent endpoints:
• Total: number of silent endpoints, with the variation from
the previous week.
• Critical: number of critical silent endpoints, with the
variation from the previous week.
• Incidents by Unit: Pie chart representing the number of incidents split by
Resolution type, Priority and Status classification.
• Incidents Evolution: Evolution chart representing the number of silent
endpoints, divided by silent time for Unit, Priority and MITRE classification.
• Critical Silent endpoints: Pie chart and Evolution chart representing the
number of critical silent endpoint alerts opened in the filter period.
• Cases evolution: Timeline graph that represents the number of cases
split by Open and Closed, classified by unit and priority.

MANAGED DETECTION & RESPONSE
Unit view (1/2)

This dashboard is accessed by clicking on the ‘Managed Detection &
Response’ service in the left-hand drop-down menu. In the Client
dashboard, select the Unit in the dropdown. The Unit dashboard
includes KPIs related to MDR events, alerts and incidents. All chart
information is restricted by filters. If no filter has been defined, the
values will correspond to those defined in the user's profile.
It contains the following KPIs:
• Active incidents:
• Total: number of incidents that are unsolved, with the
variation from the previous week.
• > 7 days: current number of incidents pending for more than
7 days, with the variation from one week before.
• Critical: number of critical priority incidents, with the
variation from the previous week.

MANAGED DETECTION & RESPONSE
Unit view (2/2)

• Mitigated incidents:
• Total: number of incidents that are mitigated, with the
variation from the previous week.
• Last 7 days: current number of incidents mitigated in the last
7 days, with the variation from one week before.
• Silent endpoints:
• Total: number of silent endpoints, with the variation from
the previous week.
• Critical: number of critical silent endpoints, with the
variation from the previous week.
• Incidents: Pie chart representing the number of incidents
split by Resolution type, Priority and MITRE classification.
• Critical Silent Endpoints: Pie chart and Evolution chart
representing the number of critical silent endpoints alerts
opened in filter period.
• Cases evolution: Graph of timelines that represents the
number of cases, classified by status and priority.


SIEM Management & Device Management

SIEM MANAGEMENT & DEVICE MANAGEMENT
Security Monitoring (1/2)

This dashboard is the default view when you click on the ‘SIEM
Management’ service in the left-hand drop-down menu. It includes
KPIs related to events, alerts and incidents discovered by the SIEM. It
shows general security information in real time and contains
information on the number of incident-related tickets generated. All
information is restricted by filters. If no filter has been defined, the
values will correspond to those defined in the user's profile.
It contains the following KPIs:
• Event Conversion Funnel: Funnel with the number of events,
alerts, Security Monitoring incidents and external incidents from
Risk Monitoring.
• Data Source Faults: total number of incidents in data sources.
• Incidents by Priority: pie chart with total number of incidents
classified by priority.
• Incident Evolution: area graphic with the temporal evolution of
the total amount of security monitoring incidents vs. number of risk
monitoring incidents with ‘Whitelist’.

SIEM MANAGEMENT & DEVICE MANAGEMENT
Security Monitoring (2/2)

• Top 5 Ambits: bar chart with the 5 ambits with the most events
related to alerts.
• Top 5 Technologies: chart with top 5 technologies ordered by
number of events.
• Events in Incidents per Technology: event number of Security
Monitoring incidents split by technology, not in whitelists.
• Events per Technology: event volumetry evolution. Top 10
technologies in the period, comparing each value to the average
of three previous periods.

SIEM MANAGEMENT & DEVICE MANAGEMENT
Network Activity (1/2)

This dashboard appears when clicking on the 'Network' option of the ‘SIEM
Management’ dashboards. It includes the KPIs related to network
events, alerts and incidents related to the ‘SIEM Management’ service. It
shows the network risk status in real time and contains information on
the number of incident-related tickets generated. All information is
restricted by filters. If no filter has been defined, the values will
correspond to those defined in the user's profile.
It contains the following KPIs:
• External Source IP Incidents: total number and list of Incidents
(ticket type 'incident'), service ‘SIEM Management’, product type
'Incident Notification', with external source IP.
• Internal Source IP Incidents: total number and list of Incidents
(ticket type 'incident'), service ‘SIEM Management’, with private
source IP.

SIEM MANAGEMENT & DEVICE MANAGEMENT
Network Activity (2/2)

• Top 5 External IP Network Activities: top 5 External IPs by number of events with external source IP whose alert was opened within the
requested time frame.
• Top 5 Internal Talkers: top 5 device host names by number of events with internal source IP whose alert opening date is within the
requested time frame.
• Top 5 Country External Network Activities: top 5 countries by number of events with external source IP with an alert whose opening
date is within the requested time frame.

SIEM MANAGEMENT & DEVICE MANAGEMENT
User Behavior (1/2)

This dashboard appears when clicking on the 'User Behavior' option of the
‘SIEM Management’ dashboard. It includes the KPIs related to user
events, alerts and incidents detected in the ‘SIEM Management’
service. All information is restricted by filters. If no filter has been
defined, the values will correspond to those defined in the user's
profile.
It contains the following KPIs:
• Top 5 Users in Incidents: list of the top 5 users by incidents
(alerts with some event related to user).
• Top 5 Users with more Alerts without Incident: bar chart with
the top 5 users only in alerts that have not generated an incident
(ticket with type incident).

SIEM MANAGEMENT & DEVICE MANAGEMENT
User Behavior (2/2)

• Top 5 Devices with more User Alerts: bar chart with the top 5
hostnames with alerts related to user.
• Top 5 Users with more Alerts: bar chart with the top 5 users
related to alerts.
• User Events in Alerts per Technology: temporal bar chart
representing the number of events in alerts with non-empty user
field, distributed by technologies, during the time frame selected.
Additionally, the average of the three previous periods is
represented.

SIEM MANAGEMENT & DEVICE MANAGEMENT
Alert's view

This view displays a list of alerts that meet specific conditions from various
filters. By default, it shows the alerts received today.
The functionalities available in this view are:
• Export the list in CSV format.
• Search by Ticket ID, Severity, Timestamp, Description, Service,
Source, Destination, Location, Type, Status, Ambit, Technology. When
deploying advanced filters, we find new parameters such as Host
address, Attack location and Extensions.
• Check the detailed information of the alert: by clicking in the drop-down
menu on the right-hand side of the alert table.
• The information presented in the detail is as follows:
• General info
• Source
• Destination
• Event sources
• Extensions
• Events related to alerts

SIEM MANAGEMENT
Event source's view

Shows the list of event sources, with the total number of events
reported by a device (Firewall, IPS, IDS, Proxy, etc.) on a
specific date with daily periodicity in list format. The
functionalities available in this view are:
• Import the list of sources in CSV format.
• Export the list of sources in CSV format.
• Search by text in the list fields: Country, Ambit, Vendor,
Product, Technology, Hostname, IP Address, Source, Criticity,
Integrated, Total Events.
• Search by Reported date.
• Check the list of tickets related to the Hostname: click on the
Hostname ID.
• Check the list of tickets related to the IP: click on the IP of the
source.
• Check the detailed information of the source: by clicking in
the drop-down menu in the right-hand side of the source
table.

DEVICE MANAGEMENT
Managed Device's view

Displays devices managed by the SOC in a manner
equivalent to a CMDB.
Only the tickets whose "Asset name" field appears in the list
of Managed Devices will be displayed.
• Import the list of devices in CSV format.
• Export the list of devices in CSV format.
• Search by text in the list fields: Hostname, Category, IP,
Technology Provider, Firmware Version, Serial Number,
Maintenance End Date, Physical Location and Client
Contact.
• Check the detailed information of the device: by clicking
on the arrow icon in the right-hand side of the device
table.
• Edit the detailed information of the device: by clicking on
the pencil icon in the right-hand side of the device table.
