Portal-Quick User Guide v4 en
Global Dashboards ....................................................................................... P 31
SIEM Management & Device Management .................................................. P 123
General Information
Services
Digital Risk Protection
Vulnerability Risk Management
Telefónica's Vulnerability Risk Management service offers a global view of an organisation's weaknesses, helping to
identify security threats and possible attack methods, discovering all of the organisation's assets exposed on the
Internet and enabling rapid management of their correction. It helps to prioritise and focus on the correction of the
vulnerabilities found, monitor their status and propose a package of preventive and corrective measures and
recommendations to ensure an adequate level of security. It provides the following sections:
• GLOBAL FUNCTIONS
• Dashboards: represented by a house-shaped icon. It is the page you see by default when accessing the Service
Portal. It allows you to view at a single glance all the vulnerabilities detected, to prioritize their correction by status,
severity or category, and to see the evolution of their status and the level of support for the correction of
vulnerabilities.
• Documents: access to the repository of the organization files.
• Reports: access to the management of reports generated and possibility of creating new reports.
• MSSP FUNCTIONS
• Assets: it gives access to the management of your organization's assets initially uploaded to the Service Portal,
and to those detected by the Vulnerability Analysis and Persistent Pentesting modules.
• Vulnerabilities: you can access the full information of the vulnerabilities detected in the projects.
• SERVICE TOOLS
• Projects: you can access the complete information of your executed and planned projects.
• Resources: this dropdown menu provides access to the latest updates of the data feeds used in the
VRM service: CVEs, CPEs, Exploits, CWEs and CAPECs.
• Service Settings: this dropdown menu gives Administrators access to configure the service-specific
settings.
Managed Detection & Response
With the Managed Detection & Response service we focus on Advanced Threat Detection, Threat Intelligence,
Hunting, and Digital Forensics & Incident Response. It provides the following sections:
• MSSP FUNCTIONS
• The Dashboards section shows the status in real time and contains information on the number of
incident-related cases generated. It contains the following widgets: Active incidents, Mitigated
incidents, Silent endpoints, Case evolution.
• The Alerts section shows the alerts collected in this service. By default, it shows the alerts collected
today but you can filter by multiple parameters including the alert timestamp.
• The Managed Devices section displays devices managed by the SOC in a manner equivalent to a
CMDB.
SIEM Management
The SIEM Management service focuses on maximum protection through the combination of state-of-the-art
advanced detection technologies based on Big Data and machine learning, together with the automatic
management and immediate notification of incidents from Telefónica's Security Operations Centres (SOC).
It provides the following sections:
• MSSP FUNCTIONS
• The Dashboards section shows the status in real time and contains information on the number of
incident-related cases generated. It contains the following dashboards: Security Monitoring,
Network Activity and User Behavior.
• The Alerts section shows the alerts collected in this service. By default, it shows the alerts collected
today but you can filter by multiple parameters including the alert timestamp.
• The Event Sources section displays the total number of events reported by a device (Firewall, IPS,
IDS, Proxy, etc.) on a specific date with daily periodicity in list format.
• Lists: custom data tables related to this service. For example, blacklists and whitelists.
Device Management
With the Device Management service you delegate the administration and supervision of your security
equipment (Firewall, IDS / IPS, antivirus, and so on) to Telefónica's global SOC network, with immediate
notification about the real status of your security and risk management. It provides the following sections:
• MSSP FUNCTIONS
• The Dashboards section shows the status in real time and contains information on the number of
incident-related cases generated. It contains the following dashboards: Security Monitoring,
Network Activity and User Behavior.
• The Alerts section shows the alerts collected in this service. By default, it shows the alerts collected
today but you can filter by multiple parameters including the alert timestamp.
• The Managed Devices section displays devices managed by the SOC in a manner equivalent to a
CMDB.
• Lists: custom data tables related to this service.
Integrated Risk Management
The Integrated Risk Management service helps organizations support their business strategy, improve their operational performance, reduce
operational risks and ensure regulatory compliance. IRM is the perfect complement for creating a programme for the governance, risk management
and effective compliance of your organization's information security.
It provides the following sections:
• Dashboards / Home: are defined with a set of Indicators and a set of Module access cards.
• Architecture: is the way in which we can describe a theoretical model that represents the reality of the organisation so that we can identify the
critical technological assets and how the risks that could materialise on them affect the services and business processes.
• Project: are entities that group tasks together and can be tracked in this section. These tasks can be, for example, implementation tasks of controls
that have been selected as treatment of risk scenarios, improvement actions suggested as a consequence of dissatisfaction of implemented
controls, etc.
• Measurement: is where the Dashboards are managed. Among them, it is worth distinguishing the Main Dashboards, which are the ones that make
up the Use Cases shown on the Home page.
• Document Manager: stores service documents, reports and any other additional information for the customer. It includes upload, download, edit
details, delete, search and other management options.
• Import: offers import capabilities for various types of entities, including from the PILAR tool. The elements for the main functionalities can be
imported by means of Excel files. With the option 'Download Template' you obtain the Excel file to fill in and import later.
• Configuration: here you will find the options for defining the organizational and functional structures of the Organization. From here, we can also
manage the Users and their Roles and even view the access log of all users.
• Help: in this section you can find the documentation and specific user manuals.
NOTE: The classic navigation layout is maintained in this service.
For more information, please check the IRM Help section.
Login
• Only five consecutive failed login attempts are allowed. Once this
limit has been reached, the user will be blocked and redirected to
the password change page.
• When changing the password, the last ten passwords cannot be
used.
• Once authenticated, the portal displays the date, time and IP of
the last session, and the number of failed attempts since the last
session.
• The password must be changed 120 days after the last change.
• Remember that the password must:
• Have at least 8 characters.
• Be different from the last 10 passwords used.
• Not contain your login email.
• Contain, at least, one capital letter, one lower
case letter, one number and one special
character.
There is automatic management of user inactivity. Users are first blocked and later removed if they do not log in to the portal:
• Users who have not logged in for more than 83 days (7 days before blocking) will be notified by email that they will be blocked if they do not
log in within the next 7 days.
• Users who have not logged in for more than 90 days will be blocked automatically. They can be unblocked by a user with admin
permissions in the user admin section.
• Users who have not logged in for more than 150 days (60 days after they have been blocked) will be removed from the portal.
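The Login rules above, written out as one policy module so the thresholds can be checked in one place. This is an added example and not the portal's own code: the limits (8 characters, 10-password history, 120-day rotation, five failed attempts, the 83/90/150-day inactivity stages) are the ones stated in this guide, while the Account structure, the PBKDF2-HMAC-SHA256 storage scheme and the function names are assumptions made for the example.

```python
"""Added example, not the portal's own code: the Login rules in this guide
(password composition, 10-password history, 120-day rotation, five failed
attempts, 83/90/150-day inactivity) modelled as server-side checks.
The thresholds come from the text; the storage scheme (PBKDF2-HMAC-SHA256
with a per-user salt) and the Account structure are assumptions."""
from __future__ import annotations

import hashlib
import os
import re
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 8
PASSWORD_HISTORY = 10          # "different from the last 10 passwords used"
PASSWORD_MAX_AGE_DAYS = 120    # "must be changed 120 days after the last change"
MAX_FAILED_LOGINS = 5          # "only five consecutive failed login attempts"
NOTIFY_AFTER_DAYS = 83         # warning e-mail, 7 days before blocking
BLOCK_AFTER_DAYS = 90          # automatic block
REMOVE_AFTER_DAYS = 150        # removal, 60 days after the block


@dataclass
class Account:
    email: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)   # oldest hash first
    password_changed: date = field(default_factory=date.today)
    failed_attempts: int = 0
    blocked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed scheme; the guide does not say how the portal stores passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def password_problems(account: Account, candidate: str) -> list[str]:
    """Return the rules the candidate violates; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if account.email.lower() in candidate.lower():
        problems.append("contains the login email")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no capital letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    if hash_password(candidate, account.salt) in account.history[-PASSWORD_HISTORY:]:
        problems.append(f"matches one of the last {PASSWORD_HISTORY} passwords")
    return problems


def set_password(account: Account, candidate: str, today: date | None = None) -> None:
    """Apply a password change, keeping only the last PASSWORD_HISTORY hashes.

    A block caused by failed attempts sends the user to the password change
    page, so a successful change also clears the failed-attempt counter.
    """
    problems = password_problems(account, candidate)
    if problems:
        raise ValueError("; ".join(problems))
    account.history.append(hash_password(candidate, account.salt))
    del account.history[:-PASSWORD_HISTORY]
    account.password_changed = today or date.today()
    account.failed_attempts = 0
    account.blocked = False


def password_expired(account: Account, today: date | None = None) -> bool:
    today = today or date.today()
    return (today - account.password_changed).days >= PASSWORD_MAX_AGE_DAYS


def record_failed_login(account: Account) -> bool:
    """Count a failed attempt; returns True once the account is blocked."""
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_LOGINS:
        account.blocked = True
    return account.blocked


def inactivity_action(idle_days: int) -> str:
    """Lifecycle stage for an account idle for idle_days: 'ok', 'notify', 'block' or 'remove'."""
    if idle_days > REMOVE_AFTER_DAYS:
        return "remove"
    if idle_days > BLOCK_AFTER_DAYS:
        return "block"
    if idle_days > NOTIFY_AFTER_DAYS:
        return "notify"
    return "ok"
```

inactivity_action takes the number of idle days so that a nightly job can compute it once per user from the last-login timestamp; each stage uses a strict "more than" comparison, matching the wording of the guide, so day 83 itself is still "ok" and day 90 itself still only notifies.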
Access Configuration
• In 'My Data' section you can view your current status (None,
Latch, TOTP or Latch+OTP), followed by the access button to
‘Configure 2FA’.
• Then select 'Configure 2FA'.
• Only options that are greater than or equal to the minimum
required by your user according to the environments to which you
have access will be shown as selectable.
• By default, the minimum required level will be selected, or Latch if
2FA is not mandatory in any environment to which you have
access.
• "Latch + OTP" will show as an "OTP" check within the Latch
option. If the minimum required is TOTP, OTP will be shown
marked when the Latch option is accessed.
Security Services | Customer Web Portal
Quick User Guide – v4
How do I configure 2FA with Latch?
How do I configure 2FA with Latch + OTP?
Global Dashboards
Tickets
This view displays a list of tickets that meet the conditions defined in a
filter. By default, the view shows current active tickets.
The functionalities available in this view are:
• Create a new ticket: this option allows the creation of a new
incident or request ticket.
• Export the list in CSV format.
• Filter by most of the ticket attributes.
• Check the detailed information of the ticket: by clicking on the
ticket ID or in the drop-down menu on the right-hand side of the
ticket table.
• Manage the ticket, one by one or selecting a group. Depending on
the status of the ticket: Comment, Update, Suspend, Reactivate,
Resolve, Close, Cancel, Clone.
This view shows the fields by which ticket searches can be filtered.
These are:
• ID: Ticket ID.
• Priority: Critical, High, Low, Medium or Undefined.
• Opening Date: Ticket Opening Date. All pre-selected.
• Resolution Date: Ticket Resolution Date.
• Service: Service to which the Ticket belongs.
• Client Ticket ID: related ticket ID in the client’s ticketing system.
• Location: Ticket Location.
• Type: All, Incident or Request. All pre-selected.
• Status: Unidentified, Open, Work in progress, Suspended,
Resolved, Closed or Cancel. The first four pre-selected
• Category: Ticket Category.
• Title: Ticket Title.
• Description: Ticket detail.
• Group: Assigned Group.
• Operator: Assigned Operator.
Clicking on the "Show advanced filters" button will display the rest of
the fields to filter by. These are:
• Updates: Update log.
• Product Type: for example, Analysis, Configuration, Reports or
Request. All pre-selected.
• Problem Type: provides more detail about the type of problem. All
pre-selected.
• Source Range IP: All, Private or Public.
• Detection Date: date on which the alert that opened the ticket
was detected
• Closing Date: date on which the status becomes closed.
• Ambit: client defined tags that define a business or system area
• Technology: Antivirus, Firewall, GNU, IDS-IPS, Linux, Proxy,
Radius, VPN, Windows or Windows Server.
• Complexity: Low, Medium or High.
These are the advanced CI filters and advanced view fields to fill in
when creating a new ticket:
Advanced CI filters
• Data Center Country
• Data Center Province
• Data Center Locality
• Data Center Street
• Data Center Building
Advanced views
• Affected User (by default it is filled in with current user
information)
• User Affected Name
• User Affected Email
• Tags: allow tagging the ticket to restrict access to it based on:
• Location
• Ambit
• Technology
• Complexity
Documents
The 'New folder' button creates a new folder within the current folder.
After clicking on it, a pop-up window appears where the following
fields must be filled in:
• Name: the name of the folder. It is mandatory.
• Periodicity: select a value from the list only if this folder is relevant
for daily or weekly reports.
• Technology, Ambit and Countries: select one or several values to
restrict access to the folder only to users whose profile contains at
least one of the selected values.
The 'New document' button allows you to upload a new file to the
current folder. After clicking it, a pop-up window shows the following
fields to be filled in:
• Document: select the document stored in the user's equipment to
be uploaded. Mandatory field.
• Title: the name that will appear in the list of documents. Mandatory
field.
• Data date: date of the information contained in the document.
• Technology, Ambit and Country: select one or more values to
restrict access to the folder only to users whose profile contains
at least one of the selected values.
• Author, Status, Version and Type: additional descriptive
information about the file.
The VRM Documents section is located under the Global Tools menu.
It has a specific dropdown selector to give access to the Documents
section of each client Unit.
Reports
In the second step of the creation wizard, the general configuration of the
report is configured. The parameters to which the report is to be applied
are configured. These are:
• Timeframe: Current day, Previous day, Previous 7 days,
Previous week, Previous 30 days, Current month, Previous
month, Custom Range (selecting start and end dates).
• Country: filter by country
• Ambit: filter by ambit
• Technology: filter by technology
• Priority: filter by priority
• Services: services available for the report.
In the third step of the creation wizard, you select the mode of
sending the report. The options are:
• Attached to the email: configuring the email that will
attach the report with the emails to which it is sent, the
subject (which can be completed with information related
to the report: Timeframe start, Timeframe end or Date of
execution) and the body of the message.
• As link in email: configuring the email which will include
the link to the report with the emails to which it is sent, the
subject (which can be completed with information related
to the report: Timeframe start, Timeframe end or Date of
execution) and the body of the message.
• Document Repository: the way to send the report is by
uploading it to the document repository, in the folder
indicated in the Path (separated by "/", this sign is the
root), and labelling the report by the values of the fields:
Country, Ambit and Technology.
The Unit field has also been included in the filters in order
to be able to consult only the reports of the unit or units
that are of interest.
The Reports menu gives access to the list of created reports. The list contains the columns Type, Name, Projects, Session, Start
Date and End Date with the basic information of the reports. Clicking the Name column of a report shows its information.
Through the Reports section, located under the Global Tools menu, you will be able to create, review and edit four kinds of
VRM reports:
• Vulnerabilities Technical. The Technical report of Vulnerabilities contains the information of a selected project: assets within the
scope, time windows enabled for the performance of tests, detail of the tests performed and detected vulnerabilities.
• Differential. The report Differential of Executions allows to view the
evolution of the status of vulnerabilities of the execution of tests
selected from a particular project. The statuses in the report are: old,
fixed, reopened and new.
• Customized Technical. The Customized report contains
information of vulnerabilities based on several filters: start date, end
date, asset, Resolution Group, vulnerability, status and severity. The
report will show those vulnerabilities resulting from the application of
all the filters, the assets in which they are and the projects to which
those vulnerabilities belong.
• Follow-Up. The Follow-Up report allows to know the current status
of the vulnerabilities by severity and status within the selected dates.
It also presents an analysis of vulnerabilities treatment.
When creating a new report, the drop-down list "Periodicity" is shown, containing the
values:
• One-Shot
• Weekly
• Monthly
If Weekly or Monthly is selected, a calendar appears so that the user can select the
date on which the first report must be generated automatically.
To revise the structure of a report, click Review. A new page will open to edit the structure through the following actions:
• Add new section of first level at the end of the existing ones, in case it is performed on the index of the report. In case a new
section is added to an already existing section, it will be of second level and it will also be added at the end of the already existing
sections.
• Add new paragraph at the end of the section.
• Swap the section/paragraph with the immediately preceding one.
• Swap the section/paragraph with the immediately subsequent one.
• Edit title of section. In case it is a paragraph, all the block can be edited as if it was a text editor. There are certain paragraphs with
the tag [non editable] which contain information of the project and cannot be edited.
• Remove section/paragraph.
Admin
You can only access the module if you have a profile with user and
profile management permissions.
You must go to the “All Services” section of the portal. Then go to the
"Configuration" section.
You will see an "Admin" entry in the main menu. By clicking on that
entry, you will access the management module.
Once there, you will be able to manage users, user profiles and view
the information of contracted services.
By selecting the Profiles tab, you will be able to see all the profiles
that are configured.
For each profile, the name and number of users who have this profile
assigned to it are displayed.
• Filters: If enabled for the client, you can activate filters (area,
technology, country...) and choose loaded values for those filters
that will be applied in data access. Only data labeled with these
values will be visible by users with that profile.
• Sections for each service, with the selection of modules that will
be visible and with what level of access, for each unit of the client
when applicable.
• When you select the users tab, the list of users who have access to this client appears.
• You can search for users whose email contains the search pattern you enter. The search allows regex and is not case-sensitive.
• For each user it is shown:
• User type (SOC, client), as an icon. Client administrators will only see client users, with the icon
• Email. When you click on it, we go to the user's detail.
• Name.
• Profile that user has applied. When you click on it, we go to the profile detail.
• Status: status of the user's account: Active, Pending Invitation or Blocked.
• Action Menu: to delete the user, upon confirmation. Unblock if Blocked. A user can't delete himself, so the icon won't appear.
• If the user exists in the portal but does not have access to
this client, a prompt appears: "This user already exists. You
can configure your access to client_name", together with a
"Configure access" button that takes you to the next step,
where the following appear:
• The user's data, as recorded by the user.
• The profile you want to assign. If you want to use the default
profile, select the blank option.
• To delete a user, simply click on the action menu to the right of the
entry in the Users section, then click on the “Delete” action.
Confirmation will be requested and, if confirmed, that user's access
(their affiliation) to this customer will be removed.
The user will not be permanently removed from the portal until all
their affiliations are deleted.
• In the Users section, clicking on a user's name or email gives you
the details of the user.
• On the detail page there is an “Edit” button, which allows you to
activate the profile selector and assign it a different one. To
confirm the change, click “Resend invitation”.
• User data can only be added and modified by the user himself, in
his profile, accessible by clicking on the “My data” section in the
header icon.
• In the client information section, you can see all the information of the contracted services available on the portal:
• Administrative data: name, acronym, provision status, contracting status, tax id, country, time zone, language, sector and subsector,
mail domains, second factor configuration, notifications (to be used later for notifications of new versions or problems) and domains
through which the portal can be accessed.
• Authentication & access
• Domains from which you can access the portal
• Second factor configuration
• Single sign-on settings
• Dashboards available
• Default profiles
• Tools
• Billing status
• Units
• Ticketing
• Reports
• Lists
• Filters
• Sections for each service
Below is a top-five list of the entities observed most frequently in
the threats registered in the last month, both with respect to the
Affected Assets and to the Threats themselves.
For those units associated with more than one customer, the
item can be unfolded to see the complete list.
The following graph shows a heat map with the geographic distribution of
the threats registered over the last month along the footprint of the
customer.
The last section shows graphs of the evolution of the threats detected and the threats
resolved for all the companies of the customer.
Graphs support a certain level of customization, allowing:
▪ Add/remove the companies you want by clicking on their name in the legend at the
bottom of the graph.
▪ Focus on a specific time range to see its evolution, simply selecting that range with the
mouse.
The Dashboard shows the overall threat status and a summary of the latest threats and reports delivered, in client context
and with the "One unit" option selected in the dashboard selector.
▪ Dashboard: shows the overall threat risk, as well as service activity metrics
based on the date range selected in the filter (by default, it shows
information from the service start date to the current date):
o Number of threats detected by type and associated risk.
o Number of threats by status.
It also displays the number of unread threats (see orange tooltip) giving the
possibility to access them directly by clicking on the number.
In the Threat Detail, users with Client-Adm role can request real-time
mitigation or takedown of a threat by simply clicking on “Request
Mitigation”.
Once the takedown has been requested, the “Mitigation” section will
be shown in the threat detail, which will be updated with the actions
that will be applied in the threat response process.
Under certain circumstances, you may want to highlight or mark one or more
threats to follow up on them.
To do so, simply click on the gray circle to the left of the threat you want to mark:
Once done, the threat will be highlighted with a blue circle:
Likewise, any analyst of the Digital Risk Protection service can mark a specific threat at
any given time. In this case, the threat will be highlighted with the following circle:
In order to find out which user has marked the threat, you will just have to hover the
mouse over the circle and a tooltip will be shown with the user’s information.
From the “Statistics” section, you will be able to consult a series of graphs representing the threats managed, according to their evolution,
type and status.
From the Statistics section you can apply filters to visualize personalized
graphs according to different parameters:
• Date range:
• Last week: graphs show the information from the last
seven days.
• Last month: graphs show the information from the last
month.
• Last year: graphs show the information from the last year.
• Custom: it allows selecting the time range of the graph
information.
• Family: graphs show the information of the family or families to which
the threat belongs: Business Disruption, Reputation and Brand, Online
Fraud.
• Type: graphs show the information of threats according to the selected
types. The Family must be selected previously.
• Status: graphs show the information of threats according to the
selected status.
Once the filtering criteria are selected, click on “Filter”. To remove the applied
filters, click on the “Clear” button.
Through the Entities section, you will be able to consult the list of all
the entities extracted from the registered threats. These can be
categorized as Affected Asset (customer’s assets), Threat (related to
the threat itself) and Source (source where the threat was observed).
• Filters: you can apply filters on the listed entities under different
parameters:
• Entity
• Detected on
• Category
• Threat Type
• Entity Type
• You can export a csv file with the list of entities, according to the
selected filter, by clicking on this button.
Through the “Newsletters” section, within the “News” menu, you will
be able to consult the list of all newsletters delivered by the service.
• Filters: you can apply filters on the listed news according to
different parameters:
• Published at
• Newsletter
• Type
• Query
• Category
• Sector
• Export (CSV): you can export a CSV file with the list of news,
according to the selected filters.
The “Exports” section allows you to query and export, more completely and efficiently, the confidential resources active from the Credential
Theft threats that are of Botnet origin.
Each option will open a new view where you will be able to create the corresponding searches or consult the list of your previous searches.
In the “New credential search” view, you can select among a series of filters that limit the information to be searched.
From the list of searches, you can Open or directly Download any of them, among other options.
If you choose to Export the search, you will have the option to export the list of active credentials in CSV format.
From the “My Profile" section, located at the top of the portal, you can edit
the configuration of the notifications by email offered by the service.
Firstly, you can enable or disable the notification of threats by type,
indicating from what risk level you want to be notified and whether or not you
want the notification to include a report with the full detail of the threat and
the evidence in PDF format.
Finally, you can select which types of reports you want to receive
notifications when they are published. This option also includes the reception
of newsletters.
There are specific charts and cards available only for Units
using the Risk or VMI priority schemas.
• When a project is accessed, the information appears in several tabs: General Information, Assets, Windows, Executions and
Vulnerabilities. A horizontal bar is shown on the tab you are on.
• General Information: It includes the number of assets within the project scope and the number of detected vulnerabilities.
• Below this information there is the number of vulnerabilities pending revision, broken down into these statuses: Potential, Open and Non
Certified, and the number of vulnerabilities revised, broken down into these statuses: Discarded, Assumed, Corrected and
Certified. In addition, there is a graph indicating the level of severity of the vulnerabilities pending revision and of the revised
vulnerabilities.
It includes the blocks of information Project Details, Test Details, Recommendations and Personal valuation of the auditor. The block Detail of project contains these
fields:
• Client name.
• Name of the project.
• Identifier of the project.
• Start date, End date in the format dd/mm/yyyy hh:mm.
• Type of project: Vulnerability Alert, Vulnerabilities Assessment, Persistent Pentesting, Black Box or White Box.
• Mode of execution: Manual or Automatic.
• Restrictions of the project.
• Source IP Addresses from which the tests were executed.
• Associate active-level vulnerabilities: when enabled, a single vulnerability is created per asset, regardless of details such as ports, URLs, multiple IPs or CPE.
o This option can only be enabled by SOC Administrators and System Administrators profiles.
• Synchronize CVSS of active vulnerabilities: by default, it will be with the option "No" for all the projects of the client; if this option is activated it will have 2 effects:
1. Retroactive effect: the Active vulnerabilities of the project that have a base CVSS value different from that of the VRM dictionary of vulnerabilities, will
update the value of their base CVSS, except for the vulnerabilities whose value was modified manually.
2. Effect of subsequent operation: Every time a vulnerability in the dictionary changes the value of the base CVSS, the CVSS base is updated in the active
vulnerabilities of the project, with the exception of those where the value was modified manually.
o This option can only be enabled by SOC Administrators and System Administrators profiles.
The other blocks are filled in by the auditor if deemed necessary.
• It contains a list of all the assets within the Project scope. By clicking the Name column of an asset, its information is
accessed. For more information, please check the section on Assets.
• List of time Windows authorized for the performance of tests and of the assets to be tested. By clicking the column Start of the window the
information of the same is shown.
List specifying when the tests are executed, within the authorized Windows, and the IP addresses from which they are executed. Clicking
the Start column of an execution shows its information.
The user has the possibility to filter project executions for different fields such as domain, dates, status of implementation and the last
executions grouped by domain.
In the case of Persistent Pentesting and Vulnerability Analysis projects, the status of the execution is shown in the Ends on column of the
Executions tab.
• Ends on column can have one of the following values:
• Running, if the scan is being executed
• Paused. For example, if the scan is out of the Execution window
• Stopped, if the scan has been manually stopped by CyberSOC team.
• Error. Click on execution in order to review the error.
The following three actions are available to users: Pause, Start and Stop.
These actions are available depending on the status of the execution:
• If the execution is running, Pause and Stop are shown.
• If the execution is paused, Start and Stop are shown.
• If the execution is stopped, no options are shown because it is a final status.
In the case of Persistent Pentesting projects, the progress of the current status of the execution is shown in the Progress column.
Accessing the execution details will show its full information. To do so, click on the
start date of the execution you want to see.
Unlike the progress bar from the list, the one shown in this view (in the Execution
Data section) indicates the number of tasks completed from the total.
In this view you can see the result of the assets and vulnerabilities analyzed in the
execution. Clicking on these hyperlinks displays the list views of the project's
vulnerabilities and/or assets, filtered by the execution.
The summary of the vulnerabilities shows the total of validated vulnerabilities with
respect to the total of vulnerabilities detected in the analysis; this value is dynamic,
reflecting those validated at the moment of accessing the view.
• New vulnerabilities: validated XXX / YYYY detected in the analysis
• XXX validated: [Total vulnerabilities detected in the analysis] -
[vulnerabilities detected in the analysis in the edition state] -
[vulnerabilities detected in the analysis in false positive state]
• When clicking on this hyperlink, it is redirected to the list of
vulnerabilities filtered by the execution; the total of vulnerabilities
shown is associated with the role and profile of the user, so that the
list for a client role will not contain the vulnerabilities in edition or the
false positives.
The vulnerability view can be narrowed down with the basic filter, which offers the most used fields (Client, Asset, IP Address, Vulnerability, Risk Level and/or Status), or with the advanced filter, shown by clicking the Show advanced filter button in the list.
The list contains the following columns, each sortable in ascending or descending order, with the basic information of the vulnerability:
• Identifier of the vulnerability with the nomenclature CUSTOMER_CODE-PROJECT_CODE-TYPE-AUTONUMERICAL_VALUE.
• Detected Vulnerability.
• Project to which the vulnerability belongs.
• Asset affected by the vulnerability.
• Status of the vulnerability. See section 4.2.3 Status of the Vulnerability.
• Type and Category of the vulnerability, which can be AP, CO, VE, RE, corresponding to Application, Configuration, Version and Recommendation,
respectively.
• Date of creation in the format dd/mm/yyyy hh:mm.
• Severity of the vulnerability.
• CVSS v2 severity levels are Low (green), Medium (yellow) and High (red), corresponding to scores 0.0-3.9, 4.0-6.9 and 7.0-10.0 respectively.
• CVSS v3 severity levels are Null (green), Low (yellow), Medium (orange), High (red) and Critical (magenta), corresponding to scores 0.0, 0.1-3.9, 4.0-6.9, 7.0-8.9 and 9.0-10.0 respectively (the CVSS v3 specification calls the 0.0 band None).
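As an added example (not code from the Service Portal or from Telefónica), the following Python reproduces the conventions of the vulnerability list just described: it parses identifiers of the form CUSTOMER_CODE-PROJECT_CODE-TYPE-AUTONUMERICAL_VALUE, maps CVSS v2 and v3 scores to the portal's severity bands, and computes the "validated / detected" summary and the client-role view from the Executions section above. The codes ACME and WEB01, the status labels and the records are constructed; that customer and project codes contain no hyphens is an assumption.

```python
"""Added example, not the Service Portal's own code.

Parses vulnerability identifiers of the form
CUSTOMER_CODE-PROJECT_CODE-TYPE-AUTONUMERICAL_VALUE, maps CVSS v2/v3
scores to the portal's severity bands, and reproduces the
'validated / detected' summary and the client-role view described in the
Executions section. Assumption: customer and project codes contain no
hyphens. Status labels and the sample records are constructed."""
import re

# Type codes used in the identifier and in the Type column.
TYPE_NAMES = {"AP": "Application", "CO": "Configuration",
              "VE": "Version", "RE": "Recommendation"}

# Assumption: neither CUSTOMER_CODE nor PROJECT_CODE contains a hyphen.
ID_RE = re.compile(
    r"^(?P<customer>[^-]+)-(?P<project>[^-]+)-(?P<type>AP|CO|VE|RE)-(?P<number>\d+)$")


def parse_vuln_id(ident):
    """Split an identifier into its four fields; reject anything else."""
    m = ID_RE.match(ident)
    if m is None:
        raise ValueError(f"malformed vulnerability identifier: {ident!r}")
    f = m.groupdict()
    return {"customer": f["customer"], "project": f["project"],
            "type": f["type"], "type_name": TYPE_NAMES[f["type"]],
            "number": int(f["number"])}


def _check_score(score):
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")


def cvss2_severity(score):
    """Portal bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    _check_score(score)
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def cvss3_severity(score):
    """Portal bands: Null 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9,
    Critical 9.0-10.0 ('Null' is 'None' in the CVSS v3 specification)."""
    _check_score(score)
    if score == 0.0:
        return "Null"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed status labels for the two states a client role never sees.
HIDDEN_FROM_CLIENT = {"In edition", "False positive"}


def validated_summary(vulns):
    """(validated, detected) exactly as the summary defines it:
    detected minus those still being edited minus false positives."""
    detected = len(vulns)
    hidden = sum(1 for v in vulns if v["status"] in HIDDEN_FROM_CLIENT)
    return detected - hidden, detected


def summary_line(vulns):
    validated, detected = validated_summary(vulns)
    return f"New vulnerabilities: validated {validated} / {detected} detected in the analysis"


def visible_for_role(vulns, role):
    """The execution-filtered list a given role is shown. Only the client
    role has hidden states removed; operator/administrator see everything."""
    if role == "client":
        return [v for v in vulns if v["status"] not in HIDDEN_FROM_CLIENT]
    return list(vulns)


# Constructed sample: one execution's findings (codes ACME/WEB01 are made up).
SAMPLE = [
    {"id": "ACME-WEB01-AP-000123", "status": "Open",           "cvss2": 7.5, "cvss3": 9.8},
    {"id": "ACME-WEB01-CO-000124", "status": "In edition",     "cvss2": 5.0, "cvss3": 5.3},
    {"id": "ACME-WEB01-VE-000125", "status": "False positive", "cvss2": 4.3, "cvss3": 6.1},
    {"id": "ACME-WEB01-RE-000126", "status": "Open",           "cvss2": 0.0, "cvss3": 0.0},
    {"id": "ACME-WEB01-AP-000127", "status": "Mitigated",      "cvss2": 6.9, "cvss3": 7.0},
]

if __name__ == "__main__":
    print(summary_line(SAMPLE))
    for v in visible_for_role(SAMPLE, "client"):
        p = parse_vuln_id(v["id"])
        print(f'{v["id"]:24} {p["type_name"]:15} '
              f'v2={cvss2_severity(v["cvss2"]):7} v3={cvss3_severity(v["cvss3"])}')
```

The useful check here is that the validated count equals the length of the client-role list, which is what lets a client reconcile the summary figure with the list they are actually shown.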
When accessing a vulnerability, the information is displayed in several tabs; a horizontal bar marks the tab you are on.
• General Information: Information of the vulnerability with its description, affected assets (with a link to the project information and to the
information of the asset itself), status of the vulnerability, impact of the vulnerability in confidentiality areas, integrity and availability, CVSS
detail, evidence and comments.
• Impact: List with all the impacts of the detected vulnerability.
• Attack patterns: List with all the types of attack which could exploit the vulnerability. It includes the description, prerequisites, resources
and attack methods.
• Mitigations: Description of the mitigation action to fix the vulnerability, in which phase it shall be implemented and the mitigation strategy
to which the measure belongs.
• References: List of external references of a particular vulnerability.
• Certifications: This section includes the certification for the correction of vulnerabilities.
• History: This tab saves all the changes made to the vulnerability, specifying the type of changes made, old and new value, author of the
change and date in which it was performed.
In order to edit several vulnerabilities, you must first select the vulnerabilities using the checkboxes and click the Edit button in the top menu.
You can edit the following fields:
• Resolution Group.
• Status, considering the lifecycle of the vulnerabilities. Only those vulnerabilities whose status is compatible with the new status will be
changed. You can view the workflow in the section Methodology of the Service Portal or in the section 4.2.3 Status of the Vulnerability.
• Scheduled Date, considering the status of the vulnerabilities. You can change the scheduled date to all the selected vulnerabilities.
• Comment. Add a comment to the selected vulnerabilities.
• Environmental Score Metrics (the CVSS v2 environmental metric group). You can change the values of the metrics:
• Collateral Damage Potential.
• Target Distribution.
• Confidentiality Requirement.
• Integrity Requirement.
• Availability Requirement.
After clicking the Update checked vulnerabilities button, the changes are applied.
• The Assets menu, under MSSP Functions, gives access to the list of assets created in the Service Portal.
• The list contains the columns Name, Type, Operating system and Resolution Group with the basic information of the asset. Clicking the Name column shows the asset's details. These include (among others) the tabs General Information; Project, listing the projects and executions in which the asset is included; History, with the main changes applied to the asset; and Vulnerabilities, a paginated list of the vulnerabilities affecting the asset showing Occurrence ID, Project name, Vulnerability and Date.
• In addition, the list includes an Actions column with the options Edit (available only to the administrator and operator roles) and Delete (available only to the administrator role).
• The left column of the list has a checkbox for each asset, which allows the selected assets to be edited, downloaded or deleted.
To create an asset click New. Fields marked with a red asterisk are mandatory. The
fields to be filled in are:
• Client: choose through the pull down menu the customer on which the asset will be
created.
• Resolution Group: select from the pull-down menu the Resolution Group that will manage the asset and its vulnerabilities.
• Type: select from the pull-down menu the type of asset to create: Host, Web Application or Other. (For more information, see the section on Assets.)
• Name of the asset.
If the Asset to be created is a Host-type asset, fill in the fields previously described and
fill in the field CPE and the blocks of information IP Addresses, Aliases and SW
Packages.
If you wish to create a Web Application-type asset, fill in the fields previously described
and fill in the blocks of information SW Packages, URLs and Hosts.
Once the information of the asset is provided, click Create Asset. If you do not wish to
create the asset click Cancel.
When editing a field in several assets at once, the checkboxes of the fields that will be modified are marked automatically. To complete the edit, click the Update checked assets button.
To export asset information, choose the assets to download using the checkboxes and click the CSV button. A downloadable file in CSV format is created. For files too complex to be generated online, a download link is sent to the e-mail address registered in the Service Portal.
• CPE Feed: click Resources > CPE Feed to access the CPE feed list, which is updated frequently.
• CVE Feed: click Resources > CVE Feed to access the CVE feed list, which is updated frequently.
• CWE Feed: click Resources > CWE Feed to access the CWE feed list.
• CAPEC Feed: click Resources > CAPEC Feed to access the CAPEC feed list.
• EXPLOITS Feed: click Resources > EXPLOITS Feed to access the Exploits feed list, which is updated frequently.
The Units option from the Service Settings dropdown menu will
only be visible for administrator users.
You can configure some specific Unit settings using this option:
• Resolution Groups
• You can view the list of all the vulnerability alerts you configured
in the menu Service Settings > Alerts. This list is paginated,
making the view more streamlined.
• Mitigated incidents:
• Total: number of incidents that are mitigated, with the
variation from the previous week.
• Last 7 days: number of incidents mitigated in the last 7 days, with the variation from the week before.
• Silent endpoints:
• Total: number of silent endpoints, with the variation from
the previous week.
• Critical: number of critical silent endpoints, with the
variation from the previous week.
• Incidents: Pie chart representing the number of incidents
split by Resolution type, Priority and MITRE classification.
• Critical Silent Endpoints: Pie chart and Evolution chart
representing the number of critical silent endpoints alerts
opened in filter period.
• Cases evolution: Graph of timelines that represents the
number of cases, classified by status and priority.
• Top 5 Ambits: bar chart with the five ambits with the most events related to alerts.
• Top 5 Technologies: chart with the five technologies with the most events.
• Events in Incidents per Technology: number of events in Security Monitoring incidents split by technology, excluding whitelisted events.
• Events per Technology: evolution of event volume for the top 10 technologies in the period, comparing each value with the average of the three previous periods.
• Top 5 External IP Network Activities: top 5 External IPs by number of events with external source IP whose alert was opened within the
requested time frame.
• Top 5 Internal Talkers: top 5 device host names by number of events with internal source IP whose alert opening date is within the
requested time frame.
• Top 5 Country External Network Activities: top 5 countries by number of events with external source IP with an alert whose opening
date is within the requested time frame.
• Top 5 Devices with more User Alerts: bar chart with the five hostnames with the most user-related alerts.
• Top 5 Users with more Alerts: bar chart with the five users with the most related alerts.
• User Events in Alerts per Technology: temporal bar chart
representing the number of events in alerts with non-empty user
field, distributed by technologies, during the time frame selected.
Additionally, the average of the three previous periods is
represented.
This view displays the list of alerts that match the conditions set in the various filters. By default it shows the alerts received today.
The functionalities available in this view are:
• Export the list in CSV format.
• Search by Ticket ID, Severity, Timestamp, Description, Service,
Source, Destination, Location, Type, Status, Ambit, Technology. When
deploying advanced filters, we find new parameters such as Host
address, Attack location and Extensions.
• Check the detailed information of the alert by clicking the drop-down menu on the right-hand side of the alert table.
• The information presented in the detail is as follows:
• General info
• Source
• Destination
• Event sources
• Extensions
• Events related to alerts
Shows, as a list, the event sources with the total number of events reported by each device (firewall, IPS, IDS, proxy, etc.) on a given date, with daily periodicity. The functionalities available in this view are:
• Import the list of sources in CSV format.
• Export the list of sources in CSV format.
• Search by text in the list fields: Country, Ambit, Vendor,
Product, Technology, Hostname, IP Address, Source, Criticity,
Integrated, Total Events.
• Search by Reported date.
• Check the list of tickets related to the Hostname: click on the
Hostname ID.
• Check the list of tickets related to the IP: click on the IP of the
source.
• Check the detailed information of the source by clicking the drop-down menu on the right-hand side of the source table.