diff --git a/src/content/docs/vulnerability-management/advanced/data-structure.mdx b/src/content/docs/vulnerability-management/advanced/data-structure.mdx new file mode 100644 index 00000000000..a7d62286083 --- /dev/null +++ b/src/content/docs/vulnerability-management/advanced/data-structure.mdx @@ -0,0 +1,969 @@ +--- +title: Security data structure (NRQL reference) +metaDescription: Learn about the data structure and event types used to store vulnerability data in New Relic. +freshnessValidatedDate: never +--- + +Security RX stores vulnerability data as events in New Relic's database (NRDB), making it queryable using NRQL. This reference guide explains the event types, attributes, and data structure you can use to build custom queries, dashboards, and alerts. + +## Event types + +Security RX uses the following event types to store vulnerability and security data: + +### NrAiIncident + +Stores vulnerability findings and their current status. + +**Primary use:** Query vulnerabilities affecting your entities + +**Key attributes:** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Attribute + + Type + + Description + + Example +
+ `title` + + String + + Vulnerability title + + "CVE-2024-12345: SQL Injection in library-name" +
+ `priority` + + String + + Computed priority rank + + "CRITICAL", "HIGH", "MEDIUM", "LOW" +
+ `state` + + String + + Current vulnerability state + + "OPEN", "CLOSED" +
+ `acknowledged` + + Boolean + + Whether vulnerability has been reviewed + + `true`, `false` +
+ `conditionName` + + String + + Detection source/condition + + "Security RX - Vulnerability Detection" +
+ `entity.guid` + + String + + Entity GUID affected by vulnerability + + "ABC123..." +
+ `entity.name` + + String + + Entity name + + "my-application" +
+ `entityType` + + String + + Type of affected entity + + "APPLICATION", "HOST" +
+**Query example:** +```sql +FROM NrAiIncident +SELECT count(*) +WHERE conditionName LIKE '%Security RX%' +FACET priority, state +``` + +### Vulnerability (Custom Event) + +Stores detailed vulnerability metadata including CVE information, severity scores, and remediation guidance. + +**Primary use:** Deep dive into vulnerability details and metadata + +**Key attributes:** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Attribute + + Type + + Description + + Example +
+ `cveId` + + String + + CVE identifier + + "CVE-2024-12345" +
+ `severity` + + String + + CVSS-based severity + + "CRITICAL", "HIGH", "MEDIUM", "LOW" +
+ `cvssScore` + + Number + + CVSS numeric score + + 9.8 +
+ `epssScore` + + Number + + EPSS exploit probability + + 0.95 +
+ `epssPercentile` + + Number + + EPSS percentile ranking + + 98.5 +
+ `activeRansomware` + + Boolean + + Used in known ransomware campaigns + + `true`, `false` +
+ `affectedPackage` + + String + + Vulnerable library/package name + + "log4j-core" +
+ `affectedVersion` + + String + + Vulnerable package version + + "2.14.0" +
+ `fixedVersion` + + String + + Version with fix + + "2.17.1" +
+ `entityGuid` + + String + + Affected entity GUID + + "ABC123..." +
+ `source` + + String + + Detection source + + "APM_AGENT", "SNYK", "AWS_SECURITY_HUB" +
+**Query example:** +```sql +FROM Vulnerability +SELECT count(*) +WHERE severity = 'CRITICAL' +AND activeRansomware = true +FACET affectedPackage +``` + +### NrAiIncidentTimeline + +Tracks status changes and lifecycle events for vulnerabilities. + +**Primary use:** Audit vulnerability status history and track remediation progress + +**Key attributes:** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Attribute + + Type + + Description + + Example +
+ `incidentId` + + String + + Related incident/vulnerability ID + + "INC-123" +
+ `timestamp` + + Timestamp + + When status changed + + Unix timestamp +
+ `event` + + String + + Type of change + + "STATUS_CHANGED", "DETECTED", "RESOLVED" +
+ `previousState` + + String + + State before change + + "AFFECTED" +
+ `newState` + + String + + State after change + + "IGNORED" +
+ `changedBy` + + String + + User who made change + + "user@example.com" +
+ `reason` + + String + + Reason for status change + + "False positive - not using vulnerable code path" +
+**Query example:** +```sql +FROM NrAiIncidentTimeline +SELECT timestamp, event, previousState, newState, changedBy +WHERE event = 'STATUS_CHANGED' +SINCE 7 days ago +``` + +## Common attributes across event types + +These attributes appear across multiple event types: + +### Entity identification + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Attribute + + Description +
+ `entity.guid` + + Unique identifier for the affected entity +
+ `entity.name` + + Human-readable entity name +
+ `entity.type` + + Entity type (APPLICATION, HOST, SERVICE) +
+ `accountId` + + New Relic account ID +
+### Timestamps + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Attribute + + Description +
+ `timestamp` + + When the event occurred +
+ `detectedAt` + + When vulnerability was first detected +
+ `updatedAt` + + Last update timestamp +
+ `resolvedAt` + + When vulnerability was marked resolved +
+### Source tracking + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Attribute + + Description +
+ `source` + + Data source (APM_AGENT, INFRASTRUCTURE, SNYK, etc.) +
+ `sourceId` + + Unique ID from source system +
+ `integrationName` + + Integration that provided data +
+## Data relationships + +Understanding how event types relate to each other: + +``` +Entity (Application/Host) + ↓ has many +NrAiIncident (Active vulnerabilities) + ↓ references +Vulnerability (CVE details) + ↓ has many +NrAiIncidentTimeline (Status history) +``` + +## Query patterns + +### Join entity data with vulnerabilities + +```sql +FROM NrAiIncident +SELECT entity.name, count(*) as 'Vulnerability Count' +WHERE conditionName LIKE '%Security RX%' +AND state = 'OPEN' +FACET entity.name +SINCE 1 day ago +``` + +### Calculate exposure windows + +```sql +FROM Vulnerability +SELECT entity.name, + cveId, + (max(timestamp) - min(timestamp)) / 86400 as 'Days Exposed' +WHERE severity IN ('CRITICAL', 'HIGH') +FACET entity.name, cveId +SINCE 30 days ago +``` + +### Track remediation velocity + +```sql +FROM NrAiIncidentTimeline +SELECT count(*) as 'Vulnerabilities Resolved' +WHERE event = 'STATUS_CHANGED' +AND newState = 'CLOSED' +FACET weekOf(timestamp) +SINCE 90 days ago +``` + +## Attribute types and formats + +### Severity values + +``` +CRITICAL - CVSS 9.0-10.0 +HIGH - CVSS 7.0-8.9 +MEDIUM - CVSS 4.0-6.9 +LOW - CVSS 0.1-3.9 +INFO - CVSS 0.0 +``` + +### State values + +``` +OPEN - Vulnerability currently active +CLOSED - Vulnerability resolved or fixed +AFFECTED - Entity is confirmed affected +IGNORED - Marked as not applicable +NO_LONGER_DETECTED - No longer seen in scans +``` + +### Source values + +``` +APM_AGENT - Detected by New Relic APM agent +INFRASTRUCTURE - Detected by Infrastructure agent +SNYK - Imported from Snyk +AWS_SECURITY_HUB - Imported from AWS Security Hub +DEPENDABOT - Imported from GitHub Dependabot +FOSSA - Imported from FOSSA +TRIVY - Imported from Trivy +SECURITY_DATA_API - Sent via API +``` + +## Querying tips + +### Filter by priority + +Vulnerabilities are prioritized based on CVSS, EPSS, and ransomware data: + +```sql +FROM Vulnerability +WHERE priority IN ('CRITICAL', 'HIGH') +AND state = 'OPEN' +``` + +### Filter by entity type + +Separate application from infrastructure vulnerabilities: + +```sql +-- Application vulnerabilities +FROM Vulnerability +WHERE entityType = 'APPLICATION' + +-- Infrastructure vulnerabilities +FROM Vulnerability +WHERE entityType = 'HOST' +``` + +### Filter by detection source + +Query vulnerabilities from specific integrations: + +```sql +FROM Vulnerability +WHERE source = 'SNYK' +FACET severity +``` + +### Time-based filtering + +Find recently detected vulnerabilities: + +```sql +FROM Vulnerability +WHERE detectedAt > ago(7 days) +FACET cveId, severity +``` + +## Building custom dashboards + +Use these event types and attributes to create custom dashboards: + +1. **Executive dashboard** - High-level metrics using `NrAiIncident` +2. **Remediation tracking** - Status changes using `NrAiIncidentTimeline` +3. **CVE intelligence** - Deep vulnerability analysis using `Vulnerability` +4. **Entity security posture** - Per-entity views combining all event types + +For query examples, see [Security data query examples](/docs/vulnerability-management/advanced/query-examples). + +## What's next? + + + + Ready-to-use NRQL queries for common security scenarios + + + + Create NRQL-based alerts for vulnerabilities + + + + Change vulnerability status and track remediation + + diff --git a/src/content/docs/vulnerability-management/change-vulnerability-status.mdx b/src/content/docs/vulnerability-management/advanced/manage-vulnerability-status.mdx similarity index 89% rename from src/content/docs/vulnerability-management/change-vulnerability-status.mdx rename to src/content/docs/vulnerability-management/advanced/manage-vulnerability-status.mdx index b256f934087..0701e57b9c9 100644 --- a/src/content/docs/vulnerability-management/change-vulnerability-status.mdx +++ b/src/content/docs/vulnerability-management/advanced/manage-vulnerability-status.mdx @@ -1,6 +1,9 @@ --- -title: Change vulnerability status -metaDescription: Use Security RX to overcome blindspots and assign remediation to developers as a security team. +title: Manage vulnerability status +metaDescription: Change vulnerability status to Ignored, Affected, or Fixed to track remediation progress in Security RX. +redirects: + - /docs/vulnerability-management/change-vulnerability-status + - /docs/vulnerability-management/change-vulnerability-status/ freshnessValidatedDate: never --- @@ -165,3 +168,23 @@ To find ignored vulnerabilities to see if you want to track them again, follow t /> */} + +## What's next? + + + + Get notified when vulnerability status changes occur + + + + Track status changes and remediation metrics with NRQL + + + + Learn how to prioritize which vulnerabilities to address first + + + + Monitor application vulnerability status organization-wide + + diff --git a/src/content/docs/vulnerability-management/advanced/query-examples.mdx b/src/content/docs/vulnerability-management/advanced/query-examples.mdx new file mode 100644 index 00000000000..6c3c2437822 --- /dev/null +++ b/src/content/docs/vulnerability-management/advanced/query-examples.mdx @@ -0,0 +1,483 @@ +--- +title: Security data query examples +metaDescription: Ready-to-use NRQL queries for analyzing vulnerability data in Security RX. +freshnessValidatedDate: never +--- + +This guide provides ready-to-use NRQL queries for common security monitoring and analysis scenarios. Copy these queries into the query builder or add them to custom dashboards to gain deeper insights into your vulnerability data. + +For information about the underlying data structure, see [Security data structure reference](/docs/vulnerability-management/advanced/data-structure). + +## Executive reporting + +### Total open vulnerabilities by severity + +Get a high-level view of your vulnerability exposure: + +```sql +FROM Vulnerability +SELECT count(*) as 'Total Vulnerabilities' +WHERE state = 'OPEN' +FACET severity +SINCE 1 day ago +``` + +### Critical and high severity trends + +Track how critical vulnerabilities change over time: + +```sql +FROM Vulnerability +SELECT count(*) as 'Critical & High Vulnerabilities' +WHERE severity IN ('CRITICAL', 'HIGH') +AND state = 'OPEN' +TIMESERIES AUTO +SINCE 30 days ago +``` + +### Vulnerabilities by entity + +Identify which applications or hosts have the most vulnerabilities: + +```sql +FROM Vulnerability +SELECT count(*) as 'Vulnerability Count' +WHERE state = 'OPEN' +FACET entity.name +LIMIT 20 +SINCE 1 day ago +``` + +### Vulnerability distribution across portfolio + +Understand the spread of vulnerabilities: + +```sql +FROM Vulnerability +SELECT percentage(count(*), WHERE severity = 'CRITICAL') as 'Critical %', + percentage(count(*), WHERE severity = 'HIGH') as 'High %', + percentage(count(*), WHERE severity = 'MEDIUM') as 'Medium %', + percentage(count(*), WHERE severity = 'LOW') as 'Low %' +WHERE state = 'OPEN' +SINCE 1 day ago +``` + +## Prioritization and risk assessment + +### High-priority vulnerabilities + +Find vulnerabilities with high exploit probability: + +```sql +FROM Vulnerability +SELECT cveId, affectedPackage, affectedVersion, cvssScore, epssPercentile +WHERE epssPercentile > 90 +AND state = 'OPEN' +ORDER BY epssPercentile DESC +LIMIT 50 +SINCE 7 days ago +``` + +### Active ransomware vulnerabilities + +Identify vulnerabilities used in ransomware campaigns: + +```sql +FROM Vulnerability +SELECT cveId, affectedPackage, cvssScore, entity.name +WHERE activeRansomware = true +AND state = 'OPEN' +FACET cveId, entity.name +SINCE 30 days ago +``` + +### Newly detected critical vulnerabilities + +Monitor for new critical findings: + +```sql +FROM Vulnerability +SELECT cveId, affectedPackage, affectedVersion, entity.name, detectedAt +WHERE severity = 'CRITICAL' +AND state = 'OPEN' +AND detectedAt > ago(24 hours) +ORDER BY detectedAt DESC +``` + +### Vulnerabilities requiring immediate attention + +Combine multiple risk factors: + +```sql +FROM Vulnerability +SELECT cveId, entity.name, affectedPackage, cvssScore, epssPercentile +WHERE ( + (severity = 'CRITICAL' AND epssPercentile > 85) OR + (activeRansomware = true) OR + (epssPercentile > 95) +) +AND state = 'OPEN' +FACET cveId, entity.name +SINCE 7 days ago +``` + +## Exposure and remediation tracking + +### Average vulnerability exposure time + +Calculate mean time to remediate (MTTR): + +```sql +FROM Vulnerability +SELECT average((resolvedAt - detectedAt) / 86400) as 'Avg Days to Resolve' +WHERE state = 'CLOSED' +FACET severity +SINCE 90 days ago +``` + +### Longest-running open vulnerabilities + +Find vulnerabilities that have been open for extended periods: + +```sql +FROM Vulnerability +SELECT cveId, entity.name, affectedPackage, detectedAt, + (max(timestamp) - detectedAt) / 86400 as 'Days Open' +WHERE state = 'OPEN' +FACET cveId, entity.name +ORDER BY 'Days Open' DESC +LIMIT 20 +SINCE 90 days ago +``` + +### Remediation velocity + +Track how quickly you're resolving vulnerabilities: + +```sql +FROM NrAiIncidentTimeline +SELECT count(*) as 'Vulnerabilities Resolved' +WHERE event = 'STATUS_CHANGED' +AND newState = 'CLOSED' +FACET weekOf(timestamp) +SINCE 90 days ago +TIMESERIES 1 week +``` + +### Vulnerabilities by age bucket + +Group vulnerabilities by how long they've been open: + +```sql +FROM Vulnerability +SELECT count(*) as 'Count' +WHERE state = 'OPEN' +FACET cases( + WHERE (now() - detectedAt) / 86400 <= 7 as '0-7 days', + WHERE (now() - detectedAt) / 86400 <= 30 as '8-30 days', + WHERE (now() - detectedAt) / 86400 <= 90 as '31-90 days', + WHERE (now() - detectedAt) / 86400 > 90 as '> 90 days' +) +SINCE 180 days ago +``` + +## Package and library analysis + +### Most vulnerable libraries + +Identify libraries introducing the most vulnerabilities: + +```sql +FROM Vulnerability +SELECT count(*) as 'Vulnerability Count' +WHERE state = 'OPEN' +FACET affectedPackage +ORDER BY count(*) DESC +LIMIT 10 +SINCE 30 days ago +``` + +### Libraries requiring upgrades + +Find packages with available fixes: + +```sql +FROM Vulnerability +SELECT affectedPackage, affectedVersion, fixedVersion, count(*) as 'Vulnerable Entities' +WHERE state = 'OPEN' +AND fixedVersion IS NOT NULL +FACET affectedPackage, affectedVersion, fixedVersion +ORDER BY count(*) DESC +LIMIT 20 +SINCE 7 days ago +``` + +### Vulnerability detection by source + +Understand which integrations are finding vulnerabilities: + +```sql +FROM Vulnerability +SELECT count(*) as 'Detections' +FACET source +SINCE 30 days ago +``` + +### Java dependencies analysis + +Focus on Java-specific vulnerabilities: + +```sql +FROM Vulnerability +SELECT count(*) as 'Vulnerabilities' +WHERE affectedPackage LIKE '%.jar' +OR affectedPackage LIKE '%maven%' +FACET affectedPackage, severity +SINCE 30 days ago +``` + +## Entity-specific queries + +### Application vulnerability summary + +Get vulnerability counts for a specific application: + +```sql +FROM Vulnerability +SELECT count(*) as 'Total', + filter(count(*), WHERE severity = 'CRITICAL') as 'Critical', + filter(count(*), WHERE severity = 'HIGH') as 'High', + filter(count(*), WHERE severity = 'MEDIUM') as 'Medium', + filter(count(*), WHERE severity = 'LOW') as 'Low' +WHERE entity.name = 'YOUR_APP_NAME' +AND state = 'OPEN' +SINCE 1 day ago +``` + +### Host vulnerability breakdown + +Analyze vulnerabilities for infrastructure hosts: + +```sql +FROM Vulnerability +SELECT count(*) as 'Vulnerabilities' +WHERE entityType = 'HOST' +AND state = 'OPEN' +FACET entity.name, severity +LIMIT 50 +SINCE 7 days ago +``` + +### Entities with no recent scans + +Identify entities that may not be reporting vulnerability data: + +```sql +FROM Vulnerability +SELECT entity.name, max(timestamp) as 'Last Scan' +FACET entity.name +HAVING max(timestamp) < ago(7 days) +SINCE 30 days ago +``` + +## Status and workflow tracking + +### Ignored vulnerabilities requiring review + +Find ignored vulnerabilities approaching their review date: + +```sql +FROM NrAiIncidentTimeline +SELECT incidentId, entity.name, reason, timestamp as 'Ignored At' +WHERE event = 'STATUS_CHANGED' +AND newState = 'IGNORED' +AND timestamp < ago(60 days) +FACET incidentId, entity.name +SINCE 90 days ago +``` + +### Status change audit trail + +Track who is making status changes: + +```sql +FROM NrAiIncidentTimeline +SELECT timestamp, entity.name, previousState, newState, changedBy, reason +WHERE event = 'STATUS_CHANGED' +ORDER BY timestamp DESC +LIMIT 100 +SINCE 30 days ago +``` + +### False positive rate + +Calculate how many vulnerabilities are marked as ignored vs affected: + +```sql +FROM NrAiIncidentTimeline +SELECT filter(count(*), WHERE newState = 'IGNORED') as 'Ignored', + filter(count(*), WHERE newState = 'AFFECTED') as 'Affected', + percentage(filter(count(*), WHERE newState = 'IGNORED'), count(*)) as 'Ignore Rate %' +WHERE event = 'STATUS_CHANGED' +SINCE 90 days ago +``` + +## Compliance and reporting + +### Vulnerabilities older than 30 days (SLA tracking) + +Monitor vulnerabilities exceeding your remediation SLA: + +```sql +FROM Vulnerability +SELECT count(*) as 'Overdue Vulnerabilities', + entity.name, + severity +WHERE state = 'OPEN' +AND detectedAt < ago(30 days) +FACET entity.name, severity +SINCE 180 days ago +``` + +### Critical vulnerability response time + +Track how quickly critical vulnerabilities are addressed: + +```sql +FROM Vulnerability +SELECT percentile((resolvedAt - detectedAt) / 86400, 50, 75, 90, 95) as 'Days to Resolve' +WHERE severity = 'CRITICAL' +AND state = 'CLOSED' +SINCE 90 days ago +``` + +### Monthly vulnerability metrics + +Generate monthly reports: + +```sql +FROM Vulnerability +SELECT count(*) as 'Total Detected', + uniqueCount(entity.guid) as 'Affected Entities', + filter(count(*), WHERE severity IN ('CRITICAL', 'HIGH')) as 'High Risk' +FACET monthOf(detectedAt) +SINCE 180 days ago +TIMESERIES 1 month +``` + +## Advanced analysis + +### Vulnerability blast radius + +Identify vulnerabilities affecting many entities: + +```sql +FROM Vulnerability +SELECT cveId, count(entity.guid) as 'Affected Entities', max(cvssScore) as 'CVSS' +WHERE state = 'OPEN' +FACET cveId +HAVING count(entity.guid) > 5 +ORDER BY count(entity.guid) DESC +LIMIT 20 +SINCE 30 days ago +``` + +### Security hygiene score + +Calculate a custom security score: + +```sql +FROM Vulnerability +SELECT 100 - ( + filter(count(*), WHERE severity = 'CRITICAL') * 10 + + filter(count(*), WHERE severity = 'HIGH') * 5 + + filter(count(*), WHERE severity = 'MEDIUM') * 2 + + filter(count(*), WHERE severity = 'LOW') * 0.5 +) as 'Security Score' +WHERE state = 'OPEN' +FACET entity.name +SINCE 1 day ago +``` + +### Vulnerability trends by type + +Compare application vs infrastructure vulnerabilities: + +```sql +FROM Vulnerability +SELECT count(*) as 'Vulnerabilities' +WHERE state = 'OPEN' +FACET entityType +TIMESERIES AUTO +SINCE 30 days ago +``` + +## Using these queries + +### In the query builder + +1. Go to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Query your data** +2. Copy and paste any query from this page +3. Click **Run** to see results +4. Adjust time ranges and filters as needed + +### In custom dashboards + +1. Create a new dashboard or edit an existing one +2. Add a widget and select **Query builder** +3. Paste the query and configure visualization +4. Save the widget to your dashboard + +### In alerts + +1. Go to **Alerts > Create a condition** +2. Select **NRQL query** as the condition type +3. Use queries that return counts or thresholds +4. Configure alert thresholds and notification channels + +For more information on alerting, see [Set up vulnerability alerts](/docs/vulnerability-management/advanced/set-up-alerts). + +## Tips for customizing queries + +### Replace placeholders + +- `'YOUR_APP_NAME'` - Replace with your actual application name +- `'YOUR_ENTITY_GUID'` - Replace with your entity's GUID +- Time ranges (e.g., `SINCE 30 days ago`) - Adjust to your needs + +### Combine with other data + +Join vulnerability data with APM or Infrastructure metrics: + +```sql +FROM Vulnerability, Transaction +SELECT count(Vulnerability.cveId), average(Transaction.duration) +WHERE Vulnerability.entity.guid = Transaction.appId +AND Vulnerability.state = 'OPEN' +FACET Vulnerability.entity.name +SINCE 1 day ago +``` + +### Export results + +All query results can be: +- Downloaded as CSV +- Added to dashboards +- Exported via API +- Shared with your team + +## What's next? + + + + Learn about event types and attributes in detail + + + + Create alerts based on these queries + + + + Learn more about NRQL syntax + + diff --git a/src/content/docs/vulnerability-management/set-up-alerts.mdx b/src/content/docs/vulnerability-management/advanced/set-up-alerts.mdx similarity index 72% rename from src/content/docs/vulnerability-management/set-up-alerts.mdx rename to src/content/docs/vulnerability-management/advanced/set-up-alerts.mdx index 32da527040b..5105c0de842 100644 --- a/src/content/docs/vulnerability-management/set-up-alerts.mdx +++ b/src/content/docs/vulnerability-management/advanced/set-up-alerts.mdx @@ -1,6 +1,9 @@ --- title: Set up vulnerability alerts metaDescription: Set up alerts through Slack or a Webhook to receive notifications when vulnerabilities of a set severity appear. +redirects: + - /docs/vulnerability-management/set-up-alerts + - /docs/vulnerability-management/set-up-alerts/ freshnessValidatedDate: never --- @@ -52,3 +55,23 @@ On Security RX page, select **Manage security notifications** 2. Under **Webhook settings**, select a destination or create one by clicking . Learn more about creating a webhook destination [here](/docs/alerts-applied-intelligence/notifications/notification-integrations/#webhook). 3. Under **Webhook settings**, create a channel name. 4. Under **Notification rules**, configure rules to receive notifications for vulnerabilities of different severity levels. + +## What's next? + + + + Change vulnerability status based on alerts received + + + + Build custom NRQL alerts for specific vulnerability patterns + + + + Learn how alert severity aligns with vulnerability priority + + + + Monitor application vulnerabilities with your new alerts + + diff --git a/src/content/docs/vulnerability-management/security-workflow.mdx b/src/content/docs/vulnerability-management/applications/manage-organization-vulnerabilities.mdx similarity index 72% rename from src/content/docs/vulnerability-management/security-workflow.mdx rename to src/content/docs/vulnerability-management/applications/manage-organization-vulnerabilities.mdx index c03175fad82..d046c00a258 100644 --- a/src/content/docs/vulnerability-management/security-workflow.mdx +++ b/src/content/docs/vulnerability-management/applications/manage-organization-vulnerabilities.mdx @@ -1,6 +1,9 @@ --- -title: Manage application vulnerabilities as a DevSecOps, Platform, or Security team -metaDescription: Use Security RX to overcome blindspots and assign remediation to developers as a security team. +title: Manage application vulnerabilities as a DevSecOps, Platform, or Security team +metaDescription: Monitor and remediate application vulnerabilities across your entire organization with Security RX. +redirects: + - /docs/vulnerability-management/security-workflow + - /docs/vulnerability-management/security-workflow/ freshnessValidatedDate: never --- @@ -9,7 +12,7 @@ This document covers how to: * Calculate the vulnerability surface area of your software systems * Understand how runtime architecture of each application affects business risk, vulnerability and severity -If this workflow doesn't sound like you, check out our document on [managing vulnerabilities as a developer](/docs/vulnerability-management/dev-workflow). +If this workflow doesn't sound like you, check out our document on [monitoring vulnerabilities for a specific application](/docs/vulnerability-management/applications/monitor-entity-security). ## View the vulnerability surface area of your systems [#vulnerability-area] @@ -38,7 +41,7 @@ Dig deeper into the security of your system by auditing the vulnerability of all > From the Security RX - Applications summary page, select **Entities** to review the vulnerability status of all your applications. This view shows all your applications and code repositories, and allows you to prioritize vulnerability remediation based on weighted vulnerabilities scores and severity profiles. - Clicking into an entity opens up a scoped entity view of Security RX. Learn more about our scoped entity view in our document on [managing vulnerabilities as a developer](/docs/vulnerability-management/dev-workflow). + Clicking into an entity opens up a scoped entity view of Security RX. Learn more about our scoped entity view in our document on [monitoring entity-level security](/docs/vulnerability-management/applications/monitor-entity-security). @@ -66,3 +69,23 @@ Dig deeper into the security of your system by auditing the vulnerability of all Find the vulnerability you need to remediate, click it, review its direct impact of services, and take the recommended remediation steps. + +## What's next? + + + + Drill down into specific applications to see entity-level vulnerability details + + + + Change status to Ignored, Affected, or Fixed for remediation tracking + + + + Get notified when new critical vulnerabilities are detected + + + + Build custom dashboards and reports with NRQL + + diff --git a/src/content/docs/vulnerability-management/dev-workflow.mdx b/src/content/docs/vulnerability-management/applications/monitor-entity-security.mdx similarity index 62% rename from src/content/docs/vulnerability-management/dev-workflow.mdx rename to src/content/docs/vulnerability-management/applications/monitor-entity-security.mdx index 42b114d1975..ef884786cf1 100644 --- a/src/content/docs/vulnerability-management/dev-workflow.mdx +++ b/src/content/docs/vulnerability-management/applications/monitor-entity-security.mdx @@ -1,6 +1,9 @@ --- -title: Manage security vulnerabilities in your application -metaDescription: Use Security RX to maintain a healthy application and remediate vulnerabilities as a developer. +title: Monitor application security (entity view) +metaDescription: Monitor and remediate vulnerabilities in a specific application with Security RX entity-scoped views. +redirects: + - /docs/vulnerability-management/dev-workflow + - /docs/vulnerability-management/dev-workflow/ freshnessValidatedDate: never --- @@ -8,16 +11,15 @@ This document covers how to: * Maintain a single or a few healthy applications/services * Identify the vulnerabilities with the highest risk in your software stack -* Surface tasks from your security team in your daily workflow so it's easy to deliver more secure software with less toil. +* Surface tasks from your security team in your daily workflow so it's easy to deliver more secure software with less toil -If this workflow doesn't sound like you, check out our document on [managing vulnerabilities as a security team](/docs/vulnerability-management/security-workflow). +If this workflow doesn't sound like you, check out our document on [managing vulnerabilities across all applications](/docs/vulnerability-management/applications/manage-organization-vulnerabilities). ## Maintain the vulnerability health of your application - Once vulnerability data starts flowing into New Relic, you can access your data through various scoped views. -To monitor the health of specific applications or services, use our entity scoped view by navigating to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > APM & services > (select an entity) > Security RX > Overview**. For a larger scope, refer to [managing vulnerabilities as a security team](/docs/vulnerability-management/security-workflow). +To monitor the health of specific applications or services, use our entity scoped view by navigating to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > APM & services > (select an entity) > Security RX > Overview**. For a larger scope, refer to [managing vulnerabilities organization-wide](/docs/vulnerability-management/applications/manage-organization-vulnerabilities). + + View vulnerability surface area across all applications + + + + Learn how vulnerabilities are ranked by risk + + + Mark vulnerabilities as Ignored, Affected, or Fixed + + + Get notified when vulnerabilities are detected in your applications + + diff --git a/src/content/docs/vulnerability-management/applications/overview.mdx b/src/content/docs/vulnerability-management/applications/overview.mdx new file mode 100644 index 00000000000..e222ef8941f --- /dev/null +++ b/src/content/docs/vulnerability-management/applications/overview.mdx @@ -0,0 +1,190 @@ +--- +title: Security RX for Applications +metaDescription: Monitor and remediate vulnerabilities in your applications with Security RX. +freshnessValidatedDate: never +--- + +Security RX for Applications helps you identify, prioritize, and remediate vulnerabilities in your application dependencies. Whether you're monitoring a single service or managing security across your entire application portfolio, Security RX provides the visibility and context you need to secure your software supply chain. + +## What you can do + +With Security RX for Applications, you can: + +* **Detect vulnerabilities** in application dependencies automatically through APM agents +* **Prioritize remediation** based on CVSS severity, exploit probability (EPSS), and active ransomware campaigns +* **Track vulnerability exposure** across your application portfolio +* **Monitor specific applications** with entity-scoped views for developers +* **Manage organization-wide security** with comprehensive dashboards for security teams +* **Import vulnerabilities** from third-party tools like Snyk, Dependabot, and FOSSA + +## How to get started + +Before using Security RX for Applications, make sure you have: + +1. **[Set up prerequisites and user roles](/docs/vulnerability-management/getting-started/prerequisites)** - Ensure you have the required permissions +2. **[Configured an integration](/docs/vulnerability-management/getting-started/integrations/overview)** - Install an APM agent or set up a third-party integration +3. **[Understand prioritization](/docs/vulnerability-management/getting-started/prioritization)** - Learn how vulnerabilities are ranked + +## Choose your workflow + +Security RX provides two complementary views for managing application vulnerabilities: + +### Organization view: Manage all applications + +Best for security teams, DevSecOps, and platform engineers who need to: +- Calculate the vulnerability surface area across all applications +- Identify which applications pose the highest risk +- Understand how vulnerabilities affect multiple services +- Track security hygiene metrics organization-wide + +**→ [Manage organization-wide application vulnerabilities](/docs/vulnerability-management/applications/manage-organization-vulnerabilities)** + +### Entity view: Monitor specific applications + +Best for developers and engineers who need to: +- Monitor vulnerabilities in services they own +- Prioritize fixes for a specific application +- Track vulnerability exposure windows for their code +- Integrate security tasks into their daily workflow + +**→ [Monitor entity-level application security](/docs/vulnerability-management/applications/monitor-entity-security)** + +## Supported languages and frameworks + +Security RX detects vulnerabilities in applications instrumented with New Relic APM agents: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Language + + Minimum Version + + Detection Coverage +
+ Java + + All supported versions + + JAR files +
+ Node.js + + All supported versions + + npm packages +
+ Ruby + + All supported versions + + Gems +
+ Python + + 8.0 or higher + + Packages +
+ Go + + 3.20 or higher + + Modules +
+ PHP + + 10.17 or higher + + Composer packages +
+ +For complete agent requirements and version details, see [APM agent integrations](/docs/vulnerability-management/getting-started/integrations/overview#apm-agents). + +## Data sources + +Security RX for Applications collects vulnerability data from: + +* **APM agents** - Automatic detection of vulnerabilities in loaded libraries +* **Third-party integrations** - Import findings from Snyk, Dependabot, FOSSA, and other security tools +* **Security data API** - Send custom vulnerability data directly to New Relic + +Learn more about [configuring integrations](/docs/vulnerability-management/getting-started/integrations/overview). + +## What's next? + + + + View vulnerability surface area across all applications + + + + Track vulnerabilities in a specific application + + + + Get notified when new vulnerabilities are detected + + + + Change status to Ignored, Affected, or Fixed + + diff --git a/src/content/docs/vulnerability-management/applications/prioritization.mdx b/src/content/docs/vulnerability-management/applications/prioritization.mdx new file mode 100644 index 00000000000..1a55a52b634 --- /dev/null +++ b/src/content/docs/vulnerability-management/applications/prioritization.mdx @@ -0,0 +1,202 @@ +--- +title: Understand application vulnerability prioritization +metaDescription: Learn how Security RX prioritizes application vulnerabilities based on CVSS, EPSS, and active ransomware data. +freshnessValidatedDate: never +--- + +This document covers: + +* Where to find priority ranks for application vulnerabilities in Security RX +* What data factors into the priority ranks of vulnerabilities +* How to use prioritization to remediate application security issues + +## Viewing priority rank in Security RX + +To view the priority rank of vulnerabilities in your applications, go to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Security RX > Applications > All Vulnerabilities**. + +The priority ranking is based on all known data about a vulnerability. The **Reason to prioritize** column is a summary and weighting of key CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System) and known active ransomware data. + +## Data influencing priority rank + + + + **Severity** is based on the vulnerability's CVSS score. An open industry standard, CVSS uses a formula of several access and impact metrics to calculate the severity of the vulnerability. + + This table shows the tags we've assigned corresponding to CVSS scores. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Severity + + CVSS range +
+ Critical + + 9.0 - 10.0 +
+ High + + 7.0 - 8.9 +
+ Medium + + 4.0 - 6.9 +
+ Low + + 0.1 - 3.9 +
+ Info / None + + 0.0 +
+ + + + **Active ransomware** are vulnerabilities that have been used in known ransomware campaigns (This data is sourced by New Relic from its official partner network). The severe impacts of ransomware incidents make these vulnerabilities a high priority. + + The Cybersecurity & Infrastructure Security Agency (CISA) [defines ransomware](https://www.cisa.gov/stopransomware/ransomware-101) as "an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid." + + Explore CISA's page for [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) to learn more. + + + + **Exploit probability** scores are based on EPSS, which rates the probability that a vulnerability will be exploited in the wild. In these cases, there are known instances of threat actors taking advantage of the vulnerability. EPSS scores can look low out of context, but security experts recommend giving higher priority to all vulnerabilities with an exploit probability above the 85th percentile. This indicates a significant risk that that vulnerability will be exploited. + + Explore FIRST's page for [The EPSS Model](https://www.first.org/epss/model) to learn more. + + This table shows the tags we've assigned to each level of exploit probability. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ Exploit probability + + EPSS percentile +
+ Exploit extremely probable + + > 95% +
+ Exploit very probable + + > 90% +
+ Exploit probable + + > 85% +
+ + + +### Example of ranking logic + +A vulnerability that's "high" severity with an EPSS of "exploit probable" might rank higher than a vulnerability with a "critical" severity with an EPSS level that's lower than an 85th percentile probability of exploitation. + +## Using prioritization in your workflow + +When remediating application vulnerabilities: + +1. **Focus on high-priority vulnerabilities first** - Start with vulnerabilities that have multiple risk factors (high CVSS + high EPSS + active ransomware) +2. **Consider your application context** - A high-priority vulnerability in a public-facing application requires more urgent attention than the same vulnerability in an internal tool +3. **Track exposure windows** - Monitor how long vulnerabilities remain unpatched in your applications +4. **Set up alerts** - Configure notifications for new high-priority vulnerabilities in your critical applications + +## What's next? + +Now that you understand how application vulnerabilities are prioritized: + + + + Track vulnerabilities in specific applications + + + + View vulnerability surface area across all applications + + + + Change status to Ignored, Affected, or Fixed + + + + Get notified when high-priority vulnerabilities are detected + + diff --git a/src/content/docs/vulnerability-management/cloud/engineer-workflow.mdx b/src/content/docs/vulnerability-management/cloud/engineer-workflow.mdx new file mode 100644 index 00000000000..eb7e54d3554 --- /dev/null +++ b/src/content/docs/vulnerability-management/cloud/engineer-workflow.mdx @@ -0,0 +1,200 @@ +--- +title: Manage misconfigurations in your cloud environment +metaDescription: Use Security RX Cloud to discover, prioritize, and remediate cloud misconfigurations as an engineer. +freshnessValidatedDate: never +--- + +As an engineer, you want to maintain healthy applications and infrastructure while understanding the security risks in your cloud environment. Security RX Cloud helps you discover, prioritize, and remediate cloud misconfigurations without leaving your development workflow. + +This document covers how to: + +* Improve your cloud security posture in real-time +* Reduce context switching with automatic synchronization of AWS Security Hub findings +* Prioritize the most critical misconfigurations based on intelligent risk scoring +* Access detailed remediation guidance for multiple workflows (Console, CLI, Infrastructure as Code) + +If this workflow doesn't sound like you, check out our document on [managing vulnerabilities as a security team](/docs/vulnerability-management/cloud/security-workflow). + +## Prerequisites + +Before you begin, ensure you have: + +* [Security RX Cloud integration set up](/docs/vulnerability-management/cloud/setup) with your AWS account +* AWS Security Hub enabled in your monitored regions +* Access to Security RX in your New Relic account + + + New to Security RX Cloud? Start with our [setup guide](/docs/vulnerability-management/cloud/setup) to connect your AWS account and enable auto-discovery. + + +## Get started with Security RX Cloud [#get-started] + +Security RX Cloud provides a comprehensive view of your cloud security posture, allowing you to identify and remediate misconfigurations in real-time. By integrating with AWS Security Hub, you can automatically synchronize findings and reduce context switching between multiple security tools. + +### Access Security RX Cloud + +Navigate to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Security RX** and select the **Cloud** tab to view your cloud security overview. + +For entity-specific security insights, you can also access Security RX through individual services: +**[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > APM & services > (select an entity) > Security RX > Overview** + +Dashboard for the security entity overview page + +
+ + **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > APM & services > (select an entity) > Security > Overview** + +
+ +## Understand your cloud security overview [#overview] + +The **Cloud** tab provides a comprehensive dashboard that helps you contextualize findings, identify top risk areas, and understand trends across your cloud environment. + +Screenshot of the Security RX Cloud overview dashboard showing misconfiguration statistics, exposure window, and security insights + +
+ The Security RX Cloud overview dashboard provides comprehensive visibility into your cloud security posture. +
+ +### Problems the overview solves + +* **Overwhelming misconfiguration volume**: Large numbers of findings make it difficult to understand trends and prioritize efforts +* **Lack of visibility**: No clear starting point for remediation efforts +* **Stakeholder reporting**: Need for executive-level insights into security posture + +### Key overview features + +The cloud overview page displays: + +* **New misconfigurations**: Recently detected security findings requiring attention +* **Top critical regions**: Geographic areas with the highest concentration of security issues +* **Top resource types**: Which AWS services (S3, EC2, RDS, etc.) have the most security findings +* **Risk breakdown by category**: Misconfigurations organized by security impact type +* **Risk by account**: Multi-account view showing which AWS accounts need the most attention +* **Critical VPC analysis**: Virtual private cloud environments with security concerns + +### Interpreting misconfiguration data + +The overview helps you: + +* **Assess exposure over time**: Track whether your security posture is improving or degrading +* **View by category**: Understand whether you're dealing with compliance issues, active threats, or configuration drift +* **Distinguish standards vs threats**: Differentiate between compliance violations and active security threats +* **Breakdown by dimensions**: Filter by issue type, resource type, region, or cloud account for focused analysis + + +## Prioritize and search cloud misconfigurations [#prioritize-search] + +After understanding your overall security posture, dive deeper into specific misconfigurations using the detailed views. + +### Problems this workflow solves + +* **Remediation overwhelm**: Not knowing where to start when facing hundreds of misconfigurations +* **Context switching**: Having to jump between multiple tools to understand and fix issues +* **Inefficient triage**: Spending time on low-impact issues instead of critical security risks + +### Access misconfiguration details + +Navigate to the **Misconfigurations** section within Security RX Cloud to view all detected security findings: + +1. Go to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Security RX > Cloud** +2. Select the **Misconfigurations** tab for a detailed list view + +Screenshot of the Security RX misconfigurations list showing detailed view of security findings with priority, severity, and affected resources + +
+ The Misconfigurations tab provides a detailed list view of all security findings with filtering and sorting capabilities. +
+ +### Filter and sort misconfigurations + +Use the filtering and sorting capabilities to focus on what matters most: + +* **Sort by risk level**: Focus on critical and high-severity findings first +* **Filter by resource type**: View misconfigurations for specific services (S3, EC2, RDS, etc.) +* **Sort by detection time**: See the most recently discovered issues +* **Filter by region**: Focus on specific AWS regions +* **Filter by account**: Multi-account environments can filter by specific AWS accounts + +Dashboard for the entity specific vulnerability library + +
+ + **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Security RX > Cloud > Misconfigurations** + +
+ +### Resource-level analysis + +Use the **Resources** tab to understand security issues from a resource perspective: + +* **Contextualize severity profiles**: See how many critical, high, medium, and low findings each resource has +* **Prioritize remediation efforts**: Focus on resources with multiple high-severity findings +* **Understand blast radius**: See which resources are most critical to your infrastructure + +## Triage and remediate individual misconfigurations [#triage-remediate] + +When you've identified a misconfiguration to address, click on it to access detailed information and remediation guidance. + +### Problems this workflow solves + +* **Difficulty assessing impact**: Hard to understand the true risk and affected area of a misconfiguration +* **Research overhead**: Time wasted looking up how to fix security issues +* **Context switching**: Having to leave New Relic to research and implement fixes + +### Understanding misconfiguration details + +Each misconfiguration detail page provides: + +* **Risk assessment**: Why this misconfiguration matters and its potential impact +* **Affected resources**: Complete list of resources with this security finding +* **Resource context**: Current configuration, team ownership, tags, and operational metrics +* **Remediation guidance**: Step-by-step instructions for multiple workflows + +### Access remediation instructions + +Security RX Cloud provides comprehensive, AI-generated remediation playbooks with multiple workflow options: + +* **Console**: Step-by-step instructions for fixing the issue in the AWS Management Console +* **CLI**: Copy-pasteable AWS CLI commands with explanations +* **CloudFormation**: Production-ready Infrastructure as Code snippets +* **Terraform**: Terraform code snippets for infrastructure automation +* **Verification**: Post-fix checklist to confirm the issue is resolved + +### Best practices for engineers + +* **Start with critical findings**: Focus on high-risk misconfigurations that could lead to data exposure +* **Use Infrastructure as Code fixes**: Prefer CloudFormation or Terraform remediation to prevent configuration drift +* **Verify fixes**: Always run the verification steps to ensure the misconfiguration is truly resolved +* **Update your templates**: Apply fixes to your infrastructure code templates to prevent recurrence + +## Integration with development workflow + +Security RX Cloud is designed to fit into your existing development and operational processes: + +* **CI/CD integration**: Use the remediation code snippets in your infrastructure pipelines +* **Incident response**: Quickly identify and fix security issues during incidents +* **Regular maintenance**: Use the overview dashboard for regular security hygiene reviews +* **Team collaboration**: Share misconfiguration details and remediation plans with team members + +Learn more about [understanding misconfiguration prioritization](/docs/vulnerability-management/cloud/prioritization) and [detailed remediation workflows](/docs/vulnerability-management/cloud/remediation). + + + + diff --git a/src/content/docs/vulnerability-management/cloud/overview.mdx b/src/content/docs/vulnerability-management/cloud/overview.mdx new file mode 100644 index 00000000000..2884b429ad1 --- /dev/null +++ b/src/content/docs/vulnerability-management/cloud/overview.mdx @@ -0,0 +1,94 @@ +--- +title: Security RX for Cloud +metaDescription: Monitor and remediate cloud misconfigurations in your AWS environment with Security RX Cloud. +freshnessValidatedDate: never +--- + +Security RX Cloud provides a unified security and posture management solution to streamline the discovery, management, and remediation process for cloud security findings. By integrating with AWS Security Hub, you can automatically synchronize findings and reduce context switching between multiple security tools. + +Screenshot of the Security RX Cloud overview dashboard showing misconfiguration statistics, exposure window, and security insights + +
+ + **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Security RX > Cloud** + +
+ +With Security RX Cloud, you get: + +* **Unified security view**: Aggregate findings from AWS Security Hub, including GuardDuty, Inspector, Config, and third-party CSPM tools +* **Intelligent prioritization**: Advanced risk scoring that considers severity, threat indicators, asset criticality, and public exposure +* **Contextual remediation**: Live configuration data alongside proposed fixes for clear understanding +* **Auto-discovery integration**: Automatic identification of all cloud resources with security enrichment + +## Why Security RX Cloud? + +Cloud environments often generate hundreds or thousands of security findings, making it impossible to address everything at once. Security RX Cloud solves critical challenges: + +* **Reduce alert fatigue**: Focus on the most critical security issues first with intelligent prioritization +* **Eliminate context switching**: View security findings alongside resource configuration in one platform +* **Accelerate remediation**: Access detailed remediation guidance for Console, CLI, and Infrastructure as Code workflows +* **Improve security posture**: Track trends and understand your cloud security over time + +## How Security RX Cloud works + +Security RX Cloud leverages New Relic's core platform capabilities: + +1. **Connect your AWS account**: Set up polling integration with AWS Security Hub +2. **Enable auto-discovery**: Automatically identify all cloud resources (EC2, S3, RDS, etc.) +3. **Security enrichment**: Enhance entities with security findings from AWS Security Hub +4. **Prioritize and remediate**: Use intelligent risk scoring to focus on critical issues + +## View security insights + + + + For engineers + For security teams + + + + +As an engineer, you want to: + +* Maintain healthy cloud infrastructure +* Identify the most urgent misconfigurations in your cloud environment +* Understand the risk each misconfiguration poses +* Access remediation guidance that fits your workflow (Console, CLI, or IaC) + +To dive deeper into these use cases, see [Manage cloud misconfigurations as an engineer](/docs/vulnerability-management/cloud/engineer-workflow/). + + +As a member of a security team, you want to: + +* Calculate the security surface area of your cloud environment +* Understand how cloud architecture affects business risk +* Track security posture trends over time +* Allocate remediation resources strategically + +To dive deeper into these use cases, see [Manage cloud security as a security team](/docs/vulnerability-management/cloud/security-workflow). + + + + +## What's next? + +Ready to start using Security RX Cloud? Follow these steps: + + + + Connect your AWS account and enable auto-discovery + + + + Learn how misconfigurations are ranked by risk scoring + + + + Access detailed remediation guidance for fixing security issues + + diff --git a/src/content/docs/vulnerability-management/cloud/prioritization.mdx b/src/content/docs/vulnerability-management/cloud/prioritization.mdx new file mode 100644 index 00000000000..07756e6a20d --- /dev/null +++ b/src/content/docs/vulnerability-management/cloud/prioritization.mdx @@ -0,0 +1,155 @@ +--- +title: Understand cloud misconfiguration prioritization +metaDescription: Learn how Security RX Cloud intelligently prioritizes cloud misconfigurations using advanced risk scoring algorithms. +freshnessValidatedDate: never +--- + +Security RX Cloud uses intelligent prioritization to help you focus on the most critical security issues first. Our advanced risk scoring algorithm goes beyond basic severity ratings to provide contextual, actionable prioritization that considers multiple risk factors. + +## Why prioritization matters + +Cloud environments often generate hundreds or thousands of security findings, making it impossible to address everything at once. Without intelligent prioritization, teams often: + +* **Focus on the wrong issues**: Spend time on low-impact findings while critical risks go unaddressed +* **Experience alert fatigue**: Become overwhelmed by the volume of security notifications +* **Lack clear direction**: Struggle to know where to start remediation efforts +* **Miss contextual risk**: Ignore how different findings combine to create larger security exposures + +## Security RX Cloud's risk scoring approach + +Our risk scoring engine automatically calculates priority scores by analyzing multiple risk factors to determine the true risk of each finding. This comprehensive approach ensures you focus on the issues that pose the highest actual risk to your organization. + +### Ground truth severity correction [#ground-truth-severity] + +**Problem solved**: AWS Security Hub sometimes labels critical security issues as "INFORMATIONAL," leading to dangerous misconfigurations being ignored. + +**How it works**: Security RX Cloud programmatically corrects misleading severity ratings by cross-referencing findings with official AWS security documentation. If AWS documentation classifies a finding as Critical, we ensure it's scored as Critical in our system, regardless of what the API reports. + +**Example**: An S3 bucket with public read access might be marked as "INFORMATIONAL" by AWS Security Hub, but our system correctly identifies this as "CRITICAL" based on the actual security impact. + +### Active threat detection [#active-threat] + +**Problem solved**: Not all security findings represent the same level of immediate danger. Some indicate active threats that require urgent attention. + +**How it works**: Security RX Cloud automatically adds significant priority bonuses to findings that indicate confirmed threats or active malicious activity, particularly those from AWS GuardDuty. + +**Threat indicators that receive priority bonuses**: +* **MaliciousIPCaller**: Communication with known malicious IP addresses +* **C&CActivity**: Command and control server communication +* **Trojan**: Trojan horse activity detected +* **CryptoCurrency**: Unauthorized cryptocurrency mining activity +* **Backdoor**: Backdoor installation or communication + +### Asset type impact weighting [#asset-impact] + +**Problem solved**: A misconfiguration on a critical infrastructure component poses more risk than the same issue on a development resource. + +**How it works**: Our scoring engine considers the inherent criticality of different AWS resource types and applies higher priority weighting to high-impact assets. + +**High-priority resource types**: +* **AWS::IAM::Role**: Identity and access management roles that control permissions +* **AWS::KMS::Key**: Encryption keys that protect sensitive data +* **AWS::RDS::Instance**: Database instances containing business data +* **AWS::Lambda::Function**: Serverless functions with potentially broad access +* **AWS::EC2::SecurityGroup**: Network security controls + +**Lower-priority resource types**: +* Development and test resources +* Log storage buckets +* Non-critical compute instances + +### Public exposure analysis [#public-exposure] + +**Problem solved**: Resources exposed to the public internet face significantly higher risk than internal-only resources. + +**How it works**: Security RX Cloud analyzes each finding to determine if the affected resource is accessible from the public internet. If public exposure is detected, we add substantial bonus points to the risk score. + +**Public exposure factors**: +* **Internet-facing load balancers**: Resources accessible through public load balancers +* **Public IP addresses**: Instances with direct internet connectivity +* **Open security groups**: Security groups allowing access from 0.0.0.0/0 +* **Public S3 buckets**: Storage buckets with public read or write permissions +* **Public database instances**: Databases accessible from the internet + +## How findings are prioritized [#prioritization-logic] + +### Risk score calculation + +Each misconfiguration receives a comprehensive risk score based on: + +1. **Base severity**: Starting point from the original finding severity +2. **Ground truth correction**: Adjustment based on actual documented impact +3. **Threat indicator bonus**: Additional points for confirmed threats +4. **Asset criticality multiplier**: Weight based on resource importance +5. **Public exposure bonus**: Additional risk for internet-accessible resources +6. **Business context**: Optional weighting based on business criticality tags + +### Priority ranking system + +Security RX Cloud converts risk scores into clear priority rankings: + +* **Critical**: Immediate attention required, highest business risk +* **High**: Address within defined SLA timeframes +* **Medium**: Important but not urgent, schedule for upcoming sprints +* **Low**: Address during regular maintenance cycles + +### Contextual factors + +Beyond automated scoring, Security RX Cloud considers additional context: + +* **Resource tags**: Business criticality, environment type (prod/dev/test), team ownership +* **Compliance frameworks**: Whether findings relate to specific compliance requirements +* **Historical patterns**: Whether this type of finding has been exploited before +* **Interconnected risks**: How findings combine to create larger attack surfaces + +## Types of supported findings [#finding-types] + +Security RX Cloud processes and prioritizes various types of cloud security findings: + +### Configuration-based findings +* **Access control misconfigurations**: Overly permissive IAM policies, public resources +* **Encryption gaps**: Unencrypted data stores, weak encryption configurations +* **Network security issues**: Open security groups, unprotected network resources +* **Logging deficiencies**: Missing audit logs, insufficient monitoring + +### Threat-based findings +* **Malicious activity**: Active threats detected by GuardDuty +* **Suspicious behavior**: Unusual access patterns or resource usage +* **Compromise indicators**: Signs of potential security breaches +* **Attack attempts**: Failed intrusion attempts or reconnaissance activity + +### Compliance-related findings +* **Standards violations**: CIS Benchmark failures, industry standard deviations +* **Regulatory requirements**: SOC 2, PCI DSS, HIPAA compliance gaps +* **Best practice deviations**: AWS Well-Architected Framework violations + +## Using prioritization in your workflow [#workflow-integration] + +### For engineers +* **Focus on critical findings first**: Address high-risk issues before lower-priority items +* **Understand context**: Use the risk explanation to understand why an issue is prioritized +* **Batch similar fixes**: Group related misconfigurations for efficient remediation +* **Verify impact**: Use the public exposure and asset criticality information to validate fixes + +### For security teams +* **Strategic resource allocation**: Direct team efforts toward highest-impact issues +* **SLA management**: Set different response timeframes based on priority levels +* **Risk communication**: Use priority levels to communicate urgency to stakeholders +* **Trend analysis**: Monitor whether high-priority findings are increasing or decreasing + +### Best practices for prioritization +* **Trust the algorithm**: Security RX Cloud's multi-factor approach is more accurate than single-dimension prioritization +* **Consider business context**: Add business criticality tags to resources for better prioritization +* **Regular review**: Periodically review prioritization to ensure it aligns with your risk tolerance +* **Team training**: Educate teams on why certain findings are prioritized higher than others + +## Customizing prioritization [#customization] + +While Security RX Cloud's default prioritization works well for most organizations, you can enhance it by: + +* **Resource tagging**: Add business criticality and environment tags to improve context +* **Team ownership**: Associate resources with responsible teams for better assignment +* **Compliance mapping**: Tag resources with relevant compliance frameworks +* **Business impact classification**: Identify business-critical applications and data stores + +Learn more about [remediation workflows](/docs/vulnerability-management/cloud/remediation) and how to [set up cloud security integration](/docs/vulnerability-management/cloud/setup) to get the most value from intelligent prioritization. \ No newline at end of file diff --git a/src/content/docs/vulnerability-management/cloud/remediation.mdx b/src/content/docs/vulnerability-management/cloud/remediation.mdx new file mode 100644 index 00000000000..c7c0ef3a13e --- /dev/null +++ b/src/content/docs/vulnerability-management/cloud/remediation.mdx @@ -0,0 +1,231 @@ +--- +title: Remediate cloud misconfigurations +metaDescription: Learn how to use Security RX Cloud's AI-generated remediation playbooks to fix cloud security issues across multiple workflows. +freshnessValidatedDate: never +--- + +Security RX Cloud provides comprehensive, AI-generated remediation playbooks that guide you through fixing cloud misconfigurations using your preferred workflow. Instead of researching fixes across multiple sources, you get step-by-step instructions tailored to your tools and processes. + +## Problems remediation playbooks solve + +Traditional cloud security tools often leave you with incomplete information when it comes to actually fixing issues: + +* **Research overhead**: Time wasted looking up how to fix security misconfigurations across AWS documentation and security guides +* **Context switching**: Having to leave your security dashboard to research and implement fixes +* **Workflow mismatch**: Remediation guidance that doesn't match your team's preferred tools and processes +* **Verification uncertainty**: Not knowing how to confirm that a fix was properly implemented +* **Incomplete fixes**: Partial solutions that don't address the root cause of security issues + +## How Security RX Cloud remediation works + +Security RX Cloud's remediation system provides complete, AI-generated playbooks that include: + +### Multiple workflow options +Every misconfiguration includes remediation instructions for different workflows, so you can choose the approach that fits your team's processes. + +### Production-ready code +All code snippets are production-ready and follow security best practices, reducing the risk of introducing new issues while fixing existing ones. + +### Verification steps +Each remediation playbook includes steps to verify that the fix was properly implemented and the security issue is resolved. + +## Remediation workflow options [#workflow-options] + +Security RX Cloud provides remediation instructions for four different workflows, allowing you to choose the approach that best fits your team's processes and tools. + +### Console-based remediation [#console-remediation] + +**Best for**: Quick fixes, one-off remediation, teams preferring graphical interfaces + +The Console workflow provides step-by-step, numbered instructions for fixing misconfigurations using the AWS Management Console. + +**What you get**: +* **Sequential steps**: Clear, numbered instructions that walk you through each click and selection +* **Visual guidance**: Screenshots and descriptions of what you'll see in the AWS console +* **Error handling**: Common issues you might encounter and how to resolve them +* **Verification steps**: How to confirm the fix was applied correctly + +Screenshot showing detailed S3 bucket security misconfiguration with step-by-step remediation instructions including CLI commands and verification steps + +
+ Example of detailed remediation guidance for an S3 bucket misconfiguration, showing multiple workflow options including Console, CLI, and verification steps. +
+ +**Example use cases**: +* Emergency fixes that need immediate implementation +* One-time configuration changes +* Teams new to infrastructure automation +* Development and testing environments + +### CLI-based remediation [#cli-remediation] + +**Best for**: Automation scripts, command-line-first teams, batch operations + +The CLI workflow provides exact, copy-pasteable AWS CLI commands with detailed explanations. + +**What you get**: +* **Copy-pasteable commands**: Ready-to-run AWS CLI commands with all necessary parameters +* **Command explanations**: Clear descriptions of what each command does and why it's necessary +* **Parameter details**: Explanation of command parameters and how to customize them for your environment +* **Error handling**: Common CLI errors and how to troubleshoot them + +**Example use cases**: +* Scripted remediation across multiple resources +* Integration with existing automation tools +* Bulk fixes across multiple AWS accounts +* Teams comfortable with command-line interfaces + +### CloudFormation remediation [#cloudformation-remediation] + +**Best for**: Infrastructure as Code workflows, preventing configuration drift, production environments + +The CloudFormation workflow provides production-ready Infrastructure as Code templates that fix misconfigurations at the source. + +**What you get**: +* **Complete templates**: Ready-to-deploy CloudFormation templates with proper resource definitions +* **Parameter configuration**: Customizable parameters for different environments and use cases +* **Resource relationships**: Proper dependencies and references between related resources +* **Best practices**: Templates follow AWS CloudFormation best practices and security guidelines + +**Example use cases**: +* Production environment fixes that need to be permanent +* Preventing configuration drift by codifying correct configurations +* Teams using Infrastructure as Code for deployment and management +* Fixes that need to be replicated across multiple environments + +### Terraform remediation [#terraform-remediation] + +**Best for**: Terraform-based infrastructure management, multi-cloud environments, DevOps workflows + +The Terraform workflow provides Terraform code snippets that integrate with your existing Terraform configurations. + +**What you get**: +* **Terraform resources**: Properly configured Terraform resource blocks with correct arguments +* **Variable usage**: Examples of how to parameterize configurations for different environments +* **Provider requirements**: Necessary provider configurations and version constraints +* **State management**: Guidance on importing existing resources if needed + +**Example use cases**: +* Teams already using Terraform for infrastructure management +* Multi-cloud environments where Terraform provides consistency +* DevOps workflows that require infrastructure changes to go through version control +* Organizations with Terraform-based CI/CD pipelines + +## Remediation process workflow [#remediation-process] + +### 1. Access misconfiguration details + +Navigate to the specific misconfiguration you want to remediate: + +1. Go to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Security RX > Cloud** +2. Select **Misconfigurations** to view the detailed list +3. Click on the specific misconfiguration you want to fix + +### 2. Understand the issue + +Before implementing fixes, review the misconfiguration details: + +* **Risk assessment**: Why this misconfiguration matters and its potential impact +* **Affected resources**: Complete list of resources with this security finding +* **Business context**: How this issue relates to your applications and data +* **Compliance implications**: Whether this finding affects regulatory compliance + +### 3. Choose your remediation workflow + +Select the remediation tab that matches your preferred workflow: + +* **Console**: For immediate, interactive fixes +* **CLI**: For command-line-based remediation +* **CloudFormation**: For Infrastructure as Code fixes +* **Terraform**: For Terraform-managed infrastructure + +### 4. Implement the fix + +Follow the step-by-step instructions provided for your chosen workflow: + +* **Copy the provided code**: All code snippets are ready to use +* **Customize parameters**: Adjust any parameters for your specific environment +* **Execute the fix**: Implement the remediation following the provided steps +* **Handle errors**: Use the troubleshooting guidance if you encounter issues + +### 5. Verify the fix + +Every remediation playbook includes verification steps: + +* **Confirmation commands**: CLI commands or console checks to verify the fix +* **Expected results**: What you should see if the fix was implemented correctly +* **Troubleshooting**: What to do if verification fails +* **Monitoring**: How to ensure the fix remains in place over time + +## Advanced remediation scenarios [#advanced-scenarios] + +### Bulk remediation across resources + +When the same misconfiguration affects multiple resources: + +* **CLI approach**: Use AWS CLI with loops or scripts to apply fixes across multiple resources +* **Infrastructure as Code**: Update your templates to fix the issue across all affected resources +* **Automation integration**: Integrate remediation commands into your existing automation tools + +### Multi-account remediation + +For organizations with multiple AWS accounts: + +* **Cross-account roles**: Use the provided CLI commands with cross-account role assumptions +* **Account-specific parameters**: Customize the remediation for each account's specific configuration +* **Centralized deployment**: Use AWS Organizations or other centralized deployment tools + +### Environment-specific considerations + +Different environments may require different approaches: + +* **Production**: Prefer Infrastructure as Code approaches to ensure changes are tracked and reversible +* **Development**: Console or CLI approaches may be faster for non-critical environments +* **Testing**: Use remediation as an opportunity to test fixes before applying to production + +## Best practices for remediation [#best-practices] + +### Security considerations + +* **Test fixes first**: Apply fixes to development or testing environments before production +* **Backup configurations**: Take snapshots or backups before making changes +* **Understand impact**: Review how fixes might affect application functionality +* **Monitor after changes**: Watch for any unexpected behavior after implementing fixes + +### Process integration + +* **Change management**: Include security remediation in your change management processes +* **Documentation**: Document what was fixed and why for future reference +* **Team communication**: Notify relevant teams about security fixes that might affect their services +* **Continuous improvement**: Use remediation patterns to improve your security practices + +### Automation opportunities + +* **Script common fixes**: Automate frequently needed remediation tasks +* **CI/CD integration**: Include security fixes in your deployment pipelines +* **Monitoring automation**: Set up alerts to detect when misconfigurations reoccur +* **Policy as code**: Implement preventive controls to avoid future misconfigurations + +## Troubleshooting remediation issues [#troubleshooting] + +### Common remediation challenges + +* **Permission errors**: Ensure you have the necessary IAM permissions for the remediation actions +* **Resource dependencies**: Some fixes may require changes to related resources +* **Timing issues**: Some changes may take time to propagate across AWS services +* **Validation failures**: Resources may not immediately show as fixed due to polling delays + +### Getting help + +If you encounter issues with remediation: + +* **Check prerequisites**: Ensure you have the necessary permissions and access +* **Review error messages**: AWS error messages often provide specific guidance +* **Consult AWS documentation**: The remediation playbooks reference official AWS documentation +* **Contact support**: Reach out to New Relic support for platform-specific issues + +Learn more about [cloud misconfiguration prioritization](/docs/vulnerability-management/cloud/prioritization) to understand which issues to remediate first, and [setup guides](/docs/vulnerability-management/cloud/setup) for configuring Security RX Cloud integration. \ No newline at end of file diff --git a/src/content/docs/vulnerability-management/cloud/security-workflow.mdx b/src/content/docs/vulnerability-management/cloud/security-workflow.mdx new file mode 100644 index 00000000000..63f617db66a --- /dev/null +++ b/src/content/docs/vulnerability-management/cloud/security-workflow.mdx @@ -0,0 +1,187 @@ +--- +title: Manage misconfigurations in your cloud environment as a DevSecOps, Platform, or Security team +metaDescription: Use Security RX Cloud to gain visibility across your organization's cloud security posture and coordinate remediation efforts. +freshnessValidatedDate: never +--- + +As a member of a DevSecOps, platform, or security team, you need comprehensive visibility into your organization's cloud security posture and the ability to coordinate remediation efforts across multiple teams and accounts. Security RX Cloud provides the centralized view and collaboration tools you need to manage cloud security at scale. + +This document covers how to: + +* Gain organization-wide visibility into cloud security posture +* Understand and communicate security risk across stakeholders +* Coordinate remediation efforts with development and operations teams +* Track progress on security improvements over time +* Reduce context switching with automatic synchronization of AWS Security Hub findings + +If this workflow doesn't sound like you, check out our document on [managing vulnerabilities as an engineer](/docs/vulnerability-management/cloud/engineer-workflow). + +## Prerequisites + +Before you begin, ensure you have: + +* [Security RX Cloud integration set up](/docs/vulnerability-management/cloud/setup) across all monitored AWS accounts +* AWS Security Hub enabled in your organization's AWS accounts +* Appropriate permissions to view security data across accounts and regions +* Team access configured for Security RX in New Relic + + + For organization-wide visibility, ensure Security RX Cloud is configured for all AWS accounts in your organization. See our [setup guide](/docs/vulnerability-management/cloud/setup) for multi-account configuration. + + + +## Assess organization-wide cloud security posture [#assess-posture] + +Security RX Cloud provides comprehensive visibility into your organization's cloud security posture, allowing you to identify trends, prioritize remediation efforts, and communicate risk to stakeholders. + +### Problems this approach solves + +* **Fragmented security visibility**: No single view of security posture across multiple AWS accounts and regions +* **Stakeholder communication**: Difficulty explaining security risk and progress to executives and business teams +* **Resource allocation**: Uncertainty about where to focus security team efforts for maximum impact +* **Compliance reporting**: Manual effort required to generate security posture reports + +### Access the organization overview + +Navigate to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Security RX > Cloud** to access your comprehensive cloud security dashboard. + +An image showing the summary Security RX overview page. + +
+ + **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Security RX > Cloud** + +
+ +### Key metrics for security leaders + +The cloud overview provides executive-level insights including: + +* **Total misconfiguration count**: Overall volume and trends over time +* **Risk distribution**: Breakdown of critical, high, medium, and low-risk findings +* **Account-level analysis**: Which AWS accounts pose the highest risk +* **Regional distribution**: Geographic concentration of security issues +* **Resource type analysis**: Which AWS services require the most attention +* **Compliance posture**: Standards-based findings vs. active threat indicators + +Screenshot showing the AWS Account view with detailed breakdown of misconfigurations across different AWS accounts and regions + +
+ The AWS Account view provides detailed insights into which accounts pose the highest security risk and their misconfiguration breakdown. +
+ +### Trending and historical analysis + +Use the time-based controls to understand: + +* **Security posture trajectory**: Whether your organization is improving or degrading over time +* **Remediation velocity**: How quickly teams are addressing security findings +* **New vs. resolved findings**: Balance between new discoveries and remediation efforts +* **Seasonal patterns**: Whether certain times correlate with more security issues + +## Coordinate remediation efforts across teams [#coordinate-remediation] + +Security teams need to coordinate remediation efforts across multiple development and operations teams while tracking progress and ensuring accountability. + +### Problems this workflow solves + +* **Remediation assignment**: Difficulty assigning security findings to the right teams and individuals +* **Progress tracking**: No visibility into whether assigned remediation work is being completed +* **Team collaboration**: Challenges coordinating between security, development, and operations teams +* **Escalation management**: Unclear processes for handling overdue or critical security findings + +### Team-based remediation management + + + + Use Security RX Cloud's entity-based approach to assign remediation work: + + * **Entity ownership mapping**: Associate cloud resources with responsible teams through tagging and metadata + * **Bulk assignment**: Assign multiple related misconfigurations to teams based on resource ownership + * **Workflow integration**: Connect assignments to your existing ticketing and project management systems + * **Notification automation**: Set up alerts when new critical findings are assigned to teams + + Navigate to the **Resources** view to see all cloud resources organized by ownership and security posture. + + Screenshot of the Security RX Resources dashboard showing cloud resources breakdown by misconfigurations and severity + +
+ The Resources view provides a comprehensive breakdown of cloud resources organized by security posture and ownership. +
+ + + + Monitor organization-wide remediation efforts through comprehensive tracking: + + * **Team dashboards**: See which teams have outstanding security work and their remediation velocity + * **SLA monitoring**: Track whether teams are meeting security remediation service level agreements + * **Escalation triggers**: Automatically escalate overdue critical findings to management + * **Progress reporting**: Generate reports showing security improvement trends across teams + + Use filtering to view progress by team, severity, or finding type for focused management. + + + + Facilitate collaboration between security and development teams: + + * **Shared context**: Provide teams with the same view of security findings and their business impact + * **Remediation guidance**: Share Security RX Cloud's detailed remediation instructions with development teams + * **Verification collaboration**: Work with teams to verify that fixes are properly implemented + * **Knowledge sharing**: Use remediation patterns to educate teams on secure configuration practices + + The individual finding detail pages provide all the context teams need to understand and fix security issues. + + + +## Advanced security team workflows [#advanced-workflows] + +### Risk-based prioritization for security leaders + +Security teams need to make strategic decisions about resource allocation and risk acceptance: + +* **Risk scoring validation**: Review and adjust Security RX Cloud's intelligent risk scoring based on organizational context +* **Compliance mapping**: Understand which findings relate to specific compliance frameworks (SOC 2, PCI DSS, etc.) +* **Business impact assessment**: Correlate security findings with business-critical applications and data +* **Risk acceptance documentation**: Track decisions about accepted risks and their justifications + +### Metrics and KPIs for security programs + +Use Security RX Cloud data to measure and improve your security program: + +* **Mean time to remediation (MTTR)**: Track how quickly your organization addresses security findings +* **Security debt**: Monitor the accumulation of unaddressed security findings over time +* **Team performance**: Compare remediation velocity across different teams and applications +* **Trend analysis**: Identify whether your security posture is improving over time + +### Integration with security tools and processes + +* **SIEM integration**: Export security findings to your Security Information and Event Management system +* **Ticketing integration**: Automatically create tickets in Jira, ServiceNow, or other systems +* **Compliance reporting**: Generate reports for auditors and compliance teams +* **Executive dashboards**: Create executive-level views of security posture and progress + +Learn more about [understanding misconfiguration prioritization](/docs/vulnerability-management/cloud/prioritization) and [detailed remediation workflows](/docs/vulnerability-management/cloud/remediation) to support your team coordination efforts. diff --git a/src/content/docs/vulnerability-management/cloud/setup.mdx b/src/content/docs/vulnerability-management/cloud/setup.mdx new file mode 100644 index 00000000000..3a6f8404e04 --- /dev/null +++ b/src/content/docs/vulnerability-management/cloud/setup.mdx @@ -0,0 +1,195 @@ +--- +title: Set up Security RX Cloud integration +metaDescription: Complete guide to integrating AWS Security Hub with Security RX Cloud for cloud misconfiguration management. +freshnessValidatedDate: never +--- + +Security RX Cloud provides a unified security and posture management solution to streamline the discovery, management, and remediation process for cloud security findings. This guide walks you through setting up the integration with AWS Security Hub. + +## Overview + +Security RX Cloud uses a **polling integration** with AWS Security Hub, which is different from the existing webhook-based integration. This polling method allows for more comprehensive data collection and better integration with New Relic's auto-discovery capabilities. + +## Prerequisites + +Before setting up Security RX Cloud, ensure you have: + +* A New Relic account with Security RX access and appropriate user permissions +* An AWS account with [AWS Security Hub enabled](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) +* Appropriate IAM permissions for the integration +* A New Relic [license key](/docs/accounts-partnerships/install-new-relic/account-setup/license-key) for the account you want to report data to + +## Connect your AWS account + +There are two setup paths depending on whether you're a new user or already have an existing AWS integration with New Relic. + +### For new users + +If you're connecting your AWS account to New Relic for the first time: + + + + ### Navigate to the integration setup + + 1. From the New Relic platform, navigate to **Infrastructure > AWS** + 2. Click **Add an AWS account** and follow the guided instructions + 3. For detailed guidance on the API polling integration, see our [AWS integration documentation](/docs/infrastructure/amazon-integrations/connect/set-up-aws-api-polling/) + + + + ### Choose Security Hub Configuration + + 1. During the setup process, you'll see integration options including **Security Hub Configuration** + 2. Select **Security Hub Configuration** to enable cloud security monitoring + + Screenshot showing the AWS integration setup page with Security Hub configurations option selected + +
+ Select Security Hub configurations during the AWS integration setup process. +
+ + 3. Choose your preferred setup method: + * **CloudFormation** (recommended for most users) + * **Manual integration** (for custom configurations) + * **Terraform** (for infrastructure as code workflows) + + + + ### Configure auto-discovery + + 1. When prompted, enable auto-discovery to automatically identify cloud resources + 2. Select the AWS regions you want to monitor + 3. Choose your polling frequency: + * **6 hours** (more frequent updates) + * **12 hours** (standard frequency) + 4. Save your configuration + + + + ### Complete the setup + + 1. Follow the remaining guided setup steps + 2. If using CloudFormation, launch the provided template in your AWS account + 3. Verify the integration is working by checking for incoming data + + + +### For existing AWS integration users + +If you already have an AWS account connected to New Relic: + + + + ### Access integration management + + 1. Navigate to **Infrastructure > AWS** + 2. Find your existing AWS account integration + 3. Click **Manage AWS Integration** + + + + ### Install Security Hub integration + + 1. Look for **AWS Security Hub** in the available integrations list + 2. If not already configured, you'll see an **Install** button + 3. Click **Install** to begin the setup process + + + + ### Configure Security Hub settings + + 1. Select your polling frequency (6 or 12 hours) + 2. Choose which AWS regions to monitor + 3. Save your configuration + + + + ### Install auto-discovery (optional but recommended) + + 1. Look for **AWS Auto Discovery** in the integration list + 2. If not already enabled, click **Install** + 3. Configure regional settings and scanning frequency + 4. Save the auto-discovery configuration + + + +## How auto-discovery works with SRX Cloud + +Security RX Cloud is built to leverage New Relic's core platform capabilities through auto-discovery: + +### Resource identification + +When you connect your AWS account and enable auto-discovery, our system: + +* Automatically identifies all your cloud resources (EC2 instances, S3 buckets, RDS databases, etc.) +* Brings them into New Relic as monitored entities +* Fetches live configuration data for these resources + +### Security enrichment + +Security RX Cloud then enhances these entities by: + +* Enriching them with security findings from AWS Security Hub +* Providing contextual information about misconfigurations +* Displaying current resource configuration alongside proposed remediation steps + +This integration makes it easy to see exactly what's wrong with a resource and how the proposed fix will correct it. + +## Integration with CSPM vendors + +### AWS Security Hub options + +Security RX Cloud integrates with AWS Security Hub, which can aggregate findings from multiple security tools: + +* **AWS native services**: GuardDuty, Inspector, Config, etc. +* **Third-party CSPM tools**: Any tool that publishes findings to Security Hub +* **Custom security findings**: Your own security tools that integrate with Security Hub + +### Understanding the golden path + +For optimal outcomes with Security RX Cloud: + +1. **Enable AWS Security Hub** as your central security findings aggregator +2. **Configure your preferred CSPM tools** to publish findings to Security Hub +3. **Use auto-discovery** to ensure all resources are monitored and contextualized +4. **Set appropriate polling frequency** based on your security requirements + +## Troubleshooting common setup issues + +### Integration not showing data + +If you don't see security findings after setup: + +* Verify AWS Security Hub is enabled in your monitored regions +* Check that your IAM permissions include Security Hub read access +* Confirm that security findings exist in AWS Security Hub +* Wait for the next polling cycle (up to 12 hours depending on your settings) + +### Auto-discovery not finding resources + +If resources aren't being discovered: + +* Verify auto-discovery is enabled for the correct regions +* Check IAM permissions for EC2, S3, RDS, and other service read access +* Ensure resources exist in the monitored regions +* Wait for the next discovery scan + +### Performance considerations + +* Choose polling frequency based on your security response requirements +* Monitor usage to ensure you're within your New Relic data limits +* Consider regional scope to focus on your most critical environments + +## Next steps + +After completing the integration setup: + +* Review the [cloud misconfiguration prioritization guide](/docs/vulnerability-management/cloud/prioritization) to understand how findings are scored +* Learn about [remediation workflows](/docs/vulnerability-management/cloud/remediation) for fixing misconfigurations +* Choose your workflow based on your role: + * [Workflow for engineers](/docs/vulnerability-management/cloud/engineer-workflow) + * [Workflow for security teams](/docs/vulnerability-management/cloud/security-workflow) \ No newline at end of file diff --git a/src/content/docs/vulnerability-management/integrations/aws.mdx b/src/content/docs/vulnerability-management/getting-started/integrations/aws.mdx similarity index 100% rename from src/content/docs/vulnerability-management/integrations/aws.mdx rename to src/content/docs/vulnerability-management/getting-started/integrations/aws.mdx diff --git a/src/content/docs/vulnerability-management/integrations/fossa.mdx b/src/content/docs/vulnerability-management/getting-started/integrations/fossa.mdx similarity index 100% rename from src/content/docs/vulnerability-management/integrations/fossa.mdx rename to src/content/docs/vulnerability-management/getting-started/integrations/fossa.mdx diff --git a/src/content/docs/vulnerability-management/integrations/intro.mdx b/src/content/docs/vulnerability-management/getting-started/integrations/overview.mdx similarity index 85% rename from src/content/docs/vulnerability-management/integrations/intro.mdx rename to src/content/docs/vulnerability-management/getting-started/integrations/overview.mdx index 47fa2ab3d93..de7bb8c9669 100644 --- a/src/content/docs/vulnerability-management/integrations/intro.mdx +++ b/src/content/docs/vulnerability-management/getting-started/integrations/overview.mdx @@ -2,7 +2,11 @@ title: Security RX integrations overview redirects: - /docs/vulnerability-management/intgrations/overview + - /docs/vulnerability-management/intgrations/overview/ - /docs/vulnerability-management/integrations/overview + - /docs/vulnerability-management/integrations/overview/ + - /docs/vulnerability-management/integrations/intro + - /docs/vulnerability-management/integrations/intro/ metaDescription: 'Send your security data from third party applications, APM agents, or through our security data API.' freshnessValidatedDate: never --- @@ -66,7 +70,7 @@ CVE detection coverage differs between agents: - Minimum agent verion + Minimum agent version @@ -242,4 +246,26 @@ Import data from your other security tools directly into New Relic. We currently ## Security data API -Send data directly to New Relic through our security data API. Use this when a tool-specific integration doesn't exist or if sending payloads directly to New Relic works best for your workflow. Learn more [here](/docs/vulnerability-management/integrations/security-data-api). \ No newline at end of file +Send data directly to New Relic through our security data API. Use this when a tool-specific integration doesn't exist or if sending payloads directly to New Relic works best for your workflow. Learn more [here](/docs/vulnerability-management/integrations/security-data-api). + +## What's next? + +After configuring your integrations, start monitoring vulnerabilities: + + + + Monitor vulnerabilities in your application dependencies + + + + Monitor vulnerabilities in your OS packages and distributions + + + + Learn how vulnerabilities are ranked by CVSS, EPSS, and ransomware data + + + + Get notified when vulnerabilities are detected + + diff --git a/src/content/docs/vulnerability-management/integrations/snyk-troubleshooting.mdx b/src/content/docs/vulnerability-management/getting-started/integrations/snyk-troubleshooting.mdx similarity index 100% rename from src/content/docs/vulnerability-management/integrations/snyk-troubleshooting.mdx rename to src/content/docs/vulnerability-management/getting-started/integrations/snyk-troubleshooting.mdx diff --git a/src/content/docs/vulnerability-management/integrations/snyk.mdx b/src/content/docs/vulnerability-management/getting-started/integrations/snyk.mdx similarity index 100% rename from src/content/docs/vulnerability-management/integrations/snyk.mdx rename to src/content/docs/vulnerability-management/getting-started/integrations/snyk.mdx diff --git a/src/content/docs/vulnerability-management/integrations/trivy.mdx b/src/content/docs/vulnerability-management/getting-started/integrations/trivy.mdx similarity index 100% rename from src/content/docs/vulnerability-management/integrations/trivy.mdx rename to src/content/docs/vulnerability-management/getting-started/integrations/trivy.mdx diff --git a/src/content/docs/vulnerability-management/overview.mdx b/src/content/docs/vulnerability-management/getting-started/overview.mdx similarity index 56% rename from src/content/docs/vulnerability-management/overview.mdx rename to src/content/docs/vulnerability-management/getting-started/overview.mdx index df330d12955..bd57a57f9c2 100644 --- a/src/content/docs/vulnerability-management/overview.mdx +++ b/src/content/docs/vulnerability-management/getting-started/overview.mdx @@ -1,8 +1,7 @@ --- -title: Get started with Security RX -metaDescription: Use Security RX to identify blindspots and remediate vulnerabilities. -redirects: -- /docs/vulnerability-management +title: Get started with Security RX +metaDescription: Use Security RX to identify blindspots and remediate vulnerabilities + freshnessValidatedDate: never --- @@ -22,9 +21,9 @@ Modern software is composed of thousands of components, and legacy security offe With Security RX, you get: -* A birds-eye view of all vulnerabilities, including the ones that are detected by the New Relic platform and our integration partners such as [FOSSA](/docs/vulnerability-management/integrations/fossa/), [AWS Security Hub](/docs/vulnerability-management/integrations/aws/), [Trivy](/docs/vulnerability-management/integrations/trivy), [Snyk](/docs/vulnerability-management/integrations/snyk/), [Dependabot](/install/vm/), and more. +* A birds-eye view of all vulnerabilities, including the ones that are detected by the New Relic platform and our integration partners such as [FOSSA](/docs/vulnerability-management/getting-started/integrations/fossa/), [AWS Security Hub](/docs/vulnerability-management/getting-started/integrations/aws/), [Trivy](/docs/vulnerability-management/getting-started/integrations/trivy), [Snyk](/docs/vulnerability-management/getting-started/integrations/snyk/), [Dependabot](/install/vm/), and more. -* Continuous run-time visibility of vulnerabilities in your applications and infrastructure +* Continuous run-time visibility of vulnerabilities in your applications, infrastructure, and cloud environments * Near real-time deployment validation of security patches @@ -52,7 +51,7 @@ As an engineer, you want to: * Understand the risk each vulnerability poses * Surface "security" tasks from the security team in your daily workflow so it's easy to deliver more secure software with less toil -To dive deeper into these use cases, see [Manage vulnerabilities as an engineer](/docs/vulnerability-management/dev-workflow/). +To dive deeper into these use cases, see [Monitor application security](/docs/vulnerability-management/applications/monitor-entity-security/). As a member of a security team, you want to: @@ -60,9 +59,37 @@ As a member of a security team, you want to: * Calculate the vulnerability surface area of your software systems * Understand how runtime architecture of each application affects business risk, vulnerability, and severity -To dive deeper into these use cases, see [Manage vulnerabilities as a security team](/docs/vulnerability-management/security-workflow). +To dive deeper into these use cases, see [Manage application vulnerabilities](/docs/vulnerability-management/applications/manage-organization-vulnerabilities). +## What's next? + +Ready to start using Security RX? Follow these steps: + + + + Verify you have the required permissions and access + + + + Configure APM agents, Infrastructure agents, or third-party tools + + + + Learn how vulnerabilities are ranked by CVSS, EPSS, and ransomware data + + + + Monitor vulnerabilities in your application dependencies + + + + Monitor vulnerabilities in your OS packages and distributions + + + Monitor and remediate cloud misconfigurations in your AWS environment + + diff --git a/src/content/docs/vulnerability-management/user-roles.mdx b/src/content/docs/vulnerability-management/getting-started/prerequisites.mdx similarity index 69% rename from src/content/docs/vulnerability-management/user-roles.mdx rename to src/content/docs/vulnerability-management/getting-started/prerequisites.mdx index 91ac8f43d62..cbae5a9861f 100644 --- a/src/content/docs/vulnerability-management/user-roles.mdx +++ b/src/content/docs/vulnerability-management/getting-started/prerequisites.mdx @@ -1,6 +1,9 @@ --- -title: Prerequisite and user roles for Security RX +title: Prerequisites and user roles for Security RX metaDescription: Learn how to manage user roles in New Relic Security RX. +redirects: + - /docs/vulnerability-management/user-roles + - /docs/vulnerability-management/user-roles/ freshnessValidatedDate: never --- @@ -15,9 +18,9 @@ Before you can use the Security RX capability, you must have the following: * Vulnerability data through one of these sources: - An Application instrumented with [New Relic's APM agent](/docs/apm/new-relic-apm/getting-started/introduction-apm/) - **or** a host monitored with [New Relic's Infrastructure Agent](/docs/infrastructure/infrastructure-agent/new-relic-guided-install-overview/) - - **or** Vulnerability data sent through [one of our integrations](/docs/vulnerability-management/integrations/overview). + - **or** Vulnerability data sent through [one of our integrations](/docs/vulnerability-management/getting-started/integrations/overview). - For more information on security RX pricing, see our [pricing docs](/docs/licenses/license-information/usage-plans/new-relic-one-usage-plan-descriptions/#list-price). + For more information on Security RX pricing, see our [pricing docs](/docs/licenses/license-information/usage-plans/new-relic-one-usage-plan-descriptions/#list-price). ### Capabilities used by Security RX @@ -45,3 +48,24 @@ For more information about custom roles, see [user roles](/docs/accounts/account Users with the ability to create/adjust roles within their organization can modify who has access to Security RX feature. You can remove access from Security RX by creating a custom role that does not have 'read' permissions for the 'vulnerabilities' capability. You must then apply this custom role to the users that you wish to restrict. +## What's next? + +Now that you've verified your prerequisites, set up your first integration: + + + + Configure APM agents, Infrastructure agents, or third-party security tools + + + + Learn how Security RX ranks vulnerabilities by risk + + + + Start monitoring application vulnerabilities + + + + Start monitoring infrastructure vulnerabilities + + diff --git a/src/content/docs/vulnerability-management/understanding-prioritization.mdx b/src/content/docs/vulnerability-management/getting-started/prioritization.mdx similarity index 82% rename from src/content/docs/vulnerability-management/understanding-prioritization.mdx rename to src/content/docs/vulnerability-management/getting-started/prioritization.mdx index f0beba52266..1c3dbdcda40 100644 --- a/src/content/docs/vulnerability-management/understanding-prioritization.mdx +++ b/src/content/docs/vulnerability-management/getting-started/prioritization.mdx @@ -1,6 +1,9 @@ --- title: Understanding vulnerability prioritization -metaDescription: Use Security RX to overcome blindspots and assign remediation to developers as a security team. +metaDescription: Learn how Security RX prioritizes vulnerabilities based on CVSS, EPSS, and active ransomware data. +redirects: + - /docs/vulnerability-management/understanding-prioritization + - /docs/vulnerability-management/understanding-prioritization/ freshnessValidatedDate: never --- @@ -180,3 +183,25 @@ The priority ranking is based on all known data about a vulnerability. The **Rea ### Example of ranking logic A vulnerability that's "high" severity with an EPSS of "exploit probable" might rank higher than a vulnerability with a "critical" severity with an EPSS level that's lower than an 85th percentile probability of exploitation. + +## What's next? + +Now that you understand how vulnerabilities are prioritized, start managing them: + + + + Start monitoring and remediating application vulnerabilities + + + + Start monitoring and remediating infrastructure vulnerabilities + + + + Change status to Ignored, Affected, or Fixed + + + + Get notified when high-priority vulnerabilities are detected + + diff --git a/src/content/docs/vulnerability-management/security-workflow-infra.mdx b/src/content/docs/vulnerability-management/infrastructure/manage-infrastructure-vulnerabilities.mdx similarity index 61% rename from src/content/docs/vulnerability-management/security-workflow-infra.mdx rename to src/content/docs/vulnerability-management/infrastructure/manage-infrastructure-vulnerabilities.mdx index 370e9fabe8b..712d62d57a0 100644 --- a/src/content/docs/vulnerability-management/security-workflow-infra.mdx +++ b/src/content/docs/vulnerability-management/infrastructure/manage-infrastructure-vulnerabilities.mdx @@ -1,22 +1,24 @@ --- -title: Manage infrastructure vulnerabilities as DevSecOps, Platform, or Security security team -metaDescription: Use Security RX to overcome blindspots and assign remediation to developers as a security team. +title: Manage infrastructure vulnerabilities as DevSecOps, Platform, or Security team +metaDescription: Monitor and remediate infrastructure vulnerabilities across your entire organization with Security RX. +redirects: + - /docs/vulnerability-management/security-workflow-infra + - /docs/vulnerability-management/security-workflow-infra/ freshnessValidatedDate: never --- - -We're still working on this feature, but we'd love for you to try it out! - -This feature is currently provided as part of a preview program pursuant to our [pre-release policies](/docs/licenses/license-information/referenced-policies/new-relic-pre-release-policy) and [service specific terms](https://newrelic.com/termsandconditions/service-specific).. - - + +Security RX for Infrastructure is currently in preview. We're actively improving this feature and would love your feedback. + +This feature is provided as part of a preview program pursuant to our [pre-release policies](/docs/licenses/license-information/referenced-policies/new-relic-pre-release-policy) and [service specific terms](https://newrelic.com/termsandconditions/service-specific). + This document covers how to: * Calculate the vulnerability surface area of your infrastructure -* Understand how runtime architecture of each application affects business risk, vulnerability and severity +* Understand how runtime architecture of each host affects business risk, vulnerability and severity -If this workflow doesn't sound like you, check out our document on [managing vulnerabilities as a developer](/docs/vulnerability-management/dev-workflow). +If this workflow doesn't sound like you, check out our document on [monitoring vulnerabilities for a specific host](/docs/vulnerability-management/infrastructure/monitor-host-security). ## View the vulnerability surface area of your infrastructure hosts [#vulnerability-area] @@ -46,7 +48,7 @@ Dig deeper into the security of your system by auditing the vulnerability of all > - To review the vulnerability status of all your entities, from the **Security RX - Infrastructure > Overview** page, select **[Entities](https://one.newrelic.com/vulnerability-management/infra-entities)**. This view shows all your entities and allows you prioritize vulnerability remediation based on weighted vulnerabilities scores and severity profiles. - - Click an entity to open up a **scoped entity** view. Learn more about our scoped entity view in our document on [managing vulnerabilities as a developer](/docs/vulnerability-management/dev-workflow). + - Click an entity to open up a **scoped entity** view. Learn more about our scoped entity view in our document on [monitoring host-level security](/docs/vulnerability-management/infrastructure/monitor-host-security). @@ -54,7 +56,7 @@ Dig deeper into the security of your system by auditing the vulnerability of all - In the **Security RX** page, under **Security RX - Infrastructure** section, select **Distributions** to review the security impact of all OS distributions in your system. This view shows all the distributions used by your services and their security impact through vulnerability counts and severity. @@ -81,3 +83,23 @@ Dig deeper into the security of your system by auditing the vulnerability of all + +## What's next? + + + + Drill down into specific hosts to see entity-level vulnerability details + + + + Change status to Ignored, Affected, or Fixed for remediation tracking + + + + Get notified when new infrastructure vulnerabilities are detected + + + + Build custom infrastructure security dashboards with NRQL + + diff --git a/src/content/docs/vulnerability-management/infra-workflow.mdx b/src/content/docs/vulnerability-management/infrastructure/monitor-host-security.mdx similarity index 51% rename from src/content/docs/vulnerability-management/infra-workflow.mdx rename to src/content/docs/vulnerability-management/infrastructure/monitor-host-security.mdx index dd59d9a9b9c..29e6f88e3bf 100644 --- a/src/content/docs/vulnerability-management/infra-workflow.mdx +++ b/src/content/docs/vulnerability-management/infrastructure/monitor-host-security.mdx @@ -1,29 +1,31 @@ --- -title: Manage vulnerabilities for your infrastructure -metaDescription: Use Vulnerability Management to maintain a healthy application and remediate vulnerabilities as a developer. +title: Monitor host security (entity view) +metaDescription: Monitor and remediate vulnerabilities in a specific infrastructure host with Security RX entity-scoped views. +redirects: + - /docs/vulnerability-management/infra-workflow + - /docs/vulnerability-management/infra-workflow/ freshnessValidatedDate: never --- - -We're still working on this feature, but we'd love for you to try it out! - -This feature is currently provided as part of a preview program pursuant to our [pre-release policies](/docs/licenses/license-information/referenced-policies/new-relic-pre-release-policy) and [service specific terms](https://newrelic.com/termsandconditions/service-specific).. - - + +Security RX for Infrastructure is currently in preview. We're actively improving this feature and would love your feedback. + +This feature is provided as part of a preview program pursuant to our [pre-release policies](/docs/licenses/license-information/referenced-policies/new-relic-pre-release-policy) and [service specific terms](https://newrelic.com/termsandconditions/service-specific). + This document covers how to: * Identify the vulnerabilities with the highest risk in your infrastructure -* Understand the risk vulnerabilities +* Understand vulnerability risk for specific hosts * Surface tasks from your security team in your daily workflow so it's easy to deliver more secure infrastructure -If this workflow doesn't sound like you, check out our document on [managing vulnerabilities as a security team](/docs/vulnerability-management/security-workflow). +If this workflow doesn't sound like you, check out our document on [managing vulnerabilities across all infrastructure](/docs/vulnerability-management/infrastructure/manage-infrastructure-vulnerabilities). ## Maintain the vulnerability health of your infrastructure Once vulnerability data starts flowing into New Relic, you can access your data through various scoped views. -To monitor the health of specific applications or services, navigate to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Infrastructure > (select an entity) > Security > Summary** and use the **entity scoped** view. For a larger scope, refer to our document on [managing vulnerabilities as a security team](/docs/vulnerability-management/security-workflow). +To monitor the health of specific hosts, navigate to **[one.newrelic.com > All capabilities](https://one.newrelic.com/all-capabilities) > Infrastructure > (select an entity) > Security > Summary** and use the **entity scoped** view. For a larger scope, refer to our document on [managing vulnerabilities organization-wide](/docs/vulnerability-management/infrastructure/manage-infrastructure-vulnerabilities). + + View vulnerability surface area across all infrastructure hosts + + + + Mark vulnerabilities as Ignored, Affected, or Fixed + + + + Get notified when vulnerabilities are detected in your infrastructure + + + Configure additional data sources for infrastructure vulnerability detection + + diff --git a/src/content/docs/vulnerability-management/infrastructure/overview.mdx b/src/content/docs/vulnerability-management/infrastructure/overview.mdx new file mode 100644 index 00000000000..2fd6cda34c6 --- /dev/null +++ b/src/content/docs/vulnerability-management/infrastructure/overview.mdx @@ -0,0 +1,206 @@ +--- +title: Security RX for Infrastructure +metaDescription: Monitor and remediate vulnerabilities in your infrastructure OS packages and distributions with Security RX. +freshnessValidatedDate: never +--- + + +Security RX for Infrastructure is currently in preview. We're actively improving this feature and would love your feedback. + +This feature is provided as part of a preview program pursuant to our [pre-release policies](/docs/licenses/license-information/referenced-policies/new-relic-pre-release-policy) and [service specific terms](https://newrelic.com/termsandconditions/service-specific). + + +Security RX for Infrastructure helps you identify, prioritize, and remediate vulnerabilities in your infrastructure hosts, operating systems, and installed packages. Monitor security across your entire infrastructure fleet or drill down into specific hosts to understand their security posture. + +## What you can do + +With Security RX for Infrastructure, you can: + +* **Detect vulnerabilities** in OS distributions and installed packages automatically through Infrastructure agents +* **Track package versions** and identify outdated components across your fleet +* **Monitor host-level security** with entity-scoped views +* **Manage infrastructure security** organization-wide with comprehensive dashboards +* **View upgrade recommendations** for vulnerable packages and distributions + +## How to get started + +Before using Security RX for Infrastructure, make sure you have: + +1. **[Set up prerequisites and user roles](/docs/vulnerability-management/getting-started/prerequisites)** - Ensure you have the required permissions +2. **[Installed the Infrastructure agent](/docs/vulnerability-management/getting-started/integrations/overview#supported-os-distributions-and-package-managers)** - Deploy agents to your hosts +3. **Verified your OS is supported** - Check the list of supported Linux distributions below + +## Choose your workflow + +Security RX provides two complementary views for managing infrastructure vulnerabilities: + +### Organization view: Manage all infrastructure + +Best for security teams, DevSecOps, and platform engineers who need to: +- Calculate the vulnerability surface area across all hosts +- Identify which hosts and packages pose the highest risk +- Track OS distributions and package versions in use +- Monitor security hygiene metrics infrastructure-wide + +**→ [Manage infrastructure vulnerabilities](/docs/vulnerability-management/infrastructure/manage-infrastructure-vulnerabilities)** + +### Entity view: Monitor specific hosts + +Best for site reliability engineers, system administrators, and infrastructure teams who need to: +- Monitor vulnerabilities in specific hosts +- Track package vulnerabilities and available upgrades +- View security summaries for individual infrastructure entities +- Integrate security tasks into infrastructure maintenance workflows + +**→ [Monitor host-level security](/docs/vulnerability-management/infrastructure/monitor-host-security)** + +## Supported operating systems + +Security RX for Infrastructure supports the following Linux distributions: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ OS Distribution + + Package Manager + + Detection Coverage +
+ Debian Debian + + DPKG + + Installed packages +
+ Ubuntu Ubuntu + + DPKG + + Installed packages +
+ Amazon Linux Amazon Linux + + RPM + + Installed packages +
+ CentOS CentOS + + RPM + + Installed packages +
+ RHEL RHEL & Oracle Linux + + RPM + + Installed packages +
+ SLES SLES + + RPM + + Installed packages +
+ +For complete requirements and setup instructions, see [Infrastructure agent integration](/docs/vulnerability-management/getting-started/integrations/overview#supported-os-distributions-and-package-managers). + +## Data sources + +Security RX for Infrastructure collects vulnerability data from: + +* **Infrastructure agents** - Automatic detection of vulnerabilities in OS packages and distributions +* **Package inventory** - Real-time tracking of installed packages and versions +* **CVE databases** - Continuous monitoring of known vulnerabilities affecting your OS distributions + +Learn more about [configuring the Infrastructure agent](/docs/vulnerability-management/getting-started/integrations/overview). + +## Key differences from application security + +Infrastructure vulnerability management focuses on: + +* **Operating system vulnerabilities** - CVEs in the OS itself +* **System packages** - Vulnerabilities in installed system-level packages +* **Package managers** - RPM and DPKG managed components +* **Host-level security** - Security posture of individual servers and containers + +This complements Security RX for Applications, which focuses on application-level dependencies and libraries. + +## What's next? + + + + View vulnerability surface area across all hosts + + + + Track vulnerabilities in a specific host + + + + Get notified when new vulnerabilities are detected + + + + Change status to Ignored, Affected, or Fixed + + diff --git a/src/i18n/translations/en/translation.json b/src/i18n/translations/en/translation.json index 065ec68e37e..9aa98ce222b 100644 --- a/src/i18n/translations/en/translation.json +++ b/src/i18n/translations/en/translation.json @@ -257,7 +257,7 @@ { "title": "Security RX", "text": "Audit your application, infrastructure entities, software libraries, or OS distribution and packages for security vulnerabilities and take action to remediate and reduce risk.", - "to": "https://docs.newrelic.com/docs/vulnerability-management/overview/", + "to": "https://docs.newrelic.com/docs/vulnerability-management/getting-started/overview/", "icon": "nr-vulnerability" } ] diff --git a/src/i18n/translations/es/translation.json b/src/i18n/translations/es/translation.json index 43c7e932c89..b8fb6ef4a12 100644 --- a/src/i18n/translations/es/translation.json +++ b/src/i18n/translations/es/translation.json @@ -272,7 +272,7 @@ { "title": "Gestión de vulnerabilidades", "text": "Examina tus aplicaciones, entidades y bibliotecas de software en busca de vulnerabilidades de seguridad y toma las medidas necesarias para corregir y reducir los riesgos.", - "to": "https://docs.newrelic.com/docs/vulnerability-management/overview/", + "to": "https://docs.newrelic.com/docs/vulnerability-management/getting-started/overview/", "icon": "nr-vulnerability" }, diff --git a/src/i18n/translations/fr/translation.json b/src/i18n/translations/fr/translation.json index cb8f808c81b..646b25937af 100644 --- a/src/i18n/translations/fr/translation.json +++ b/src/i18n/translations/fr/translation.json @@ -273,7 +273,7 @@ { "title" : "Gestion des vulnérabilités", "text" : "Auditez vos applications, entités et bibliothèques de logiciels pour détecter les vulnérabilités de sécurité et prenez des mesures pour corriger et réduire les risques.", - "to" : "https://docs.newrelic.com/docs/vulnerability-management/overview/", + "to" : "https://docs.newrelic.com/docs/vulnerability-management/getting-started/overview/", "icon" : "nr-vulnerability" }] }, diff --git a/src/i18n/translations/jp/translation.json b/src/i18n/translations/jp/translation.json index ab56fd2be7d..e66facaa772 100644 --- a/src/i18n/translations/jp/translation.json +++ b/src/i18n/translations/jp/translation.json @@ -272,7 +272,7 @@ { "title": "脆弱性管理", "text": "アプリケーション、エンティティ、ソフトウェアライブラリのセキュリティに関する脆弱性を監査し、修正アクションを実行してリスクを低減。", - "to": "https://docs.newrelic.com/docs/vulnerability-management/overview/", + "to": "https://docs.newrelic.com/docs/vulnerability-management/getting-started/overview/", "icon": "nr-vulnerability" }, diff --git a/src/i18n/translations/kr/translation.json b/src/i18n/translations/kr/translation.json index 3767f7fdba7..4c558e90c1d 100644 --- a/src/i18n/translations/kr/translation.json +++ b/src/i18n/translations/kr/translation.json @@ -266,7 +266,7 @@ { "title": "취약점 관리", "text": "애플리케이션, 엔터티 및 소프트웨어 라이브러리에서 보안 취약점 여부를 감사하고 위험을 해결 및 완화할 수 있는 조치를 취할 수 있습니다.", - "to": "https://docs.newrelic.com/docs/vulnerability-management/overview/", + "to": "https://docs.newrelic.com/docs/vulnerability-management/getting-started/overview/", "icon": "nr-vulnerability" }, diff --git a/src/i18n/translations/pt/translation.json b/src/i18n/translations/pt/translation.json index 44e4b2c72f9..01c2ce0f67e 100644 --- a/src/i18n/translations/pt/translation.json +++ b/src/i18n/translations/pt/translation.json @@ -272,7 +272,7 @@ { "title": "Gerenciamento de vulnerabilidades", "text": "Faça a auditoria de seus aplicativos, entidades e bibliotecas de software em busca de vulnerabilidades de segurança e aja para corrigir e reduzir erros.", - "to": "https://docs.newrelic.com/docs/vulnerability-management/overview/", + "to": "https://docs.newrelic.com/docs/vulnerability-management/getting-started/overview/", "icon": "nr-vulnerability" }, diff --git a/src/nav/vuln-management.yml b/src/nav/vuln-management.yml index d7a0a945784..e8d92107443 100644 --- a/src/nav/vuln-management.yml +++ b/src/nav/vuln-management.yml @@ -1,46 +1,71 @@ title: Security RX (Remediation Explorer) path: /docs/vulnerability-management pages: - - title: Get started with Security RX + - title: Getting started pages: - title: Overview - path: /docs/vulnerability-management/overview + path: /docs/vulnerability-management/getting-started/overview - title: Prerequisites and user roles - path: /docs/vulnerability-management/user-roles - - title: Vulnerability data integration + path: /docs/vulnerability-management/getting-started/prerequisites + # - title: Understanding prioritization + # path: /docs/vulnerability-management/getting-started/prioritization + - title: Integrations pages: - - title: Vulnerability integrations overview - path: /docs/vulnerability-management/integrations/intro - - title: AWS Security - path: /docs/vulnerability-management/integrations/aws - - title: Dependabot - path: /install/vm - - title: Snyk - pages: - - title: Send Snyk data to New Relic - path: /docs/vulnerability-management/integrations/snyk - - title: Troubleshoot Snyk - path: /docs/vulnerability-management/integrations/snyk-troubleshooting - - title: Trivy - path: /docs/vulnerability-management/integrations/trivy - - title: FOSSA - path: /docs/vulnerability-management/integrations/fossa - - title: Understanding vulnerability prioritization - path: /docs/vulnerability-management/understanding-prioritization - - title: Manage vulnerabilities as an engineer - pages: - - title: Manage vulnerabilities in your application - path: /docs/vulnerability-management/dev-workflow - - title: Manage vulnerabilities in your infrastructure - path: /docs/vulnerability-management/infra-workflow - - title: Manage vulnerabilities as a security team + - title: Integrations overview + path: /docs/vulnerability-management/getting-started/integrations/overview + - title: AWS Security Hub + path: /docs/vulnerability-management/getting-started/integrations/aws + - title: Dependabot + path: /install/vm + - title: Snyk + pages: + - title: Send Snyk data to New Relic + path: /docs/vulnerability-management/getting-started/integrations/snyk + - title: Troubleshoot Snyk integration + path: /docs/vulnerability-management/getting-started/integrations/snyk-troubleshooting + - title: Trivy + path: /docs/vulnerability-management/getting-started/integrations/trivy + - title: FOSSA + path: /docs/vulnerability-management/getting-started/integrations/fossa + - title: Security RX for Applications pages: - - title: Manage vulnerabilities in your application - path: /docs/vulnerability-management/security-workflow - - title: Manage vulnerabilities in your your infrastructure - path: /docs/vulnerability-management/security-workflow-infra - - title: Change vulnerability status - path: /docs/vulnerability-management/change-vulnerability-status - - title: Set up vulnerability alerts - path: /docs/vulnerability-management/set-up-alerts - + - title: Overview + path: /docs/vulnerability-management/applications/overview + - title: Understand prioritization + path: /docs/vulnerability-management/applications/prioritization + - title: Manage organization vulnerabilities (security teams) + path: /docs/vulnerability-management/applications/manage-organization-vulnerabilities + - title: Monitor entity security (engineers) + path: /docs/vulnerability-management/applications/monitor-entity-security + - title: Security RX for Infrastructure + pages: + - title: Overview + path: /docs/vulnerability-management/infrastructure/overview + - title: Manage infrastructure vulnerabilities (security teams) + path: /docs/vulnerability-management/infrastructure/manage-infrastructure-vulnerabilities + - title: Monitor host security (engineers) + path: /docs/vulnerability-management/infrastructure/monitor-host-security + - title: Security RX for Cloud + pages: + - title: Overview + path: /docs/vulnerability-management/cloud/overview + - title: Set up cloud integration + path: /docs/vulnerability-management/cloud/setup + - title: Understand prioritization + path: /docs/vulnerability-management/cloud/prioritization + - title: Remediate misconfigurations + path: /docs/vulnerability-management/cloud/remediation + - title: Manage cloud misconfigurations (security teams) + path: /docs/vulnerability-management/cloud/security-workflow + - title: Monitor cloud security (engineers) + path: /docs/vulnerability-management/cloud/engineer-workflow + - title: Manage your security data + pages: + - title: Security data structure (NRQL) + path: /docs/vulnerability-management/advanced/data-structure + - title: Query examples (NRQL) + path: /docs/vulnerability-management/advanced/query-examples + - title: Set up alerts + path: /docs/vulnerability-management/advanced/set-up-alerts + - title: Manage vulnerability status + path: /docs/vulnerability-management/advanced/manage-vulnerability-status diff --git a/static/images/aws-account-misconfigurations-view.webp b/static/images/aws-account-misconfigurations-view.webp new file mode 100644 index 00000000000..1d798c4946e Binary files /dev/null and b/static/images/aws-account-misconfigurations-view.webp differ diff --git a/static/images/aws-integration-setup.webp b/static/images/aws-integration-setup.webp new file mode 100644 index 00000000000..ae2d5d4812c Binary files /dev/null and b/static/images/aws-integration-setup.webp differ diff --git a/static/images/s3-bucket-misconfiguration-remediation.webp b/static/images/s3-bucket-misconfiguration-remediation.webp new file mode 100644 index 00000000000..c5f459c8100 Binary files /dev/null and b/static/images/s3-bucket-misconfiguration-remediation.webp differ diff --git a/static/images/security-rx-misconfigurations-list.webp b/static/images/security-rx-misconfigurations-list.webp new file mode 100644 index 00000000000..0618a2e600f Binary files /dev/null and b/static/images/security-rx-misconfigurations-list.webp differ diff --git a/static/images/security-rx-overview-dashboard.webp b/static/images/security-rx-overview-dashboard.webp new file mode 100644 index 00000000000..93b1be9de71 Binary files /dev/null and b/static/images/security-rx-overview-dashboard.webp differ diff --git a/static/images/security-rx-resources-dashboard.webp b/static/images/security-rx-resources-dashboard.webp new file mode 100644 index 00000000000..7c22165523d Binary files /dev/null and b/static/images/security-rx-resources-dashboard.webp differ diff --git a/static/images/security_app-overview.png b/static/images/security_app-overview.png new file mode 100644 index 00000000000..e1f4540286f Binary files /dev/null and b/static/images/security_app-overview.png differ diff --git a/static/images/security_app-overview.webp b/static/images/security_app-overview.webp index 7da97e40ff0..e1f4540286f 100644 Binary files a/static/images/security_app-overview.webp and b/static/images/security_app-overview.webp differ diff --git a/static/images/security_cloud-overview.webp b/static/images/security_cloud-overview.webp new file mode 100644 index 00000000000..0762a0c5907 Binary files /dev/null and b/static/images/security_cloud-overview.webp differ diff --git a/static/images/security_infra_entity_overview.webp b/static/images/security_infra_entity_overview.webp index 22465d08279..c1fd9cd663a 100644 Binary files a/static/images/security_infra_entity_overview.webp and b/static/images/security_infra_entity_overview.webp differ diff --git a/static/images/security_screenshot-entity_security-overview.webp b/static/images/security_screenshot-entity_security-overview.webp index f1aed028004..1be33aeb5b2 100644 Binary files a/static/images/security_screenshot-entity_security-overview.webp and b/static/images/security_screenshot-entity_security-overview.webp differ diff --git a/static/images/security_screenshot-full_security-overview.webp b/static/images/security_screenshot-full_security-overview.webp index e38cce61eeb..65893185dd2 100644 Binary files a/static/images/security_screenshot-full_security-overview.webp and b/static/images/security_screenshot-full_security-overview.webp differ diff --git a/static/images/security_screenshot-infra.webp b/static/images/security_screenshot-infra.webp index affc07f3195..e4b91654663 100644 Binary files a/static/images/security_screenshot-infra.webp and b/static/images/security_screenshot-infra.webp differ