Using Playbooks to Auto-Assign Assets to Groups

Detailed steps on how to use playbooks to auto-assign assets to groups in RiskSense.

To demonstrate Playbook functionality, let us walk through one example of how the RiskSense Playbook Rules can be leveraged to automate the process of dispositioning new hosts and web apps to specific groups. To set the stage, we will make the following assumptions:

  • This example will assume the role of a RiskSense user who has the Host Group Assignment Control privilege and is tasked with maintaining asset-to-group correlation to ensure accurate and useful group-based reporting.
  • The user has decided to organize their RiskSense Groups based on location device types and has created five groups: Linux Servers, Windows Servers, Windows Workstations, Virtual Machines, and Mobile Devices.
  • The customer environment undergoes vulnerability scanning on a weekly basis, and scan results are ingested to RiskSense assessments on that same weekly cadence.
  • The weekly scans capture new hosts and web applications on a regular basis as new assets are brought online within the user’s environment.

As described in the RiskSense Default Group article, assets that appear within a scan uploaded to the platform for the first time will be placed into the Default Group. The recommendation is to then add the newly discovered assets to their appropriate group(s) and remove them from the Default Group. The fewer assets that belong to the Default Group at the conclusion of the weekly assessment, the easier it will be to identify assets scanned for the first time under subsequent assessments.

At the conclusion of each weekly ingestion of scan results, the user can identify new assets by navigating to the Manage > Hosts or Manage > Applications list views and leveraging Active Filter categories such as Assessment, Discovered On, or Group. Here is an example set of filters for identifying network hosts that appeared in RiskSense for the first time as part of an Assessment named June 2021 Week 2 Scans:

| Filter Category | is / is not | Operator | Value |
| --- | --- | --- | --- |
| Group | is | Exactly | Default Group |
| Assessment | is | Exactly | June 2021 Week 2 Scans |

With the filtered list of new assets now visible within the Hosts view, the process for migrating those hosts out of the Default Group and into the appropriate user-defined target group is as simple as selecting all the returned results, clicking the More toolbar menu item, and using the Add to Group and Remove From Group actions:

Playbook Auto Assign - More Menu with Add to and Remove from Group

Now that we have reviewed the process for manual asset dispositioning, let us look at how to automate the procedure. For this example, the user is tasked with assigning all Windows systems within the 10.11.12.* IP range that do not contain the “.server” string within their host names to the Windows Workstations Group.

RiskSense Playbook automation rules make use of filters saved on the Hosts, Applications, Host Findings, or Application Findings list views, so the first order of business would be to apply and save a set of filters that represent the new assets to be auto assigned to the Windows Workstations group:

| Filter Category | is / is not | Operator | Value |
| --- | --- | --- | --- |
| Group | Is | One Of | Default Group |
| Operating System | Is | Like | Windows |
| IP Address | Is | Wildcard | 10.11.12.* |
| Host Name | Is not | Wildcard | *.server* |

The filter set can then be captured via the Save option within the Active Filters dialog:

Playbook Auto Assign - Example Filter

Playbook Auto Assign - Save Applied Filter Window

With a saved filter that quickly identifies new assets (i.e., assets placed into the Default Group) that should be assigned to a specific group, the user is ready to automate that process by navigating to the Automate > Playbooks view and selecting the New Playbook toolbar menu option.

The new Playbook can be given a name and description, and then scheduled to run on a daily, weekly, or monthly basis. Because this scenario involves a weekly cadence of scan data ingestion, it may be useful to schedule the playbook to run a few hours after each weekly assessment has been uploaded. Please note that the Playbook scheduler makes use of UTC, not local time.

After naming, scheduling, and saving, the user can then populate the playbook with rules.

Selecting the check box next to the newly created playbook and using the New Rule toolbar option will bring up the New Rule dialog, where the user can specify the set of filters saved under the previous step:

Playbook Auto Assign - Select Filter Template

After selecting the saved filter, the user would then click the Action icon and select the Add to Group option from the drop-down list:

Playbook Auto Assign - Add to Group Action

Although the Add to Group rule is now ready to be named and saved, a second rule should also be configured to keep the Default Group clean and tidy. Rules within a single Playbook run sequentially, so the second rule will assume that the first rule used to add assets to the Windows Workstations group will have already run. In this scenario, the second rule can make use of the same saved filter as the first, as the first rule simply results in the assets in question now being members of both Default Group and Windows Workstations Group. The second rule would then use the Remove from Group drop-down action to unassign the assets from the Default Group.

After naming and saving the Remove from Group rule, the last order of business would be to select the check-box next to the Playbook and use the Enable option within the More toolbar menu.

The result of this weekly set of automated tasks is that every new Windows asset fingerprinted by scans of the 10.11.12.0/24 IP range whose host name does not contain the “.server” string will be moved out of the Default Group and into the Windows Workstations Group.
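The following added example (not RiskSense code and not part of the original article) models the saved filter and the two sequential rules locally, so the effect of rule order can be checked against a constructed inventory before the playbook is enabled. The host names, the case-insensitive matching, and the use of shell-style wildcards to stand in for the platform's Like and Wildcard operators are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample inventory (not real RiskSense data).
SAMPLE_ASSETS = [
    {"host": "wks-014.corp.example", "ip": "10.11.12.14", "os": "Windows 10 Enterprise", "groups": {"Default Group"}},
    {"host": "fs01.server.corp.example", "ip": "10.11.12.20", "os": "Windows Server 2019", "groups": {"Default Group"}},
    {"host": "wks-201.corp.example", "ip": "10.11.13.5", "os": "Windows 10 Enterprise", "groups": {"Default Group"}},
    {"host": "build-03.corp.example", "ip": "10.11.12.77", "os": "Ubuntu 20.04", "groups": {"Default Group"}},
    {"host": "wks-015.corp.example", "ip": "10.11.12.15", "os": "Windows 11 Pro", "groups": {"Windows Workstations"}},
]

def matches_saved_filter(asset):
    """Local model of the four saved filter rows; every row must hold."""
    return (
        "Default Group" in asset["groups"]                        # Group is One Of Default Group
        and "windows" in asset["os"].lower()                      # Operating System is Like Windows (assumed case-insensitive)
        and fnmatchcase(asset["ip"], "10.11.12.*")                # IP Address is Wildcard 10.11.12.*
        and not fnmatchcase(asset["host"].lower(), "*.server*")   # Host Name is not Wildcard *.server*
    )

def add_to_group(asset):
    asset["groups"].add("Windows Workstations")

def remove_from_group(asset):
    asset["groups"].discard("Default Group")

def run_playbook(assets, actions):
    """Run rules in order; each rule re-evaluates the filter against current membership."""
    assets = [dict(a, groups=set(a["groups"])) for a in assets]  # work on a copy
    for action in actions:
        for asset in assets:
            if matches_saved_filter(asset):
                action(asset)
    return {a["host"]: sorted(a["groups"]) for a in assets}

def demo():
    as_documented = run_playbook(SAMPLE_ASSETS, [add_to_group, remove_from_group])
    reversed_order = run_playbook(SAMPLE_ASSETS, [remove_from_group, add_to_group])
    return as_documented, reversed_order

if __name__ == "__main__":
    for label, result in zip(("add then remove", "remove then add"), demo()):
        print(label, result)
```

In this model, running the rules in the documented order moves only the matching workstation, while reversing them strips it from the Default Group first, so the shared filter no longer matches and the host ends up in neither group.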

A single Playbook can contain up to 50 individual rules, so feel free to configure saved filters and rules to auto-disposition assets amongst all your RiskSense groups.