Automated Workflows: Overview

Summary: How to create and maintain a workflow that automatically maps any findings that match specific filters

This article describes a feature currently under development. If you want to try out this feature, contact support about joining the Early Adopter program for Automated Workflows.

To create a workflow, you ordinarily select specific findings to associate with a workflow from the Host Findings or Application Findings pages. The Ivanti Neurons platform also allows you to associate a workflow with filters. As the system ingests new findings, it will automatically map any findings that match the filters to the workflow.

Using this feature, you can automatically assign findings that meet specific criteria to workflows. For example, say you know that your scanner will identify a particular vulnerability on your assets that your team considers a false positive. As you scan only some of your assets at one time, the system will continue to populate these false positives as open findings for the next several weeks. You would rather close them with an automated workflow.

The system will also map existing findings to an automated workflow. Consequently, automated workflows can target either newly ingested findings or existing findings.

Overview

Automated workflows have the same properties as corresponding manual workflows of the same types. To understand how an automated workflow operates, you need three additional pieces of information:

  • Filters: The filters determine which findings the system will automatically map to the workflow.
  • Scope Override Authorization: All automated workflows have a Scope Override Authorization of "Automated". Only the system can add or remove findings from the workflow.
  • Automation Stop Date: The system will continue to map findings until the automation stop date unless the workflow meets some additional criteria (see Stopping and Restarting Automation below).

You can create a Risk Acceptance or False Positive automated workflow. Once you request the workflow, the system will start to map the findings to the workflow. The system will update the workflow after ingestion of new matching findings.

The system also schedules workflow automation jobs every 24 hours. If an existing finding changes state and now matches the workflow filters, the system will add the finding to the workflow within the next 24 hours.

Creating an Automated Workflow

In this example, assume that you want to do a Risk Acceptance of Info findings on a small group of assets called "Test Environment".

Go to the Host Findings page. Apply the appropriate filters to identify all Info findings in the group Test Environment. De-select (uncheck) any selected findings.

Then go to the Workflow menu and select Create an Automated Workflow from Filter.

In the first step, choose to create a Risk Acceptance workflow. You should review the total number of findings that currently match the filters on the left. Once you create the workflow, you (and any other user) will have no way to change the workflow filters.

In step 2, provide a Name, Reason, and Description for this workflow.

In step 3, choose the expiration date and the automation stop date for the workflow. The automation stop date can be up to 180 days in the future or match the expiration date, whichever comes first.

In the last step, you can review your workflow request before submitting. You must enter the number of findings associated with the filters (the findings impacted) before you can submit.

Updating an Automated Workflow

While the workflow remains in a Requested or Reworked state, you can modify any of its properties other than the filters or the workflow type.

To update an automated workflow, go to the Workflows page. Select Update from the options menu on the workflow card to update it.

On the first page, you can review the workflow type, the number of findings currently associated with the workflow, and the filters.

To update workflow properties such as the name, description, or attachments, go to step 2.

On step 3, you can change the expiration date or the automation stop date.

On step 4, review your changes. To submit, enter the number of findings associated with the workflow (shown at the upper left) in the yellow box at the bottom.

Stopping and Restarting Automation

Automation stops if the workflow is rejected or expires. Automation also stops if the count of mapped findings reaches 100,000.

Updating a Requested or Reworked workflow: To stop automation, you can update a workflow and change the automation stop date to the current date. No more automation jobs will be scheduled.

Updating the automation stop date for a workflow in the Approved state: For an approved workflow, the Workflows page explicitly lets you modify the automation stop date. You can find this option on the workflow card.

The dialogue will only allow you to change the automation stop date.

Using the same menu options, you can restart automation by setting the automation stop date to a future date.

Resolving Issues with Creating an Automated Workflow

The system may prevent you from creating an automated workflow for a couple of reasons.

  • Your filters match more than 100,000 findings. Close the dialogue to modify your filters.
  • You already have a workflow of the same type with the same filters. No two workflows of the same type can have the same filters unless one of them is in the Expired or Rejected state. The error message will tell you the name of the conflicting workflow. If you must create a workflow with duplicate filters, reject the existing workflow.

FAQ

Is it possible to remove findings from an automated workflow?

The system can only add findings to a workflow. Once this mapping happens, the findings remain in the workflow regardless of whether they continue to match the workflow filters.
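Because mapping is add-only, a finding can stay under a Risk Acceptance or False Positive workflow after it stops matching the filters. The following added example (not Ivanti's code) models the add-only jobs described above and lists the mapped findings that no longer match; the `Finding` fields, the filter representation and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    # Field names are assumptions for this sketch, not the platform's export schema.
    finding_id: int
    severity: str
    group: str

# Hypothetical representation of the filters from the Risk Acceptance example.
FILTERS = {"severity": {"Info"}, "group": {"Test Environment"}}

# Constructed sample findings as seen by two consecutive automation jobs.
DAY1 = [Finding(1, "Info", "Test Environment"), Finding(2, "Info", "Test Environment"),
        Finding(3, "High", "Test Environment"), Finding(4, "Info", "Production")]
# By the next job, finding 2 was rescored upward and finding 3 dropped to Info.
DAY2 = [Finding(1, "Info", "Test Environment"), Finding(2, "Medium", "Test Environment"),
        Finding(3, "Info", "Test Environment"), Finding(4, "Info", "Production")]

def matches(finding, filters):
    """True when every filtered field of the finding holds an allowed value."""
    return all(getattr(finding, field) in allowed for field, allowed in filters.items())

def run_automation_job(mapped_ids, findings, filters, cap=100_000):
    """Model one job: add matching findings, never remove, stop at the cap."""
    mapped = set(mapped_ids)
    for finding in findings:
        if len(mapped) >= cap:
            break
        if matches(finding, filters):
            mapped.add(finding.finding_id)
    return mapped

def drifted(mapped_ids, findings, filters):
    """IDs still mapped to the workflow whose current values no longer match."""
    current = {f.finding_id: f for f in findings}
    return sorted(i for i in mapped_ids if i in current and not matches(current[i], filters))

if __name__ == "__main__":
    after_day1 = run_automation_job(set(), DAY1, FILTERS)
    after_day2 = run_automation_job(after_day1, DAY2, FILTERS)
    print("mapped after job 1:", sorted(after_day1))
    print("mapped after job 2:", sorted(after_day2))
    print("review these (no longer match filters):", drifted(after_day2, DAY2, FILTERS))
```

Finding 2 remains under the risk acceptance after its severity rises, which is the case a periodic review of automated workflows should catch.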

Can workflows of different types share the same filters?

Yes.